Phreaky — HackTheBox

Description

"In the shadowed realm where the Phreaks hold sway"

The challenge provided a download link to a ZIP file containing a PCAP capture.

Analysis

Initial Analysis

Downloaded and extracted the challenge file (password: hackthebox), revealing phreaky.pcap - a network capture file.

PCAP Protocol Analysis

Analyzed the PCAP with tshark to identify protocols:

tshark -r phreaky.pcap -q -z io,phs

Key findings:

• SMTP traffic (337 frames)
• IMF (Internet Message Format) - 15 email messages
• Emails sent from [email protected] to [email protected]
• Subject: "Secure File Transfer"

Email Extraction

Exported email objects from the PCAP:

tshark -r phreaky.pcap -Y "smtp" --export-objects "imf,emails"

Found 15 unique emails (with duplicates totaling 30 files). Each email contained:

1. A text body with a password (e.g., "Password: S3W8yzixNoL8")
2. A base64-encoded ZIP attachment

Attachment Analysis

Each ZIP file contained a part of a PDF file:

• phreaks_plan.pdf.part1 through phreaks_plan.pdf.part15
• Each ZIP was password-protected with a unique password from its email

Passwords found:

Part	Password
1	S3W8yzixNoL8
2	r5Q6YQEcGWEF
3	TVm9aC1UycxF
4	jISlbC8145Ox
5	AdtJYhF4sFgv
6	j2SRRDraIvUZ
7	xh161WSXX7tB
8	yH5vqnkm7Ixa
9	tJPUTUfceO1P
10	2qKlZHZlBPQz
11	mbkUvLZ1koxu
12	ZN4yKAYrtf8x
13	0eA143t4432M
14	oea41WCJrWwN
15	gdOvbPtB0xCK

Solution

Python Extraction Script

Created a Python script to:

1. Parse all .eml files
2. Extract passwords from email bodies
3. Decode base64 ZIP attachments
4. Extract each part using its password
5. Combine all parts in order

...