Welcome to Advent of Cyber 2021

クリスマスまでの25日間、毎日基本的な知識を学び、初心者向けの新しいセキュリティ演習を行うことで、サイバーセキュリティを始めることができます。

day19

本日のテーマはブルーチームです。

マシンに接続し、thinderbirdを開きます。

メールの情報を見ます。

attachment.txtを開きます。base64でデコードされた文字列をエンコードします。

Answer

Who was the email sent to? (Answer is the email address)
elfmcphearson[at]tbfc.com
Phishing emails use similar domains of their targets to increase the likelihood the recipient will be tricked into interacting with the email. Who does it say the email was from? (Answer is the email address)
customerservice[at]t8fc.info
Sometimes phishing emails have a different reply-to email address. If this email was replied to, what email address will receive the email response?
fisher[at]tempmailz.grinch
Less sophisticated phishing emails will have typos. What is the misspelled word?
stright
The email contains a link that will redirect the recipient to a fraudulent website in an effort to collect credentials. What is the link to the credential harvesting website?
http[://]89xgwsnmo5.grinch/out/fishing/
View the email source code. There is an unusual email header. What is the header and its value?
X-GrinchPhish: >;^)
You received other reports of phishing attempts from other colleagues. Some of the other emails contained attachments. Open attachment.txt. What is the name of the attachment?
password-reset-instructions.pdf
What is the flag in the PDF file?
THM{A0C_Thr33_Ph1sh1ng_An4lys!s}