TryHackMe Walkthrough – The Greenholt Phish

Task 1: Just another day as a SOC analyst

Only one task for this room.

Question 1: What date was the email received? (answer format: M/DD/YY)

I opened the email in Thunderbird.

Answer: 6/10/20

Question 2: Who is the email from?

In the From header…

Answer: Mr. James Jackson

Question 3: What is his email address?

Also in the From header…

Answer: info@mutawamarine.com

Question 4: What email address will receive a reply to this email? 

In the Reply-To header…

Answer: info.mutawamarine@mail.com

Question 5: What is the Originating IP?

Click More, then View Source. Although it says x.x.x.x in a few places for the originating IP, keep looking; it’s in there…

Answer: 192.119.71.157

Question 6: Who is the owner of the Originating IP? (Do not include the “.” in your answer.)

Google “whois” and look up the IP address from the previous answer.

Answer: Hostwinds LLC

Question 7: What is the SPF record for the Return-Path domain?

This requires us to look up the SPF record. We can do this with https://mxtoolbox.com/spf.aspx. If we search for mutawamarine.com there, we receive this back…

Answer: v=spf1 include:spf.protection.outlook.com -all

Question 8: What is the DMARC record for the Return-Path domain?

We can use a different page on the same website to look up this information as well: https://mxtoolbox.com/dmarc.aspx. Search for the same domain.

Answer: v=DMARC1; p=quarantine; fo=1

Question 9: What is the name of the attachment?

We can go back to the email and see this…

Answer: SWT_#09674321____PDF__.CAB

Question 10: What is the SHA256 hash of the file attachment?

Save the file to the desktop. Open terminal and type…

cd Desktop
sha256sum SWT_#09674321____PDF__.CAB

Answer: 2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f

Question 11: What is the attachments file size? (Don’t forget to add “KB” to your answer, NUM KB)

I tried to do this using ls -l, but TryHackMe didn’t like this answer. So I looked up the hash we found earlier and searched for it on VirusTotal. From here we get the correct…

Answer: 400.26 KB

Question 12: What is the actual file extension of the attachment?

According to VirusTotal it is a RAR.

Answer: RAR
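As an added example (not part of the original walkthrough), the Python script below automates the header and attachment checks from Questions 1 to 12 on a constructed .eml: it reads the Date, From, Reply-To, Return-Path and Received headers, flags a Reply-To domain that differs from the From domain, hashes each attachment, reports its size in KB, and identifies the real file type from magic bytes rather than trusting the extension. The domains, IP address and attachment bytes are placeholders, not the room’s real values; the SPF and DMARC lookups are left out because they need live DNS.

```python
import hashlib
import re
from email import policy
from email.headerregistry import Address
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Magic bytes used to identify the real attachment type regardless of its name.
MAGIC = {b"Rar!\x1a\x07": "RAR", b"PK\x03\x04": "ZIP", b"%PDF": "PDF", b"MSCF": "CAB"}

def build_sample() -> bytes:
    # Constructed message modelled on the room's headers (placeholder domains and IP).
    msg = EmailMessage()
    msg["Return-Path"] = "<info@sender.example>"
    msg["Received"] = "from mail.sender.example ([203.0.113.5]) by mx.recipient.example"
    msg["Date"] = "Wed, 10 Jun 2020 09:00:00 +0000"
    msg["From"] = Address("Mr. James Jackson", "info", "sender.example")
    msg["Reply-To"] = "info.sender@mail.example"
    msg.set_content("Please see the attached document.")
    # A RAR signature plus filler stands in for the real archive the room ships.
    msg.add_attachment(b"Rar!\x1a\x07" + b"\x00" * 1024, maintype="application",
                       subtype="octet-stream", filename="SWT_#00000000____PDF__.CAB")
    return msg.as_bytes()

def triage(raw: bytes) -> dict:
    # Extract the fields the room asks for and flag the two phishing tells.
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["From"].addresses[0]
    reply_to = msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else None
    dt = msg["Date"].datetime
    # The earliest hop is the last Received header; its bracketed IP is the origin.
    ips = [m.group(1) for h in msg.get_all("Received", [])
           if (m := re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(h)))]
    report = {
        "received": f"{dt.month}/{dt.day:02d}/{dt:%y}",
        "from_name": sender.display_name, "from_addr": sender.addr_spec,
        "reply_to": reply_to, "originating_ip": ips[-1] if ips else None,
        "return_path_domain": parseaddr(str(msg["Return-Path"]))[1].rsplit("@", 1)[-1],
        "reply_to_mismatch": bool(reply_to) and reply_to.rsplit("@", 1)[-1] != sender.domain,
        "attachments": [],
    }
    for part in msg.iter_attachments():
        data, name = part.get_payload(decode=True), part.get_filename()
        actual = next((t for sig, t in MAGIC.items() if data.startswith(sig)), "unknown")
        claimed = name.rsplit(".", 1)[-1].upper()
        report["attachments"].append({
            "name": name, "sha256": hashlib.sha256(data).hexdigest(),
            "size_kb": round(len(data) / 1024, 2), "claimed_ext": claimed,
            "actual_type": actual, "extension_mismatch": actual not in ("unknown", claimed),
        })
    return report
```

Run triage(build_sample()) to see the report; against the real message you would pass the bytes of the saved .eml instead, and the two mismatch flags are the points a SOC triage should escalate on.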