2024 Cyber Apocalypse: Urgent

Challenge Information

Attribute  | Details
Event      | 2024 Cyber Apocalypse
Category   | Forensics
Challenge  | Urgent
Difficulty | Very Easy

Summary

Urgent is a forensics challenge involving a phishing email (.eml file). The email contains multiple base64-encoded sections requiring decoding. The challenge involves identifying email sender/receiver information, extracting attachments, and decoding multiple layers of encoding (base64 and URL encoding) to recover the flag.


Analysis

The email structure reveals:

  1. Email Sender: anonmember1337@protonmail.com
  2. Email Receiver: factiongroups@gmail.com
  3. Content Blocks: Two base64-encoded MIME parts
    • Block 1: HTML email body content
    • Block 2: HTML attachment named “onlineform.html”
  4. Encoding Layers: Base64 → URL encoding → plaintext
  5. Payload Type: Phishing form designed to capture credentials

Solution

Step 1: Extract Email Headers

Open the .eml file and identify:

From: anonmember1337@protonmail.com
To: factiongroups@gmail.com
Subject: [Phishing Subject]

Step 2: Decode First Base64 Block

First Content-Type block has:

  • Content-Transfer-Encoding: base64
  • This is the HTML email body

Extract and decode using CyberChef or command line:

echo "base64_encoded_content" | base64 -d > email_body.html

This reveals the phishing email body/conversation context.

Step 3: Decode Attachment

Second Content-Type block with:

  • Content-Transfer-Encoding: base64
  • Content-Disposition: attachment; filename="onlineform.html"

Extract the attachment content and decode:

echo "base64_encoded_attachment" | base64 -d > onlineform.html

Step 4: URL Decode the Payload

The decoded HTML file contains URL-encoded content. Use CyberChef to:

  1. Paste the decoded HTML
  2. Add “URL Decode” recipe
  3. Execute to reveal plaintext flag

Alternatively, using Python:

from urllib.parse import unquote

# Paste the URL-encoded text from the decoded onlineform.html here
encoded_content = "URL%20encoded%20string..."
decoded = unquote(encoded_content)  # turns %XX sequences back into characters
print(decoded)
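The same chain (header extraction, base64 transfer decoding of both MIME parts, URL-decoding the attachment) done in one pass with Python's standard email module, as an added example rather than the writeup's own code. The .eml below is constructed to mirror the challenge layout; the flag value and form URL are placeholders, not the real challenge data.

```python
import base64
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import quote, unquote

# Constructed sample .eml mirroring the challenge layout (two base64 MIME parts,
# the second a URL-encoded HTML attachment); flag and form URL are placeholders.
FORM_HTML = '<form action="http://EXAMPLE-PLACEHOLDER/post.php">HTB{placeholder_flag}</form>'
_body_b64 = base64.b64encode(b"<p>Please complete the attached form.</p>").decode()
_attach_b64 = base64.b64encode(quote(FORM_HTML, safe="").encode()).decode()
SAMPLE_EML = f"""From: anonmember1337@protonmail.com
To: factiongroups@gmail.com
Subject: Urgent: action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

{_body_b64}
--b1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="onlineform.html"

{_attach_b64}
--b1--
""".encode()

def analyze_eml(raw: bytes) -> dict:
    """Read headers, undo each part's transfer encoding, URL-decode attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    result = {"from": str(msg["From"]), "to": str(msg["To"]),
              "subject": str(msg["Subject"]), "body": None, "attachments": {}}
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no payload of their own
        # decode=True applies the Content-Transfer-Encoding (base64 here)
        text = part.get_payload(decode=True).decode("utf-8", errors="replace")
        filename = part.get_filename()
        if filename:
            result["attachments"][filename] = unquote(text)  # second layer
        else:
            result["body"] = text
    return result

def find_flag(text: str):
    # Return the first HTB{...} token in text, or None if absent
    m = re.search(r"HTB\{[^}]*\}", text)
    return m.group(0) if m else None
```

Running `analyze_eml(SAMPLE_EML)` returns the sender, recipient, decoded body and the fully decoded attachment keyed by filename, so `find_flag` can be applied to the attachment text directly.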

Tool Usage: CyberChef

  1. Navigate to CyberChef website
  2. Input the encoded content
  3. Drag “From Base64” recipe
  4. Drag “URL Decode” recipe
  5. Output reveals the flag

Investigation Steps

  1. Open .eml file in text editor
  2. Identify “From”, “To”, and “Subject” fields
  3. Find Content-Type headers
  4. Extract first base64 block
  5. Decode first block with Base64
  6. Extract second base64 block (attachment)
  7. Decode attachment with Base64
  8. Analyze HTML content
  9. Apply URL decoding
  10. Extract flag from decoded content

Email Structure Reference

MIME email structure for phishing:

  • Headers (From, To, Subject, etc.)
  • Content-Type: text/html (body)
  • Boundary markers (separating MIME parts)
  • Base64-encoded content
  • Attachments with Content-Disposition

Key Takeaways

  • Email files contain plaintext MIME structure that’s manually readable
  • Multiple encoding layers are common in phishing campaigns
  • Base64 is often used for email content encoding (not encryption)
  • URL encoding hides suspicious characters in payloads
  • CyberChef is invaluable for chaining multiple decode operations
  • Always scrutinize email attachments regardless of apparent legitimacy
  • Phishing emails often mimic legitimate services to appear trustworthy