Onboarding Checklist - TAMUctf 2019
From: email@example.com
Date: Feb 22, 2019 9:00 AM
To: firstname.lastname@example.org
Subject: New Employee Access

Hello Some Guy,

We need to begin sending requests for the new employee to get access to our security appliances. I believe they already know that you are authorized to make a new account request. Would you mind sending the new employee's email address to email@example.com so they can process the account request?

Thank you,
Important Person

The new employee can be a little slow to respond.
So by reading through the challenge description there are 3 things that stand out to me:
- Our email: firstname.lastname@example.org
- The target's email: email@example.com
- We are supposed to send them an email containing an email address (the "new employee")
My first thought was to send the target an email from a throwaway email maker like Guerrilla and change the sender address to be someguy. This didn't work; we're met with an email from firstname.lastname@example.org that tells us of our failure :(
So this led me to believe that it's not just testing if there's "someguy" in the email address, so we should try to get the domain too!
After that, I googled around and came across the PHP mail function. Looking at the w3schools page on it, we can see them setting From in the headers. Interesting...
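```php
<?php
// Recipient, subject and body of the message
$to = "email@example.com";
$subject = "My subject";
$txt = "Hello world!";
// Extra headers are passed as a raw string, so From is whatever the script writes here
$headers = "From: firstname.lastname@example.org" . "\r\n" .
    "CC: email@example.com";

mail($to, $subject, $txt, $headers);
?>
```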
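The mail() call above works because the From header is whatever the sender writes. As an added example (not part of the original writeup or the challenge's code), this Python check shows the recipient side: it ignores header From unless the receiving server's own DMARC verdict passed. The domains, the authserv-id `mx.example.com` and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.example.com"  # assumption: authserv-id of our own receiving MTA

def domain_of(header_value):
    """Lowercased domain of an address header, or '' when missing."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def dmarc_result(msg, authserv=TRUSTED_AUTHSERV):
    """Read dmarc= only from Authentication-Results stamped by our own MTA."""
    for value in msg.get_all("Authentication-Results", []):
        parts = str(value).split(";")
        if parts[0].strip().lower().split(" ")[0] != authserv:
            continue  # any other copy may have been written by the sender
        for part in parts[1:]:
            m = re.match(r"\s*dmarc=(\w+)", part)
            if m:
                return m.group(1).lower()
    return "none"

def check_sender(raw):
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])
    dmarc = dmarc_result(msg)
    return {"from_domain": from_dom, "envelope_domain": env_dom,
            # exact-match comparison; real DMARC also allows relaxed alignment
            "aligned": bool(from_dom) and from_dom == env_dom,
            "dmarc": dmarc, "accept": dmarc == "pass"}

# Constructed sample: sent from a shared web host, From claims example.org,
# and the sender also planted its own "dmarc=pass" header.
SPOOFED = "\n".join([
    "Return-Path: <u123@sharedhost.example.net>",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=sharedhost.example.net; dmarc=fail header.from=example.org",
    "Authentication-Results: sender.invalid; dmarc=pass",
    "From: Some Guy <someguy@example.org>",
    "Subject: New Employee Access", "", "new.employee@example.net"])

# Constructed sample: same From, but sent through the domain's own mail server.
GENUINE = "\n".join([
    "Return-Path: <someguy@example.org>",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.org; dmarc=pass header.from=example.org",
    "From: Some Guy <someguy@example.org>",
    "Subject: New Employee Access", "", "new.employee@example.net"])

if __name__ == "__main__":
    print(check_sender(SPOOFED))
    print(check_sender(GENUINE))
```
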
Because I'm too lazy to set up SMTP by myself, to quickly test it out, I set up a page on 000webhost, created a file called mail.php, and edited w3schools' example to fit our needs.
Save the file, browse to it on your site, and now the best part! Waiting!
Admittedly, when I solved this it didn't take long at all to receive the email, probably less than 10 minutes. I did see a lot of people saying that it took over 24 hours for them though. In TAMU's defense, they did say "The new employee can be a little slow to respond." :P
After waiting, you should receive an email with the flag in the inbox of the address you supplied.