Mail Detective⚓︎

Difficulty:
Direct link: Mail Detective
Area: City Hall
In-game avatar: Maurice Wilson
Hints⚓︎
Did You Say Curl?
If I heard this correctly...our sneaky security gurus found a way to interact with the IMAP server using Curl! Yes...the CLI HTTP tool! Here are some helpful docs I found
https://everything.curl.dev/usingcurl/reademail.html
Objective⚓︎
Request
Help Mo in City Hall solve a curly email caper and crack the IMAP case.
What is the URL of the pastebin service the gnomes are using?
Maurice Wilson
Hey there! I'm Mo, on loan from the Air Force, and let me tell you - Counter Hack is the best job I have ever had!
So here's our situation: those gnomes have been sending JavaScript-enabled emails to everyone in the neighborhood, and it's causing chaos.
We had to shut down all the email clients because they weren't blocking the malicious scripts - kind of like how we'd ground aircraft until we clear a security threat.
The only safe way to access the email server now is through curl - yes, the HTTP tool!
Think you can help me use curl to connect to the IMAP server and hunt down one of these gnome emails?
Outstanding work! You've mastered using curl for IMAP - that's some serious command-line skills that would make any Air Force tech proud.
Counter Hack really is the best job I have ever had, especially when we get to solve problems like this!
High-Level Steps⚓︎
- Connect – Authenticate to the IMAP server using curl.
- Enumerate – Retrieve and review messages from the spam folder.
- Extract – Identify the malicious pastebin URL from the email content.
flowchart TD
subgraph Row1["Connect"]
direction LR
A[Authenticate to IMAP server]
end
subgraph Row2["Enumerate"]
direction LR
B[List spam messages]
C[Fetch email contents]
B --> C
end
subgraph Row3["Extract"]
direction LR
D[Search email for indicators]
E[Identify pastebin URL]
F[Objective completed]
D --> E --> F
end
Row1 --> Row2
Row2 --> Row3
Solution⚓︎
Initial prompt:

Connect to the mail server with the given credentials. With no mailbox in the URL path, curl issues an IMAP LIST and prints one line per folder, which confirms that a Spam folder exists.
curl -u "dosismail:holidaymagic" "imap://localhost:143/"
List every message in the Spam folder. The -X option makes curl select the mailbox named in the path and then send the quoted IMAP command verbatim; this one returns the UID and flags of each message, so we know how many messages there are and which UIDs to fetch.
curl -u "dosismail:holidaymagic" imap://localhost:143/Spam -X 'fetch 1:* (UID FLAGS)'
Fetch each message by UID and look for a pastebin URL. The ;UID=N suffix makes curl send UID FETCH N BODY[] and print that single raw message, so every grep hit can be tied to exactly one message.
curl -u "dosismail:holidaymagic" "imap://localhost:143/Spam;UID=1" | grep -i pastebin
curl -u "dosismail:holidaymagic" "imap://localhost:143/Spam;UID=2" | grep -i pastebin
Message 2 contains the pastebin URL below, which is the answer.
https://frostbin.atnas.mail/api/paste

Answer
https://frostbin.atnas.mail/api/paste
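The manual steps above work for a two-message folder, but guessing UIDs does not scale. The script below is an added example, not part of the original write-up: it asks the server for the full UID list with UID SEARCH ALL, fetches every message by UID with the same ;UID= URL form, and pulls out every URL plus a count of script tags (the "JavaScript-enabled" indicator in the story). The server address, user and mailbox default to the write-up's values; the password is read from the IMAP_PASS environment variable rather than the command line so it does not land in shell history or process listings. The SEARCH response and message at the bottom are constructed samples (the frostbin.example.invalid host is made up) so the parsing functions can run without a server; pass --live to run against the real one.

```shell
#!/usr/bin/env bash
# Added example for the Mail Detective write-up; not the challenge's own code.
# Assumptions: curl with IMAP support, server imap://localhost:143, user dosismail,
# mailbox Spam, and a server that answers UID SEARCH with "* SEARCH <uid> <uid> ...".

IMAP_URL="${IMAP_URL:-imap://localhost:143}"
IMAP_USER="${IMAP_USER:-dosismail}"
MAILBOX="${MAILBOX:-Spam}"

# Parse the UIDs out of a raw "* SEARCH ..." response (RFC 3501 section 7.2.5)
# read from stdin; prints one UID per line.
parse_uids() {
    sed -n 's/^\* SEARCH//p' | tr -s ' \r' '\n' | grep -E '^[0-9]+$' || true
}

# Pull http(s) URLs out of a raw RFC 5322 message on stdin; one per line, de-duplicated.
# Stops at whitespace, quotes and angle brackets so HTML attributes and <url> wrappers
# do not leak into the match.
extract_urls() {
    tr -d '\r' | grep -oE 'https?://[^[:space:]"<>]+' | sort -u || true
}

# Count opening <script tags in the message on stdin (closing tags are not counted).
count_script_tags() {
    tr -d '\r' | grep -oi '<script' | wc -l | tr -d ' '
}

# Live driver: enumerate UIDs with a custom command, then fetch each message by UID.
hunt_mailbox() {
    local uids uid msg
    [ -n "${IMAP_PASS:-}" ] || { echo "set IMAP_PASS first" >&2; return 1; }
    uids=$(curl -sS -u "$IMAP_USER:$IMAP_PASS" "$IMAP_URL/$MAILBOX" -X 'UID SEARCH ALL' | parse_uids)
    for uid in $uids; do
        # ;UID=<n> makes curl send UID FETCH <n> BODY[] and print that one message.
        msg=$(curl -sS -u "$IMAP_USER:$IMAP_PASS" "$IMAP_URL/$MAILBOX;UID=$uid")
        printf '== UID %s: %s <script> tag(s)\n' "$uid" "$(printf '%s' "$msg" | count_script_tags)"
        printf '%s' "$msg" | extract_urls
    done
}

# Constructed samples (not real server output) so the parsers can run offline.
SAMPLE_SEARCH=$(printf '* SEARCH 1 2 7\r\nA001 OK UID SEARCH completed\r\n')
SAMPLE_MSG=$(printf 'From: gnome@example.invalid\r\nSubject: holiday deal\r\nContent-Type: text/html\r\n\r\n<html><body>\r\n<script src="https://frostbin.example.invalid/api/paste"></script>\r\n<a href="https://frostbin.example.invalid/api/paste">click</a>\r\n</body></html>\r\n')

if [ "${1:-}" = "--live" ]; then
    hunt_mailbox
else
    printf 'UIDs: %s\n' "$(printf '%s' "$SAMPLE_SEARCH" | parse_uids | tr '\n' ' ')"
    printf 'script tags: %s\n' "$(printf '%s' "$SAMPLE_MSG" | count_script_tags)"
    printf '%s' "$SAMPLE_MSG" | extract_urls
fi
```

Run as IMAP_PASS=holidaymagic ./hunt.sh --live against the challenge server; without --live it only exercises the parsers on the embedded samples. If you prefer to keep the password out of the environment as well, curl prompts for it when -u is given a bare username, and --netrc reads it from a file.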
Response⚓︎
Maurice Wilson
Outstanding work! You've mastered using curl for IMAP - that's some serious command-line skills that would make any Air Force tech proud.
Learnings⚓︎
- You can use curl against IMAP to access emails! I never knew this!
Prevention & Hardening Notes⚓︎
- IMAP authenticates with nothing more than a username and password, so anyone holding a leaked password (or, as in this challenge, anyone with curl) can read a mailbox without ever seeing an MFA prompt. In Microsoft 365, Basic authentication for IMAP has been disabled by Microsoft since October 2022; keep it that way, block legacy authentication clients with a Conditional Access policy, and disable IMAP on mailboxes that do not need it (Set-CASMailbox -Identity <user> -ImapEnabled $false).
- In an on-prem Exchange environment, Outlook talks to the server over MAPI over HTTP, not IMAP, so the IMAP4 services (which are disabled by default) can stay off, or IMAP can be restricted at the firewall to the known networks of the few clients that genuinely need it.
- For any IMAP that stays enabled, require TLS (IMAPS on 993, or STARTTLS on 143 with plaintext logins rejected). The write-up's connection to port 143 is unencrypted, so the login is only as protected as the SASL mechanism the server offers, and with a plain LOGIN the password crosses the network in the clear; on the client side curl only negotiates TLS with imaps:// or --ssl-reqd.
- Mail clients must render HTML mail without executing scripts. The "JavaScript-enabled emails" in the story are exactly the case where a client that strips active content (or a raw fetch with curl, which executes nothing) is safer than one that runs it.