Task 1: Introduction
Question 1: No answer needed.
Task 2: The Email Address
Question 1: Email dates back to what time frame?
Answer is in the reading. Second paragraph.
Answer: 1970s
Task 3: Email Delivery
Question 1: What port is classified as Secure Transport for SMTP?
Answer to this is at the link in the reading: https://help.dreamhost.com/hc/en-us/articles/215612887-Email-client-protocols-and-port-numbers
Look under Step 3 – “Choose an outgoing SMTP port”
Answer: 465
Question 2: What port is classified as Secure Transport for IMAP?
Same link as question 1. Look a little higher on the page, under “Step 2 – Choose a secure or insecure incoming port”.
Answer: 993
Question 3: What port is classified as Secure Transport for POP3?
Same place in step 2.
Answer: 995
Task 4: Email Headers
Question 1: What email header is the same as “Reply-to”?
The answer for this is in the link from the reading: https://mediatemple.zendesk.com/hc/en-us/articles/204643950-understanding-an-email-header
About halfway down the page, in the “How to analyze an email header” section, you will see…
Answer: Return-Path
Question 2: Once you find the email sender’s IP address, where can you retrieve more information about the IP?
We are looking for a URL here. At the very bottom of the mediatemple page are the instructions for finding more information about an IP.
Answer: http://www.arin.net/
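Since the room stops at “find the IP and look it up”, here is an added example of the header analysis itself. This is my own illustration, not code from the room or from the mediatemple article: it parses a constructed set of headers (the addresses and IPs are placeholders), pulls out From, Reply-To and Return-Path, flags domain mismatches between them, and walks the Received chain from the bottom up to find the first hop’s IP. The `whois_lookup_url` helper only builds an ARIN RDAP URL (URL shape assumed); it does not fetch anything.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers for illustration only; not taken from the room's emails.
# Each MTA prepends its own Received header, so the topmost one is the newest hop.
SAMPLE_HEADERS = """\
Return-Path: <bounce@example-sender.test>
Received: from mx.example-receiver.test (mx.example-receiver.test [203.0.113.10])
    by inbox.example-receiver.test with ESMTPS id abc123
    for <victim@example-receiver.test>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from mail.example-sender.test (unknown [198.51.100.25])
    by mx.example-receiver.test with ESMTP id xyz789;
    Mon, 1 Jan 2024 09:59:58 +0000
From: "Support" <support@example-sender.test>
Reply-To: replies@other-domain.test
To: victim@example-receiver.test
Subject: Your invoice is attached

(body omitted)
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_fields(raw):
    """The three 'who sent this' headers, reduced to bare addresses."""
    msg = message_from_string(raw)
    return {
        "from": parseaddr(msg.get("From", ""))[1],
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1],
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
    }


def originating_ip(raw):
    """IP from the bottom-most Received header, i.e. the earliest hop recorded.
    Hops below the one your own MTA added can be forged by the sender."""
    msg = message_from_string(raw)
    for hop in reversed(msg.get_all("Received", [])):  # oldest hop first
        m = IP_IN_BRACKETS.search(hop)
        if m:
            return m.group(1)
    return None


def header_warnings(raw):
    """Mismatches that are worth a second look in a suspected phish."""
    f = sender_fields(raw)
    warnings = []
    if f["reply_to"] and domain_of(f["reply_to"]) != domain_of(f["from"]):
        warnings.append("Reply-To domain differs from From domain")
    if f["return_path"] and domain_of(f["return_path"]) != domain_of(f["from"]):
        warnings.append("Return-Path domain differs from From domain")
    return warnings


def whois_lookup_url(ip):
    """Where to take the IP next: ARIN's RDAP service (URL shape assumed; not fetched here)."""
    return f"https://rdap.arin.net/registry/ip/{ip}"


if __name__ == "__main__":
    print(sender_fields(SAMPLE_HEADERS))
    print("originating IP:", originating_ip(SAMPLE_HEADERS))
    print("warnings:", header_warnings(SAMPLE_HEADERS))
    print("look up at:", whois_lookup_url(originating_ip(SAMPLE_HEADERS)))
```

On a real message, trust the chain only from the Received header your own mail server wrote; everything below it was supplied by the sending side and a phisher can add fake hops there.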
Task 5: Email Body
Question 1: In the above screenshots, what is the URI of the blocked image?
In the first image look for an image file.
Answer: https://i.imgur.com/lswotdi.png
Question 2: In the above screenshots, what is the name of the PDF attachment?
In the last screenshot you can see the whole PDF file name…
Answer: Payment-updateid.pdf
Question 3: In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF?
Open email2.txt on the VM and save the base64 data to a new file, then decode that file from the terminal:
base64 --decode base64pdf > answer.pdf
Here base64pdf is the file you created containing the base64 data from email2.txt. Open answer.pdf to read the text.
Answer: THM{BENIGN_PDF_ATTACHMENT}
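The room has you copy the base64 out of email2.txt by hand. Here is an added example of doing the same reconstruction programmatically, which is my own code and not part of the room or this walkthrough: it builds a constructed .eml with a tiny PDF attached (the PDF, its filename and the addresses are all made up), decodes the attachment the way a mail client would, checks the `%PDF-` magic bytes instead of trusting the extension, records a SHA-256, and pulls the `(...) Tj` text operands out of the content stream. The text extraction is a heuristic that only handles uncompressed or FlateDecode streams; for anything else use pdftotext or a proper PDF parser.

```python
import base64
import hashlib
import re
import zlib
from email import message_from_string
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# A constructed, minimal PDF with an uncompressed content stream (not the room's attachment).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 56 >>
stream
BT /F1 12 Tf 72 720 Td (CONSTRUCTED{SAMPLE_PDF_TEXT}) Tj ET
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_sample_eml():
    """Assemble a raw .eml whose PDF attachment is base64-encoded, as a mail client would send it."""
    msg = MIMEMultipart()
    msg["From"] = "billing@example-sender.test"
    msg["To"] = "victim@example-receiver.test"
    msg["Subject"] = "Payment update"
    msg.attach(MIMEText("Please review the attached payment update.", "plain"))
    pdf = MIMEApplication(SAMPLE_PDF, "pdf")  # applies Content-Transfer-Encoding: base64
    pdf.add_header("Content-Disposition", "attachment", filename="sample-invoice.pdf")
    msg.attach(pdf)
    return msg.as_string()


def wrap_base64(data):
    """Base64 with the 76-column line wrapping seen in a raw email."""
    return base64.encodebytes(data).decode("ascii")


def decode_base64_blob(text):
    """Decode base64 copied out of an email, tolerating line breaks and stray whitespace."""
    return base64.b64decode(re.sub(r"\s+", "", text), validate=True)


def extract_attachments(raw_eml):
    """Return (filename, decoded bytes) for every attachment part."""
    msg = message_from_string(raw_eml)
    found = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            found.append((part.get_filename(), part.get_payload(decode=True)))
    return found


def looks_like_pdf(data):
    """Check the magic bytes rather than trusting the .pdf extension."""
    return data.startswith(b"%PDF-") and b"%%EOF" in data[-1024:]


def pdf_text_strings(data):
    """Pull '(...) Tj' text operands out of content streams, inflating FlateDecode streams."""
    strings = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        header = data[max(0, m.start() - 256):m.start()]  # the stream dictionary precedes 'stream'
        body = m.group(1)
        if b"/FlateDecode" in header:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue
        strings += [s.decode("latin-1") for s in re.findall(rb"\((.*?)\)\s*Tj", body)]
    return strings


def attachment_report(raw_eml):
    """Per-attachment summary an analyst would record before opening anything."""
    report = []
    for name, data in extract_attachments(raw_eml):
        is_pdf = looks_like_pdf(data)
        report.append({
            "filename": name,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_pdf": is_pdf,
            "text": pdf_text_strings(data) if is_pdf else [],
        })
    return report


if __name__ == "__main__":
    for entry in attachment_report(build_sample_eml()):
        print(entry)
```

The hash is the thing to keep: it lets you check the attachment against VirusTotal or your sandbox without ever opening it, and the magic-byte check catches the common trick of a script or executable renamed to .pdf.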
Task 6: Types of Phishing
Question 1: What trusted entity is this email masquerading as?
I opened email3.eml with Thunderbird, which is installed on the VM. The From field says Home Depot.
Answer: home depot
Question 2: What is the sender’s email?
Answer: support@teckbe.com
Question 3: What is the subject line?
Answer: Order Placed : Your Order ID OD2321657089291 Placed Successfully
Question 4: What is the URL link for – CLICK HERE? (Enter the defanged URL)
I used CyberChef to defang the URL. If you open Internet Explorer on the VM it loads CyberChef by default.
Answer: hxxp[://]t[.]teckbe[.]com/p/?j3=EOowFcEwFHl6EOAyFcoUFVTVEchwFHlUFOo6lVTTDcATE7oUE7AUET==
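Questions like “what is the URL behind CLICK HERE” (this task) and “what is the URI of the blocked image” (Task 5) both come down to pulling targets out of the HTML body and defanging them. As an added example, not code from the room or this walkthrough, the block below parses a constructed HTML body (placeholder domains, not the real email3.eml), maps each link’s visible text to its href, lists image sources, and applies the same defang transform CyberChef’s “Defang URL” does with all options on (dots, http, and ://). The only real data in it is the already-defanged answer quoted above, used to check that defang and refang round-trip.

```python
import re
from html.parser import HTMLParser

# Constructed HTML body for illustration; not the room's email3.eml.
SAMPLE_BODY = """\
<html><body>
<p>Your order <b>ORD-000000</b> has been placed.</p>
<img src="http://cdn.example-phish.test/tracking/pixel.png" alt="">
<p>To review the order <a href="http://track.example-phish.test/p/?id=AbC123">CLICK HERE</a>.</p>
<p><a href="https://www.example-legit.test/">Visit our site</a></p>
</body></html>
"""

# Defanged form the walkthrough quotes from the room (already safe to paste).
ROOM_ANSWER = "hxxp[://]t[.]teckbe[.]com/p/?j3=EOowFcEwFHl6EOAyFcoUFVTVEchwFHlUFOo6lVTTDcATE7oUE7AUET=="


class BodyLinks(HTMLParser):
    """Collect <a href> targets with their visible text, and <img src> URIs."""

    def __init__(self):
        super().__init__()
        self.links = {}    # visible text -> href
        self.images = []   # src values
        self._open = None  # [href, text so far] while inside an <a>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._open = [attrs.get("href", ""), ""]
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])

    def handle_data(self, data):
        if self._open is not None:
            self._open[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            href, text = self._open
            self.links[" ".join(text.split())] = href
            self._open = None


def parse_body(html):
    p = BodyLinks()
    p.feed(html)
    p.close()
    return p.links, p.images


def defang_url(url):
    """Same transform as CyberChef's Defang URL with all options on: dots, http, and ://."""
    url = url.replace(".", "[.]")
    url = re.sub(r"http", "hxxp", url, flags=re.IGNORECASE)
    return url.replace("://", "[://]")


def refang_url(url):
    """Inverse of defang_url, for when a tool needs the live URL back."""
    url = url.replace("[://]", "://")
    url = re.sub(r"hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".")


def defanged_iocs(html):
    """Every link target and image URI in the body, defanged for a report."""
    links, images = parse_body(html)
    return ({text: defang_url(href) for text, href in links.items()},
            [defang_url(u) for u in images])


if __name__ == "__main__":
    links, images = defanged_iocs(SAMPLE_BODY)
    print("CLICK HERE ->", links["CLICK HERE"])
    print("images:", images)
```

Keying the links by their visible text is what makes the “CLICK HERE” question answerable automatically, and it also exposes the classic mismatch where the anchor text shows one domain and the href points at another. Image sources matter for the same reason the room’s blocked image does: a single remote pixel tells the sender the message was opened.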
Task 7: Conclusion
Question: No answer needed
One thought on “TryHackMe Walkthrough – Phishing Analysis Fundamentals”