2024 Cyber Apocalypse: An Unusual Sighting

Challenge Information

Attribute | Details
Event | 2024 Cyber Apocalypse
Category | Forensics
Challenge | An Unusual Sighting

Summary

An Unusual Sighting is a forensics challenge involving an email file (.eml) that contains an HTML attachment. The flag is hidden in the HTML page's source code and can be found by reading the source or by using the browser's element inspector. The challenge requires parsing the email file and examining the HTML content to locate the flag.


Analysis

The challenge file is an .eml file (email message format). The investigation reveals:

  1. File Format: Standard email message with MIME encoding
  2. Content: HTML attachment containing hidden information
  3. Vulnerability: Flag is visible when inspecting HTML source or using browser developer tools
  4. Obfuscation: Flag appears as styled text that may be hidden via CSS or embedded in comments

Solution

Step 1: Extract the EML File

The .eml file can be opened with any text editor or email client.

Step 2: Locate HTML Content

Search for HTML content within the email:

  • Look for Content-Type: text/html
  • Extract the body of that HTML part if needed
  • Decode it from base64 if the part is base64-encoded

Step 3: Inspect HTML

Open the extracted HTML in a browser or text editor and examine:

  • Page source code for hidden elements
  • CSS styling that may hide content
  • Comments within the HTML
  • Inspector tools to reveal all elements

Step 4: Find the Flag

The flag is typically:

  • Hidden in a div element with CSS display: none or visibility: hidden
  • Located in HTML comments <!-- flag here -->
  • Styled with white text on white background
  • Or visible when inspecting the page with developer tools
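
Steps 1 to 4 can be scripted. The following is an added example, not part of the original write-up or the challenge files: it walks the MIME parts of an .eml, decodes each text/html part, and reports HTML comments plus text inside elements hidden by inline CSS. The sample message, its FLAG{...} strings, and the names inspect_eml, HiddenContentFinder and build_sample are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Inline-style hiding tricks named in the write-up; stylesheet/class rules are not resolved.
HIDING_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|(?<![\w-])color\s*:\s*(?:white|#fff(?:fff)?)\b", re.I)
VOID_TAGS = {"br", "hr", "img", "input", "link", "meta"}  # no end tag, so never pushed on the stack

class HiddenContentFinder(HTMLParser):
    """Collects HTML comments and text nested inside elements hidden by inline CSS."""
    def __init__(self):
        super().__init__()
        self.findings, self.stack = [], []  # stack: one "hidden?" flag per open element
    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.stack.append(bool(HIDING_CSS.search(dict(attrs).get("style") or "")))
    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()
    def handle_comment(self, data):
        self.findings.append(("comment", data.strip()))
    def handle_data(self, data):
        if any(self.stack) and data.strip():
            self.findings.append(("hidden-text", data.strip()))

def inspect_eml(raw_eml: bytes):  # -> list of (kind, text) from every text/html part
    findings = []
    for part in message_from_bytes(raw_eml, policy=policy.default).walk():
        if part.get_content_type() == "text/html":
            finder = HiddenContentFinder()
            finder.feed(part.get_content())  # base64 / quoted-printable already undone here
            finder.close()
            findings.extend(finder.findings)
    return findings

SAMPLE_HTML = """<body style="background-color: white"><p>Quarterly report attached.</p>
<!-- FLAG{constructed_comment} -->
<div style="display: none">FLAG{constructed_hidden_div}</div>
<span style="color:#ffffff">FLAG{constructed_white_text}</span></body>"""

def build_sample() -> bytes:  # constructed .eml with a base64-encoded HTML attachment
    msg = EmailMessage()
    msg.set_content("See attachment.")
    msg.add_attachment(SAMPLE_HTML.encode(), maintype="text", subtype="html", filename="page.html")
    return msg.as_bytes()

if __name__ == "__main__":
    print(*inspect_eml(build_sample()), sep="\n")
```

Because the attachment is base64-encoded, a plain text search of the raw .eml for the flag string finds nothing; the findings only appear after the MIME part is decoded.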

Investigation Checklist

  • Open .eml file in text editor
  • Identify HTML content sections
  • Decode base64 if necessary
  • Extract HTML to separate file
  • Open in browser
  • Use Inspector (F12) to find all elements
  • Check for hidden CSS styles
  • Search page source for flag patterns
  • Look in HTML comments

Key Takeaways

  • Email files contain structured MIME content that can be manually parsed
  • HTML can hide information through CSS styling (display, visibility, color)
  • Browser developer tools reveal all page elements including hidden ones
  • Email attachments should be scrutinized for suspicious content
  • Steganography in plain sight is surprisingly common in CTF challenges