TryHackMe | The Greenholt Phish Walkthrough
Hi there, I’m glad to see you here. In this article, we’ll solve the “The Greenholt Phish” room on TryHackMe together. In some sections, I’ll share a brief overview of the subject. Don’t forget! You must always research to learn more. I hope it will be helpful for you. Let’s start!
Contents:
- Email Analysis
- WHOIS Lookup
- SPF Record
- DMARC Record
- Examine the Attachment
Subject
Just another day as a SOC Analyst..
A Sales Executive at Greenholt PLC received an email that he didn’t expect to receive from a customer. He claims that the customer never uses generic greetings such as “Good day” and didn’t expect any amount of money to be transferred to his account. The email also contains an attachment that he never requested. He forwarded the email to the SOC (Security Operations Center) department for further investigation.
Preparation
To begin, launch Thunderbird and then follow the steps shown in the screenshot below:
Mozilla Thunderbird is a free and open-source cross-platform email client, personal information manager, news client, RSS and chat client developed by the Mozilla Foundation and operated by subsidiary MZLA Technologies Corporation.
An EML (Electronic Mail) file is an email message saved by an email application, such as Microsoft Outlook or Apple Mail. It contains the content of the message, along with the subject, sender, recipient(s), and date of the message. EML files may also store one or more email attachments, which are files sent with the message.
You can open EML files with various email programs, such as Microsoft Outlook (Windows), Apple Mail (macOS), and Mozilla Thunderbird (multiplatform).
Solution
Answer the questions below
Q1: What is the email’s timestamp? (answer format: mm/dd/yyyy hh:mm)
A1: 06/10/2020 05:58
Basically, the email timestamp shows the time the message was received, displayed in the receiver’s time zone.
Q2: Who is the email from?
A2: Mr. James Jackson
Q3: What is his email address?
A3: info@mutawamarine.com
Q4: What email address will receive a reply to this email?
A4: info.mutawamarine@mail.com
To view the mail source, click “More” in the header and select “View Source” from the menu. Let’s keep going!
Now we can see the source of the email, which lets us answer the next few questions.
Q5: What is the Originating IP?
A5: 192.119.71.157
Hint: The answer is NOT in X-Originating-Ip.
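To see how the first five answers are pulled out of the headers programmatically, here is an added Python example (my own, not part of the room): it parses a constructed .eml, reads Date, From and Reply-To, and walks the Received chain from the earliest hop upward for the originating IP instead of trusting X-Originating-Ip. The sample headers, domains and the 10.10.107.171 relay are made up; only 192.119.71.157 comes from the room.

```python
import email
import re
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
from ipaddress import ip_address

# Constructed sample (not the room's .eml). Each relay prepends its own Received
# header, so the top one is the last hop and the bottom one is the earliest hop.
SAMPLE_EML = b"""\
Received: from mx.example.org ([10.10.107.171]) by inbox.example.org; Wed, 10 Jun 2020 05:58:10 +0000
Received: from mail.example.com (mail.example.com [192.119.71.157]) by mx.example.org; Wed, 10 Jun 2020 05:58:02 +0000
Date: Wed, 10 Jun 2020 05:58:00 +0000
From: "Mr. Example Sender" <info@example.com>
Reply-To: info.example@mail.example.net
Return-Path: <info@example.com>
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def originating_ip(msg):
    """Walk Received headers from the earliest hop (bottom) upward and return
    the first public IP; X-Originating-Ip is ignored since the sender sets it."""
    for received in reversed(msg.get_all("Received", [])):
        for cand in IPV4.findall(received):
            try:
                if ip_address(cand).is_global:   # skips 10.x relays, loopback etc.
                    return cand
            except ValueError:
                continue
    return None

def triage(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", msg["From"])))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    return {
        "timestamp": parsedate_to_datetime(str(msg["Date"])).strftime("%m/%d/%Y %H:%M"),
        "from_addr": sender,
        "reply_to": reply_to,
        "reply_to_mismatch": reply_to.lower() != sender.lower(),  # classic phish tell
        "originating_ip": originating_ip(msg),
        "return_path_domain": return_path.rsplit("@", 1)[-1],   # query SPF/DMARC here
    }
```

The timestamp keeps the header's own UTC offset; Thunderbird shows it converted to the recipient's local time zone.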
Q6: Who is the owner of the Originating IP? (Do not include the “.” in your answer.)
A6: Hostwinds LLC
Hint: Perform a WHOIS lookup for the name of the organization.
A Whois domain lookup allows you to trace the ownership and tenure of a domain name. The Whois database contains details such as the registration date of the domain name, when it expires, ownership and contact information, nameserver information of the domain, the registrar via which the domain was purchased, etc.
Q7: What is the SPF record for the Return-Path domain?
A7: v=spf1 include:spf.protection.outlook.com -all
Sender Policy Framework (SPF) is used to authenticate the sender of an email. With an SPF record in place, Internet Service Providers can verify that a mail server is authorized to send email for a specific domain. An SPF record is a DNS TXT record containing a list of the IP addresses that are allowed to send email on behalf of your domain.
v=spf1 include:spf.protection.outlook.com -all
v=spf1 → This is the start of the SPF record.
include:spf.protection.outlook.com → Pulls in the SPF record of that domain, so every host it authorizes may also send mail for this domain.
-all → Mail from any host not matched by the mechanisms before it fails SPF (hard fail) and should be rejected.
Q8: What is the DMARC record for the Return-Path domain?
A8: v=DMARC1; p=quarantine; fo=1
Domain-based Message Authentication Reporting and Conformance (DMARC) is a method of authenticating email messages.
v=DMARC1; p=quarantine; fo=1
v=DMARC1 → Must be in all caps, and it’s not optional.
p=quarantine → If a check fails, then an email will be sent to the spam folder (DMARC Policy).
fo → Specifies failure/forensic reporting options.
fo=1 → Generate a DMARC failure/forensic report if either SPF or DKIM produces a result other than aligned pass.
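As an added example covering both the SPF and DMARC records above (my own code, not from the room or any library): two small parsers that split a v=spf1 record into result/mechanism/value triples and a v=DMARC1 record into its tags, applying the RFC defaults (neutral when "all" is absent; fo=0 and sp=p when those tags are missing).

```python
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
FO_MEANING = {"0": "report only if both SPF and DKIM fail",
              "1": "report if either SPF or DKIM fails",
              "d": "report DKIM failures", "s": "report SPF failures"}

def parse_spf(record):
    """Split an SPF TXT record into (result, mechanism, value) tuples.
    Returns None unless the record starts with the v=spf1 version tag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        result = "pass"                       # implicit "+" qualifier
        if term[0] in SPF_QUALIFIERS:
            result, term = SPF_QUALIFIERS[term[0]], term[1:]
        sep = "=" if "=" in term.split(":", 1)[0] else ":"   # modifier vs mechanism
        name, _, value = term.partition(sep)
        parsed.append((result, name.lower(), value))
    return parsed

def spf_default_result(record):
    """Result for a host matched by no mechanism: the qualifier on "all",
    or neutral when "all" is absent (RFC 7208 default)."""
    for result, name, _ in parse_spf(record) or []:
        if name == "all":
            return result
    return "neutral"

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=quarantine; fo=1' into a tag dict; v= and p= are
    mandatory, fo defaults to 0 and sp (subdomain policy) defaults to p."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("fo", "0")
    tags.setdefault("sp", tags["p"])
    return tags
```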
Q9: What is the name of the attachment?
A9: SWT_#09674321____PDF__.CAB
Q10: What is the SHA256 hash of the file attachment?
A10: <SHA256_Hash_Value>
ubuntu@ip-10-10-107-171:~$ cd Desktop/
ubuntu@ip-10-10-107-171:~/Desktop$ sha256sum [File_Name]
The program sha256sum is designed to verify data integrity using the SHA-256 algorithm (a member of the SHA-2 family with a digest length of 256 bits).
Q11: What is the attachment’s file size? (Don’t forget to add “KB” to your answer, NUM KB)
A11: 400.26 KB
Hint: Don’t go by the Linux file properties. Obtain the file hash and use an Open Source resource to help you with this.
VirusTotal is an online service that analyzes suspicious files and URLs to detect types of malware and malicious content using antivirus engines and website scanners.
Q12: What is the actual file extension of the attachment?
A12: rar
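For Q10 through Q12, an added Python example (mine, not the room’s): it hashes an attachment the way sha256sum does, reports the size in KB, and compares the extension claimed by the filename against the file’s magic bytes, which is how a .CAB name hiding a RAR body gets caught. The signature table and the FAKE_ATTACHMENT bytes are constructed; the filename is the one from Q9.

```python
import hashlib

# Magic bytes at offset 0 for the types this room cares about (constructed
# table; the .CAB name vs a RAR body is exactly the mismatch Q12 asks about).
SIGNATURES = [
    ("rar", b"Rar!\x1a\x07\x01\x00"),  # RAR 5.x
    ("rar", b"Rar!\x1a\x07\x00"),      # RAR 1.5 - 4.x
    ("cab", b"MSCF"),                  # Microsoft Cabinet
    ("pdf", b"%PDF-"),
    ("zip", b"PK\x03\x04"),            # also docx/xlsx/jar containers
]

def sha256_hex(data):
    """Same digest sha256sum prints, computed over the raw attachment bytes."""
    return hashlib.sha256(data).hexdigest()

def detect_extension(data):
    """Extension implied by the file's magic bytes, or None if unknown."""
    for ext, magic in SIGNATURES:
        if data.startswith(magic):
            return ext
    return None

def claimed_extension(filename):
    """Only the final extension counts; decoys like '____PDF__' in the name
    are part of the trick, not the type."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def triage_attachment(filename, data):
    actual = detect_extension(data)
    claimed = claimed_extension(filename)
    return {
        "sha256": sha256_hex(data),
        "size_kb": round(len(data) / 1024, 2),   # assumes 1 KB = 1024 bytes
        "claimed": claimed,
        "actual": actual,
        "mismatch": actual is not None and actual != claimed,
    }

# Constructed stand-in: a RAR5 signature plus filler, not the room's attachment.
FAKE_ATTACHMENT = b"Rar!\x1a\x07\x01\x00" + b"\x00" * 1016
```

Feed the real attachment’s bytes to triage_attachment() and the sha256 value is what you would submit to VirusTotal.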
Congratulations, soldier! You have successfully finished the mission.
Before we leave here, there are some important things we need to know.
→ Scan all email attachments for malware.
→ Be careful about opening attachments from unknown sources.
→ Avoid opening executable files included as attachments.
→ Regularly update and patch mail clients, web browsers and operating systems.
→ Never click on links in the body of email messages.
→ Double-check the sender’s name to confirm that an email is from a legitimate source.
→ Watch for other signs that may indicate phishing emails, such as obvious grammatical errors, suspicious attachments, strange domain names, etc.
Thank you for your time. See you soon! Until that time.. Happy Hacking ❤