Hack The Box Write-Up PhishNet
About PhishNet
In this post, I’m writing a write-up for the Sherlock challenge PhishNet from Hack The Box. Sherlocks are investigative challenges that test your defensive security skills: you dive into the aftermath of a targeted cyber attack and unravel the dynamics behind it, based on the evidence provided.
Sherlock Info
| Sherlock: | PhishNet |
| Difficulty: | Very Easy |
| Release Date: | 04 Sep 2025 |
| Creator: | OxAlpha4040 |
An accounting team receives an urgent payment request from a known vendor. The email appears legitimate but contains a suspicious link and a .zip attachment hiding malware. Your task is to analyze the email headers and uncover the attacker’s scheme.
Resources
To start the investigation, we are provided with the file PhishNet.zip (2 KB). To solve this challenge we have to answer 11 tasks.
After unzipping the file, we have a file called email.eml. An EML file is a plain-text file that holds a snapshot of a single email message, preserving its structure and content. It can be opened in any email client that supports the EML format. By opening it in a text editor, for example Visual Studio Code, we can perform a forensic analysis of the email headers. The headers hold metadata about the message that can reveal its origin and other digital footprints, such as the path the message travelled before it reached your inbox.
Return-Path: <finance@business-finance.com>
Reply-To: <support@business-finance.com>
X-Mailer: Microsoft Outlook 16.0
X-Originating-IP: [45.67.89.10]
X-Priority: 1 (Highest)
X-MSMail-Priority: High
Received-SPF: Pass (protection.outlook.com: domain of business-finance.com designates 45.67.89.10 as permitted sender)
ARC-Seal: i=1; a=rsa-sha256; d=business-finance.com; s=arc-2025; t=1677416100; cv=pass;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=business-finance.com; s=arc-2025;
X-AntiSpam: Passed
X-Organization: Business Finance Ltd.
X-Envelope-From: finance@business-finance.com
List-Unsubscribe: <mailto:unsubscribe@business-finance.com>
X-Sender-IP: 45.67.89.10
Received: from mail.business-finance.com ([203.0.113.25])
    by mail.target.com (Postfix) with ESMTP id ABC123;
    Mon, 26 Feb 2025 10:15:00 +0000 (UTC)
Received: from relay.business-finance.com ([198.51.100.45])
    by mail.business-finance.com with ESMTP id DEF456;
    Mon, 26 Feb 2025 10:10:00 +0000 (UTC)
Received: from finance@business-finance.com ([198.51.100.75])
    by relay.business-finance.com with ESMTP id GHI789;
    Mon, 26 Feb 2025 10:05:00 +0000 (UTC)
Authentication-Results: spf=pass (domain business-finance.com designates 45.67.89.10 as permitted sender)
    smtp.mailfrom=business-finance.com;
    dkim=pass header.d=business-finance.com;
    dmarc=pass action=none header.from=business-finance.com;
Message-ID: <20250226101500.ABC123@business-finance.com>
Date: Mon, 26 Feb 2025 10:15:00 +0000 (UTC)
From: "Finance Dept" <finance@business-finance.com>
To: "Accounting Dept" <accounts@globalaccounting.com>
Subject: Urgent: Invoice Payment Required - Overdue Notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="boundary123"
--boundary123
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<title>Invoice Overdue</title>
</head>
<body>
<p>Dear Accounting Team,</p>
<p>This is a final notice regarding the outstanding invoice #INV-2025-0012. Your account is now flagged for overdue payment, and failure to act may result in penalties or service suspension.</p>
<p>Details of the invoice:</p>
<ul>
<li><b>Invoice Number:</b> INV-2025-0012</li>
<li><b>Amount Due:</b> $4,750.00</li>
<li><b>Due Date:</b> February 28, 2025</li>
</ul>
<p>Our records indicate that invoice #INV-2025-0012 is overdue for payment. Please process the payment immediately to avoid late fees.</p>
<p>For your convenience, you can download the full invoice and payment instructions from the link below:</p>
<p><a href="https://secure.business-finance.com/invoice/details/view/INV2025-0987/payment">Download Invoice</a></p>
<p>Alternatively, the invoice is also attached as a .zip file.</p>
<p>If you have already made the payment, kindly ignore this notice.</p>
<p>Best regards,<br>Finance Department<br>Business Finance Ltd.</p>
</body><p>For assistance, please contact our support team at <a href='mailto:support@business-finance.com'>support@business-finance.com</a> or call our helpline at +1-800-555-0199.</p>
<p>Thank you for your prompt attention to this matter.</p>
</html>
--boundary123
Content-Type: application/zip; name="Invoice_2025_Payment.zip"
Content-Disposition: attachment; filename="Invoice_2025_Payment.zip"
Content-Transfer-Encoding: base64
UEsDBBQAAAAIABh/WloXPY4qcxITALvMGQAYAAAAaW52b2ljZV9kb2N1bWVudC5wZGYuYmF0zL3ZzuzIsR18LQN+h62DPujWX0e7
--boundary123--
Investigation Tasks
What is the originating IP address of the sender?
To find the originating IP address of the sender, we open the file in a text editor. I’m using Visual Studio Code to open and read the email headers. It is also possible to paste the headers into an external analysis tool such as Message Header Analyzer, but then you may be sharing sensitive information about your client or the victim with an external website. That is not my preferred way; I prefer to do the investigation manually.
After opening the file in Visual Studio Code, we look for the IP address that the SPF check designates as the permitted sender. In this header it is 45.67.89.10. We can find it in the part of the email header below.
...
Authentication-Results: spf=pass (domain business-finance.com designates 45.67.89.10 as permitted sender)
    smtp.mailfrom=business-finance.com;
    dkim=pass header.d=business-finance.com;
    dmarc=pass action=none header.from=business-finance.com;
...
Which mail server relayed this email before reaching the victim?
After the IP address 45.67.89.10, the message is handed to the relay server relay.business-finance.com, then to mail.business-finance.com, and from there it reaches the victim’s Exchange Online (protection.outlook.com) environment. So the mail server that relayed the email before it reached the victim is mail.business-finance.com, which has the IP address 203.0.113.25. See that part of the email header below.
...
Received-SPF: Pass (protection.outlook.com: domain of business-finance.com designates 45.67.89.10 as permitted sender)
ARC-Seal: i=1; a=rsa-sha256; d=business-finance.com; s=arc-2025; t=1677416100; cv=pass;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=business-finance.com; s=arc-2025;
X-AntiSpam: Passed
X-Organization: Business Finance Ltd.
X-Envelope-From: finance@business-finance.com
List-Unsubscribe: <mailto:unsubscribe@business-finance.com>
X-Sender-IP: 45.67.89.10
Received: from mail.business-finance.com ([203.0.113.25])
    by mail.target.com (Postfix) with ESMTP id ABC123;
    Mon, 26 Feb 2025 10:15:00 +0000 (UTC)
...
What is the sender’s email address?
This question can be tricky. The sender shown in the email client is not necessarily the actual sender, as this may have been changed en route. To answer it, look at the Return-Path address (not to be confused with the Reply-To address). Return-Path carries the envelope sender, i.e. technically the address the message was sent from. In this case the sender is finance@business-finance.com. We can find this in the part of the email header below.
Return-Path: <finance@business-finance.com>
...
What is the ‘Reply-To’ email address specified in the email?
The Reply-To address is the address your email client uses when you click Reply. It may differ from the sender’s address, so always check it carefully before replying to an email message! This one is easy: just read it off the header below.
...
Reply-To: <support@business-finance.com>
...
What is the SPF (Sender Policy Framework) result for this email?
SPF stands for Sender Policy Framework. The SPF record is published as a TXT record in the public DNS of your email domain and lists which mail servers are allowed to send email on behalf of that domain. It is an important control for protecting your email domain against spoofing. I have written a PowerShell module, Invoke-SpfDkimDmarc, that checks the SPF record configuration of one or more email domains automatically.
The email header shows that the result of the SPF check is “Pass”, which means the message came from an IP address (45.67.89.10) that the owner of business-finance.com has listed as permitted to send email on behalf of that domain.
...
Received-SPF: Pass (protection.outlook.com: domain of business-finance.com designates 45.67.89.10 as permitted sender)
ARC-Seal: i=1; a=rsa-sha256; d=business-finance.com; s=arc-2025; t=1677416100; cv=pass;
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=business-finance.com; s=arc-2025;
...
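The five header tasks above (originating IP, last relay, Return-Path, Reply-To, SPF result) can be read off programmatically as well. The Python below is an added example, written for this write-up and not part of the challenge or the page's own tooling; it uses only the standard library's email module. It walks the Received chain in delivery order (each relay prepends its own Received header, so the one nearest the body is the first hop), pulls the spf/dkim/dmarc verdicts out of Authentication-Results, and puts Return-Path, From and Reply-To side by side. The sample headers are the ones from this email, with the folded continuation lines re-indented as RFC 5322 requires. One check it adds that the write-up does not show: whether the IP the SPF verdict was evaluated on appears as a connecting IP in any Received hop. For this message it does not (the hops carry 198.51.100.75, 198.51.100.45 and 203.0.113.25), which in a real trace is worth a second look, since the SPF-evaluated address should be the IP the receiving server actually saw connect.

```python
import email
import re
from email.message import Message
from email.utils import parseaddr

# Constructed sample: the headers of the PhishNet message as shown in the
# write-up, with the folded continuation lines re-indented (RFC 5322 folding
# needs leading whitespace, which the page's dump lost). Body omitted.
SAMPLE_HEADERS = b"""Return-Path: <finance@business-finance.com>
Reply-To: <support@business-finance.com>
X-Originating-IP: [45.67.89.10]
Received-SPF: Pass (protection.outlook.com: domain of business-finance.com designates 45.67.89.10 as permitted sender)
Received: from mail.business-finance.com ([203.0.113.25])
 by mail.target.com (Postfix) with ESMTP id ABC123;
 Mon, 26 Feb 2025 10:15:00 +0000 (UTC)
Received: from relay.business-finance.com ([198.51.100.45])
 by mail.business-finance.com with ESMTP id DEF456;
 Mon, 26 Feb 2025 10:10:00 +0000 (UTC)
Received: from finance@business-finance.com ([198.51.100.75])
 by relay.business-finance.com with ESMTP id GHI789;
 Mon, 26 Feb 2025 10:05:00 +0000 (UTC)
Authentication-Results: spf=pass (domain business-finance.com designates 45.67.89.10 as permitted sender)
 smtp.mailfrom=business-finance.com;
 dkim=pass header.d=business-finance.com;
 dmarc=pass action=none header.from=business-finance.com;
From: "Finance Dept" <finance@business-finance.com>
To: "Accounting Dept" <accounts@globalaccounting.com>
Subject: Urgent: Invoice Payment Required - Overdue Notice

(body omitted)
"""


def parse_eml(raw: bytes) -> Message:
    """Parse raw .eml bytes with the standard library (compat32 policy)."""
    return email.message_from_bytes(raw)


def _unfold(value) -> str:
    """Collapse a folded header value onto one line with single spaces."""
    return " ".join(str(value).split())


def received_hops(msg: Message) -> list:
    """Return the Received chain in delivery order (oldest hop first).

    Each relay prepends its own Received header, so the header closest to the
    body is the first hop and the top-most one is the last relay before the
    victim's server.
    """
    hops = []
    for raw in msg.get_all("Received", []):
        value = _unfold(raw)
        m_from = re.search(r"\bfrom\s+(\S+)\s+\(\[?([\d.]+)\]?\)", value)
        m_by = re.search(r"\bby\s+(\S+)", value)
        m_id = re.search(r"\bid\s+([A-Za-z0-9]+)", value)
        hops.append({
            "from_host": m_from.group(1) if m_from else None,
            "from_ip": m_from.group(2) if m_from else None,
            "by_host": m_by.group(1) if m_by else None,
            "id": m_id.group(1) if m_id else None,
            "date": value.rsplit(";", 1)[1].strip() if ";" in value else None,
        })
    hops.reverse()
    return hops


def auth_results(msg: Message) -> dict:
    """Pull the spf/dkim/dmarc verdicts and the IP the SPF check was run on."""
    value = _unfold(msg.get("Authentication-Results", ""))
    results = {m.group(1).lower(): m.group(2).lower()
               for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value)}
    m_ip = re.search(r"designates\s+([\d.]+)\s+as permitted sender", value)
    results["spf_ip"] = m_ip.group(1) if m_ip else None
    return results


def sender_addresses(msg: Message) -> dict:
    """Envelope sender (Return-Path), header From, and Reply-To side by side."""
    return {
        "return_path": parseaddr(_unfold(msg.get("Return-Path", "")))[1],
        "from": parseaddr(_unfold(msg.get("From", "")))[1],
        "reply_to": parseaddr(_unfold(msg.get("Reply-To", "")))[1],
    }


def spf_ip_in_received_chain(msg: Message) -> bool:
    """True if the SPF-evaluated IP shows up as a connecting IP in any hop."""
    spf_ip = auth_results(msg).get("spf_ip")
    return spf_ip is not None and any(h["from_ip"] == spf_ip for h in received_hops(msg))


if __name__ == "__main__":
    message = parse_eml(SAMPLE_HEADERS)
    for n, hop in enumerate(received_hops(message), 1):
        print(f"hop {n}: {hop['from_host']} [{hop['from_ip']}] -> {hop['by_host']} ({hop['date']})")
    print("auth:", auth_results(message))
    print("addresses:", sender_addresses(message))
    print("SPF IP seen in Received chain:", spf_ip_in_received_chain(message))
```

The functions take any parsed message, so the same script works on the real email.eml via `parse_eml(open("email.eml", "rb").read())`; nothing leaves your machine, which is the reason for doing this locally rather than in a web-based header analyzer.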
What is the domain used in the phishing URL inside the email?
Below is part of the HTML body of the email message. We can clearly see the URL https://secure.business-finance.com/invoice/details/view/INV2025-0987/payment, whose domain is business-finance.com.
...
<p>Our records indicate that invoice #INV-2025-0012 is overdue for payment. Please process the payment immediately to avoid late fees.</p>
<p>For your convenience, you can download the full invoice and payment instructions from the link below:</p>
<p><a href="https://secure.business-finance.com/invoice/details/view/INV2025-0987/payment">Download Invoice</a></p>
<p>Alternatively, the invoice is also attached as a .zip file.</p>
<p>If you have already made the payment, kindly ignore this notice.</p>
<p>Best regards,<br>Finance Department<br>Business Finance Ltd.</p>
</body><p>For assistance, please contact our support team at <a href='mailto:support@business-finance.com'>support@business-finance.com</a> or call our helpline at +1-800-555-0199.</p>
<p>Thank you for your prompt attention to this matter.</p>
...
What is the fake company name used in the email?
The email body includes a signature that displays the company name, Business Finance Ltd.
...
<p>Best regards,<br>Finance Department<br>Business Finance Ltd.</p>
...
What is the name of the attachment included in the email?
At the bottom of the email message we see an attachment named Invoice_2025_Payment.zip.
...
--boundary123
Content-Type: application/zip; name="Invoice_2025_Payment.zip"
Content-Disposition: attachment; filename="Invoice_2025_Payment.zip"
Content-Transfer-Encoding: base64
UEsDBBQAAAAIABh/WloXPY4qcxITALvMGQAYAAAAaW52b2ljZV9kb2N1bWVudC5wZGYuYmF0zL3ZzuzIsR18LQN+h62DPujWX0e7
--boundary123--
...
What is the SHA-256 hash of the attachment?
A file can be identified by its filename and file type, but only a cryptographic hash (checksum) of its contents identifies it uniquely and lets us verify its integrity. By opening email.eml in an email client we can save the attachment Invoice_2025_Payment.zip and calculate its SHA-256 checksum with the command below.
...
t13nn3s$ shasum -a 256 Invoice_2025_Payment.zip
8379c41239e9af845b2ab6c27a7509ae8804d7d73e455c800a551b22ba25bb4a Invoice_2025_Payment.zip
...
We see that the SHA-256 checksum is 8379c41239e9af845b2ab6c27a7509ae8804d7d73e455c800a551b22ba25bb4a.
What is the filename of the malicious file contained within the ZIP attachment?
Below the attachment headers we see the content of the ZIP file, base64 encoded. Decoding that string shows the start of a ZIP archive, and the filename stored in its first local file header, invoice_document.pdf.bat, is readable in the decoded output.
t13nn3s$ echo "UEsDBBQAAAAIABh/WloXPY4qcxITALvMGQAYAAAAaW52b2ljZV9kb2N1bWVudC5wZGYuYmF0zL3ZzuzIsR18LQN+h62DPujWX0e7" | base64 -d
invoice_document.pdf.bat
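The write-up handles the link domain, the attachment name, the checksum and the inner filename by hand. As an added example (my code, not part of the write-up or the challenge), the Python below does the same from the .eml with the standard library only: it lists every link in the HTML part with its scheme and host, takes each attachment part's decoded bytes, hashes them with SHA-256, and reads the filename out of the ZIP's first local file header. Parsing that header directly is the point: the base64 line on the page decodes to just 75 bytes, the beginning of the archive without its central directory, so zipfile.ZipFile refuses it, yet the stored name invoice_document.pdf.bat and the compression method sit in those first bytes. The sample message is constructed from the page's own link and attachment; because it contains only that truncated base64 line, the digest it computes is for those 75 bytes and is not necessarily the full attachment's hash quoted above. The double-extension check at the end is the defender's heuristic this filename is meant to defeat.

```python
import email
import hashlib
import io
import struct
import zipfile
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Constructed sample: a minimal multipart message with the two links from the
# PhishNet HTML body and the base64 ZIP attachment exactly as the write-up
# shows it. That base64 line decodes to only the first 75 bytes of the archive.
SAMPLE_MESSAGE = b"""MIME-Version: 1.0
From: "Finance Dept" <finance@business-finance.com>
To: "Accounting Dept" <accounts@globalaccounting.com>
Subject: Urgent: Invoice Payment Required - Overdue Notice
Content-Type: multipart/mixed; boundary="boundary123"

--boundary123
Content-Type: text/html; charset="UTF-8"

<html><body>
<p><a href="https://secure.business-finance.com/invoice/details/view/INV2025-0987/payment">Download Invoice</a></p>
<p>For assistance, contact <a href='mailto:support@business-finance.com'>support@business-finance.com</a>.</p>
</body></html>
--boundary123
Content-Type: application/zip; name="Invoice_2025_Payment.zip"
Content-Disposition: attachment; filename="Invoice_2025_Payment.zip"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIABh/WloXPY4qcxITALvMGQAYAAAAaW52b2ljZV9kb2N1bWVudC5wZGYuYmF0zL3ZzuzIsR18LQN+h62DPujWX0e7
--boundary123--
"""

# Suffixes Windows executes on double-click; a document-looking name that ends
# in one of these (invoice.pdf.bat) is the classic disguise.
EXECUTABLE_SUFFIXES = {".bat", ".cmd", ".exe", ".scr", ".js", ".vbs", ".ps1", ".hta", ".lnk"}


def parse_eml(raw: bytes):
    return email.message_from_bytes(raw)


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def html_links(msg) -> list:
    """Every link in the text/html part, with scheme and host split out."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8"))
            for text, href in collector.links:
                u = urlparse(href)
                out.append({"text": text, "href": href, "scheme": u.scheme, "host": u.hostname})
    return out


def attachments(msg) -> list:
    """(filename, decoded bytes) for each part marked as an attachment."""
    return [(part.get_filename(), part.get_payload(decode=True))
            for part in msg.walk() if part.get_content_disposition() == "attachment"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def zip_local_header(data: bytes):
    """Parse the first local file header of a ZIP; works on a truncated archive.

    Little-endian layout: signature, version, flags, method, mtime, mdate,
    crc32, compressed size, uncompressed size, name length, extra length, name.
    """
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return None
    (_sig, _ver, _flags, method, _mtime, _mdate, crc, csize, usize,
     nlen, _xlen) = struct.unpack("<4sHHHHHIIIHH", data[:30])
    return {"filename": data[30:30 + nlen].decode("cp437"), "method": method,
            "crc32": crc, "compressed_size": csize, "uncompressed_size": usize}


def opens_with_zipfile(data: bytes) -> bool:
    """zipfile needs the central directory at the end; a cut-off archive fails."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)):
            return True
    except zipfile.BadZipFile:
        return False


def is_disguised_executable(name: str) -> bool:
    """Double extension whose final suffix is executable, e.g. .pdf.bat."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_SUFFIXES


if __name__ == "__main__":
    message = parse_eml(SAMPLE_MESSAGE)
    for link in html_links(message):
        print(f"link '{link['text']}' -> {link['scheme']} {link['host']}")
    for name, data in attachments(message):
        print(name, len(data), "bytes, sha256", sha256_hex(data))
        header = zip_local_header(data)
        print("inner file:", header["filename"], "disguised:", is_disguised_executable(header["filename"]))
```

On the real email.eml, `sha256_hex` of the saved attachment bytes is what `shasum -a 256` prints, and `zip_local_header` gives the inner filename without extracting, which matters when the archive is something you would rather not unpack on an analyst workstation.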
Which MITRE ATT&CK techniques are associated with this attack?
The MITRE ATT&CK framework is a knowledge base that catalogues the tactics, techniques, and procedures (TTPs) used by adversaries. It is a valuable resource for understanding how attacks are carried out and for developing defensive strategies. On the MITRE ATT&CK website, under T1566 (Phishing), we can explore the phishing-related techniques. In this scenario the phishing message carried an attachment, which corresponds to the sub-technique Phishing: Spearphishing Attachment, ID T1566.001.
Thanks for reading this write-up! Did you enjoy it, or learn something from it? Please consider spending a respect point: https://app.hackthebox.com/profile/224856. Thanks!
Happy researching :-)
