Hack the Box: Easy Phish

Challenge Lab: OSINT

Difficulty: Easy

“Customers of secure-startup.com have been receiving some very convincing phishing emails, can you figure out why?”

Not knowing where to begin, I started by doing some research. I found a few good articles HERE, HERE, and then eventually HERE, which helped me understand how to capture the flag using the following command to retrieve the SPF record:

nslookup -type=txt secure-startup.com

Hold on though, because that’s not the complete flag. I also queried the DMARC record to find the second half:

nslookup -type=txt _dmarc.secure-startup.com

Basically what is going on is that an attacker is spoofing emails to make it look like they are coming from a reputable source within the organization.

By using SPF and DMARC though (along with DKIM), organizations can combat that.

SPF helps receiving mail servers verify that email sent on behalf of a domain is legitimate. It does this by checking the Return-Path value. This is only half of the equation though, which is why the flag was split into two pieces.

The second part, DMARC, works by validating the From domain. Not checking that domain was a major shortcoming of SPF before DMARC came around.

It is much more in-depth than this, so please check out the above links if you are interested in learning more.
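To show what to look for once the two TXT records are in hand, here is an added example (not part of the original writeup) that audits an SPF and a DMARC record for settings that let spoofed mail through. The function names and sample records are constructed for illustration, and the check is simplified: it does not follow `include:` or `redirect=`.

```python
# Added example: audit SPF and DMARC TXT records. Sample records are constructed.

def parse_spf(txt):
    """Return the qualifier of the SPF 'all' mechanism, or None if absent."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        t = term.lower()
        if t.lstrip("+-~?") == "all":
            # A bare 'all' has the default qualifier '+' (pass).
            return t[0] if t[0] in "+-~?" else "+"
    return None


def parse_dmarc(txt):
    """Return the DMARC tags as a dict, e.g. {'v': 'DMARC1', 'p': 'none'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit(spf_txt, dmarc_txt):
    """List findings that explain why spoofed mail could be accepted."""
    findings = []
    q = parse_spf(spf_txt)
    if q is None:
        findings.append("SPF: no 'all' mechanism, unmatched senders are neutral")
    elif q in "+?":
        findings.append(f"SPF: '{q}all' does not reject unauthorized senders")
    elif q == "~":
        findings.append("SPF: '~all' is a softfail, mail is usually still delivered")
    policy = parse_dmarc(dmarc_txt).get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} takes no action on failures")
    return findings

# Constructed sample records (example.com is a placeholder domain).
WEAK = ("v=spf1 a mx ?all", "v=DMARC1; p=none; rua=mailto:dmarc@example.com")
STRICT = ("v=spf1 mx -all", "v=DMARC1; p=reject; adkim=s; aspf=s")

if __name__ == "__main__":
    for spf, dmarc in (WEAK, STRICT):
        print(spf, "|", dmarc, "->", audit(spf, dmarc) or "no findings")
```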

I was also able to find THIS tool, which can verify both of these records (and do a lot more things) in-browser. It’s super simple to just use the command line for this after you know the proper syntax, but it’s good to have options.

Happy Hacking! ❤


