THM - Advent of Cyber 2022 - Day 6
Difficulty:
Challenge Link
OS: Linux
Elf McBlue found an email activity while analysing the log files. It looks like everything started with an email... Check out CyberSecMeg's video walkthrough for Day 6 here!
Q: What is the email address of the sender?
Launching the machine in the challenge, we can see in Split View that there is an Urgent:.eml file on the desktop. We can right-click on this file and open it with Sublime Text, Notepad++, or any other text editor to view the contents of the email. The From: header shows where the email came from.
Answer
chief.elf@santaclaus.thm
Q: What is the return address?
Scrolling down a little, you can see the Return-Path header, which shows where a bounce or reply would be returned to. Note that it does not match the From: address, which is a common indicator of a spoofed sender.
Answer
murphy.evident@bandityeti.thm
Q: On whose behalf was the email sent?
The display name in the From: header shows that the email was sent on behalf of Chief Elf.
Answer
Chief Elf
Q: What is the X-spam score?
On line 11 we see the X-Pm-Spamscore header.
Answer
3
Q: What is hidden in the value of the Message-ID field?
The value in the Message-ID field looks like a Base64-encoded string. Run it through CyberChef's From Base64 operation to get the value.
Answer
AoC2022_Email_Analysis
Q: What is the reputation result of the sender's email address?
Visit the email reputation check website provided in the task. Looking up the email on emailrep we get the result.
Answer
RISKY
Q: What is the filename of the attachment?
Looking back at the file in our text editor, on line 40 we can see the Content-Disposition header, which shows us the attachment of this email.
Answer
Division_of_labour-Load_share_plan.doc
Q: What is the hash value of the attachment?
We can upload the email attachment to VirusTotal. Once uploaded, you can read the SHA-256 hash value of the attachment from the file details.
Answer
0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467
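The header checks above (sender vs. Return-Path, spam score, Base64 in the Message-ID, attachment name and hash) can be scripted so the triage is repeatable. The block below is an added example, not code from the walkthrough or from TryHackMe; the .eml it parses is constructed inline from the header values discussed on this page, and its attachment bytes are a placeholder, so the SHA-256 it reports will not match the challenge hash. The function names (`triage`, `decode_message_id`) are my own.

```python
"""Triage an .eml file: sender vs. return path, spam score, a Base64
Message-ID, and the SHA-256 of each attachment.
Added example; the sample message is constructed, not the challenge file."""
import base64
import binascii
import hashlib
from email import message_from_bytes, policy
from email.utils import parseaddr
from typing import Optional

# Constructed placeholder attachment; NOT the real macro document.
ATTACHMENT_BYTES = b"constructed placeholder; not the real macro document\n"
ATTACHMENT_SHA256 = hashlib.sha256(ATTACHMENT_BYTES).hexdigest()

# Constructed .eml mirroring the headers discussed in the walkthrough.
# The Message-ID local part is Base64 of "AoC2022_Email_Analysis".
SAMPLE_EML = b"""Return-Path: <murphy.evident@bandityeti.thm>
From: Chief Elf <chief.elf@santaclaus.thm>
To: elves.all@santaclaus.thm
Subject: Urgent: Division of labour
X-Pm-Spamscore: 3
Message-ID: <QW9DMjAyMl9FbWFpbF9BbmFseXNpcw==@santaclaus.thm>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached plan.
--b1
Content-Type: application/msword; name="Division_of_labour-Load_share_plan.doc"
Content-Disposition: attachment; filename="Division_of_labour-Load_share_plan.doc"
Content-Transfer-Encoding: base64

""" + base64.encodebytes(ATTACHMENT_BYTES) + b"""--b1--
"""


def decode_message_id(message_id: Optional[str]) -> Optional[str]:
    """Try to Base64-decode the local part of a Message-ID.
    Returns printable text if it decodes cleanly, else None (most real
    message ids are random and will not decode)."""
    if not message_id:
        return None
    local_part = message_id.strip().strip("<>").split("@", 1)[0]
    try:
        decoded = base64.b64decode(local_part, validate=True)
    except (binascii.Error, ValueError):
        return None
    if decoded and all(32 <= b < 127 for b in decoded):
        return decoded.decode("ascii")
    return None


def triage(raw: bytes) -> dict:
    """Parse an .eml and pull out the fields an analyst checks first."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender_name, sender = parseaddr(msg["From"] or "")
    return_path = parseaddr(msg["Return-Path"] or "")[1]
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):  # text attachments come back as str
            data = data.encode("utf-8", "replace")
        attachments.append({
            "filename": part.get_filename(),
            "sha256": hashlib.sha256(data).hexdigest(),  # search this on VT
        })
    return {
        "sender": sender,
        "sender_name": sender_name,
        "return_path": return_path,
        # Mismatch between envelope and header sender is a spoofing signal.
        "return_path_mismatch": bool(return_path) and sender != return_path,
        "spam_score": (msg["X-Pm-Spamscore"] or "").strip(),
        "message_id_hidden": decode_message_id(msg["Message-ID"]),
        "attachments": attachments,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(open("Urgent:.eml", "rb").read())`; the `sha256` values it prints are what you would paste into the VirusTotal or InQuest search box instead of uploading the attachment itself.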
Q: What is the second tactic marked in the Mitre ATT&CK section?
Search VirusTotal by the hash value, then navigate to the Behavior section and look at the MITRE ATT&CK tactics listed.
Answer
Defense Evasion
Q: What is the subcategory of the file?
Visit the InQuest website and use the hash value to search.
Answer
macro_hunter