Easy Phish
We have this challenge description:
Customers of secure-startup.com have been receiving some very convincing phishing emails, can you figure out why?
DNS enumeration
First, we can try to enumerate secure-startup.com using several DNS records (more information here) and dig.
The TXT record outputs a part of the flag:
$ dig secure-startup.com TXT
; <<>> DiG 9.10.6 <<>> secure-startup.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48771
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;secure-startup.com. IN TXT
;; ANSWER SECTION:
secure-startup.com. 1800 IN TXT "v=spf1 a mx ?all - HTB{RIP_SPF_Always_2nd"
;; Query time: 55 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Wed Dec 21 12:15:00 CET 2022
;; MSG SIZE rcvd: 101
SPF and DMARC
We see that it is related to SPF (Sender Policy Framework). After reading some information on Wikipedia, we see that it is an email-authentication standard used to prevent spammers from sending messages that appear to come from a spoofed domain: the domain owner publishes, in a TXT record, which hosts are allowed to send mail for the domain, and the final "all" mechanism says what receivers should do with everything else. Here the record ends in "?all", the neutral qualifier, so SPF expresses no opinion about unlisted senders and a spoofed message is not rejected. There are other protocols related to SPF, which are DKIM and DMARC.
DMARC policies are also published as TXT records, under the _dmarc subdomain. If we query that record, we will see the last part of the flag:
$ dig _dmarc.secure-startup.com TXT
; <<>> DiG 9.10.6 <<>> _dmarc.secure-startup.com TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53309
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_dmarc.secure-startup.com. IN TXT
;; ANSWER SECTION:
_dmarc.secure-startup.com. 1232 IN TXT "v=DMARC1;p=none;_F1ddl3_2_DMARC}"
;; Query time: 60 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Wed Dec 21 12:30:10 CET 2022
;; MSG SIZE rcvd: 99
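The two records above are what a receiver evaluates before deciding whether a message claiming to come from secure-startup.com is trustworthy. The following Python is an added example, not part of the original write-up: it parses an SPF record and a DMARC record into their mechanisms and tags and reports the settings that leave a domain open to spoofing (a neutral or pass "all", a missing "all", a DMARC p=none, no reporting address). The sample records are constructed from the dig output on this page with the flag fragments removed, since those are not part of either policy's grammar; a hardened pair of records is evaluated alongside for comparison.

```python
"""Parse SPF and DMARC TXT records and flag settings that do not stop spoofing."""
import re

# Constructed sample: the page's records with the HTB flag fragments stripped.
SAMPLE_RECORDS = {
    "secure-startup.com": "v=spf1 a mx ?all",
    "_dmarc.secure-startup.com": "v=DMARC1;p=none;",
}

# Meaning of the qualifier that may prefix an SPF mechanism (RFC 7208).
SPF_QUALIFIER_MEANING = {
    "+": "pass (any sender is accepted)",
    "-": "fail (unlisted senders are rejected)",
    "~": "softfail (mail is marked but still accepted)",
    "?": "neutral (no opinion, treated like no SPF at all)",
}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples plus modifiers."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        if "=" in term:                      # modifiers use '=', e.g. redirect=, exp=
            key, value = term.split("=", 1)
            modifiers[key.lower()] = value
            continue
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")   # e.g. ip4:192.0.2.0/24, include:_spf.example
        mechanisms.append((qualifier, name.lower(), arg))
    return {"mechanisms": mechanisms, "modifiers": modifiers}


def parse_dmarc(record):
    """Split a DMARC record (tag=value pairs separated by ';') into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record, dmarc_record):
    """Return a list of human-readable findings; an empty list means nothing weak was found."""
    findings = []
    spf = parse_spf(spf_record)
    # The qualifier on "all" decides the fate of every sender not matched earlier.
    all_qualifier = next((q for q, name, _ in spf["mechanisms"] if name == "all"), None)
    if all_qualifier is None and "redirect" not in spf["modifiers"]:
        findings.append("SPF: no 'all' mechanism, so unlisted senders get the default neutral result")
    elif all_qualifier in ("+", "?"):
        findings.append(f"SPF: '{all_qualifier}all' means {SPF_QUALIFIER_MEANING[all_qualifier]}; spoofed mail is not rejected")
    elif all_qualifier == "~":
        findings.append("SPF: '~all' softfail; rejection depends on receiver heuristics and on DMARC")

    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p' tag")
    elif policy == "none":
        findings.append("DMARC: p=none is monitor-only; mail failing SPF/DKIM alignment is still delivered")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so the owner never receives aggregate reports about abuse")
    return findings


if __name__ == "__main__":
    print("secure-startup.com (records from the write-up):")
    for finding in assess(SAMPLE_RECORDS["secure-startup.com"],
                          SAMPLE_RECORDS["_dmarc.secure-startup.com"]):
        print("  -", finding)
    print("hardened example (constructed):")
    hardened = assess("v=spf1 mx -all", "v=DMARC1;p=reject;rua=mailto:dmarc@example.com")
    print("  -", hardened or "no findings")
```

Run against the page's records the script reports three findings (neutral "?all", p=none, no reporting address), which together are the answer to the challenge question: neither SPF nor DMARC tells receivers to reject mail that fakes the domain. The hardened pair ("-all" with p=reject and a rua address) produces no findings.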
Flag
The SPF record ends in "?all" (neutral) and the DMARC policy is "p=none" (monitor only), so neither mechanism causes mail that spoofs the domain to be rejected, which is why the phishing emails look convincing. So, the flag is:
HTB{RIP_SPF_Always_2nd_F1ddl3_2_DMARC}