~$ Advent of Cyber 2022 - Day 6
Question 1
What is the email address of the sender?
We look at the `.eml` file for details, specifically the `From:` header.
![Screenshot of the .eml file.](assets/images/walkthrough/thm/aoc-2022/day06/1.png)
Answer: chief.elf@santaclaus.thm
Question 2
What is the return address?
We look at the `Return-Path:` header.
Answer: murphy.evident@bandityeti.thm
Question 3
On whose behalf was the email sent?
Once more, we look at the `From:` header.
Answer: Chief Elf
Question 4
What is the X-spam score?
We look at the `X-Pm-Spamscore:` header.
Answer: 3
Question 5
What is hidden in the value of the Message-ID field?
We get the value in the field, notice it is base64 encoded, and get the decoded string using `echo -n "QW9DMjAyMl9FbWFpbF9BbmFseXNpcw==" | base64 -d`.
![Screenshot of a base64decode operation](assets/images/walkthrough/thm/aoc-2022/day06/5.png)
Answer: AoC2022_Email_Analysis
Question 6
Visit the email reputation check website provided in the task. What is the reputation result of the sender's email address?
![Screenshot of the email reputation website.](assets/images/walkthrough/thm/aoc-2022/day06/6.png)
Answer: RISKY
Question 7
Check the attachments. What is the filename of the attachment?
We process the `.eml` file using `emlAnalyzer` like so: `emlAnalyzer -i Urgent\:.eml --header --html -u --text --extract-all` (make sure to be in the same directory as the `.eml` file).
Then look under `Attachment Extracting`.
![Screenshot of emlAnalyzer](assets/images/walkthrough/thm/aoc-2022/day06/7.png)
Answer: Division_of_labour-Load_share_plan.doc
Question 8
What is the hash value of the attachment?
We simply take the extracted file at `$PWD/eml_attachments/Division_of_labour-Load_share_plan.doc` and use `sha256sum` like so:
`sha256sum eml_attachments/Division_of_labour-Load_share_plan.doc`
![Screenshot of a SHA calculation.](assets/images/walkthrough/thm/aoc-2022/day06/8.png)
Answer: 0827bb9a2e7c0628b82256759f0f888ca1abd6a2d903acdb8e44aca6a1a03467
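The header checks from questions 1 to 8 carried out programmatically, as an added example that is not part of the original walkthrough or the room: it uses Python's standard `email` module on a constructed `.eml` whose header values mirror the ones above (the attachment body is a placeholder, so its hash is not the room's), and it also flags the From/Return-Path domain mismatch that the answers to questions 1 and 2 reveal.

```python
import base64
import hashlib
from email import policy
from email.parser import BytesParser

# Constructed sample .eml (not the room's file): header values follow the
# walkthrough, the attachment body is a placeholder, so its hash differs.
SAMPLE_EML = b"""From: Chief Elf <chief.elf@santaclaus.thm>
Return-Path: <murphy.evident@bandityeti.thm>
Message-ID: <QW9DMjAyMl9FbWFpbF9BbmFseXNpcw==@bandityeti.thm>
X-Pm-Spamscore: 3
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached plan.
--b1
Content-Type: application/msword; name="Division_of_labour-Load_share_plan.doc"
Content-Disposition: attachment; filename="Division_of_labour-Load_share_plan.doc"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBkb2N1bWVudA==
--b1--
"""


def triage_eml(raw: bytes) -> dict:
    """Extract the fields the walkthrough reads by hand from a raw .eml."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    sender = msg["From"].addresses[0]  # display name and addr_spec (Q1, Q3)
    return_path = str(msg["Return-Path"]).strip().strip("<>")  # bounce address (Q2)
    # The Message-ID local part carries base64; '@' never occurs in base64 (Q5)
    mid_local = str(msg["Message-ID"]).strip().strip("<>").split("@", 1)[0]
    # Decode each attachment's transfer encoding and hash the raw bytes,
    # which is what sha256sum sees after emlAnalyzer extracts the file (Q7, Q8)
    attachments = [
        (part.get_filename(), hashlib.sha256(part.get_payload(decode=True)).hexdigest())
        for part in msg.iter_attachments()
    ]
    return {
        "sender_name": sender.display_name,
        "sender_addr": sender.addr_spec,
        "return_path": return_path,
        "spam_score": int(str(msg["X-Pm-Spamscore"]).strip()),  # Q4
        "hidden_message_id": base64.b64decode(mid_local).decode(),
        # From/Return-Path domain mismatch is the spoofing indicator the room turns on
        "envelope_mismatch": sender.addr_spec.rsplit("@", 1)[1] != return_path.rsplit("@", 1)[1],
        "attachments": attachments,
    }
```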
Question 9
Visit the Virus Total website and use the hash value to search. Navigate to the behaviour section. What is the second tactic marked in the Mitre ATT&CK section?
After pasting the hash in VT, we need to go to the `BEHAVIOR` tab and scroll down to find the MITRE ATT&CK Tactics and Techniques section.
![Screenshot of VirusTotal](assets/images/walkthrough/thm/aoc-2022/day06/9.png)
Answer: Defense Evasion
Question 10
Visit the InQuest website and use the hash value to search. What is the subcategory of the file?
After pasting the hash in InQuestLabs, we get a reference to the documentation for a malicious file. By clicking on this reference, we find the subcategory:
![Screenshot of InQuestLabs](assets/images/walkthrough/thm/aoc-2022/day06/10.png)
Answer: macro_hunter