Phishing Emails 1: Try Hack Me

Let’s Go Phishing

TryHackMe Phishing Emails 1 Room Picture

Phishing is a widely known attack used by cybercriminals to access systems and information we are trying to protect. This room is the first in a series that will guide you through analyzing emails to determine if they are malicious.

Phishing Emails 1 is the first in a series of Phishing Modules. It is a walkthrough room, and most of the questions are answered by reading the content or in linked articles. I tried to keep this write-up as spoiler-free as possible. I have also added some additional resources and tips that may be helpful for decoding and viewing the PDF in Task 5.

Task 1: Introduction

Launch the machine. It should automatically go to “Split-View” if not, follow the directions in the task description.

Task 2: The Email Address

Read some history about the invention of email. The answer to the question is in the content.

Task 3: Email Delivery

In this task, we learn about email ports and protocols. The linked article has more information about choosing secure ports and the answers to the task questions.

Thoughts: Sometimes, I find myself asking more questions while doing a room. To dig a bit deeper, I question why is POP3 still used? Is there a particular use case? I found another article with a further comparison of IMAP and POP3 here. Other discussions point to limited server storage and security as reasons to use POP3. <end tangent and back to the tasks at hand>

Task 4: Email Headers

The answers to the task questions are in the linked article:
under the sections “How to analyze an email header” and “Finding the Original Sender.

Task 5: Email Body

Showing how to analyze the contents of an email.

Question 1: Examine the “HTML snippet” and find the “src=” for the link to the blocked image.

Question 2: Examine the “attachment within the source code” and find “name =” for the answer.

Question 3: Decode and view the contents of the PDF in email2.txt contained in the room VM.

There are multiple ways to reach the answer; here are two:

  1. The simple “cut and paste” way uses tools found on base64.guru to clean up the text and view the pdf.
First "select all" the email2.txt content and paste into the base64 repar tool.Then "select all" and copy the cleaned up base64 into the base64.guru pdf decoder.
Showing steps to decode base64 email text

2. Using the terminal:

Copy the email2.txt into a new file and edit it to include only the base64 contents:

:~/Desktop/Email Samples$ cp email2.txt email2base64.txt

:~/Desktop/Email Samples$ nano email2base64.txt

A quick check of the file contents (showing first and last line of base64)

:~/Desktop/Email Samples$ sed -n '1p ; $p'  email2base64.txt                               
JVBERi0xLjYNJeLjz9MNCjE0IDAgb2JqDTw8L0xpbmVhcml6ZWQgMS9MIDM1Mjc3L08gMTYvRSAz
MgAEGADbmAUjDQplbmRzdHJlYW0NZW5kb2JqDXN0YXJ0eHJlZg0KMTE2DQolJUVPRg0K

Decode the new base64 file:

~/Desktop/Email Samples$ base64 -d email2base64.txt > decoded.pdf

View the PDF:

:~/Desktop/Email Samples$ xdg-open decoded.pdf
decode and view base64 pdf via terminal

Task 6: Types of Phishing

Analyze email3.eml in the virtual machine and answer the questions: I used CyberChef to decode the base64 where necessary.

Question 1: What trusted entity….?

Find the “From” line and copy and paste the base64 into CyberChef to decode the base64:

email3 decoded in CyberChef

Question 2: What is the senders’ email?

The answer is in the header; use tips from Task 4 to answer this question.

Question 3: What is the subject line?

Find the “Subject” line and once again decode it using CyberChef:

Question 4: What is the defanged URL? Use CyberChef to clean up and “defang” the URL:

Conclusion:

This section covers what we reviewed and why and the importance of understanding BEC (Business Email Compromise.)

There are four more Try Hack Me Phishing Email rooms to complete!

On to the next one!

https://tryhackme.com/module/phishing

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store