Hack The Box – Easy Phish


Hello world, welcome to Haxez. Today I’m going to be looking at the retired Easy Phish OSINT challenge from Hack The Box. The challenge description explains:

“Customers of secure-startup.com have been receiving some very convincing phishing emails, can you figure out why?”

Based on the information provided, it seems like this will have something to do with enumerating the DNS records on the domain.

Enumeration

To solve this challenge we need to know how to look up the DNS records associated with a domain, and which record types to query. Once we know that, we should be able to retrieve the flag from the domain's DNS records. First, we can try nslookup. Unfortunately, a plain lookup only returns the A record for the domain.

┌─[joe@parrot]─[/mnt/hgfs/MOUNT/HTBCHAL/web_weather_app]
└──╼ $nslookup secure-startup.com
Server: 192.168.80.2
Address: 192.168.80.2#53
Non-authoritative answer:
Name: secure-startup.com
Address: 34.102.136.180

Since we know we're looking for a flag, we could try brute-forcing subdomains in case the flag is one of them. A more likely approach, though, is to look at the TXT records: they hold free-form text (mail policies such as SPF, among other things) and are the obvious hiding place for a flag.

First, I start by performing an nslookup with the query type set to TXT. This appears to give us the flag, or at least part of it. As you can see below, we have a partial flag claiming that SPF is dead and always second.

┌─[joe@parrot]─[/mnt/hgfs/MOUNT/HTBCHAL/web_weather_app]
└──╼ $nslookup -q=txt secure-startup.com
Server: 192.168.80.2
Address: 192.168.80.2#53
Non-authoritative answer:
secure-startup.com text = "v=spf1 a mx ?all - HTB{RIP_SPF_Always_2nd"

Second to what? DMARC probably. SPF only checks the “envelope from” (Return-Path) address, so an attacker can pass SPF while spoofing the visible “From” header that the recipient actually sees. DMARC closes this gap by requiring the visible “From” domain to align with the domain that passed SPF (or DKIM), and by telling receivers what to do with mail that fails. It also gives domain owners a mechanism to receive reports on authentication failures. For these reasons DMARC is considered a more effective email authentication control than SPF alone.

Solving Hack The Box Easy Phish

So, we can now change our query to look up a TXT record on the _dmarc subdomain. This record normally holds the domain's DMARC policy, but in this case it also carries the second half of the flag.

┌─[joe@parrot]─[/mnt/hgfs/MOUNT/HTBCHAL/web_weather_app]
└──╼ $nslookup -q=TXT _dmarc.secure-startup.com
Server: 192.168.80.2
Address: 192.168.80.2#53
Non-authoritative answer:
_dmarc.secure-startup.com text = "v=DMARC1;p=none;_F1ddl3_2_DMARC}"

Put them together and pow, we have the flag. The records also answer the challenge question: the SPF record ends in “?all”, a neutral qualifier that passes no verdict on unlisted senders, and the DMARC policy is “p=none”, which asks receivers only to monitor, so spoofed mail claiming to be from the domain is neither failed by SPF nor rejected by DMARC.
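To make the enforcement gap explicit, here is an added example (not part of the original write-up) that parses the two TXT values returned above and lists why a spoofed message would not be rejected. The hardened record pair and the example.com reporting address are constructed placeholders, and nothing is queried over the network.

```python
import re

# Constructed input: the two TXT values returned by the nslookup queries above.
SPF_RECORD = "v=spf1 a mx ?all - HTB{RIP_SPF_Always_2nd"
DMARC_RECORD = "v=DMARC1;p=none;_F1ddl3_2_DMARC}"
# Constructed hardened pair for comparison (example.com is a placeholder).
HARDENED_SPF = "v=spf1 a mx -all"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

# Qualifier prefixes on the catch-all "all" mechanism (RFC 7208 section 4.6.2).
SPF_ALL_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return listed mechanisms and the verdict the 'all' mechanism assigns."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_verdict = [], None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_verdict = SPF_ALL_QUALIFIERS[m.group(1) or "+"]
            break  # receivers ignore terms after 'all' (RFC 7208 section 5.1), flag fragment included
        mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_verdict}


def parse_dmarc(record):
    """Return DMARC tag=value pairs; fragments without '=' are kept as unparsed."""
    tags, unparsed = {}, []
    for part in filter(None, (p.strip() for p in record.split(";"))):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
        else:
            unparsed.append(part)
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return {"tags": tags, "unparsed": unparsed}


def assess(spf_record, dmarc_record):
    """List the reasons a spoofed message for this domain would not be rejected."""
    spf, dmarc = parse_spf(spf_record), parse_dmarc(dmarc_record)
    findings = []
    if spf["all"] not in ("fail", "softfail"):
        findings.append(f"SPF 'all' verdict is {spf['all']}: unlisted senders are not failed")
    policy = dmarc["tags"].get("p", "none")  # a missing p tag gives no enforcement either
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy}: receivers are asked to monitor only")
    if "rua" not in dmarc["tags"]:
        findings.append("DMARC has no rua= tag: the owner gets no aggregate failure reports")
    return findings
```

assess(SPF_RECORD, DMARC_RECORD) returns three findings for the challenge domain, while assess(HARDENED_SPF, HARDENED_DMARC) returns an empty list.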