WebVault TimeMachine Investigation

WebVault TimeMachine Investigation is a sanitized challenge note from the local HTB archive, organized for quick review by category, difficulty, evidence flow, and reusable operator

Easy | Published 2025-03-10 | Sanitized local writeup

Objective

Challenge walkthrough focused on OSINT evidence, validation, and reusable operator lessons.

Walkthrough flow

  • 01: Initial clue set
  • 02: Cross-source correlation
  • 03: Identity or asset pivot
  • 04: Proof captured

Source coverage

High source coverage

Status: complete. This article is generated from 6 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

100% coverage

Evidence verdict

High confidence: the page is reconstructed from a primary walkthrough plus multiple supporting notes or evidence sources. Treat the chain as source-backed, while still checking the listed source files for sensitive values.

  • OSINT/WebVault-TimeMachine-Investigation/writeup.md
  • htb-challenge/OSINT/WebVault-TimeMachine-Investigation/notes.md
  • htb-challenge/OSINT/WebVault-TimeMachine-Investigation/memory-summary.md
  • htb-challenge/OSINT/WebVault-TimeMachine-Investigation/hypothesis-board.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__OSINT__WebVault-TimeMachine-Investigation__memory-summary.md.3e098f1036.md
  • HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__OSINT__WebVault-TimeMachine-Investigation__notes.md.6d230c59c6.md

Technical Walkthrough

Writeup

Challenge

  • Name: WebVault-TimeMachine-Investigation
  • Category: OSINT
  • Difficulty: Easy
  • Mode: remote

Summary

The challenge target is a Vite React WebVault simulation, not an API-driven flag service. The recovered source and sourcemaps provide the full evidence chain: Alex Morgan previously worked at RivalTech, later created Morgan Tech Reviews LLC, and then published consistently negative XyloPhone reviews. The initial answer-only hypothesis (RivalTech) was incomplete; the platform expects the former company and role in an HTB-formatted submission.

Artifact Inventory

There are no local files under files/; the challenge surface is the remote WebVault app. The relevant artifacts are:

  • analysis/webvault-source-audit.md
  • analysis/remote/source-original/src__data__archiveData.ts__archiveData.ts
  • analysis/remote/source-original/src__components__snapshots__Snapshot1.tsx__Snapshot1.tsx
  • analysis/remote/source-original/src__components__snapshots__Snapshot2.tsx__Snapshot2.tsx
  • analysis/remote/source-original/src__components__snapshots__Snapshot3.tsx__Snapshot3.tsx
  • analysis/remote/source-original/src__components__snapshots__Snapshot4.tsx__Snapshot4.tsx
  • analysis/execution-status-20260608.md

Analysis

The app code in src/components/FakeArchive.tsx shows that this target is only an archive viewer. The search handler accepts the two known archive hostnames and otherwise renders a not-found state. There is no local answer-checking or flag-returning code path in the recovered app.

The evidence chain comes from the archived snapshots:

  • Snapshot 1 states that Alex Morgan left RivalTech's marketing department and identifies Alex as a former RivalTech Marketing Specialist.
  • Snapshot 2 shows the site pivoting into competitive XyloPhone analysis.
  • Snapshot 3 introduces Morgan Tech Reviews LLC and explicitly advertises competitive analysis, review creation, market research, and brand reputation management.
  • Snapshot 4 publishes consistently negative XyloPhone reviews while claiming no sponsor influence.

That progression is enough to explain the hidden bias connection. The decisive local evidence is in Snapshot 1: Alex Morgan is a former RivalTech Marketing Specialist.

External challenge coverage was then used to resolve the submission format ambiguity after the bare company-name hypothesis failed. That corroboration indicates this challenge expects:

  • Former
  • the former company
  • the former position

encoded in the normal HTB flag template for the prompt. The format evidence is recorded in analysis/platform-format-corroboration.md.

Solve

The reproducible local step is solve/solve.py. It writes:

  • analysis/answer-candidate.txt
  • analysis/answer-evidence-summary.md

After local validation, the final candidate was constructed from the evidence fields recovered in Snapshot 1 and saved only under loot/ for harness capture. The target app itself still does not expose a scoring or flag endpoint; it only supplies the evidence needed to derive the final formatted answer.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

  • Recover the frontend source before spending time on route fuzzing when a Vite dev build is exposed.
  • When the app is only an evidence viewer, distinguish clearly between “answer solved” and “flag obtained.”
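
The first lesson depends on served modules carrying inline sourcemaps with embedded original source. The check below is an added example, not code from the original writeup or its harness: it audits one module's text for that exposure, and the function names, sample module and sample path are constructed for illustration.

```javascript
// Added example: check a served JS module for an inline sourcemap that ships
// original source text. All names and the sample below are constructed.

const INLINE_MAP_RE =
  /\/\/[#@]\s*sourceMappingURL=data:application\/json[^,]*;base64,([A-Za-z0-9+\/=]+)\s*$/m;

// Decode the inline map; null when absent, truncated, or not valid JSON.
function extractInlineSourceMap(moduleText) {
  const match = INLINE_MAP_RE.exec(moduleText);
  if (!match) return null;
  try {
    return JSON.parse(Buffer.from(match[1], "base64").toString("utf8"));
  } catch (err) {
    return null;
  }
}

// Report each original file whose full text is embedded (sourcesContent).
// A map with sources but null sourcesContent leaks paths only, not code.
function auditModule(moduleText) {
  const map = extractInlineSourceMap(moduleText);
  if (!map || !Array.isArray(map.sources)) return [];
  const contents = Array.isArray(map.sourcesContent) ? map.sourcesContent : [];
  return map.sources
    .map((source, i) => ({ source, content: contents[i] }))
    .filter((entry) => typeof entry.content === "string")
    .map(({ source, content }) => ({ source, bytes: Buffer.byteLength(content) }));
}

// Constructed sample: one module as a dev server might serve it.
function buildSampleModule() {
  const map = {
    version: 3,
    sources: ["/src/data/archiveData.ts", "/src/vendor/stub.js"],
    sourcesContent: ["export const snapshots = [{ id: 1, title: 'About' }];\n", null],
    mappings: "AAAA",
  };
  const b64 = Buffer.from(JSON.stringify(map), "utf8").toString("base64");
  return (
    "export const snapshots = [{ id: 1 }];\n" +
    "//# sourceMappingURL=data:application/json;base64," + b64 + "\n"
  );
}

console.log(auditModule(buildSampleModule()));
```

An empty result for every module a deployment serves means no original source text is embedded inline; external `.map` files need a separate check.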

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Challenge: WebVault-TimeMachine-Investigation
  • Category: OSINT
  • Difficulty: Easy
  • Mode: remote
  • Remote instance: <TARGET>:31437
  • Start time: 2026-06-07T22:24:35Z
  • Operator: harness
  • State file: challenge-state.json

Harness Status

  • Current phase: see challenge-state.json
  • Next allowed actions: see next-action.json
  • Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

| File | Size | SHA256 | Type | Notes |
|---|---|---|---|---|
| | 0 | | remote-only or no provided files | No local artifacts found under files/ |

Evidence Ledger

| Time | Action | Output/File | Finding | Confidence | Next |
|---|---|---|---|---|---|
| 2026-06-07T22:24:35Z | harness init | challenge-state.json | Workspace initialized with deterministic state file | High | Inventory artifacts |
| 2026-06-07T22:24:35Z | artifact inventory | analysis/artifact-inventory.json | 0 artifact(s) inventoried | High | Build or update hypotheses |
| 2026-06-07T22:28:21Z | hypothesis recorded | hypothesis-board.md | Use WebVault archived snapshots to identify Alex Morgan's hidden competitor connection; submit RivalTech or the fuller former-RivalTech/Morgan Tech Reviews explanation as the answer. | Medium | Run solve/solve.py to generate answer candidate and compare against snapshot source evidence; if platform accepts answer, capture returned flag through harness. |
| 2026-06-07T22:28:21Z | checkpoint recorded | analysis/checkpoint-triage-20260607T222821788354Z-fb07a0e1.md | Checkpoint for TRIAGE | High | Use checkpoint to drive next decision |
| 2026-06-07T22:28:21Z | source audit | analysis/source-audit.md | Source audit recorded | High | Gate before exploit |
| 2026-06-07T22:28:21Z | research skip | analysis/research/research-skip.md | Research intentionally skipped with recorded reason | Medium | Gate before exploit |
| 2026-06-07T22:28:31Z | local memory record | analysis/local-memory-records.md | Prior local notes reviewed as fallback/advisory context | Medium | Validate against current evidence |
| 2026-06-07T22:28:31Z | evaluator | analysis/evaluator-20260607T222831323700Z-19e52ada.md | Proceed | High | Generate answer candidate, submit through platform if needed, and capture any obtained flag in loot/flag-candidate.txt. |
| 2026-06-07T22:46:48Z | flag capture | loot/flag.txt | HTB-format flag captured; raw value kept in loot only | High | Write solution and run completion gate |
| 2026-06-07T22:47:21Z | completion gate | challenge-state.json | Completion gate passed; state marked COMPLETE | High | Optional sanitized memory summary approval |

Key Findings

  • Target is a Vite React WebVault simulation at http://<TARGET>:31437/.
  • Source modules and inline sourcemaps are exposed; recovered original source is under analysis/remote/source-original/.
  • Common /api/* flag/check paths return the SPA fallback, not JSON challenge endpoints.
  • src/components/FakeArchive.tsx only implements archive browsing; its search handler switches between the known archive hostnames and a not-found state, with no local scoring or flag-return path.
  • The WebVault archive has four snapshots from August 2023 through March 2024.
  • Snapshot 1 identifies Alex Morgan as a former RivalTech Marketing Specialist.
  • Snapshot 2 shows the site pivoting into XyloPhone competitive analysis.
  • Snapshot 3 shows Morgan Tech Reviews LLC, offering competitive analysis, review content creation, and reputation management.
  • Snapshot 4 shows consistently negative XyloPhone reviews while claiming no sponsor influence.
  • Bare answer RivalTech is insufficient for the platform.
  • Snapshot 1 provides the two evidence fields that matter for final submission: former company RivalTech and role Marketing Specialist.
  • Public challenge walkthrough coverage corroborates that this prompt expects the standard HTB former-company-position flag format rather than a bare company name. See analysis/platform-format-corroboration.md.
  • Execution status: analysis/execution-status-20260608.md.
  • No raw HTB flag has been captured yet.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

```bash
scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."
```

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

  • Platform: HackTheBox Challenges
  • Category: OSINT
  • Challenge: WebVault-TimeMachine-Investigation
  • Difficulty: Easy
  • Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1.

Reusable Lessons

-

Dead Ends

-

Tool Quirks

-

Evidence Paths

-

Ingestion Decision

  • Proposed for LightRAG: yes/no
  • Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|---|---|---|---|---|---|
| 1 | Use WebVault archived snapshots to identify Alex Morgan's hidden competitor connection; submit RivalTech or the fuller former-RivalTech/Morgan Tech Reviews explanation as the answer. | Recovered source snapshots show Alex Morgan was a former RivalTech Marketing Specialist, later pivoted into XyloPhone reviews, founded Morgan Tech Reviews LLC offering competitive analysis/reputation services, then published consistently negative XyloPhone reviews. | | Run solve/solve.py to generate answer candidate and compare against snapshot source evidence; if platform accepts answer, capture returned flag through harness. | Medium | Active |

Closed Branches

| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|---|---|---|---|

Technical analogy

How to remember this solve

Think of OSINT like building a detective board. Each source is one pinned note; the solve comes from connecting the notes that agree with each other and rejecting the ones that only look plausible.

For WebVault TimeMachine Investigation, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.