The Planet's Prestige

Message

Original Base64 encoded message:

Decoded message:

Hi TheMajorOnEarth,

The abducted CoCanDians are with me including the President’s daughter. Dont worry. They are safe in a secret location.
Send me 1 Billion CoCanDs🤑 in cash💸 with a spaceship🚀 and my autonomous bots will safely bring back your citizens.

I heard that CoCanDians have the best brains in the Universe. Solve the puzzle I sent as an attachment for the next steps.

I’m approximately 12.8 light minutes away from the sun and my advice for the puzzle is

“Don't Trust Your Eyes”

Lol😂

See you Major. Waiting for the Cassshhhh💰

Solution

  1. What is the email service used by the malicious actor? (1 points)

    Answer: emkei.cz

  2. What is the Reply-To email address? (2 points)

    Answer: negeja3921@pashter.com

  3. What is the filetype of the received attachment which helped to continue the investigation? (1 points)

    First, paste the attachment's Base64-encoded content into CyberChef, then run From Base64 ~> Extract Files to get the three files. Only the first file matters.

    Answer: zip

  4. What is the name of the malicious actor? (2 points)

    Command: exiftool GoodJobMajor

    Answer: Pestero Negeja

  5. What is the location of the attacker in this Universe? (2 points)

    The Money.xlsx file contains a table with the following Base64-encoded data:

    VGhlIE1hcnRpYW4gQ29sb255LCBCZXNpZGUgSW50ZXJwbGFuZXRhcnkgU3BhY2Vwb3J0Lg==

    Decoded from Base64, this is:

    The Martian Colony, Beside Interplanetary Spaceport.

    Answer: The Martian Colony, Beside Interplanetary Spaceport

  6. What could be the probable C&C domain to control the attacker’s autonomous bots? (2 points)

    Performing a reverse lookup on the IP address on DomainTools did not net any useful information here.

    Answer: pashter.com
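
The header and attachment checks from questions 2 and 3 can also be scripted. The following is an added example, not part of the original write-up: it reads the From and Reply-To headers and compares each attachment's declared MIME subtype with the type implied by its leading bytes. The sample message, its addresses and the PDF label on the attachment are constructed for illustration.

```python
import io
import zipfile
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Leading-byte signatures for a few common attachment types.
MAGIC = {b"PK\x03\x04": "zip", b"%PDF": "pdf", b"\xff\xd8\xff": "jpeg", b"\x89PNG": "png"}

def sniff(data: bytes) -> str:
    """Return the type implied by the leading bytes, or 'unknown'."""
    return next((name for sig, name in MAGIC.items() if data.startswith(sig)), "unknown")

def domain(header: str) -> str:
    """Lower-cased domain part of an address header value."""
    return parseaddr(header)[1].rpartition("@")[2].lower()

def triage(raw_eml: str) -> dict:
    """Report sender headers and each attachment's declared vs. actual type."""
    msg = message_from_string(raw_eml, policy=policy.default)
    sender, reply_to = str(msg.get("From", "")), str(msg.get("Reply-To", ""))
    report = {"from": sender, "reply_to": reply_to,
              "reply_to_differs": bool(reply_to) and domain(reply_to) != domain(sender),
              "attachments": []}
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # undoes the Base64 transfer encoding
        declared, actual = part.get_content_subtype(), sniff(data)
        report["attachments"].append({"filename": part.get_filename(), "declared": declared,
                                      "actual": actual, "mismatch": declared != actual})
    return report

def build_sample() -> str:
    """Constructed sample: a ZIP archive attached under a PDF name and MIME type."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample content")
    msg = EmailMessage()
    msg["From"] = "sender@mailer.example"        # constructed address
    msg["Reply-To"] = "someone@other.example"    # constructed address
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="pdf",
                       filename="puzzle.pdf")
    return msg.as_string()

if __name__ == "__main__":
    print(triage(build_sample()))
```

To run it against a saved message, pass the contents of the `.eml` file to `triage()` instead of `build_sample()`.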


Tags

  1. retired (Private)
  2. easy (Private)
  3. 10 points (Private)