TryHackMe: Phishing Walkthrough
Learn what phishing is and why it’s important to a red team engagement. You will set up phishing infrastructure, write a convincing phishing email and try to trick your target into opening your email.
Hi everyone, this is Mrinal Prakash aka EMPHAY on TryHackMe, and today I am going to take you through a walkthrough of the TryHackMe room called “Phishing”, which is a pretty basic, beginner-friendly room that falls into the category of easy rooms. So let’s go ahead and dive in. You can access the room through this link: https://tryhackme.com/room/phishingyl
TASK 1: Brief
1. I’m ready to learn!
No Answers needed
TASK 2: Intro To Phishing Attacks
1. What type of psychological manipulation is phishing part of?
social engineering
2. What type of phishing campaign do red teams get involved in?
spear-phishing
TASK 3: Writing Convincing Phishing Emails
1. What tactic can be used to find brands or people a victim interacts with?
OSINT
2. What should be changed on an HTML anchor tag to disguise a link?
anchor text
TASK 4: Phishing Infrastructure
1. What part of a red team infrastructure can make a website look more authentic?
SSL/TLS certificates
2. What protocol has TXT records that can improve email deliverability?
DNS
3. What tool can automate a phishing campaign and include analytics?
GoPhish
TASK 5: Using GoPhish
This task will take you through setting up GoPhish, sending a phishing campaign and capturing user credentials from a spoof website.
First, launch the virtual machine by clicking the green Start Machine button on the right; once loaded, click the following URL to open the GoPhish login page: https://10-10-111-13.p.thmlabs.com:8443 (if you receive an Nginx error, wait another 30 seconds and try again).
You should be able to log in with the username: admin and password: tryhackme
Sending Profiles:
Sending profiles are the connection details required to actually send your phishing emails; this is simply an SMTP server that you have access to. Click the Sending Profiles link on the left-hand menu and then click the “New Profile” button.
Next, add in the following information as per the screenshot below:
Name: Local Server
From: noreply@redteam.thm
Host: 127.0.0.1:25
Then click Save Profile.
Landing Pages:
Next, we’re going to set up the landing page; this is the website that the Phishing email is going to direct the victim to; this page is usually a spoof of a website the victim is familiar with.
Click the Landing Pages link on the left-hand menu and then click the “New Page” button.
Give the Landing Page the name ACME Login. Next, in the HTML box, you’ll need to press the Source button to allow us to enter the HTML code as shown below:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>ACME IT SUPPORT - Admin Panel</title>
<style>
body { font-family: "Ubuntu", monospace; text-align: center }
div.login-form { margin:auto; width:300px; border:1px solid #ececec; padding:10px;text-align: left;font-size:13px;}
div.login-form div input { margin-bottom:7px;}
div.login-form input { width:280px;}
div.login-form div:last-child { text-align: center; }
div.login-form div:last-child input { width:100px;}
</style>
</head>
<body>
<h2>ACME IT SUPPORT</h2>
<h3>Admin Panel</h3>
<form method="post">
<div class="login-form">
<div>Username:</div>
<div><input name="username"></div>
<div>Password:</div>
<div><input type="password" name="password"></div>
<div><input type="submit" value="Login"></div>
</div>
</form>
</body>
</html>
Click the Source button again, and you should see a login box with username and password fields as per the image below. Also click the Capture Submitted Data box and then the Capture Passwords box, and then click the Save Page button.
Email Templates:
This is the design and content of the email you’re going to actually send to the victim; it will need to be persuasive and contain a link to your landing page to enable us to capture the victim’s username and password. Click the Email Templates link on the left-hand menu and then click the New Template button. Give the template the name Email 1 and the subject New Message Received, click the HTML tab, and then click the Source button to enable HTML editor mode. In the contents, write a persuasive email that would convince the user to click the link. The link text will need to be set to https://admin.acmeitsupport.thm, but the actual link will need to be set to {{.URL}}, which will get changed to our spoofed landing page when the email gets sent. You can do this by highlighting the link text and then clicking the link button on the top row of icons; make sure to set the protocol dropdown to <other>.
Your email should look similar to the screenshot below. Click Save Template once complete.
Users & Groups
This is where we can store the email addresses of our intended targets. Click the Users & Groups link on the left-hand menu and then click the New Group button. Give the group the name Targets and then add the following email addresses:
martin@acmeitsupport.thm
brian@acmeitsupport.thm
accounts@acmeitsupport.thm
Click the Save Template button; once completed, it should look like the below screenshot:
Campaigns
Now it’s time to send your first emails; click the Campaigns link on the left-hand menu and then click the New Campaign button. Set the following values for the inputs, as per the screenshot below:
Name: Campaign One
Email Template: Email 1
Landing Page: ACME Login
URL: http://10.10.111.13
Launch Date: For this lab, set it to 2 days ago just to make sure there is no complication with different timezones; in a real operation this would be set correctly.
Sending Profile: Local Server
Groups: Targets
Once completed, click the Launch Campaign button, which will produce an Are You Sure prompt where you can just press the Launch button.
You’ll then be redirected to the results page of the campaign.
Results
The results page gives us an idea of how the phishing campaign is performing by letting us know how many emails have been delivered, opened, clicked and how many users have submitted data to our spoof website.
You’ll see at the bottom of the screen a breakdown for each email address; you’ll notice that both Martin’s and Brian’s emails have been sent successfully, but the accounts email has resulted in an error.
We can dig into the error more by clicking the dropdown arrow next to the accounts row, and by viewing the details of the error, we can see an error message saying the user is unknown.
After a minute, and providing you’ve followed the instructions correctly, you should see the status of Brian change to Submitted Data.
Expanding Brian’s details and then viewing the details for the submitted data, you should be able to see Brian’s username and password, which will help you answer the question below.
1. What is the password for Brian?
p4$$w0rd!
TASK 6: Droppers
1. Do droppers tend to be malicious?
Nay
TASK 7: Choosing A Phishing Domain
1. What is better, using an expired or new domain? (old/new)
old
2. What is the term used to describe registering a similar domain name with a spelling error?
Typosquatting
TASK 8: Using MS Office In Phishing
1. What can Microsoft Office documents contain, which, when executed can run computer commands?
macros
TASK 9: Using Browser Exploits
1. Which recent CVE caused remote code execution?
CVE-2021-40444
TASK 10: Phishing Practical
1. What is the flag from the challenge?
THM{I_CAUGHT_ALL_THE_PHISH}
This completes our room and that was it from me. If you enjoyed reading this, do give it a clap and follow me on Substack. If you face any problem regarding any solution, feel free to reach out to me. Hope you enjoyed reading my work. If you really liked this article, then follow me on Twitter and connect with me on LinkedIn. Till then, goodbye from my side and Happy Hacking.





