https://blueteamlabs.online/home/challenge/10

What is the email service used by the malicious actor?

Open the email in your favourite text editor (VSCode). The Received headers record every mail server that handled the message. Each relay prepends its own, so the lowest Received header is the one closest to the sender, and that is where the originating service shows up. Only the Received lines added by servers you control can be taken at face value; anything below them was written by whoever sent the mail and can be forged.

Received: from localhost (emkei.cz. [93.99.104.210])

emkei.cz is a public "fake mailer" web service that lets anyone send a message with arbitrary From and Reply-To headers, which is why the From address tells you nothing here.

What is the Reply-To email address?

Even easier. Look for the Reply-To field. Replies go to Reply-To, not From, so when the two differ the Reply-To address is the mailbox the actor actually monitors.

Reply-To: [email protected]

What is the filetype of the received attachment which helped to continue the investigation?

At the bottom of the email are the MIME parts with Content-Transfer-Encoding: base64. These are the attachments. Sure, I could open them in a mail client, but that's too much hassle, and decoding a suspicious attachment on the command line means nothing gets rendered or executed by accident.

The first one (I've cropped the code to keep this article short):

Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64

SGkgV[...]J+SsA==
$ echo SGkgV[...]J+SsA== | base64 -d
Hi TheMajorOnEarth,

The abducted CoCanDians are with me including the President’s daughter. Dont worry. They are safe in a secret location.
Send me 1 Billion CoCanDs🤑 in cash💸 with a spaceship🚀 and my autonomous bots will safely bring back your citizens.

I heard that CoCanDians have the best brains in the Universe. Solve the puzzle I sent as an attachment for the next steps.

I’m approximately 12.8 light minutes away from the sun and my advice for the puzzle is

“Don't Trust Your Eyes”

Lol😂

See you Major. Waiting for the Cassshhhh💰

12.8 light-minutes is about 230,000,000 km (12.8 × 60 s × 299,792 km/s). Mars orbits the Sun at roughly 228,000,000 km on average, so the actor is most likely on Mars.

Next one:

Content-Type: application/pdf; name="PuzzleToCoCanDa.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="PuzzleToCoCanDa.pdf"

UEsDB[...]AAAAA=
$ echo 'UEsDB[...]AAAAA=' | base64 -d > PuzzleToCoCanDa.pdf

Don't trust the name or the Content-Type: the base64 prefix UEsDB decodes to the bytes PK\x03, the ZIP local-file-header signature, not the %PDF that a real PDF starts with. The "PDF" is a ZIP archive, which is what the "Don't Trust Your Eyes" hint is about, and file(1) will tell you the same thing from those magic bytes. Rename it to .zip and unpack it to continue.