Mail Detective
Help Mo in City Hall solve a curly email caper and crack the IMAP case. What is the URL of the pastebin service the gnomes are using?
Difficulty: ❄ ❄ ❄ ❄ ❄
Hints
Did You Say Curl?
If I heard this correctly… our sneaky security gurus found a way to interact with the IMAP server using Curl! Yes… the CLI HTTP tool! Here are some helpful docs I found: https://everything.curl.dev/usingcurl/reademail.html
motd

```text
=======================================================================
🎄 Mail Detective: Curly IMAP Investigation 🎄
=======================================================================
⚠️ ALERT! Those gnomes have been sending JavaScript-enabled emails
to everyone in the neighborhood, and it's causing absolute chaos!
We had to shut down all the email clients because they weren't blocking
the malicious scripts—kind of like how we'd ground aircraft until we clear
a security threat.
The only safe way to access the email server now is through curl,
the trusty HTTP tool. Yes, we're using curl to connect to IMAP!
It's unconventional, but it's secure.
🕵️ YOUR MISSION: Use curl to safely connect to the IMAP server
and hunt down one of these gnome emails. Find the malicious email
that wants to exfiltrate data to a pastebin service and submit the URL
of that pastebin service in your badge.
📡 Server Info:
The IMAP server is running locally on TCP port 143
Backdoor credentials: dosismail:holidaymagic
🎅 Good luck, Holiday Hacker! 🎅
=======================================================================
```
Solution
I started by listing the available mailboxes on the local IMAP server using the provided credentials:
```console
dosismail @ Neighborhood Mail ~$ curl "imap://dosismail:holidaymagic@localhost:143/"
* LIST (\HasNoChildren) "." Spam
* LIST (\HasNoChildren) "." Sent
* LIST (\HasNoChildren) "." Archives
* LIST (\HasNoChildren) "." Drafts
* LIST (\HasNoChildren) "." INBOX
```
Since the objective was to identify a pastebin service, I decided to search for that specific keyword across all available folders. I wrote a quick loop to iterate through the mailbox list and execute a SEARCH command on each one:
```console
dosismail @ Neighborhood Mail ~$ imap='imap://dosismail:holidaymagic@localhost:143/'; for i in $(curl -sS $imap | tr -d '\r' | cut -d " " -f 5); do result=$(curl -s "$imap$i" -X 'SEARCH BODY "pastebin"'); echo "$i --> $result"; done
Spam --> * SEARCH 2
Sent --> * SEARCH
Archives --> * SEARCH
Drafts --> * SEARCH
INBOX --> * SEARCH
```
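The loop above works because every mailbox on this server has a single-word name, so `cut -d " " -f 5` happens to land on it. On a real server the same one-liner breaks on quoted names containing spaces (`"Junk Mail"`) and will try to SEARCH `\Noselect` containers that cannot be selected. The parser below is an added example of mine, not part of the original write-up: it reads the untagged LIST and SEARCH responses curl prints (RFC 3501 syntax), filters out unselectable mailboxes, and percent-encodes names into the URL path. The sample responses are constructed, modelled on the output shown above. One more caveat a practitioner should keep in mind: plain `SEARCH` returns message sequence numbers, while the `;UID=` URL syntax used next expects UIDs; the two coincide in a mailbox that has never been expunged, which is why the write-up's step works, but `UID SEARCH` is the robust choice.

```python
import re
from urllib.parse import quote

# Constructed sample of what curl prints for LIST, in the shape seen above, plus two
# edge cases the `cut -d " " -f 5` one-liner mishandles: a quoted mailbox name that
# contains a space, and a \Noselect container with a NIL hierarchy delimiter.
SAMPLE_LIST = (
    '* LIST (\\HasNoChildren) "." Spam\r\n'
    '* LIST (\\HasNoChildren) "." Sent\r\n'
    '* LIST (\\HasNoChildren) "." INBOX\r\n'
    '* LIST (\\HasNoChildren) "." "Junk Mail"\r\n'
    '* LIST (\\Noselect \\HasChildren) NIL Archive\r\n'
)

# Constructed SEARCH responses: several hits, and the empty response curl printed
# for the folders that had no match.
SAMPLE_SEARCH_HITS = "* SEARCH 2 7 15\r\n"
SAMPLE_SEARCH_EMPTY = "* SEARCH\r\n"

# Untagged LIST response (RFC 3501 section 7.2.2): * LIST (flags) "delimiter" mailbox
# The mailbox is either an atom or a quoted string with \" and \\ escapes.
LIST_RE = re.compile(
    r'^\* LIST \((?P<flags>[^)]*)\) (?P<delim>"[^"]*"|NIL) '
    r'(?P<name>"(?:[^"\\]|\\.)*"|\S+)\s*$'
)


def parse_list(response):
    """Return [(mailbox_name, flags)] from the untagged LIST lines curl prints."""
    mailboxes = []
    for line in response.splitlines():
        m = LIST_RE.match(line.strip())
        if not m:
            continue
        name = m.group("name")
        if name.startswith('"'):
            # Drop the quotes and undo quoted-string escaping.
            name = re.sub(r"\\(.)", r"\1", name[1:-1])
        mailboxes.append((name, tuple(m.group("flags").split())))
    return mailboxes


def selectable(mailboxes):
    """Names that can actually be selected; SEARCH against a \\Noselect container fails."""
    return [name for name, flags in mailboxes if "\\Noselect" not in flags]


def parse_search(response):
    """Message sequence numbers from an untagged SEARCH response ([] when nothing matched)."""
    for line in response.splitlines():
        parts = line.strip().split()
        if parts[:2] == ["*", "SEARCH"]:
            return [int(n) for n in parts[2:]]
    return []


def mailbox_url(base, mailbox):
    """curl URL for a mailbox; names with spaces or '/' must be percent-encoded in the path."""
    return base + quote(mailbox, safe="")


if __name__ == "__main__":
    boxes = parse_list(SAMPLE_LIST)
    for name in selectable(boxes):
        print(mailbox_url("imap://dosismail:holidaymagic@localhost:143/", name))
    print(parse_search(SAMPLE_SEARCH_HITS), parse_search(SAMPLE_SEARCH_EMPTY))
```

Feeding each `mailbox_url(...)` to `curl -X 'SEARCH BODY "pastebin"'` reproduces the loop above without the whitespace assumption, and `parse_search` turns the reply into numbers you can iterate over when a folder has more than one hit.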
The search returned a hit in the Spam folder: message UID 2. I retrieved the content of the suspicious email using its UID:
```console
dosismail @ Neighborhood Mail ~$ curl "imap://dosismail:holidaymagic@localhost:143/Spam;UID=2"
Return-Path: <frozen.network@mysterymastermind.mail>
Delivered-To: dosis.residents@dosisneighborhood.mail
Received: from frost-command.mysterymastermind.mail (frost-command [10.0.0.15])
by mail.dosisneighborhood.mail (Postfix) with ESMTP id GHI789
for <dosis.residents@dosisneighborhood.mail>; Mon, 16 Sep 2025 12:10:00 +0000 (UTC)
From: "Frozen Network Bot" <frozen.network@mysterymastermind.mail>
To: "Dosis Neighborhood Residents" <dosis.residents@dosisneighborhood.mail>
Cc: "Jessica and Joshua" <siblings@dosisneighborhood.mail>, "CHI Team" <chi.team@counterhack.com>
Subject: Frost Protocol: Dosis Neighborhood Freezing Initiative
Date: Mon, 16 Sep 2025 12:10:00 +0000
Message-ID: <gnome-js-3@mysterymastermind.mail>
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
<html>
<body>
<h1>Perpetual Winter Protocol Activated</h1>
<p>The mysterious mastermind's plan is proceeding... Dosis neighborhood will never thaw!</p>
<script>
function initCryptoMiner() {
var worker = {
start: function() {
console.log("Frost's crypto miner started - mining FrostCoin for perpetual winter fund");
this.interval = setInterval(function() {
console.log("Mining FrostCoin... Hash rate: " + Math.floor(Math.random() * 1000) + " H/s");
}, 5000);
},
stop: function() {
clearInterval(this.interval);
}
};
worker.start();
return worker;
}
function exfiltrateData() {
var sensitiveData = {
hvacSystems: "Located " + Math.floor(Math.random() * 50) + " cooling units",
thermostatData: "Temperature ranges: " + Math.floor(Math.random() * 30 + 60) + "°F",
refrigerationUnits: "Found " + Math.floor(Math.random() * 20) + " commercial freezers",
timestamp: new Date().toISOString()
};
console.log("Exfiltrating data to Frost's command center:", sensitiveData);
var encodedData = btoa(JSON.stringify(sensitiveData));
console.log("Encoded payload for Frost: " + encodedData.substr(0, 50) + "...");
// pastebin exfiltration
var pastebinUrl = "https://frostbin.atnas.mail/api/paste";
var exfilPayload = {
title: "HVAC_Survey_" + Date.now(),
content: encodedData,
expiration: "1W",
private: "1",
format: "json"
};
console.log("Sending stolen data to FrostBin pastebin service...");
console.log("POST " + pastebinUrl);
console.log("Payload: " + JSON.stringify(exfilPayload).substr(0, 100) + "...");
console.log("Response: {\"id\":\"" + Math.random().toString(36).substr(2, 8) + "\",\"url\":\"https://frostbin.atnas.mail/raw/" + Math.random().toString(36).substr(2, 8) + "\"}");
}
function establishPersistence() {
// Service worker registration
if ('serviceWorker' in navigator) {
console.log("Attempting to register Frost's persistent service worker...");
console.log("Frost's persistence mechanism deployed");
}
localStorage.setItem("frost_persistence", JSON.stringify({
installDate: new Date().toISOString(),
version: "gnome_v2.0",
mission: "perpetual_winter_protocol"
}));
}
var miner = initCryptoMiner();
exfiltrateData();
establishPersistence();
document.title = "Frost's Gnome Network - Temperature Control";
alert("All cooling systems in Dosis neighborhood are now property of Frost!");
document.body.innerHTML += "<p style='color: cyan;'>❄️ FROST'S DOMAIN ❄️</p>";
// Cleanup after 30 seconds
setTimeout(function() {
miner.stop();
console.log("Frost's operations going dark... tracks covered");
}, 30000);
</script>
</body>
</html>
```
Analyzing the JavaScript code embedded in the email body, I found the exfiltration function exfiltrateData(). It clearly defined the target URL as https://frostbin.atnas.mail/api/paste.
Dissecting the attack
```mermaid
graph TD
    subgraph Infiltration [1. Delivery]
        A["Phishing Campaign
        (Spoofed Sender)"]
        B["Email Gateway
        (Spam Filter Analysis)"]
        style A fill:#7f1d1d,stroke:#ef4444,stroke-width:2px,color:#fff
        style B fill:#9a3412,stroke:#f97316,stroke-width:2px,color:#fff
    end
    subgraph Storage [2. Storage & Discovery]
        C["Mailbox Delivery
        (Quarantined in 'Spam')"]
        D["Forensic Discovery
        (IMAP Search via Curl)"]
        style C fill:#9a3412,stroke:#f97316,stroke-width:2px,color:#fff
        style D fill:#7f1d1d,stroke:#ef4444,stroke-width:2px,color:#fff
    end
    subgraph Impact [3. Payload Impact]
        E["Data Exfiltration
        (POST to External Pastebin)"]
        style E fill:#7f1d1d,stroke:#ef4444,stroke-width:2px,color:#fff
    end
    %% Flow Connections
    A -->|Inbound SMTP| B
    B -->|Flagged as Spam| C
    C -->|Investigator Finds| D
    D -->|Analyze Source| E
```
| Phase | Vulnerability (CWE) | Mitigation |
|---|---|---|
| 1. Delivery | CWE-20 Improper Input Validation (Malicious Script Accepted by MTA) | Content Disarm (Strip Active Content / Strict Filtering) |
| 2. Impact | CWE-200 Exposure of Sensitive Information to an Unauthorized Actor (Exfiltration to Pastebin) | Egress Filtering (Block Untrusted Destinations) |
Fixing the Email Security (CWE-20)
Vulnerability: The Mail Transfer Agent (MTA) accepted an email containing active content (HTML <script> tags) and delivered it to the user’s mailbox (specifically the Spam folder). While the spam filter correctly categorized it, the malicious payload remained intact and accessible to the end-user, posing a risk if opened in a vulnerable client.
Fix: Implement Content Disarm and Reconstruction (CDR) or strict MIME sanitization at the gateway level. The email server should strip dangerous HTML tags (such as <script>, <object>, <embed>) before the message is ever written to disk.
Secure Configuration (Concept for Postfix/Milter):
```python
import re
# Example logic for a content filter rule (concept for a Postfix milter).
# DOTALL is required: the gnome script spans many lines, so a pattern without it never matches.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

def filter_rule(body, reject=True):
    if SCRIPT_RE.search(body) or "javascript:" in body.lower():
        if reject:
            # FIX: reject the message entirely
            return "REJECT", "Active content detected in email body."
        # OR sanitize the body and deliver the inert copy
        return "SANITIZE", SCRIPT_RE.sub("[SCRIPT REMOVED]", body)
    return "ACCEPT", body
```
Impact: Even if a user opens the email from the Spam folder, the payload is inert, neutralizing the threat.
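A gateway filter has to make this decision per MIME part, not on the raw message text, and it has to catch more than the `<script>` element: inline event handlers and `javascript:` URLs also execute in a vulnerable client. The following is an added example of mine, not code from the write-up or from any mail product: it parses a constructed, shortened copy of the gnome email (same headers and pastebin URL, plus an `onload` handler and a `javascript:` link added for illustration), walks every `text/html` part, and either rejects the message or rewrites the part and records what was removed in an `X-Content-Disarm` header. The rules are regex-based to keep the logic in one readable file; a production CDR engine would apply the same decisions on a real HTML parser tree.

```python
import email
import re
from email import policy

# Constructed, shortened copy of the gnome email from the write-up: same headers and
# pastebin URL, with two extra active constructs (an onload handler and a javascript:
# link) that a filter looking only for <script> tags would miss.
RAW_MESSAGE = b"""\
From: "Frozen Network Bot" <frozen.network@mysterymastermind.mail>
To: "Dosis Neighborhood Residents" <dosis.residents@dosisneighborhood.mail>
Subject: Frost Protocol: Dosis Neighborhood Freezing Initiative
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit

<html>
<body onload="exfiltrateData()">
<h1>Perpetual Winter Protocol Activated</h1>
<p>The mysterious mastermind's plan is proceeding...</p>
<a href="javascript:exfiltrateData()">details</a>
<script>
var pastebinUrl = "https://frostbin.atnas.mail/api/paste";
exfiltrateData();
</script>
</body>
</html>
"""

# Regex-based disarm rules. A production gateway should make these decisions on a real
# HTML parser tree; regexes are used here so the logic stays visible in one file.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)
OPEN_SCRIPT_RE = re.compile(r"<script\b.*\Z", re.IGNORECASE | re.DOTALL)  # unclosed tag
HANDLER_RE = re.compile(r"""\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE)
JS_URL_RE = re.compile(
    r"""\b(href|src|action)\s*=\s*(?:"\s*javascript:[^"]*"|'\s*javascript:[^']*'|javascript:[^\s>]+)""",
    re.IGNORECASE,
)
ACTIVE_TAG_RE = re.compile(r"</?(object|embed|iframe|applet)\b[^>]*>", re.IGNORECASE)

CHECKS = (
    ("script", SCRIPT_RE),
    ("script", OPEN_SCRIPT_RE),
    ("event-handler", HANDLER_RE),
    ("javascript-url", JS_URL_RE),
    ("active-tag", ACTIVE_TAG_RE),
)


def find_active_content(html):
    """Sorted list of the active-content categories present in an HTML body."""
    return sorted({label for label, rx in CHECKS if rx.search(html)})


def sanitize_html(html):
    """Content disarm: strip active constructs, leaving a visible marker where scripts were."""
    html = SCRIPT_RE.sub("[SCRIPT REMOVED]", html)
    html = OPEN_SCRIPT_RE.sub("[SCRIPT REMOVED]", html)
    html = HANDLER_RE.sub("", html)
    html = JS_URL_RE.sub(r'\1="#"', html)
    return ACTIVE_TAG_RE.sub("", html)


def disarm_message(raw, mode="sanitize"):
    """Gateway decision for one message, walking every MIME part.

    Returns ("ACCEPT", msg) when nothing active was found, ("SANITIZE", msg) with each
    text/html part rewritten, or ("REJECT", reason) when mode == "reject".
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = set()
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()
        found = find_active_content(html)
        if not found:
            continue
        findings.update(found)
        if mode == "reject":
            return "REJECT", "Active content detected in email body: " + ", ".join(found)
        part.set_content(sanitize_html(html), subtype="html")
    if findings:
        msg["X-Content-Disarm"] = ", ".join(sorted(findings))  # audit trail for the recipient
        return "SANITIZE", msg
    return "ACCEPT", msg


if __name__ == "__main__":
    action, result = disarm_message(RAW_MESSAGE)
    print(action, result["X-Content-Disarm"])
    print(result.get_content())
```

Running it in the default mode yields a message whose body still shows the heading and paragraph but carries `[SCRIPT REMOVED]` where the miner and exfiltration code were, with the `onload` handler gone and the link pointing at `#`; the pastebin URL no longer appears anywhere in the delivered copy. Running with `mode="reject"` gives the 5xx-style refusal the pseudocode above describes.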
Fixing the Data Leakage (CWE-200)
Vulnerability: The script within the email was designed to collect sensitive environmental data (HVAC systems, thermostat ranges) and exfiltrate it via an HTTP POST request to an external service (https://frostbin.atnas.mail/api/paste).
Fix: Implement Egress Filtering and Content Security Policy (CSP) for webmail clients. Network firewalls should block connections to uncategorized or known pastebin sites from the email server segment. Additionally, email clients should enforce a CSP that disallows connect-src to arbitrary external domains.
Impact: Prevents the gathered data from leaving the internal network: the reconnaissance may still run locally, but its results never reach the C2 server.
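The connect-src restriction recommended above is a policy the browser evaluates for every outbound fetch, XHR and beacon a webmail page issues, and the same allow-list reasoning drives an egress proxy rule. To make the decision concrete, here is an added example of mine, not part of the write-up, that implements the core of CSP source-expression matching ('self', scheme-source, host-source with wildcard host and port) in Python and applies a constructed webmail policy to the pastebin URL found in the message. The origin `https://mail.dosisneighborhood.mail` and the host `api.dosisneighborhood.mail` are assumptions for the example; the path matching is a simplified prefix check rather than the specification's full segment rules.

```python
from urllib.parse import urlsplit

# Constructed policy a webmail front end might send: connections are allowed only back
# to the mail origin and one named API host. Both hostnames are assumptions.
WEBMAIL_ORIGIN = "https://mail.dosisneighborhood.mail"
WEBMAIL_CSP = ("default-src 'self'; "
               "connect-src 'self' https://api.dosisneighborhood.mail; "
               "script-src 'self'")

# The destination the gnome script tried to POST to, as it appears in the message.
EXFIL_URL = "https://frostbin.atnas.mail/api/paste"

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    directives = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    return directives


def _port(parts):
    """Effective port of a split URL, falling back to the scheme default."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def _host_matches(pattern, host):
    pattern, host = pattern.lower(), host.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        # *.example.mail matches subdomains only, not example.mail itself.
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host


def source_allows(expr, url, origin):
    """Does one source expression permit a connection to url from a document at origin?"""
    u, o = urlsplit(url), urlsplit(origin)
    low = expr.lower()
    if low == "'none'":
        return False
    if low == "'self'":
        return (u.scheme, u.hostname, _port(u)) == (o.scheme, o.hostname, _port(o))
    if low.endswith(":") and "/" not in low:
        return u.scheme == low[:-1]  # scheme-source such as https:
    # host-source: [scheme://]host[:port][/path]; without a scheme, the origin's applies.
    if "://" in expr:
        scheme, rest = expr.split("://", 1)
    else:
        scheme, rest = o.scheme, expr
    netloc, _, path = rest.partition("/")
    host, _, port = netloc.partition(":")
    scheme = scheme.lower()
    # Scheme must match (a plain http source also permits the https upgrade).
    if u.scheme != scheme and not (scheme == "http" and u.scheme == "https"):
        return False
    if not _host_matches(host, u.hostname or ""):
        return False
    if port == "":
        # No port in the expression: the URL must use its scheme's default port.
        if u.port is not None and u.port != DEFAULT_PORTS.get(u.scheme):
            return False
    elif port != "*" and str(_port(u)) != port:
        return False
    # Path, when present, is treated as a prefix (simplified from the spec's segment rules).
    if path and not u.path.startswith("/" + path):
        return False
    return True


def connection_allowed(csp, url, origin):
    """Apply connect-src (falling back to default-src) to a would-be outbound request."""
    directives = parse_csp(csp)
    sources = directives.get("connect-src", directives.get("default-src"))
    if sources is None:
        return True  # no governing directive: the policy does not restrict connections
    return any(source_allows(s, url, origin) for s in sources)


if __name__ == "__main__":
    for target in (EXFIL_URL, WEBMAIL_ORIGIN + "/inbox"):
        print(target, "->", "allowed" if connection_allowed(WEBMAIL_CSP, target, WEBMAIL_ORIGIN) else "BLOCKED")
```

Under the constructed policy the POST to `https://frostbin.atnas.mail/api/paste` is blocked while requests back to the mail origin pass. The test cases also show two mistakes worth avoiding when writing the real header: a policy with neither `connect-src` nor `default-src` leaves connections unrestricted, and a bare scheme-source such as `https:` lets the exfiltration through because the pastebin also speaks HTTPS.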