Phishing Analysis 2 — BTLO Lab Solving

R3DW4N 4HM3D
4 min read · Oct 17, 2024


Assalamu Alaikum Wa Rahmatullah. How are you, hackers? May Allah bless me and you.

Today I am writing this blog/article after solving Phishing Analysis 2. I wrote it based on how I solved this lab.

Before reading this, try to solve the lab yourself. If you get stuck, then come here for help.

Ok, now let's move on to the lab.

First, read the scenario:

Put your phishing analysis skills to the test by triaging and collecting information about a recent phishing campaign.

Before moving on to solving the lab, let's list the tools used to solve it.

  1. Text Editor (Sublime Text)
  2. Thunderbird
  3. CyberChef

Now let's move on to the first question.

First download the assets and extract them. The password is: btlo.

What is the sending email address?

Answer :

amazon@zyevantoby.cn

Note : Open the .eml file in a text editor. I used Sublime. Now move to the answer. When I looked at the question I saw it asked for an email address, so I searched for “@” and got the answer. Or you can search for “From” and you will find the answer.

What is the recipient email address?

Answer :

saintington73@outlook.com

Note : Look at the first answer. You will find this answer on the next line.

What is the subject line of the email?

Answer :

Your Account has been locked

Note : Search for “Subject” and you will get the answer.

What company is the attacker trying to imitate?

Answer :

Amazn

Note : Look at the previous answer. In the From header, you will find the answer.

What is the date and time the email was sent? (As copied from a text editor)

Answer :

Wed, 14 Jul 2021 01:40:32 +0900

Note : Look for “Date” and you will find the answer.

What is the URL of the main call-to-action button?

Answer :

https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Famaozn.zzyuchengzhika.cn%2F%3Fmailtoken%3Dsaintington73%40outlook.com&data=04%7C01%7C%7C70072381ba6e49d1d12d08d94632811e%7C84df9e7fe9f640afb435aaaaaaaaaaaa%7C1%7C0%7C637618004988892053%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=oPvTW08ASiViZTLfMECsvwDvguT6ODYKPQZNK3203m0%3D&reserved=0

Note : To find the answer, open the file in Thunderbird. In the email you will see a button, “Review Account”. Right-click on the button, click on “Copy Link Location”, and the link is the answer.

Look at the URL using URL2PNG. What is the first sentence (heading) displayed on this site? (regardless of whether you think the site is malicious or not)

Answer :

This web page could not be loaded.

Note : First go to the https://www.url2png.com/ website and paste the malicious link, or click on the email’s “Review Account” button, and you will find the answer.

When looking at the main body content in a text editor, what encoding scheme is being used?

Answer :

base64

Note : Go back to Sublime and search for “Encoding” (it matches the Content-Transfer-Encoding header) and you will find the answer.

What is the URL used to retrieve the company’s logo in the email?

Answer :

https://images.squarespace-cdn.com/content/52e2b6d3e4b06446e8bf13ed/1500584238342-OX2L298XVSKF8AO6I3SV/amazon-logo?format=750w&content-type=image%2Fpng

Note : For this answer I used CyberChef. Copy the base64-encoded text and paste it into the CyberChef website. Select “From Base64” and decode it. After that, search for “Logo”. Or you can copy the decoded text, go to the Sublime text editor, create a file with the .html extension, paste the decoded text, search for “Logo”, and you get the answer.

For some unknown reason one of the URLs contains a Facebook profile URL. What is the username (not necessarily the display name) of this account, based on the URL?

Answer :

amir.boyka.7

Note : Go back to the base64-decoded output, search for “facebook.com”, look for “originalSrc”, and you will find the answer.
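The whole walkthrough above can be scripted. This is an added example, not code from the original post: it parses a constructed .eml (the header values mirror the lab's answers, while the HTML body, CDN host and Facebook username are placeholders) with Python's standard library and pulls out each field the questions ask for, including the real destination hidden in the `url=` parameter of the Safe Links wrapper around the “Review Account” link, so the target can be read without visiting it.

```python
"""Triage a phishing .eml: headers, body encoding, embedded URLs, Safe Links target."""
import base64
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import parse_qs, urlparse

# Constructed sample, not the lab's real file. Header values mirror the lab's
# answers; the HTML body, CDN host and Facebook username are placeholders.
_HTML = b"""<html><body>
<img alt="Logo" src="https://cdn.example.invalid/amazon-logo?format=750w">
<a href="https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Famaozn.zzyuchengzhika.cn%2F%3Fmailtoken%3Dsaintington73%40outlook.com&data=04%7C01&reserved=0">Review Account</a>
<img originalSrc="https://www.facebook.com/placeholder.user.1" src="cid:fb">
</body></html>"""
SAMPLE_EML = (
    'From: "Amazn" <amazon@zyevantoby.cn>\n'
    "To: saintington73@outlook.com\n"
    "Subject: Your Account has been locked\n"
    "Date: Wed, 14 Jul 2021 01:40:32 +0900\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(_HTML).decode()  # body is one base64 blob, as in the lab
)


def unwrap_safelinks(url: str) -> str:
    """Return the destination wrapped by Outlook Safe Links, or the URL unchanged."""
    parts = urlparse(url)
    if (parts.hostname or "").endswith(".safelinks.protection.outlook.com"):
        target = parse_qs(parts.query).get("url")  # parse_qs also percent-decodes
        if target:
            return target[0]
    return url


def triage(raw_eml: str) -> dict:
    """Pull the fields the lab questions ask for out of a raw .eml string."""
    msg = message_from_string(raw_eml)
    html = msg.get_payload(decode=True).decode("utf-8", "replace")  # undoes base64
    urls = re.findall(r'(?:href|src|originalSrc)="([^"]+)"', html)  # document order
    return {
        "from_name": parseaddr(msg["From"])[0],  # the brand being imitated
        "from_addr": parseaddr(msg["From"])[1],
        "to": msg["To"], "subject": msg["Subject"], "date": msg["Date"],
        "encoding": msg.get("Content-Transfer-Encoding", "").lower(),
        "logo": next((u for u in urls if "logo" in u.lower()), None),
        "facebook_user": next((urlparse(u).path.strip("/") for u in urls
                               if (urlparse(u).hostname or "").endswith("facebook.com")), None),
        "cta_targets": [unwrap_safelinks(u) for u in urls if unwrap_safelinks(u) != u],
    }
```

Run `triage(SAMPLE_EML)` on the constructed message, or pass the contents of the lab's .eml file read as a string, and compare each key with the answers above.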

Congratulations!!! You successfully solved the lab.

Thanks for reading. I hope this article/blog helps you. If you have any questions or doubts, feel free to ask. And please follow me on Medium; it’s free and you can always change your mind.

Here are my social links:

Linkedin : https://www.linkedin.com/in/r3dw4n4hm3d/

GitHub : https://github.com/r3dw4n48m3d

Website : https://r3dw4n48m3d.github.io/Portfolio/

YouTube : https://www.youtube.com/@R3DW4NA8M3D
