Phishing Analysis — BTLO Lab Solving
Assalamu Alaikum Wa Rahmatullah. How are you, hackers? May Allah bless me and you.
Today I am writing this blog/article after solving the Phishing Analysis lab. I wrote it based on how I solved the lab.
Before reading this, try to solve the lab yourself. If you get stuck, then come here for help.
OK, now let's move on to the lab.
First, read the scenario.
A user has received a phishing email and forwarded it to the SOC. Can you investigate the email and attachment to collect useful artifacts?
First, download the asset and extract it. The password is: btlo.
When I looked at the BTLO.txt file, there was nothing crazy in it.
Before moving on to solving the lab, let's list the tools used to solve it (each one is named again in the notes below):
Sublime Text : text editor for reading the .eml files and searching headers
Thunderbird : email client for opening the attached .eml and viewing its contents
whois.domaintools.com : whois / reverse DNS lookup of the originating IP
URL2PNG : screenshot service for viewing the linked page without visiting it directly
Now let's solve the lab.
Q1 ) Who is the primary recipient of this email?
Answer :
kinnar1975@yahoo.co.uk
Note : Open the .eml file in your text editor. I use Sublime Text. Then search (Ctrl + F) for “@”, because it's an email address. After a few matches you will find the answer.
Q2 ) What is the subject of this email?
Answer :
Undeliverable: Website contact form submission
Note : Search for “Subject”. After a few matches you will find the result.
Q3 ) What is the date and time the email was sent?
Answer :
18 March 2021 04:14
Note : While finding the answer to question 2, I also found a send time. I thought that might be the answer, and it was.
Q4 ) What is the Originating IP?
Answer :
103.9.171.10
Note : Search for “IP”. I turned on the Case Sensitive filter and got the answer.
Q5 ) Perform reverse DNS on this IP address, what is the resolved host? (whois.domaintools.com)
Answer :
c5s2-1e-syd.hosting-services.net.au
Note : Go to any whois website. I use this one: https://whois.domaintools.com/ .
Then put in the IP address I found, and I got the answer.
Q6 ) What is the name of the attached file?
Answer :
Website contact form submission.eml
Note : Just copy the attached file's name and paste it. That's the answer.
Q7 ) What is the URL found inside the attachment?
Answer :
https://35000usdperwwekpodf.blogspot.sg?p=9swghttps://35000usdperwwekpodf.blogspot.co.il?o=0hnd
Note : For this task we need Thunderbird, which is an email client like Gmail. Open the Website contact form submission.eml file and you will see the answer. Or you can open the .eml file in Sublime and try to find it there.
Q8 ) What service is this webpage hosted on?
Answer :
blogspot
Note : If you look at the last answer, you will find this one in it.
Q9 ) Using URL2PNG, what is the heading text on this page? (Doesn't matter if the page has been taken down!)
Answer :
Blog has been removed
Note : For this answer I used the https://www.url2png.com/ website. Take the answer to “What is the URL found inside the attachment?” and paste it into the website. Then check the result and you will find the answer.
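The manual searching above (recipient, subject, date, originating IP, attachment name, URL in the attachment) can be done in one pass with Python's standard email parser. This is an added example, not part of the original write-up or the lab; the .eml it parses is a constructed bounce-style message with documentation-range values, not the lab's real file.

```python
import email
import re
from email import policy

# Constructed sample (not the lab's real file): a bounce-style outer message
# that carries the original lure as a message/rfc822 attachment.
SAMPLE_EML = b"""\
From: postmaster@mail.example.com
To: victim@example.com
Subject: Undeliverable: Website contact form submission
Date: Thu, 18 Mar 2021 04:14:00 +0000
X-Originating-IP: [203.0.113.5]
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/rfc822
Content-Disposition: attachment; filename="Website contact form submission.eml"

From: lure@example.net
Subject: Website contact form submission
Content-Type: text/html

<html><body><a href="https://example-lure.invalid/?p=1">claim</a></body></html>
--b1--
"""

# Two links glued together with no whitespace come out as one token (compare the lab's Q7 answer).
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")

def extract_artifacts(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    artifacts = {
        "recipient": str(msg.get("To", "")),
        "subject": str(msg.get("Subject", "")),
        "date": str(msg.get("Date", "")),
        "originating_ip": str(msg.get("X-Originating-IP", "")).strip("[] "),
        "attachments": [],
        "urls": [],
    }
    # walk() descends into message/rfc822 parts, so the attached lure's body is scanned too
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            artifacts["attachments"].append(part.get_filename())
        if part.get_content_maintype() == "text":
            for url in URL_RE.findall(part.get_content()):
                if url not in artifacts["urls"]:
                    artifacts["urls"].append(url)
    return artifacts
```

Feed it the real forwarded .eml with `extract_artifacts(open(path, "rb").read())` and the URLs it lists are candidates for a URL2PNG or sandbox check rather than for opening in a browser.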
Congratulations! You successfully solved the lab.
Thanks for reading. I hope this article/blog helps you. If you have any question or doubt, feel free to ask. And please follow me on Medium; it's free and you can always change your mind.
Here are my social links :
LinkedIn : https://www.linkedin.com/in/r3dw4n4hm3d/
GitHub : https://github.com/r3dw4n48m3d
Website : https://r3dw4n48m3d.github.io/Portfolio/
YouTube : https://www.youtube.com/@R3DW4NA8M3D