[Video] ‘Snapped “Phish”-ing Line’ Writeup – Tryhackme

Snapped “Phish”-ing Line

Apply learned skills to probe malicious emails and URLs, exposing a vast phishing campaign.
Task 1 Challenge Scenario

Based on real-world occurrences and past analysis, this scenario presents a narrative with invented names, characters, and events.
Please note: The phishing kit used in this scenario was retrieved from a real-world phishing campaign. Hence, it is advised that interaction with the phishing artefacts be done only inside the attached VM, as it is an isolated environment.

An Ordinary Midsummer Day…

As an IT department personnel of SwiftSpend Financial, one of your responsibilities is to support your fellow employees with their technical concerns. While everything seemed ordinary and mundane, this gradually changed when several employees from various departments started reporting an unusual email they had received. Unfortunately, some had already submitted their credentials and could no longer log in.

You now proceeded to investigate what is going on by:

  1. Analysing the email samples provided by your colleagues.
  2. Analysing the phishing URL(s) by browsing it using Firefox.
  3. Retrieving the phishing kit used by the adversary.
  4. Using CTI-related tooling to gather more information about the adversary.
  5. Analysing the phishing kit to gather more information about the adversary.

Connecting to the machine

Start the virtual machine in split-screen view by clicking the green Start Machine button on the upper right section of this task. If the VM is not visible, use the blue Show Split View button at the top-right of the page. Alternatively, using the credentials below, you can connect to the VM via RDP.

Username damianhall
Password Phish321
IP MACHINE_IP

Note: The phishing emails to be analysed are under the phish-emails directory on the Desktop. Usage of a web browser, text editor and some knowledge of the grep command will help.

Answer the questions below

Who is the individual who received an email attachment containing a PDF?

What email address was used by the adversary to send the phishing emails?

What is the redirection URL to the phishing page for the individual Zoe Duncan? (defanged format)

What is the URL to the .zip archive of the phishing kit? (defanged format)

What is the SHA256 hash of the phishing kit archive?

When was the phishing kit archive first submitted? (format: YYYY-MM-DD HH:MM:SS UTC)

When was the phishing domain that was used to host the phishing kit archive first registered? (format: YYYY-MM-DD)

What was the email address of the user who submitted their password twice?

What was the email address used by the adversary to collect compromised credentials?

The adversary used other email addresses in the obtained phishing kit. What is the email address that ends in “@gmail.com”?

What is the hidden flag?

Leave a Comment