Skip to content

Latest commit

 

History

History
 
 

[Medium] Phreaky

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
Assets
Assets
 
 
release
release
 
 
README.md
README.md
 
 

README.md

Phreaky

1st March 2024 / Document No. D24.102.XX

Prepared By: sebh24

Challenge Author(s): sebh24

Difficulty: Easy

Classification: Official

Synopsis

Phreaky is an easy forensics challenge involving detecting SMTP exfiltration and reconstructing the exfiltrated file to retrieve the flag.

Description

In the shadowed realm where the Phreaks hold sway, A mole lurks within leading them astray. Sending keys to the Talents, so sly and so slick, A network packet capture must reveal the trick. Through data and bytes, the sleuth seeks the sign, Decrypting messages, crossing the line. The traitor unveiled, with nowhere to hide, Betrayal confirmed, they'd no longer abide.

Skills Required

  • Familiarity with network protocol analyzers

Skills Learned

  • Detecting SMTP exfiltration
  • Analyzing the SMTP protocol
  • Reconstructing files

Enumeration

Enter the artifacts provided along with their file hash here.

  • phreaky.pcap

Analysis

We are provided with a pcap and a scenario to locate the insider threat within the Phreaks. As per any packet capture we import into the Brim tool initially to locate the conversations and hosts within the packet capture.

image-20240307210526796

image-20240307210539350

image-20240307210553102

We see a large array of traffic, particularly a large amount on port 25 (SMTP). Delving into the File Activity tab we locate numerous zip files, seemingly sent as hash values.

image-20240307210648805

Selecting the Wireshark symbol, we are open to locate the specific PCAPs within Wireshark and view the TCP stream.

image-20240307210826562

It seems the files themselves are files sent via emails from Caleb within the Phreaks to the resources email within The Talents. This looks like a potential insider threat to me. Interestingly they also have a password associated with the email.

Solution

We next import our PCAP into Network Miner, which extracts the email & zip files into a folder and we can import each of them into an email client.

image-20240307211242055

We are able to view each email is associated with a password and the password decompresses the relevant zip file. This indicates Caleb attempted to avoid detection by sending the specific file in zipped chunks.

image-20240307211425321

We now have unzipped all the zip files sent via email.

image-20240307211518078

The files look to be in 15 parts, which we can join utilizing fjoiner.exe:

image-20240307211611787

And the flag is located!

image-20240307211632474