HTB: Easy Phish [OSINT]

The challenge states the following: Customers of secure-startup.com have been receiving some very convincing phishing emails, can you figure out why?

From the challenge text we can assume the following:
- it has something to do with secure-startup.com
- it must be an email thing.

First thing I do when email is involved is to look at the domain's SPF records.
So, let's fire up a terminal and see what we get:

> dig secure-startup.com txt
> ;; ANSWER SECTION:
> secure-startup.com.    0     IN    TXT     "v=spf1 a mx ?all - HTB{RIP_SPF_Always_2nd"

Aaand we got the first part of the flag: HTB{RIP_SPF_Always_2nd
Next we check DKIM and DMARC. I'll skip the DKIM query as I got nothing relevant back from it, but the DMARC had the second part of the flag.

> dig _dmarc.secure-startup.com txt
> ;; ANSWER SECTION:
> _dmarc.secure-startup.com. 0    IN      TXT     "v=DMARC1;p=none;_F1ddl3_2_DMARC}"

And there you go. The flag is HTB{RIP_SPF_Always_2nd_F1ddl3_2_DMARC}
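
Why those two records explain the phishing, as an added example that is not part of the original write-up: `?all` makes SPF return neutral for any sender the record does not list, and `p=none` asks receivers to take no action on mail that fails DMARC. The function names are hypothetical, the two sample records are copied from the dig output above, and a record with no `all` mechanism is treated as neutral (the RFC 7208 default, with `redirect=` not handled).

```python
# Added example: audit SPF/DMARC TXT strings for spoofing-friendly settings.
SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_all_result(txt):
    """Result applied to senders not matched earlier; None if not an SPF record."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        qualifier, mech = "+", term          # no prefix means '+'
        if term[0] in SPF_QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech.lower() == "all":
            return SPF_QUALIFIERS[qualifier]
    return "neutral"  # assumption: no 'all' and no redirect= handling

def dmarc_policy(txt):
    """Value of the p= tag, or None if this is not a DMARC record with a policy."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:  # skip fragments that are not tag=value (e.g. the flag text)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p", "").lower() or None

def audit(spf_txt, dmarc_txt):
    """Return a list of findings; an empty list means neither weak setting was found."""
    findings = []
    spf = spf_all_result(spf_txt)
    if spf is None:
        findings.append("SPF: no valid record")
    elif spf in ("neutral", "pass"):
        findings.append(f"SPF: unlisted senders evaluate to {spf}, not fail")
    policy = dmarc_policy(dmarc_txt)
    if policy is None:
        findings.append("DMARC: no valid policy")
    elif policy == "none":
        findings.append("DMARC: p=none requests no action on failing mail")
    return findings

# Records copied from the dig output in this write-up.
SPF_TXT = "v=spf1 a mx ?all - HTB{RIP_SPF_Always_2nd"
DMARC_TXT = "v=DMARC1;p=none;_F1ddl3_2_DMARC}"
# Constructed comparison records with enforcing settings.
STRICT_SPF, STRICT_DMARC = "v=spf1 a mx -all", "v=DMARC1; p=reject"

if __name__ == "__main__":
    print(audit(SPF_TXT, DMARC_TXT))
    print(audit(STRICT_SPF, STRICT_DMARC))
```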
