You Have Mail

Description

You Have Mail [Forensics]

This challenge is composed of an email, more specifically a .eml file. The email introduces the theme for the forensics group, which is a whistleblower announcing that alien life exists on Earth, and the government knows about it.

URGENT_Proof_of_UFO_Read_in_a_secure_location.eml

Solution

The most important part of the email is its embedded attachment:

--000000000000cd98100617e8acef
Content-Type: application/zip; name="evidence.zip"
Content-Disposition: attachment; filename="evidence.zip"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_lvx8qxe70
Content-ID: <f_lvx8qxe70>

UEsDBAoACQAAADewp1gfngtKRAAAADgAAAAMABwAZXZpZGVuY2UudHh0VVQJAAMZ6zpm6Oo6ZnV4
CwABBOgDAAAEAAAAADeIlKHufvfLJvJ/Ed32cRwF755eiG+bw1NAIL3UPKn+4WIMkSPXJInVFxLM
CrGuacbTdG6AcqrqzDiXWVhqKv6WuHlKUEsHCB+eC0pEAAAAOAAAAFBLAQIeAwoACQAAADewp1gf
ngtKRAAAADgAAAAMABgAAAAAAAEAAACkgQAAAABldmlkZW5jZS50eHRVVAUAAxnrOmZ1eAsAAQTo
AwAABAAAAABQSwUGAAAAAAEAAQBSAAAAmgAAAAAA
--000000000000cd98100617e8acef--

└─$ cat evidence.zip.base64 | base64 -d > evidence.zip

└─$ file evidence.zip
evidence.zip: Zip archive data, at least v1.0 to extract, compression method=store

└─$ unzip evidence.zip
Archive:  evidence.zip
[evidence.zip] evidence.txt password:
   skipping: evidence.txt            incorrect password

The email also included the password, but hex-encoded, so that is the second most important piece of information in the email.

Recipe

└─$ unzip -P 'Secure_Code:Order_66' evidence.zip
Archive:  evidence.zip
 extracting: evidence.txt

└─$ cat evidence.txt
You found the evidence!

 SIVBGR{th3_ev1d3nc3_1s_h3r3}
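
The same triage can be done in memory with Python's standard library, without writing the attachment to disk. This is an added example, not part of the original write-up: the message built by `build_sample()` is a constructed stand-in (unencrypted zip, made-up body wording), and the function names are hypothetical.

```python
import email, io, re, zipfile
from email import policy
from email.message import EmailMessage

def parse(raw: bytes):
    """Return ({filename: bytes} for attachments, printable strings decoded from hex runs in the body)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # get_payload(decode=True) undoes the Content-Transfer-Encoding (base64 here).
    files = {p.get_filename(): p.get_payload(decode=True) for p in msg.iter_attachments()}
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    candidates = []
    for run in re.findall(r"\b(?:[0-9a-fA-F]{2}){8,}\b", text):
        decoded = bytes.fromhex(run)
        if all(32 <= b < 127 for b in decoded):  # keep printable ASCII only
            candidates.append(decoded.decode("ascii"))
    return files, candidates

def read_zip(data: bytes, passwords):
    """Read every entry in memory, trying each candidate password on encrypted ones."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            encrypted = bool(info.flag_bits & 0x1)  # bit 0 = entry is encrypted
            for pwd in (passwords if encrypted else [None]):
                try:
                    out[info.filename] = zf.read(info, pwd=pwd.encode() if pwd else None)
                    break
                except (RuntimeError, zipfile.BadZipFile):
                    continue  # wrong password: try the next candidate
    return out

def build_sample() -> bytes:
    """Constructed stand-in for the challenge email (not the original message)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("evidence.txt", "constructed sample contents\n")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Password (hex): " + b"Secure_Code:Order_66".hex() + "\n")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="evidence.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    files, candidates = parse(build_sample())
    print(candidates, read_zip(files["evidence.zip"], candidates))
```

Python's `zipfile` can decrypt the legacy ZipCrypto scheme only, so AES-encrypted archives need a different tool.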
