Easy Phish is an Open Source Intelligence (OSINT) challenge on hackthebox.eu, in which the challenge flag is recovered from publicly available information. This walk-through provides step-by-step instructions on how that flag can be obtained.

Customers of secure-startup.com have been receiving some very convincing phishing emails, can you figure out why?

With the challenge brief above, three main points can be identified:

  1. The scope of the target is secure-startup.com domain and/or other related entities.
  2. The issue is related to emails.
  3. The type of attack at hand is a phishing attack.

With the points above, one of the first steps is to google how email phishing can be prevented on a domain, using the search term ‘prevent phishing domain’.

After clicking on the first link, Microsoft suggests implementing Domain-based Message Authentication, Reporting, and Conformance (DMARC) and mentions other related technologies such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Great, we now have some DNS records which we can look up for the domain to see whether they have been implemented properly.

After googling ‘DMARC record lookup’ I came across dmarcanalyzer.com which gave the following information:

With the information above, we can identify two valid tags. However, there is also an unknown tag that looks like it could be the second half of a flag, because its value ends in ‘}’; we will store this in our notes for now. With no other information left to extract from the DMARC results, we will now do an SPF record check and see what information may be available to us there.

Using a similar search term to the DMARC one, we google ‘SPF record lookup’, which turns up various tools, such as mxtoolbox.com, which gives the following output:

With the output above, we now have the first part of the flag which, combined with the second part from the DMARC record, gives us the complete flag of:

This challenge encourages users to look at publicly available information for intelligence gathering, in order to determine where a fault may lie in a system. The same information can be used by a blue team to secure a system or by a red team to try to breach it.
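As an added example, not part of the original walkthrough, here is a small Python checker for the two record types consulted above: it splits a DMARC record into its tags and reports any tag that RFC 7489 does not define (the way the unrecognised tag stood out above), and parses an SPF record the same way, flagging weak settings such as p=none or +all. The records in the block are constructed samples, not secure-startup.com's real ones.

```python
import re
# Tags defined by RFC 7489 (DMARC) and terms defined by RFC 7208 (SPF); anything else is reported.
DMARC_TAGS = {"v", "p", "sp", "adkim", "aspf", "pct", "rua", "ruf", "fo", "rf", "ri"}
SPF_TERMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists", "redirect", "exp"}

# Constructed sample records (not the real secure-startup.com records); the trailing tag mimics an unrecognised one.
DMARC_SAMPLE = "v=DMARC1; p=none; rua=mailto:dmarc@example.com; flag=SAMPLE_SECOND_HALF}"
SPF_SAMPLE = "v=spf1 a mx include:_spf.example.com +all"

def parse_dmarc(record):
    """Return (tags, unknown): every tag=value pair, and the subset RFC 7489 does not define."""
    tags = {}
    for part in record.split(";"):
        name, _, value = part.strip().partition("=")
        if name:                                   # skip empty parts, e.g. after a trailing ';'
            tags[name.strip().lower()] = value.strip()
    unknown = {k: v for k, v in tags.items() if k not in DMARC_TAGS}
    return tags, unknown

def dmarc_findings(tags):
    """Weak settings a defender would flag in a parsed DMARC record."""
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none: spoofed mail is only reported, never quarantined or rejected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings

def parse_spf(record):
    """Return (terms, unknown): one (qualifier, name, argument) per term, plus undefined terms."""
    terms, unknown = [], []
    for token in record.split():
        if token.lower() == "v=spf1":
            continue
        qualifier = token[0] if token[0] in "+-~?" else "+"   # qualifier defaults to '+' (pass)
        body = token.lstrip("+-~?")
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()  # term name before ':', '=' or '/'
        arg = body[len(name):].lstrip(":=")
        if name not in SPF_TERMS:
            unknown.append(token)
        terms.append((qualifier, name, arg))
    return terms, unknown

def spf_findings(terms):
    """Flag an SPF record whose 'all' lets any host send, or that has no 'all' term."""
    alls = [q for q, name, _ in terms if name == "all"]
    if not alls:
        return ["no 'all' term: unlisted senders get a neutral result, not a failure"]
    return ["+all: any host on the internet may send as this domain"] if alls[-1] == "+" else []
```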