AoC3#19: Something Phishy Is Going On

With the completion of the last 18 days worth of Advent of Cyber challenges, I’m now starting on the blue-teaming exercises.

This blue team exercise see’s me taking a look at a phising email.

Mitre define phishing as:

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source.

https://attack.mitre.org/techniques/T1566/

Suspicious phishing email

After spinning up the AttackBox, opening the suspect email in Thunderbird gave me an easy-to-view representation of the email. Finding the email to, reply-to and from addresses was as simple as copying-and-pasting from the separated header.

Hovering over the orange button revealed the dogdy destination of the link:

It took me a while (~2 minutes) to find unusual email header, as it aligned perfectly (badly) with the line-wrap on my screen. If in doubt, search for grinch.

Once I had extracted the attachment, and decoded it using the normal file > base64 decoder > new file pipeline… I was stuck.

I couldn’t grep or use strings to recover the file. So I did the one thing you shouldn’t do with a payload… I opened it.

I’m not sure how you should have recovered the flag without opening it… but opening it definitely gives up the flag. Maybe one for me to research.

Leave a Reply

Your email address will not be published. Required fields are marked *