HTB: Easy Phish [OSINT]
The challenge states the following: Customers of secure-startup.com have been receiving some very convincing phishing emails, can you figure out why?
From the challenge text we can assume the following:
- it has something to do with secure-startup.com
- it must be an email thing.
First thing I do when email is involved is to look at the domain SPF records.
So, let's fire up a terminal and see what we get:
> dig secure-startup.com txt
;; ANSWER SECTION:
secure-startup.com. 0 IN TXT "v=spf1 a mx ?all - HTB{RIP_SPF_Always_2nd"
Aaand we got the first part of the flag: HTB{RIP_SPF_Always_2nd
Next we check DKIM and DMARC. I'll skip the DKIM query as I got nothing relevant back from it, but the DMARC record had the second part of the flag.
> dig _dmarc.secure-startup.com txt
;; ANSWER SECTION:
_dmarc.secure-startup.com. 0 IN TXT "v=DMARC1;p=none;_F1ddl3_2_DMARC}"
And there you go. The flag is HTB{RIP_SPF_Always_2nd_F1ddl3_2_DMARC}
The records also answer the challenge question: SPF ends in ?all (neutral, so unlisted senders are neither passed nor failed) and DMARC is p=none (monitor only), so mail forged from secure-startup.com is not rejected by receivers that honour these records.
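As an added example (not part of the original writeup), here is a small checker that parses SPF and DMARC TXT values the way a receiver would and flags the two weaknesses seen above; the sample records are constructed, the first pair copied from the dig output and the second pair a hardened version for contrast.

```python
import re

# Constructed sample records: the first two are the TXT values pulled for
# secure-startup.com in the writeup, the last two are a hardened pair.
SPF_WEAK = "v=spf1 a mx ?all - HTB{RIP_SPF_Always_2nd"
DMARC_WEAK = "v=DMARC1;p=none;_F1ddl3_2_DMARC}"
SPF_STRICT = "v=spf1 mx ip4:203.0.113.10 -all"
DMARC_STRICT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)


def spf_all_qualifier(record):
    """Return the qualifier on the SPF 'all' mechanism ('+', '-', '~', '?'),
    or None if the record is missing, is not SPF, or has no 'all' term."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    for term in record.split():
        m = ALL_TERM.match(term)
        if m:
            return m.group(1) or "+"  # a bare 'all' means '+all' (RFC 7208)
    return None


def dmarc_policy(record):
    """Return the DMARC 'p' tag value, or None if absent or not DMARC."""
    if not record or not record.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:  # tokens without '=' (like the flag tail) are ignored
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags.get("p")


def assess(spf_record, dmarc_record):
    """Return findings explaining why forged mail for the domain gets through."""
    findings = []
    q = spf_all_qualifier(spf_record)
    if q is None:
        findings.append("SPF: no record or no 'all' term, senders are unrestricted")
    elif q in ("+", "?"):
        findings.append(f"SPF: '{q}all' does not reject unlisted senders")
    p = dmarc_policy(dmarc_record)
    if p is None:
        findings.append("DMARC: no record, receivers get no policy for failures")
    elif p == "none":
        findings.append("DMARC: p=none only monitors, failing mail is still delivered")
    return findings
```

Running assess(SPF_WEAK, DMARC_WEAK) yields both findings, while the strict pair yields none.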