TryHackMe Walkthrough – Phishing Analysis Fundamentals

Task 1: Introduction

Question 1: No answer needed.

Task 2: The Email Address

Question 1: Email dates back to what time frame?

Answer is in the reading. Second paragraph.

Answer: 1970s

Task 3: Email Delivery

Question 1: What port is classified as Secure Transport for SMTP?

Answer to this is at the link in the reading: https://help.dreamhost.com/hc/en-us/articles/215612887-Email-client-protocols-and-port-numbers

Look under Step 3 – “Choose an outgoing SMTP port”

Answer: 465

Question 2: What port is classified as Secure Transport for IMAP?

Same link as question1. Look up a little higher on the page. Under “Step 2 – Choose a secure or insecure incoming port”

Answer: 993

Question 3: What port is classified as Secure Transport for POP3?

Same place in step 2.

Answer: 995

Task 4: Email Headers

Question 1: What email header is the same as “Reply-to”?

The answer for this is in the link from the reading: https://mediatemple.zendesk.com/hc/en-us/articles/204643950-understanding-an-email-header

About halfway down the page in the “How to analyze an email header” you will see…

Answer: Return-Path

Question 2: Once you find the email sender’s IP address, where can you retrieve more information about the IP?

We are looking for an URL here. At the very bottom of the mediatemple page are the instructions to find more information about an IP.

Answer: http://www.arin.net/

Task 5: Email Body

Question 1: In the above screenshots, what is the URI of the blocked image?

In the first image look for an image file.

Answer: https://i.imgur.com/lswotdi.png

Question 2: In the above screenshots, what is the name of the PDF attachment?

In the last screenshot you can see the whole PDF file name…

Answer: Payment-updateid.pdf

Question 3: In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF?

Open email2.txt in on the VM and save the base64 code to a new file. decode the file using terminal

base64 --decode base64pdf > answer.pdf

Where base64pdf is the file you created containing the base63 code from email2.txt

Answer: THM{BENIGN_PDF_ATTACHMENT}

Task 6: Types of Phishing

Question 1: What trusted entity is this email masquerading as?

I opened email3.eml with thunderbird which is on the VM. The From says Home Depot.

Answer: home depot

Question 2: What is the sender’s email?

Answer: support@teckbe.com

Question 3: What is the subject line?

Answer: Order Placed : Your Order ID OD2321657089291 Placed Successfully

Question 4: What is the URL link for – CLICK HERE? (Enter the defanged URL)

I used CyberChef to defang the URL. If you open IE on the VM it loads cyberchef by default.

Answer: hxxp[://]t[.]teckbe[.]com/p/?j3=EOowFcEwFHl6EOAyFcoUFVTVEchwFHlUFOo6lVTTDcATE7oUE7AUET==

Task 7: Conclusion

Question: No answer needed

One thought on “TryHackMe Walkthrough – Phishing Analysis Fundamentals”

Comments are closed.