TryHackMe: The Greenholt Phish Walkthrough (SOC Level 1)

Welcome to this walkthrough of The Greenholt Phish room on TryHackMe. If you have been following along with my SOC Level 1 walkthroughs, you have learned a lot about phishing in the last couple of rooms. In this room we put that knowledge to work and analyse a malicious email in more detail.

Room URL:
https://tryhackme.com/room/phishingemails5fgjlzxc

I am making these walkthroughs to keep myself motivated to learn cyber security, and to make sure I remember the knowledge gained from these challenges on HTB and THM. Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on! This is going to be a long one!



Task 1: Just another day as a SOC Analyst

A Sales Executive at Greenholt PLC received an email that he didn’t expect to receive from a customer. He claims that the customer never uses generic greetings such as “Good day” and didn’t expect any amount of money to be transferred to his account. The email also contains an attachment that he never requested. He forwarded the email to the SOC (Security Operations Center) department for further investigation. 

Investigate the email sample to determine if it is legitimate. 

Deploy the machine attached to this task; it will be visible in the split-screen view once it is ready.

Tip: Open the EML file with Thunderbird. To do so, right-click on the challenge.eml file and select Open With Other Application. From there, scroll down to select Thunderbird Mail and click Open. It may take a few moments to open the application. You will then see the email and its contents appear in the app.

Let’s get started with The Greenholt Phish.

Questions

What is the Transfer Reference Number listed in the email’s Subject?

Go ahead and open the challenge.eml file, and open it with Thunderbird Mail. It should look like this:

Greenholt Phish email

The subject is visible on the window header and on the subject field line. Either way, the reference number is right there.

Answer: 09674321

Who is the email from?

Look at the “From” field. The email is from Mr. James Jackson.

Answer: Mr. James Jackson

What is his email address?

The email address is shown just after the name, between the angle brackets.

Answer: info@mutawamarine.com

What email address will receive a reply to this email? 

This one is in the "Reply-To" header. Note that it is not the same as the From address: replies would go to a mailbox at mail.com rather than to the sender's own domain, which is a common phishing pattern, since the attacker can read the free mailbox but not the spoofed domain's.

Answer: info.mutawamarine@mail.com

What is the Originating IP?

This is the first question we can't answer from the regular email view. We need to look at the source! We do this by going to View -> Message Source, or simply pressing Ctrl+U.

You should now see the source code:

Email Phish source code

There are two Received headers, as you may have noticed. The answer we are looking for is the 192.119.71.157 address, the second one mentioned. Why not the earlier one?

Received: from 10.197.41.148  (EHLO sub.redacted.com) (x.x.x.x) by mta4212.mail.bf1.yahoo.com with SMTP; Wed, 10 Jun 2020 05:58:54 +0000

Reading Received headers is like tracking a package in reverse: every mail server on the path prepends its own Received header, so the topmost one is the last hop (closest to the recipient) and the bottom one is closest to the sender. That makes it easy to confuse an "internal" address with the "true" source.

10.197.41.148 is not the originating IP because it is a private address (RFC 1918 reserves 10.0.0.0/8, along with 172.16.0.0/12 and 192.168.0.0/16). Private addresses are not routable on the public internet, so this is not the address the Yahoo relay saw the connection come from; it is an address internal to whichever network the sending host sat on, and the sending host announced it about itself. What the receiving MTA actually records is the public address of the peer that connected to it, and that is the 192.119.71.157 address.

As a rule: walk the Received chain from the bottom up and take the first public address that a server you trust recorded. Anything the sender writes about itself (EHLO names, claimed addresses, even Received headers it adds before handing the mail off) can be forged.

Anyway, that was a sidetrack. We have the answer.

Answer: 192.119.71.157.
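To make the header logic above concrete, here is a small Python script, added for this walkthrough and not part of the room or the original post, that parses an .eml with the standard library, pulls out the From, Reply-To and Return-Path values the first questions ask about, and walks the Received chain bottom-up while skipping private addresses. The message is a constructed sample modelled on the header quoted above; the redacted connecting address is replaced with the documentation address 203.0.113.57, and the upper hop, host names and domains are made up.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message for this example (not the room's challenge.eml).
# The bottom Received header follows the shape quoted in the walkthrough, with the
# redacted connecting address replaced by a documentation address (203.0.113.57);
# the upper hop, host names and addresses are made up.
SAMPLE_EML = """\
Return-Path: <info@sender.example>
Received: from mta4212.mail.example.net (mta4212.mail.example.net [198.51.100.10])
\tby mx.greenholt.example (Postfix) with ESMTPS;
\tWed, 10 Jun 2020 05:59:01 +0000
Received: from 10.197.41.148  (EHLO sub.redacted.example) (203.0.113.57) by mta4212.mail.example.net with SMTP; Wed, 10 Jun 2020 05:58:54 +0000
From: "Mr. James Jackson" <info@sender.example>
Reply-To: info.sender@mail.example
Subject: SWIFT Transfer Reference: 09674321
Content-Type: text/plain

Good day
"""

# Address space a public relay could not have received a connection from:
# RFC 1918 private ranges, loopback, link-local and their IPv6 counterparts.
# Documentation ranges such as 203.0.113.0/24 are deliberately treated as
# public here so the sample works; in production prefer ip.is_global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# Loose match for IPv4 literals and anything colon-separated (IPv6 candidates).
IP_TOKEN = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F]*:[0-9a-fA-F:]+")


def is_internal(ip):
    # 'in' returns False when address and network versions differ, so mixing is safe.
    return any(ip in net for net in INTERNAL_NETS)


def ips_in(text):
    """Every valid IP literal in a header value, in order of appearance.
    Timestamps such as 05:58:54 match the loose pattern but fail ip_address()
    and are dropped."""
    found = []
    for token in IP_TOKEN.findall(text):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            pass
    return found


def received_hops(msg):
    """Received headers top to bottom: the top one was added last (nearest us)."""
    return [str(h) for h in msg.get_all("Received", [])]


def originating_ip(raw_eml):
    """Walk the chain from the earliest hop (bottom) upwards and return the first
    public address a relay recorded. Private addresses like 10.197.41.148 are
    skipped: they describe the sending host's own LAN, not where the connection
    came from."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    for hop in reversed(received_hops(msg)):
        for ip in ips_in(hop):
            if not is_internal(ip):
                return str(ip)
    return None


def summarize(raw_eml):
    """The header facts the first questions ask for, plus the From/Reply-To
    mismatch that makes a mail like this suspicious."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    return {
        "subject": str(msg.get("Subject", "")),
        "from_name": from_name,
        "from_addr": from_addr,
        "reply_to": reply_to,
        "return_path_domain": return_path.rpartition("@")[2],
        "originating_ip": originating_ip(raw_eml),
        "reply_to_differs": bool(reply_to) and reply_to.lower() != from_addr.lower(),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EML).items():
        print(f"{key:20} {value}")
```

Running it on the real challenge.eml (read the file into a string and pass it to summarize) gives the same fields the first five questions ask for; the Return-Path domain it extracts is the one the SPF and DMARC questions below are about.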

Who is the owner of the Originating IP? (Do not include the “.” in your answer.)

To find this we need to look somewhere else. The owner of an IP address isn't in the email headers; it is in the regional internet registry's WHOIS data, and that is easy to query. We simply need to run:

whois 192.119.71.157

You are also able to use a site like https://www.whatismyip.com/ip-whois-lookup/

Anyway, the owner is Hostwinds LLC, a hosting provider. On its own that proves nothing, since plenty of legitimate mail comes from hosted servers, but it is a data point to line up against the SPF result in the next question: does the sender's domain actually authorise that host?

Answer: Hostwinds LLC

What is the SPF record for the Return-Path domain?

If you followed along with the previous Phishing Prevention room, you will hopefully remember that SPF records are published as TXT records on the domain, and that we can read them on sites such as https://dmarcian.com/spf-survey/ (or straight from DNS with dig TXT mutawamarine.com). If you look up mutawamarine.com you will find the answer below.

Note that the headers also show an SPF "fail", meaning the domain mutawamarine.com has not authorised this specific IP (192.119.71.157) to send email on its behalf. The record only includes spf.protection.outlook.com, i.e. Microsoft 365's outbound servers, and ends in -all, which tells receivers to hard-fail anything else. A Hostwinds host is not on that list. This is a classic indicator of a spoofed or phishing email.

Answer: v=spf1 include:spf.protection.outlook.com -all

What is the DMARC record for the Return-Path domain?

Remember, a DMARC record does not show whether an email has been tampered with (that is what a DKIM signature is for); it tells receiving servers what to do with mail that fails SPF or DKIM alignment, and where to send reports. A great lookup tool we learned about earlier is https://dmarcian.com/domain-checker (the raw record lives at _dmarc.mutawamarine.com, so dig TXT _dmarc.mutawamarine.com works too).

Search for mutawamarine.com again and you will get the answer:

The domain has a valid DMARC record. p=quarantine asks receivers to quarantine (typically spam-folder) mail that fails DMARC rather than reject it outright, and fo=1 asks for a failure report whenever either SPF or DKIM fails. With the SPF fail above, and absent a passing DKIM signature, a receiver honouring this policy should have quarantined the message.

Answer: v=DMARC1; p=quarantine; fo=1
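The lookups above return records; what a receiving server does with them is worth seeing in code. The following Python is an added example, not from the room or the original post: it evaluates an SPF record against a connecting IP the way Received-SPF does, and applies a DMARC policy to the result. DNS is replaced by an in-memory dict of constructed records using made-up domains and documentation addresses, so it runs offline; the record syntax is the same as the real mutawamarine.com records quoted above. Only the ip4, ip6, include and all mechanisms are implemented (which is all those records use), and DKIM verification is out of scope, so the DKIM result is passed in as a boolean.

```python
import ipaddress

# Constructed stand-in for DNS so this runs offline. Domains and addresses are
# made up (documentation ranges); the record syntax matches what dig or dmarcian
# return for a real domain, e.g. the walkthrough's
# "v=spf1 include:spf.protection.outlook.com -all" and "v=DMARC1; p=quarantine; fo=1".
FAKE_TXT = {
    "sender.example": "v=spf1 include:spf.mailhost.example -all",
    "spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "_dmarc.sender.example": "v=DMARC1; p=quarantine; fo=1",
}

# SPF qualifier prefixes and the result they produce when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, txt=FAKE_TXT, depth=0):
    """Evaluate the domain's SPF record against the connecting IP.
    Supports ip4/ip6/include/all; a/mx/ptr/exists are out of scope here and
    yield permerror. Returns pass, fail, softfail, neutral, none or permerror,
    the same vocabulary as a Received-SPF header."""
    if depth > 10:                       # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                    # no SPF published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if "=" in term:                  # modifiers (exp=, redirect=) are ignored in this example
            continue
        qual = "+"                       # a mechanism without a prefix means "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return QUALIFIERS[qual]      # "-all": anything not matched above fails hard
        if mech in ("ip4", "ip6"):
            # 'in' is False across IP versions, so an IPv6 sender never matches ip4:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech == "include":
            # include: matches only if the referenced record would PASS this IP
            if check_spf(arg, sender_ip, txt, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"
    return "neutral"                     # record ran out without an 'all' term


def parse_dmarc(record):
    """Split 'v=DMARC1; p=quarantine; fo=1' into a tag dictionary."""
    tags = {}
    for field in record.split(";"):
        key, _, value = field.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def dmarc_disposition(domain, spf_result, spf_aligned, dkim_pass=False, txt=FAKE_TXT):
    """What a receiver should do with the message under the domain's DMARC policy.
    DMARC passes if SPF passes for an aligned domain OR an aligned DKIM signature
    verifies; otherwise the p= action (none/quarantine/reject) applies."""
    tags = parse_dmarc(txt.get("_dmarc." + domain, ""))
    if tags.get("v") != "DMARC1":
        return "no policy"
    if (spf_result == "pass" and spf_aligned) or dkim_pass:
        return "pass"
    return tags.get("p", "none")


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.57"):
        spf = check_spf("sender.example", ip)
        print(ip, "spf", spf, "-> dmarc", dmarc_disposition("sender.example", spf, True))
```

The second address in the demo plays the role of the Hostwinds host: it is not covered by the included record, so it falls through to -all and fails, and with no DKIM pass the quarantine policy applies. That is exactly the chain of reasoning behind the room's SPF fail and p=quarantine answers.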

What is the name of the attachment?

Take a look at the email source again. The attachment is its own MIME part, starting at the boundary line, and it carries two names: name= on the Content-Type header and filename= on the Content-Disposition header. Mail clients show the Content-Disposition one, which is what the room wants; note that the two differ here by an underscore:

——=NextPart_000_0012_BDB07B06.81B59493
Content-Type: application/octet-stream; name="SWT#09674321____PDF__.CAB"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="SWT_#09674321____PDF__.CAB"

You can of course also look at the attachment in the regular email view:

Answer: SWT_#09674321____PDF__.CAB

What is the SHA256 hash of the file attachment?

Now, maybe you are considering saving the attachment to disk and running sha256sum on it. Well, you shouldn't: the point of analysing a phishing sample is to keep the malicious file somewhere it can't be opened by accident, and on an analysis box that means not even writing it out if you don't have to.

An .eml file is plain text, so the attachment is embedded in it as a block of base64-encoded data. We can hash the file without ever saving it: extract that block, decode it, and pipe the decoded bytes straight into a hashing tool such as sha256sum.

Open the .eml file in a text editor (Notepad++, VS Code or Vim) and find the attachment's MIME part, the one with Content-Transfer-Encoding: base64. After the blank line that ends that part's headers you will see a long run of base64 characters, continuing up to the next boundary line. Copy exactly that block (no headers, no boundary line) into a file:

echo "[Paste_Base64_String_Here]" > base64.txt

Then decode and hash it in one pipeline (GNU base64 accepts the line breaks in the input):

base64 --decode base64.txt | sha256sum

If a character is missed or added, base64 will complain about invalid input, or the resulting hash simply won't exist on VirusTotal; either way, recopy the block. Now you will see the answer.

Answer: 2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f

What is the attachment's file size? (Don't forget to add "KB" to your answer, NUM KB)

We now have the SHA256 hash, which we can use to look the file up on VirusTotal without uploading anything (uploading a sample shares it with every VirusTotal subscriber, which you may not want for a targeted phish). Search for it here:

https://www.virustotal.com/gui/home/search

And you will find:

https://www.virustotal.com/gui/file/2e91c533615a9bb8929ac4bb76707b2444597ce063d84a4b33525e25074fff3f

And voila, on the right side we will get the next two answers:

Answer: 400.26 KB

What is the actual file extension of the attachment?

Final question of the Greenholt Phish. This is an easy one!
On the VirusTotal page, the file type is identified from the file's content (its magic bytes), not from its name. The attachment is a RAR archive, despite the .CAB extension and the "PDF" in the filename; both are there to make it look harmless.

Answer: RAR
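The last three questions (hash, size and real type) can be answered in one pass without saving the attachment, which is how a SOC would script it. This Python is an added example, not the room's material or the author's own method: it parses a constructed multipart message carrying the same name/filename headers as the part quoted above, decodes the base64 in memory, hashes it, reports the size the way VirusTotal does (1024-byte KB, an assumption), and compares the magic bytes with the claimed .CAB extension. The attachment is a constructed 1 KB blob beginning with the RAR v4 signature, so its hash and size are not the room's.

```python
import base64
import email
import hashlib
from email import policy

# File signatures (magic bytes) to compare against the extension a name claims.
# Constructed list covering the formats relevant to this sample.
MAGIC = [
    (b"Rar!\x1a\x07\x01\x00", "RAR"),   # RAR v5
    (b"Rar!\x1a\x07\x00", "RAR"),       # RAR v4
    (b"MSCF", "CAB"),                   # Microsoft Cabinet, what the name claims
    (b"%PDF", "PDF"),
    (b"PK\x03\x04", "ZIP"),
    (b"MZ", "EXE"),
]

# Constructed attachment: a RAR v4 signature followed by zero padding, 1024 bytes.
# The real room attachment is about 400 KB and is not included here.
SAMPLE_PAYLOAD = b"Rar!\x1a\x07\x00" + b"\x00" * (1024 - 7)


def build_sample_eml(payload=SAMPLE_PAYLOAD):
    """A minimal multipart message with the attachment base64-encoded, using the
    same name= / filename= headers as the part quoted in the walkthrough."""
    b64 = base64.encodebytes(payload).decode("ascii")   # wrapped at 76 chars like a real MTA
    return (
        'From: "Mr. James Jackson" <info@sender.example>\n'
        "Subject: SWIFT Transfer Reference: 09674321\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="example-boundary"\n'
        "\n"
        "--example-boundary\n"
        "Content-Type: text/plain\n"
        "\n"
        "Good day\n"
        "--example-boundary\n"
        'Content-Type: application/octet-stream; name="SWT#09674321____PDF__.CAB"\n'
        "Content-Transfer-Encoding: base64\n"
        'Content-Disposition: attachment; filename="SWT_#09674321____PDF__.CAB"\n'
        "\n" + b64 +
        "--example-boundary--\n"
    )


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def detect_type(data):
    """Real format from the leading bytes; 'unknown' if no signature matches."""
    for signature, label in MAGIC:
        if data.startswith(signature):
            return label
    return "unknown"


def analyze_attachments(raw_eml):
    """Hash, size and real type of every attachment, decoded in memory only."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)          # base64 -> bytes, never written to disk
        filename = part.get_filename() or "(unnamed)"  # Content-Disposition filename= wins over name=
        declared = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
        detected = detect_type(data)
        results.append({
            "filename": filename,
            "declared_ext": declared,
            "detected_type": detected,
            "extension_mismatch": detected != "unknown" and detected != declared,
            "sha256": sha256_hex(data),
            "size_bytes": len(data),
            "size_kb": round(len(data) / 1024, 2),     # VirusTotal-style KB (1024 bytes), an assumption
        })
    return results


if __name__ == "__main__":
    for attachment in analyze_attachments(build_sample_eml()):
        for key, value in attachment.items():
            print(f"{key:20} {value}")
```

Point analyze_attachments at the real challenge.eml (read it into a string) and the sha256 field is what you paste into VirusTotal; the extension_mismatch flag is the scripted version of the "it says .CAB but it is a RAR" observation, and it is a cheap detection to run over every attachment a mail gateway sees.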


Congratulations on completing The Greenholt Phish !!!

Congratulations on completing The Greenholt Phish. I found this to be a really great practice room for getting some experience with email analysis. I don’t know about you, but I learned a lot!

Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox, and other Cybersecurity discussions.

Find my other TryHackMe SOC Level 1 Path walkthroughs here.

Find my other walkthroughs here.

Like my articles?

You are welcome to comment on this post, or share my post with friends. I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
