Phishing Emails 1: Try Hack Me
Let’s Go Phishing
Phishing is a widely known attack used by cybercriminals to access systems and information we are trying to protect. This room is the first in a series that will guide you through analyzing emails to determine if they are malicious.
Phishing Emails 1 is the first in a series of Phishing Modules. It is a walkthrough room, and most of the questions are answered by reading the content or in linked articles. I tried to keep this write-up as spoiler-free as possible. I have also added some additional resources and tips that may be helpful for decoding and viewing the PDF in Task 5.
Task 1: Introduction
Launch the machine. It should automatically open in “Split-View”; if not, follow the directions in the task description.
Task 2: The Email Address
Read some history about the invention of email. The answer to the question is in the content.
Task 3: Email Delivery
In this task, we learn about email ports and protocols. The linked article has more information about choosing secure ports and the answers to the task questions.
Thoughts: Sometimes, I find myself asking more questions while doing a room. To dig a bit deeper, I question why POP3 is still used. Is there a particular use case? I found another article with a further comparison of IMAP and POP3 here. Other discussions point to limited server storage and security as reasons to use POP3. <end tangent and back to the tasks at hand>
Task 4: Email Headers
The answers to the task questions are in the linked article, under the sections “How to analyze an email header” and “Finding the Original Sender.”
Task 5: Email Body
This task shows how to analyze the contents of an email.
Question 1: Examine the “HTML snippet” and find the “src=” for the link to the blocked image.
Question 2: Examine the “attachment within the source code” and find “name =” for the answer.
Question 3: Decode and view the contents of the PDF in email2.txt contained in the room VM.
There are multiple ways to reach the answer; here are two:
1. The simple “cut and paste” way uses tools found on base64.guru to clean up the text and view the PDF:
First "select all" the email2.txt content and paste it into the base64 repair tool. Then "select all" and copy the cleaned-up base64 into the base64.guru PDF decoder.
2. Using the terminal:
Copy the email2.txt into a new file and edit it to include only the base64 contents:
:~/Desktop/Email Samples$ cp email2.txt email2base64.txt
:~/Desktop/Email Samples$ nano email2base64.txt
A quick check of the file contents (showing the first and last lines of the base64):
:~/Desktop/Email Samples$ sed -n '1p ; $p' email2base64.txt
JVBERi0xLjYNJeLjz9MNCjE0IDAgb2JqDTw8L0xpbmVhcml6ZWQgMS9MIDM1Mjc3L08gMTYvRSAz
MgAEGADbmAUjDQplbmRzdHJlYW0NZW5kb2JqDXN0YXJ0eHJlZg0KMTE2DQolJUVPRg0K
Decode the new base64 file:
:~/Desktop/Email Samples$ base64 -d email2base64.txt > decoded.pdf
View the PDF:
:~/Desktop/Email Samples$ xdg-open decoded.pdf
Task 6: Types of Phishing
Analyze email3.eml in the virtual machine and answer the questions. I used CyberChef to decode the base64 where necessary.
Question 1: What trusted entity…?
Find the “From” line and copy and paste the base64 into CyberChef to decode the base64:
Question 2: What is the sender’s email?
The answer is in the header; use tips from Task 4 to answer this question.
Question 3: What is the subject line?
Find the “Subject” line and once again decode it using CyberChef:
Question 4: What is the defanged URL? Use CyberChef to clean up and “defang” the URL:
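The decoding steps from Task 5 and Task 6 (a base64 attachment with a name= parameter, base64 “encoded-word” From/Subject headers, and defanging the URL) can be scripted instead of pasted into CyberChef. This is an added example, not part of the room or the write-up; it parses a constructed sample message rather than the real email3.eml, and the sender, subject, link and PDF bytes are made up.

```python
import base64
import email.header
import re

# Constructed sample, not the room's real email3.eml: base64 headers, a body link, a PDF attachment.
PDF_BYTES = b"%PDF-1.6\n1 0 obj\n<<>>\nendobj\n%%EOF\n"
FROM_B64 = base64.b64encode(b"Acme Bank Security").decode()
SUBJ_B64 = base64.b64encode(b"Urgent: Verify your account").decode()
SAMPLE_EML = f"""From: =?UTF-8?B?{FROM_B64}?= <alerts@acme-bank.example>
Subject: =?UTF-8?B?{SUBJ_B64}?=
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"

Please confirm your details at http://acme-bank-login.example/verify
--BOUNDARY
Content-Type: application/pdf; name="statement.pdf"
Content-Transfer-Encoding: base64

{base64.b64encode(PDF_BYTES).decode()}
--BOUNDARY--
"""
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def decode_header_value(raw):
    # Decode RFC 2047 encoded-words (=?UTF-8?B?...?=), the same base64 CyberChef undoes.
    parts = []
    for chunk, charset in email.header.decode_header(raw):
        if isinstance(chunk, bytes):
            chunk = chunk.decode(charset or "ascii", errors="replace")
        parts.append(chunk)
    return "".join(parts)

def defang(url):
    # Make the URL unclickable: hxxp scheme, [://] and [.] (CyberChef's defaults).
    return re.sub(r"^http", "hxxp", url).replace("://", "[://]").replace(".", "[.]")

def analyze(raw_eml):
    msg = email.message_from_string(raw_eml)
    report = {"from": decode_header_value(msg["From"]),
              "subject": decode_header_value(msg["Subject"]), "urls": [], "attachments": []}
    for part in msg.walk():
        if part.get_filename():                   # attachment: filename= or name= param
            data = part.get_payload(decode=True)  # undoes the base64 transfer encoding
            report["attachments"].append((part.get_filename(), data[:4], len(data)))
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            report["urls"] += [defang(u) for u in URL_RE.findall(body)]
    return report
```

The attachment entry records the first four bytes so you can confirm the decoded payload really starts with %PDF before opening it, as with decoded.pdf in Task 5.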
Conclusion:
This section covers what we reviewed and why, and the importance of understanding BEC (Business Email Compromise).
There are four more Try Hack Me Phishing Email rooms to complete!
On to the next one!