{"id":1970,"date":"2026-02-11T16:20:35","date_gmt":"2026-02-11T21:20:35","guid":{"rendered":"https:\/\/www.peteonsoftware.com\/?p=1970"},"modified":"2026-02-11T16:20:35","modified_gmt":"2026-02-11T21:20:35","slug":"hack-the-box-walkthrough-phishnet","status":"publish","type":"post","link":"https:\/\/www.peteonsoftware.com\/index.php\/2026\/02\/11\/hack-the-box-walkthrough-phishnet\/","title":{"rendered":"Hack the Box Walkthrough: PhishNet"},"content":{"rendered":"

\"HTBThis time, we’re taking a look at another Sherlock from Hack the Box called PhishNet<\/a>. We can probably already guess by the name that this is going to be some Blue Team work around investigating emails or a phishing attack or the like and it turns out that this is a fun little adventure into entry-level email header research. If we take a look at the scenario, we get this: “An accounting team receives an urgent payment request from a known vendor. The email appears legitimate but contains a suspicious link and a .zip attachment hiding malware. Your task is to analyze the email headers, and uncover the attacker’s scheme.”<\/p>\n

So there we have it. To start off, we download the .zip file attached to the lab and unzip it using the provided password hacktheblue<\/em>. Inside, we find one file called email.eml<\/em>.<\/p>\n

Task 1: What is the originating IP address of the sender?<\/strong><\/p>\n

To start off and answer a few of these questions, we can just open the .eml file in plain text viewer of our choice. The answer to this one is right near the top. These headers both agree, so this is definitely the answer.<\/p>\n

\r\nX-Originating-IP: [45.67.89.10]\r\n...\r\nX-Sender-IP: 45.67.89.10\r\n<\/pre>\n
Task 1 Answer: 45.67.89.10<\/strong><\/em><\/p>\n
Task 2: Which mail server relayed this email before reaching the victim?<\/strong><\/p>\n
Looking at the headers again, we see the following.  The last server to touch it was mail.business-finance.com.  HTB didn’t want that, but the IP instead.<\/p>\n
\r\nReceived: from mail.business-finance.com ([203.0.113.25])\r\n\tby mail.target.com (Postfix) with ESMTP id ABC123;\r\n\tMon, 26 Feb 2025 10:15:00 +0000 (UTC)\r\nReceived: from relay.business-finance.com ([198.51.100.45])\r\n\tby mail.business-finance.com with ESMTP id DEF456;\r\n\tMon, 26 Feb 2025 10:10:00 +0000 (UTC)\r\nReceived: from finance@business-finance.com ([198.51.100.75])\r\n\tby relay.business-finance.com with ESMTP id GHI789;\r\n\tMon, 26 Feb 2025 10:05:00 +0000 (UTC)\r\n<\/pre>\n
Task 2 Answer: 203.0.113.25<\/strong><\/em><\/p>\n
Task 3: What is the sender’s email address?<\/strong><\/p>\n
I wasn’t sure if this was a trick or not, but nothing here appears too crazy and these items all agree, so this is definitely the answer.<\/p>\n
\r\nReturn-Path: <finance@business-finance.com>\r\n...\r\nX-Envelope-From: finance@business-finance.com\r\n...\r\nFrom: "Finance Dept" <finance@business-finance.com>\r\n<\/pre>\n
Task 3 Answer: finance@business-finance.com<\/strong><\/em><\/p>\n
Task 4: What is the ‘Reply-To’ email address specified in the email?<\/strong><\/p>\n
This is at the top (second line).  This might seem shady at first, but it is pretty common for emails to be sent from one mailbox that’s unmonitored and to have replies directed to a monitored box.<\/p>\n
\r\nReply-To: <support@business-finance.com>\r\n<\/pre>\n
Task 4 Answer: support@business-finance.com<\/strong><\/em><\/p>\n
Task 5: What is the SPF (Sender Policy Framework) result for this email?<\/strong><\/p>\n
Headers again.<\/p>\n
\r\nReceived-SPF: Pass (protection.outlook.com: domain of business-finance.com designates 45.67.89.10 as permitted sender)\r\n<\/pre>\n
Task 5 Answer: Pass<\/strong><\/em><\/p>\n
Task 6: What is the domain used in the phishing URL inside the email?<\/strong><\/p>\n
Reading the email, we find a link coded as follows:<\/p>\n
\r\n<a href=\"https:\/\/secure.business-finance.com\/invoice\/details\/view\/INV2025-0987\/payment\">Download Invoice<\/a>\r\n<\/pre>\n
Task 6 Answer: secure.business-finance.com<\/strong><\/em><\/p>\n
Task 7: What is the fake company name used in the email?<\/strong><\/p>\n
Check and see how the rogues signed their email.<\/p>\n
\r\n<p>Best regards,<br>Finance Department<br>Business Finance Ltd.</p>\r\n<\/pre>\n
Task 7 Answer: Business Finance Ltd.<\/strong><\/em><\/p>\n
Task 8: What is the name of the attachment included in the email?<\/strong><\/p>\n
Down at the very bottom, under where it starts --boundary123<\/em><\/p>\n
\r\nContent-Type: application/zip; name="Invoice_2025_Payment.zip"\r\n
Content-Disposition: attachment; filename="Invoice_2025_Payment.zip"\r\n<\/pre>\n
Task 8 Answer: Invoice_2025_Payment.zip<\/strong><\/em><\/p>\n
Task 9: What is the SHA-256 hash of the attachment?<\/strong><\/p>\n
There are probably a lot of ways to do this.  In this case, I’m using ripmime<\/em> (sudo apt install ripmime<\/em>)<\/p>\n
\r\n$ ripmime -i email.eml \r\n$ ls\r\nemail.eml  Invoice_2025_Payment.zip  textfile0  textfile1\r\n$ sha256sum Invoice_2025_Payment.zip \r\n8379c41239e9af845b2ab6c27a7509ae8804d7d73e455c800a551b22ba25bb4a  Invoice_2025_Payment.zip\r\n<\/pre>\n
Task 9 Answer: 8379c41239e9af845b2ab6c27a7509ae8804d7d73e455c800a551b22ba25bb4a<\/strong><\/em><\/p>\n
Task 10: What is the filename of the malicious file contained within the ZIP attachment?<\/strong><\/p>\n
When I try to use unzip to unzip this, I get an error.  When I use 7Zip, it yells at me, but extracts a file, giving us the answer.<\/p>\n
\r\n$ unzip Invoice_2025_Payment.zip \r\nArchive:  Invoice_2025_Payment.zip\r\n  End-of-central-directory signature not found.  Either this file is not\r\n  a zipfile, or it constitutes one disk of a multi-part archive.  In the\r\n  latter case the central directory and zipfile comment will be found on\r\n  the last disk(s) of this archive.\r\nunzip:  cannot find zipfile directory in one of Invoice_2025_Payment.zip or\r\n        Invoice_2025_Payment.zip.zip, and cannot find Invoice_2025_Payment.zip.ZIP, period. \r\n\r\n$ 7z x Invoice_2025_Payment.zip \r\n\r\n7-Zip 25.01 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-08-03\r\n 64-bit locale=en_US.UTF-8 Threads:128 OPEN_MAX:1024, ASM\r\n\r\nScanning the drive for archives:\r\n1 file, 75 bytes (1 KiB)\r\n\r\nExtracting archive: Invoice_2025_Payment.zip\r\n\r\nERRORS:\r\nUnexpected end of archive\r\n\r\n--\r\nPath = Invoice_2025_Payment.zip\r\nType = zip\r\nERRORS:\r\nUnexpected end of archive\r\nPhysical Size = 75\r\nCharacteristics = Local\r\n\r\nERROR: Data Error : invoice_document.pdf.bat\r\n                               \r\nSub items Errors: 1\r\n\r\nArchives with Errors: 1\r\n\r\nOpen Errors: 1\r\n\r\nSub items Errors: 1        \r\n<\/pre>\n
Doing a little research, I also apparently could have used exiftool<\/em> and found the information like this<\/p>\n
\r\n$ exiftool Invoice_2025_Payment.zip \r\nExifTool Version Number         : 13.44\r\nFile Name                       : Invoice_2025_Payment.zip\r\nDirectory                       : .\r\nFile Size                       : 75 bytes\r\nFile Modification Date\/Time     : 2026:02:11 15:52:58-05:00\r\nFile Access Date\/Time           : 2026:02:11 15:52:58-05:00\r\nFile Inode Change Date\/Time     : 2026:02:11 15:52:58-05:00\r\nFile Permissions                : -rw-------\r\nWarning                         : Format error reading ZIP file\r\nFile Type                       : ZIP\r\nFile Type Extension             : zip\r\nMIME Type                       : application\/zip\r\nZip Required Version            : 20\r\nZip Bit Flag                    : 0\r\nZip Compression                 : Deflated\r\nZip Modify Date                 : 2025:02:26 15:56:48\r\nZip CRC                         : 0x2a8e3d17\r\nZip Compressed Size             : 1249907\r\nZip Uncompressed Size           : 1690811\r\nZip File Name                   : invoice_document.pdf.bat\r\n<\/pre>\n
Task 10 Answer: invoice_document.pdf.bat<\/strong><\/em><\/p>\n
Task 11: Which MITRE ATT&CK techniques are associated with this attack?<\/strong><\/p>\n
So this information isn’t located in the file.  I also searched our SHA256 on VirusTotal and there were a ton of MITRE ATT&CK techniques associated with the file, so I had to think broader.  What kind of attack is this?  This is a phishing attack.  Specifically, it seems like a targeted phishing attack making it likely spearphishing<\/em>.  However, it doesn’t qualify as whaling<\/em> because this isn’t a single high-value individual being targeted.  When we look up Phishing on the MITRE ATT&CK pages, we see this category and sub-categories.<\/p>\n
\"MITRE<\/p>\n
Given that this was phishing with an attachment, I tried T1566.001 and that is what they wanted.<\/p>\n
Task 11 Answer: T1566.001<\/strong><\/em><\/p>\n
\"HTB<\/p>\n","protected":false},"excerpt":{"rendered":"
This time, we’re taking a look at another Sherlock from Hack the Box called PhishNet. We can probably already guess by the name that this is going to be some Blue Team work around investigating …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[153],"tags":[159,141,142],"class_list":["post-1970","post","type-post","status-publish","format-standard","hentry","category-capture-the-flag","tag-blue-team","tag-information-security","tag-infosec"],"_links":{"self":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1970","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/comments?post=1970"}],"version-history":[{"count":7,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1970\/revisions"}],"predecessor-version":[{"id":1977,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/posts\/1970\/revisions\/1977"}],"wp:attachment":[{"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/media?parent=1970"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/categories?post=1970"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.peteonsoftware.com\/index.php\/wp-json\/wp\/v2\/tags?post=1970"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}