HTB: Easy Phish [OSINT]

The challenge states the following: Customers of have been receiving some very convincing phishing emails, can you figure out why?

HTB: Easy Phish [OSINT]

From the challenge text we can assume the following:
- it has something to do with
- it must be an email thing.

First thing I do when email is involved is to look at the domain SPF records.
So, let's fire a terminal and see what we go:

> dig txt
> ;; ANSWER SECTION:    0     IN    TXT     "v=spf1 a mx ?all - HTB{RIP_SPF_Always_2nd"

Aaand we got the first part of the flag: HTB{RIP_SPF_Always_2nd
Next we check DKIM and DMARC. I'll skip the DKIM query as I got nothing relevant back from it, but the DMARC had the second part of the flag.

> dig txt
> ;; ANSWER SECTION: 0    IN      TXT     "v=DMARC1;p=none;_F1ddl3_2_DMARC}"

And there you go. The flag is HTB{RIP_SPF_Always_2nd_F1ddl3_2_DMARC}

Mastodon Romania