who is it

Figure 1: The challenge description.

The context is that of a suspected phishing attack from an adversary impersonating Larry Page.

After downloading the .eml file with wget, its content shows the following information supporting the suspicion that it is a scam:

The message body, shown between lines 68 and 72, promises the recipient, Francis Manzi, a reward that is too good to be true. All he has to do is conveniently open an attachment. (Figure 2)

Figure 2: The email content.

The email was sent from the address lpage@onionmail.org, whose domain is onionmail.org. This immediately raises a red flag, as RocketReach indicates that the real Larry Page might only use email addresses on the domains @google.com, @cs.stanford.edu, @yahoo.com and @gmail.com. [1]

On top of this, OnionMail is a mail service related to the Onion Search Engine project, whose aim is to provide private, anonymous email accounts. This suggests that the true sender may be abusing the service for illicit activity, and it also poses a problem for tracking down the adversary.

The OnionMail info site explains that all OnionMail servers are configured as Tor hidden services. Tor is well known as a privacy technology built on onion routing, in which a request must pass through an entry node, several intermediate nodes and an exit node before reaching its destination. The entry node does not know the destination's IP address, while the exit node does not know the IP address of the message's source. [2]

This may be why the hint suggests a WHOIS IP lookup instead of a WHOIS domain lookup: the IP address on line 29 of the .eml file might help narrow the sender down to an IP range. (Figure 3)
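The two checks made by hand above (does the From: domain match the claimed identity, and which relay IP addresses appear in the Received: headers) can be scripted for triage of any .eml file. The following is an added example and not part of the original write-up; the embedded message is a constructed sample whose headers only mimic the shape of the challenge email, and the expected-domain list is taken from the RocketReach claim cited here.

```python
import ipaddress
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample .eml (not the challenge file). The relay IP and sender
# address mirror the values discussed in the write-up; everything else is made up.
SAMPLE_EML = b"""Received: from mail.example (mail.example [173.249.33.206])
\tby mx.example.org with ESMTP id abc123; Tue, 1 Jan 2024 00:00:00 +0000
From: Larry Page <lpage@onionmail.org>
To: Francis Manzi <fmanzi@example.org>
Subject: Your reward
Content-Type: text/plain

Open the attachment to claim your reward.
"""

# Domains the write-up (via RocketReach) associates with the claimed sender.
EXPECTED_DOMAINS = {"google.com", "cs.stanford.edu", "yahoo.com", "gmail.com"}

# Bracketed IPv4 literals as they appear in Received: headers, e.g. "[1.2.3.4]".
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw: bytes):
    """Parse raw RFC 5322 bytes; policy.default unfolds wrapped header lines."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def sender_domain(msg) -> str:
    """Domain part of the From: address (display name is ignored on purpose)."""
    _, addr = parseaddr(str(msg["From"]))
    return addr.rpartition("@")[2].lower()


def received_ips(msg) -> list:
    """Public IPv4 addresses found in Received: headers, top (newest hop) first."""
    ips = []
    for hdr in msg.get_all("Received", []):
        for m in IP_RE.finditer(str(hdr)):
            try:
                ip = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue  # malformed literal such as 999.1.1.1
            if ip.is_global:  # skip private/loopback hops inside the receiving side
                ips.append(str(ip))
    return ips


def triage(raw: bytes) -> dict:
    """Summarise the two header-level indicators used in the write-up."""
    msg = parse_message(raw)
    domain = sender_domain(msg)
    return {
        "from_domain": domain,
        "domain_matches_claimed_identity": domain in EXPECTED_DOMAINS,
        "relay_ips": received_ips(msg),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

The relay addresses come out newest hop first because mail servers prepend Received: headers; the last entry in the list is therefore the hop closest to the sender, which is the one worth feeding into a WHOIS IP lookup.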

Figure 3: The IP address of the onion email server protecting the attacker.
Figure 4: Results from reverse lookup.

Running whois on the IP address 173.249.33.206 returned a referral to the RIPE database, which reports the IP range 173.249.32.0 – 173.249.63.255.

The remarks here seem to corroborate the WHOIS findings: they state that IP addresses within this range are known to be associated with “Spam, hacking or scans” to the point of raising complaints, and that the attacker’s true email may be abuse@contabo.de. (Figure 5)
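To confirm that a looked-up address really falls inside the inetnum range a WHOIS server returns, and to pull the remarks and abuse contact out of the record without reading it by eye, the RIPE-style "key: value" output can be parsed directly. This is an added example, not code from the original write-up; the embedded record is a constructed excerpt in RIPE object layout, with placeholder netname, abuse mailbox and person values rather than the ones shown in the write-up's screenshots.

```python
import ipaddress
import re

# Constructed excerpt in RIPE-style whois format (not the actual whois output
# from the write-up). Only the inetnum range is the value discussed there.
SAMPLE_WHOIS = """\
% This is a constructed record for demonstration purposes.

inetnum:        173.249.32.0 - 173.249.63.255
netname:        EXAMPLE-NET
remarks:        Spam, hacking or scans are being sent from
remarks:        IP addresses in this range; complaints have been received.
abuse-mailbox:  abuse@example.invalid
person:         Example Person
"""

# Words in a remarks: field that a triage analyst would treat as a signal.
ABUSE_KEYWORDS = ("spam", "hacking", "scan", "abuse")


def parse_whois(text: str) -> dict:
    """Collect 'key: value' lines; repeated keys (e.g. remarks) become lists."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z][a-z0-9-]*):\s*(.*)$", line)
        if not m:  # comments ('%'), blank lines and continuation text are skipped
            continue
        key, value = m.groups()
        fields.setdefault(key, []).append(value.strip())
    return fields


def inetnum_networks(fields: dict) -> list:
    """Convert the 'lo - hi' inetnum range into CIDR networks."""
    lo, hi = (s.strip() for s in fields["inetnum"][0].split("-"))
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(lo), ipaddress.ip_address(hi)))


def ip_in_range(ip: str, fields: dict) -> bool:
    """True if the looked-up address lies inside the record's inetnum range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in inetnum_networks(fields))


def abuse_remarks(fields: dict) -> list:
    """Remarks lines that mention spam/hacking/scan activity."""
    return [r for r in fields.get("remarks", [])
            if any(k in r.lower() for k in ABUSE_KEYWORDS)]


def abuse_contact(fields: dict):
    """The abuse-mailbox value, or None if the record has none."""
    return fields.get("abuse-mailbox", [None])[0]


if __name__ == "__main__":
    rec = parse_whois(SAMPLE_WHOIS)
    print([str(n) for n in inetnum_networks(rec)])
    print(ip_in_range("173.249.33.206", rec), abuse_remarks(rec), abuse_contact(rec))
```

The range 173.249.32.0 – 173.249.63.255 collapses to the single prefix 173.249.32.0/19, which is the form most blocklists and firewall rules expect; an address just past the upper bound, such as 173.249.64.1, is correctly reported as outside it.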

Figure 5: Zoom in of whois reverse lookup result, showing malicious IP range.

The sender’s full name is Wilhelm Zwalina. (Figure 6)

Figure 6: Zoom in of whois reverse lookup result, showing full name of adversary.

The correct flag is picoCTF{WilhelmZwalina}.

References

[1] “Larry Page email address & phone number | Google Founder contact information,” RocketReach. https://rocketreach.co/larry-page-email_69657426

[2] “What is OnionMail?,” en.onionmail.info. https://en.onionmail.info/what.html