Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.

Challenge info

Easy Phish [by greenwolf]
Customers of secure-startup.com have been recieving some very convincing phishing emails, can you figure out why?

The Challenge

When you read something about phishing emails appearing to come from legit domains, you should immediately think about MX, SPF, DKIM and DMARC DNS records as these records are important when setting up a mail server.

In short:

  • MX (Mail exchange record)
    Tells other mail servers where to find you domain’s mail server.
    e.g. sequr.be MX smtp1.mailfence.com0
  • SPF (Sender Policy Framework)
    Allow receiving mail server to check whether the sending mail server was authorized to send mail for that domain. This is usually configured with a TXT record. There used to be a SPF DNS record, but this has been discontinued because it was barely used.
    e.g. sequr.be TXT v=spf1 include:_spf.mailfence.com ~all
  • DKIM (DomainKeys Identified Mail)
    Allow a receiving mail server to validate the e-mail’s signature against the public key published in the DKIM record. This is (also) used to verify whether the sending mail server was authorized (as it has access to the private key) and whether parts of the mail have been modified
    e.g. 20191004-uypx._domainkey.sequr.be. DKIM v=DKIM1;k=rsa;p=MII[...]QAB;
  • DMARC (Domain-based Message Authentication, Reporting and Conformance)
    Extends SPF and DKIM records by telling receiving mail servers what to do with mail failing these check (reject, quarantine or ignore failure) and where to send failure reports.
    e.g. _dmarc.sequr.be. DMARC v=DMARC1;p=none;rua=mailto:stijncrevits-d@dmarc.report-uri.com;

We can easily get the values for these headers using dig or online tools like MX Toolbox or DNS Lookup.

Checking the SPF entry (which is contained in a TXT record).

$ dig TXT secure-startup.com
[...]
;; ANSWER SECTION:
secure-startup.com.     1800    IN      TXT     "v=spf1 a mx ?all - HTB{RIP_SPF_Always_2nd"
[...]

Checking the DMARC entry.

$ dig TXT _dmarc.secure-startup.com
[...]
_dmarc.secure-startup.com. 1800 IN      TXT     "v=DMARC1;p=none;_F1ddl3_2_DMARC}"
[...]

Combining these partial flags, we get: HTB{RIP_SPF_Always_2nd_F1ddl3_2_DMARC}