
THM - Advent of Cyber 2022 - Day 6


Difficulty: ⭐
Challenge Link
OS: Linux

Elf McBlue found an email activity while analysing the log files. It looks like everything started with an email... Check out CyberSecMeg's video walkthrough for Day 6 here!

Q: What is the email address of the sender?

Launch the machine in the challenge and, in Split View, you can see an Urgent:.eml file on the desktop. Right-click the file and open it with Sublime Text, Notepad++, or any other text editor to view the raw contents of the email. The From: header shows who the email claims to be from.

Answer

chief.elf@santaclaus.thm

Q: What is the return address?

Scrolling down a little, you can see the Return-Path header, which is where bounces would be returned to. Note that it is on a completely different domain from the From: address; a From/Return-Path mismatch like this is one of the first signs of a spoofed sender.

Answer

murphy.evident@bandityeti.thm

Q: On whose behalf was the email sent?

The display name in the From: header is Chief Elf, so the email was sent on his behalf (or, more accurately, claims to be).

Answer

Chief Elf

Q: What is the X-spam score?

On line 11 of the file we see the X-Pm-Spamscore header, which holds the spam score assigned by the receiving mail server.

Answer

3

Q: What is hidden in the value of the Message-ID field?

The Message-ID field looks like a Base64-encoded string rather than a normal message identifier. Run it through CyberChef (From Base64) to recover the hidden value.

Answer

AoC2022_Email_Analysis

Q: What is the reputation result of the sender's email address?

Visit the email reputation check website linked in the task (emailrep.io). Looking up the sender's address on emailrep gives the reputation result.

Answer

RISKY

Q: What is the filename of the attachment?

Looking back at the file in our text editor, on line 40 we can see the Content-Disposition header, which names the attachment carried by this email.

Answer

Division_of_labour-Load_share_plan.doc

Q: What is the hash value of the attachment?

We can upload the email attachment to VirusTotal and, once it is processed, read the SHA-256 hash from the file's details. In a real investigation, hash the file locally first (for example with sha256sum) and search VirusTotal by hash, since uploading shares a potentially sensitive attachment with a third party.

Answer

0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467
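All of the header questions above (sender, Return-Path, display name, spam score, the Base64 in Message-ID, the attachment name and its hash) can be answered in one pass with the Python standard library instead of eyeballing the file and uploading the attachment. The script below is an added example, not part of the TryHackMe task or the original writeup. The sample .eml is constructed here to mirror the headers discussed on the page; the attachment body is placeholder bytes, so its hash will not match the real task's attachment.

```python
"""Offline triage of a .eml file: headers, Message-ID decode, attachment hash.

Added example, not the task's own material. SAMPLE_EML is constructed to
resemble the Urgent:.eml discussed on the page; the attachment content is a
placeholder, not the real document.
"""
import base64
import binascii
import hashlib
import re
from email import message_from_bytes
from email.policy import default
from email.utils import parseaddr

# Constructed stand-in for the attachment (assumption: real content unknown here).
ATTACHMENT_BYTES = b"placeholder bytes standing in for a macro-laden .doc"

# Constructed sample message mirroring the headers quoted in the writeup.
SAMPLE_EML = (
    b"Return-Path: <murphy.evident@bandityeti.thm>\r\n"
    b"From: Chief Elf <chief.elf@santaclaus.thm>\r\n"
    b"To: elves.all@santaclaus.thm\r\n"
    b"Subject: Urgent: Division of labour\r\n"
    b"X-Pm-Spamscore: 3\r\n"
    b"Message-ID: <QW9DMjAyMl9FbWFpbF9BbmFseXNpcw==@santaclaus.thm>\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="BOUNDARY"\r\n'
    b"\r\n"
    b"--BOUNDARY\r\n"
    b'Content-Type: text/plain; charset="utf-8"\r\n'
    b"\r\n"
    b"Please review the attached plan.\r\n"
    b"--BOUNDARY\r\n"
    b'Content-Type: application/msword; name="Division_of_labour-Load_share_plan.doc"\r\n'
    b'Content-Disposition: attachment; filename="Division_of_labour-Load_share_plan.doc"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + base64.encodebytes(ATTACHMENT_BYTES)
    + b"--BOUNDARY--\r\n"
)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of raw bytes, the value you would search on VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def decode_message_id(message_id: str):
    """Return the decoded text if the local part of Message-ID is Base64, else None."""
    match = re.match(r"\s*<?([^@>\s]+)", message_id or "")
    if not match:
        return None
    try:
        decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if decoded.isprintable() else None


def analyze(raw: bytes) -> dict:
    """Pull the triage-relevant fields out of a raw .eml without network access."""
    msg = message_from_bytes(raw, policy=default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    score_raw = str(msg.get("X-Pm-Spamscore", "")).strip()

    attachments = []
    for part in msg.iter_attachments():
        content = part.get_content()  # bytes, transfer encoding already undone
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(content),
            "sha256": sha256_hex(content),
        })

    return {
        "from_name": from_name,
        "from_addr": from_addr,
        "return_path": return_path,
        # Different mailbox in From and Return-Path is a classic spoofing tell.
        "return_path_mismatch": bool(return_path) and return_path != from_addr,
        "spam_score": int(score_raw) if score_raw.isdigit() else score_raw,
        "message_id_decoded": decode_message_id(str(msg.get("Message-ID", ""))),
        "attachments": attachments,
    }


if __name__ == "__main__":
    import json
    import sys

    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    print(json.dumps(analyze(raw), indent=2))
```

Run it as `python3 triage.py Urgent:.eml` against the real file; with no argument it analyses the constructed sample. The hash it prints for the real attachment is the one to search on VirusTotal and InQuest, which avoids uploading the file at all.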

Q: What is the second tactic marked in the Mitre ATT&CK section?

Go to the VirusTotal website and search for the hash value. Open the Behavior tab and look at the MITRE ATT&CK section; the second tactic listed there is the answer.

Answer

Defense Evasion

Q: What is the subcategory of the file?

Visit the InQuest Labs website and search for the same hash value; the file's subcategory is shown in the results.

Answer

macro_hunter