Phreaky

HackTheBox


Description

"In the shadowed realm where the Phreaks hold sway"

The challenge provided a download link to a ZIP file containing a PCAP capture.

Analysis

Initial Analysis

Downloaded and extracted the challenge file (password: hackthebox), revealing phreaky.pcap, a network capture file.

PCAP Protocol Analysis

Analyzed the PCAP with tshark to identify protocols:

tshark -r phreaky.pcap -q -z io,phs

Key findings:

Email Extraction

Exported email objects from the PCAP:

tshark -r phreaky.pcap -Y "smtp" --export-objects "imf,emails"

Found 15 unique emails (with duplicates totaling 30 files). Each email contained:

  1. A text body with a password (e.g., "Password: S3W8yzixNoL8")
  2. A base64-encoded ZIP attachment

Attachment Analysis

Each ZIP file contained a part of a PDF file:

  • phreaks_plan.pdf.part1 through phreaks_plan.pdf.part15
  • Each ZIP was password-protected with a unique password from its email

Passwords found:

Part  Password
1     S3W8yzixNoL8
2     r5Q6YQEcGWEF
3     TVm9aC1UycxF
4     jISlbC8145Ox
5     AdtJYhF4sFgv
6     j2SRRDraIvUZ
7     xh161WSXX7tB
8     yH5vqnkm7Ixa
9     tJPUTUfceO1P
10    2qKlZHZlBPQz
11    mbkUvLZ1koxu
12    ZN4yKAYrtf8x
13    0eA143t4432M
14    oea41WCJrWwN
15    gdOvbPtB0xCK

Solution

Python Extraction Script

Created a Python script to:

  1. Parse all .eml files
  2. Extract passwords from email bodies
  3. Decode base64 ZIP attachments
  4. Extract each part using its password
  5. Combine all parts in order

...
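The author's script is not reproduced on the page, so the following is an added example of the same five steps using only the Python standard library (my own code, not the author's). It assumes the body format "Password: <value>" and the member names phreaks_plan.pdf.partN described above; the mails and PDF chunks are constructed inline so it runs offline.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

PASSWORD_RE = re.compile(r"Password:\s*(\S+)")
PART_RE = re.compile(r"\.part(\d+)$")


def reassemble(eml_blobs):
    """Rebuild the split PDF from raw .eml bytes, in any order, skipping duplicate mails.
    Returns (pdf_bytes, {part_number: password}); raises ValueError if a part is missing."""
    parts, passwords = {}, {}
    for raw in eml_blobs:
        msg = message_from_bytes(raw, policy=policy.default)
        found = PASSWORD_RE.search(msg.get_body(preferencelist=("plain",)).get_content())
        if not found:
            continue
        pwd = found.group(1).encode()
        for att in msg.iter_attachments():
            zip_bytes = att.get_payload(decode=True)  # undoes the base64 transfer encoding
            with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
                for name in zf.namelist():
                    match = PART_RE.search(name)
                    if not match:
                        continue
                    n = int(match.group(1))
                    if n in parts:  # duplicate mail: the capture held 30 files for 15 parts
                        continue
                    # pwd= covers legacy ZipCrypto only; AES-encrypted entries make zipfile
                    # raise NotImplementedError and need a third-party reader such as pyzipper
                    parts[n] = zf.read(name, pwd=pwd)
                    passwords[n] = pwd.decode()
    missing = sorted(set(range(1, max(parts, default=0) + 1)) - set(parts))
    if missing:
        raise ValueError(f"missing parts: {missing}")
    return b"".join(parts[n] for n in sorted(parts)), passwords


def build_sample_eml(part_no, password, chunk):
    """Constructed test mail shaped like the challenge ones (zip left unencrypted: the stdlib
    cannot write ZipCrypto, and zipfile ignores pwd= for unencrypted entries)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"phreaks_plan.pdf.part{part_no}", chunk)
    msg = EmailMessage()
    msg.set_content(f"Attached is part {part_no}.\nPassword: {password}\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=f"part{part_no}.zip")
    return msg.as_bytes()


# Constructed sample: three parts delivered out of order, with part 1 sent twice.
SAMPLE_CHUNKS = [b"%PDF-1.4 ", b"constructed ", b"sample\n"]
SAMPLE_EMLS = [build_sample_eml(i, f"pw{i}", SAMPLE_CHUNKS[i - 1]) for i in (3, 1, 2, 1)]
```

Against the real capture, feed `reassemble` the bytes of every file tshark exported into the emails directory and write the returned PDF bytes to phreaks_plan.pdf.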
