Mail Detective⚓︎
Difficulty:
Direct link: Mail Detective
Objective⚓︎
Request
Help Mo in City Hall solve a curly email caper and crack the IMAP case. What is the URL of the pastebin service the gnomes are using?
Maurice Wilson
Solution⚓︎
According to Maurice, the gnomes have been sending JavaScript-enabled emails to the neighborhood, and the only safe way to access the email server is through curl. Maurice asked me to connect to the IMAP server and hunt down one of the gnomes' emails.
I started by listing the available mailboxes with a basic IMAP connection using the command:
| List mailboxes | |
|---|---|
1 | |
This showed that the mailbox contains: Spam, Sent, Archives, Drafts and Inbox.
I decided to check the inbox. I used the following command to check the number of emails and their status:
| Select INBOX | |
|---|---|
2 | |
The response showed the inbox had seven emails and one unseen.
I pulled the header of the first message using the command:
| Read INBOX message headers | |
|---|---|
3 | |
The email was sent from a local neighborhood address, so it did not need further investigation.
Next, I checked the Spam folder:
| Examine Spam | |
|---|---|
4 | |
The output showed three spam messages, two unseen.
I reviewed the second spam message headers:
| Read Spam message headers | |
|---|---|
5 | |
The message came from an external address frost-command.mysterymastermind.mail and needed closer review.
I opened the body of the spam message:
| Read Spam message body | |
|---|---|
6 | |
The email contained a crypto miner JavaScript function. This confirmed what Maurice said.
I looked through the rest of the email and found the paste bin URL.
The URL was: https://frostbin.atnas.mail/api/paste.
The objective was added to the achievements list.
Answer
https://frostbin.atnas.mail/api/paste
Response⚓︎
Maurice Wilson
Outstanding work! You've mastered using curl for IMAP - that's some serious command-line skills that would make any Air Force tech proud.