SANS Holiday Hack 2023

Phish Detection Agency

Location - Film Noir Island: The Blacklight District


Last updated 1 year ago

Challenge Description

The goal of this challenge is to go through an inbox and mark emails as either phishing or safe!

Solution

To solve this challenge, we compare each email against the records that we have and mark those that are phishing as such.

This email, for example, failed DMARC, and we can see that it was actually sent from anotherdomain.com.

For this phishing email, the headers show that it fails DMARC, is from "unauthorizedsource.com" AND has an invalid DKIM signature.

The next one is trickier. Even though the sender appears to be from geeseislands, the DKIM signature was altered and the email failed DMARC.

Here's another sneaky one. The email appears to pass DMARC, and has a b parameter in the DKIM section that looks the same as other legit emails. But closer inspection shows that the d parameter in DKIM is set to unauthorized.com and that the email was received from that domain.

We were provided organizational information regarding SPF, DMARC, and DKIM records. A good resource for these types of records can be found here.
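The header checks used in the solution above, written as an added Python example (not part of the original write-up or the challenge itself). The organisational domain `geeseislands.com`, the use of an `Authentication-Results` header for the DMARC verdict, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG = "geeseislands.com"  # assumed organisational domain

def aligned(domain, org=ORG):
    """True if domain is the org domain or one of its subdomains."""
    domain = domain.lower().strip(" .<>")
    return domain == org or domain.endswith("." + org)

def phishing_reasons(raw, org=ORG):
    """Return the header findings that mark a message as phishing ([] if none)."""
    msg = message_from_string(raw)
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not aligned(sender, org):
        reasons.append(f"From domain {sender} is not {org}")
    # DMARC verdict recorded by the receiving server; anything but pass is a finding
    verdict = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""), re.I)
    if not verdict or verdict.group(1).lower() != "pass":
        reasons.append("DMARC did not pass")
    # DKIM-Signature is a ';'-separated tag list; d= names the signing domain
    pairs = (t.split("=", 1) for t in msg.get("DKIM-Signature", "").split(";") if "=" in t)
    tags = {k.strip(): v.strip() for k, v in pairs}
    if not aligned(tags.get("d", ""), org):
        reasons.append(f"DKIM d={tags.get('d', '<missing>')} is not {org}")
    # Each Received header starts with the host that handed the message over
    for hop in msg.get_all("Received", []):
        host = re.match(r"\s*from\s+(\S+)", hop, re.I)
        if host and not aligned(host.group(1), org):
            reasons.append(f"Received from {host.group(1)}")
    return reasons

# Constructed sample headers (not taken from the challenge inbox)
LEGIT = (
    "From: Alice <alice@geeseislands.com>\n"
    "Received: from mail.geeseislands.com by mx.geeseislands.com\n"
    "Authentication-Results: mx.geeseislands.com; dmarc=pass\n"
    "DKIM-Signature: v=1; a=rsa-sha256; d=geeseislands.com; s=default; b=QUJDRA==\n"
    "Subject: Quarterly report\n\nbody\n"
)
# Passes DMARC at a glance, but the signing and sending domain is not ours
SNEAKY = LEGIT.replace("d=geeseislands.com", "d=unauthorized.com").replace(
    "from mail.geeseislands.com", "from unauthorized.com")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("sneaky", SNEAKY)):
        print(name, phishing_reasons(raw))
```

The second sample mirrors the last case in the write-up: a passing DMARC verdict alone is not enough, so the DKIM `d=` tag and the `Received` host are checked independently.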