Cyber Defense CTF > Email_Security

A Goodcorp employee recently reported a phishing attempt to his company email address. We’ve provided the email headers for you to analyze. What country is the original sending server hosted in?

Here we are given a file to download: out_phishing.txt

From inspecting the email header, we note several strings encoded in base64. One of these:

U2V1IGxpbmsgdmFpIHZlbmNlciBlbSBicmV2ZSE=

decodes to:

Seu link vai vencer em breve!

which is Portuguese and translates to: “Your link will expire soon”.

We also have an IP address from the original sender: 193[.]217.1.27. We can check it with Domain Dossier and look at the network whois record to reveal the country code LT, which can be googled to find the answer: Lithuania
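
The two steps above (decoding a base64 header string and picking out the originating IP) can be scripted with Python's standard library. This is an added example, not part of the original write-up: the sample headers are constructed placeholders rather than the contents of out_phishing.txt, and the function names are illustrative.

```python
import email
import ipaddress
import re
from email.header import decode_header, make_header

# Constructed sample (NOT the CTF's out_phishing.txt). Hosts and IPs are
# placeholders; the Subject reuses the base64 string quoted in the write-up.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.goodcorp.example with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from sender.example.org (unknown [203.0.113.45])
\tby relay.example.net with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
Received: from [192.168.1.10] (localhost [127.0.0.1])
\tby sender.example.org with ESMTP; Mon, 1 Jan 2024 10:00:00 +0000
From: Support <support@example.org>
Subject: =?UTF-8?B?U2V1IGxpbmsgdmFpIHZlbmNlciBlbSBicmV2ZSE=?=

body
"""
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def decoded_subject(msg):
    """Decode RFC 2047 encoded-words (=?charset?B?...?=) in the Subject."""
    return str(make_header(decode_header(msg.get("Subject", ""))))

def received_hops(msg):
    """Client IPs recorded in Received headers, oldest hop first.
    Each relay prepends its header, so the last one in the file is oldest."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        match = BRACKETED_IP.search(value)
        if not match:
            continue
        try:
            hops.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # e.g. [999.1.1.1]: matches the regex, not a real IP
    return hops

def origin_ip(msg):
    """Oldest hop that is not an RFC 1918 or loopback address, or None."""
    for ip in received_hops(msg):
        if not any(ip in net for net in INTERNAL):
            return ip
    return None

MSG = email.message_from_string(SAMPLE)
print(decoded_subject(MSG), "| candidate origin:", origin_ip(MSG))
```

Received headers older than the first hop added by your own mail infrastructure are written by servers you do not control and can be forged, so treat the result as a candidate to confirm against the whois record.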
