TryHackMe Phishing Emails Module 1 Walkthrough

The TryHackMe Phishing Emails Module 1 is a free room available at https://tryhackme.com/room/phishingemails1tryoe

Introduction

Task 1 Question: No Answer Needed

The Email Address

The invention of email dates back to the 1970s on ARPANET – https://en.wikipedia.org/wiki/ARPANET

Task 2 Question: Email dates back to what time frame?

Task 2 Answer: 1970s

Email Delivery

Task 3 Question 1: What port is classified as Secure Transport for SMTP?

Task 3 Answer 1: 465 – For more information – https://www.agari.com/email-security-blog/smtps-how-to-secure-smtp-with-ssl-tls-which-port-to-use/#:~:text=Port%20587%20and%20465%20are,upgrade%20the%20connection%20through%20TLS.

Task 3 Question 2: What port is classified as Secure Transport for IMAP?

Task 3 Answer 2: 993 – For more information – https://help.dreamhost.com/hc/en-us/articles/215612887-Email-client-protocols-and-port-numbers#:~:text=Secure%20IMAP%20incoming%20and%20outgoing%20configuration&text=This%20is%20secure%20because%20the,to%20use%20these%20secure%20ports.

Task 3 Question 3: What port is classified as Secure Transport for POP3?

Task 3 Answer 3: 995 – For more information: https://www.siteground.com/tutorials/email/protocols-pop3-smtp-imap/#:~:text=POP3%20ports,and%20works%20over%20TLS%2FSSL.

Email Headers

Task 4 Question 1: What email header is the same as “Reply-to”?

Task 4 Answer 1: Return-Path – For more information: https://www.mailgun.com/resources/learn/glossary/return-path/#:~:text=The%20return%2Dpath%20is%20used,separate%20from%20your%20sending%20address.

Task 4 Question 2: Once you find the email sender’s IP address, where can you retrieve more information about the IP?

Task 4 Answer 2: http://www.arin.net

Email Body

Task 5 Question 1: In the above screenshots, what is the URI of the blocked image?

Task 5 Answer 1: https://i.imgur.com/LSWOtDI.png – Look for the URL ending in .png in the snippet of HTML code

Task 5 Question 2: In the above screenshots, what is the name of the PDF attachment?

Task 5 Answer 2: Payment-updateid.pdf – In the screenshot, look for the part whose Content-Type is application/pdf; the filename is given alongside it

Task 5 Question 3:
In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF?

Task 5 Answer 3: THM{BENIGN_PDF_ATTACHMENT} – Paste the base64 data from email2.txt into CyberChef (https://gchq.github.io/CyberChef/) as the Input and use From Base64 as the Recipe.

Types of Phishing

Open the email in Thunderbird to find the answers.

Task 6 Question 1: What trusted entity is this email masquerading as?

Task 6 Answer 1: Home Depot

Task 6 Question 2: What is the sender’s email?

Task 6 Answer 2: support@teckbe.com

Task 6 Question 3: What is the subject line?

Task 6 Answer 3: Order Placed : Your Order ID OD2321657089291 Placed Successfully

Task 6 Question 4: What is the URL link for – CLICK HERE? (Enter the defanged URL)

Task 6 Answer 4: hxxp[://]t[.]teckbe[.]com/p/?j3=EOowFcEwFHl6EOAyFcoUFV=TVEchwFHlUFOo6lVTTDcATE7oUE7AUET==

To defang the URL, replace the http scheme with hxxp, wrap the :// as [://], and replace each . with [.] so the link cannot be clicked or resolved by accident when it is pasted into a report.
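The two manual steps from this room, pulling a base64-encoded attachment out of the raw email (Task 5) and defanging the link behind CLICK HERE (Task 6), as an added Python example that is not part of the room or this walkthrough. The sample message below is constructed for the example; only the attachment filename and the defanged URL checked against it come from the room.

```python
import base64
import email
import re
from email import policy

# Constructed sample (not the room's email2.txt): a multipart message with an HTML
# body link and a base64-encoded attachment, laid out like the ones the room shows.
_PDF_BYTES = b"%PDF-1.4 constructed sample text"
SAMPLE_EMAIL = (
    "From: support@example.test\n"
    "Subject: Payment update\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\n'
    "\n--XYZ\n"
    'Content-Type: text/html; charset="utf-8"\n'
    '\n<html><body><a href="http://t.example.test/p/?j3=abc">CLICK HERE</a></body></html>\n'
    "--XYZ\n"
    'Content-Type: application/pdf; name="Payment-updateid.pdf"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="Payment-updateid.pdf"\n'
    "\n" + base64.b64encode(_PDF_BYTES).decode() + "\n"
    "--XYZ--\n"
)

def extract_attachments(raw: str) -> dict:
    """Map attachment filename -> decoded bytes (decode=True undoes the base64 transfer encoding)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {p.get_filename(): p.get_payload(decode=True)
            for p in msg.walk() if p.get_content_disposition() == "attachment"}

def extract_links(raw: str) -> list:
    """Collect href targets from each text/html part, as raw (not yet defanged) URLs."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [u for p in msg.walk() if p.get_content_type() == "text/html"
            for u in re.findall(r'href="([^"]+)"', p.get_content())]

def defang_url(url: str) -> str:
    """Neutralise a URL for a report: http(s) -> hxxp(s), '://' -> '[://]', '.' -> '[.]'."""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    return url.replace("://", "[://]").replace(".", "[.]")

def refang_url(url: str) -> str:
    """Reverse defang_url so the indicator can be pasted into a lookup tool."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[://]", "://").replace("[.]", ".")

if __name__ == "__main__":
    for name, data in extract_attachments(SAMPLE_EMAIL).items():
        print(name, data[:40])
    print([defang_url(u) for u in extract_links(SAMPLE_EMAIL)])
```

Running it on the room's email2.txt instead of SAMPLE_EMAIL writes out the same bytes CyberChef's From Base64 recipe produces, so the decoded attachment can be inspected without opening it.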

Conclusion

Task 7 Question 1: What is BEC?

Task 7 Answer 1: Business Email Compromise