BTLO - Phishing Analysis
Challenge: https://blueteamlabs.online/home/challenge/phishing-analysis-f92ef500ce
:::spoiler TOC
[TOC]
:::
Scenario
A user has received a phishing email and forwarded it to the SOC. Can you investigate the email and attachment to collect useful artifacts?
Tools
Text Editor, Mozilla Thunderbird, URL2PNG, WHOis
==Q1==
Who is the primary recipient of this email?
Recon
For this question you could push the .eml through an online EML viewer that converts it to a PDF, but a lot of detail is lost that way (the raw headers in particular), and you are uploading a phishing sample to a third party. The better approach is to open the .eml locally in Mozilla Thunderbird, ideally in an analysis VM, and read it without clicking anything in it. The primary recipient is the address in the To header.
:::spoiler Flag
Flag: kinnar1975@yahoo.co.uk
:::
==Q2==
What is the subject of this email?
Recon
Same as Q1: the Subject header is shown in the Thunderbird message pane.
:::spoiler Flag
Flag: Undeliverable: Website contact form submission
:::
==Q3==
What is the date and time the email was sent?
Recon
Same as Q1: read the Date header. Thunderbird displays the time converted to your local zone, while the raw Date header carries its own UTC offset, so check the raw header if the two disagree.
:::spoiler Flag
Flag: 18 March 2021 04:14
:::
==Q4==
What is the Originating IP?
Recon
Open the .eml in a text editor and search for the string "Originating"; the X-Originating-IP header holds this IP. If a message has no such header, walk the Received: headers from the bottom up instead, since the bottom-most one is the hop closest to the sender.
:::spoiler Flag
Flag: 103.9.171.10
:::
==Q5==
Perform reverse DNS on this IP address, what is the resolved host? (whois.domaintools.com)
Recon
Look the IP up with the online tool named in the question (whois.domaintools.com); the reverse DNS result is the PTR record for the address. A local reverse lookup with dig or host gives the same answer without leaving a record with a third-party service.
:::spoiler Flag
Flag: c5s2-1e-syd.hosting-services.net.au
:::
==Q6==
What is the name of the attached file?
Recon
As in Q1, Thunderbird lists an attachment on the message. The attachment is itself an .eml, which fits the "Undeliverable:" subject: the forwarded mail is a bounce (NDR) that carries the original message as an attachment, and that original is where the phish lives.
:::spoiler Flag
Flag: Website contact form submission.eml
:::
==Q7==
What is the URL found inside the attachment?
Recon
Continuing from Q6, open the attached .eml (again without clicking the link) and a URL is visible in its body. The accepted flag is two blogspot URLs run together, a .blogspot.sg one and a .blogspot.co.il one, so copy the value exactly as it appears in the attachment.
:::spoiler Flag
Flag: https://35000usdperwwekpodf.blogspot.sg?p=9swghttps://35000usdperwwekpodf.blogspot.co.il?o=0hnd
:::
==Q8==
What service is this webpage hosted on?
Recon
Continuing from Q7, I followed the explanation in [1] for this one: the hosting service can be read straight off the phishing URL's hostname.
:::spoiler Flag
Flag: blogspot
:::
==Q9==
Using URL2PNG, what is the heading text on this page? (Doesn’t matter if the page has been taken down!)
Recon
Submit the URL to the online tool URL2PNG, which renders the page and returns a screenshot so you never load the page in your own browser. The heading text in the screenshot is the answer, even though the page has since been taken down.
:::spoiler Flag
Flag: Blog has been removed
:::