BTLO — Phishy-v1

--

BTLO (blueteamlabs.online)

You have been sent a phishing link — It is your task to investigate this website and find out everything you can about the site, the actor responsible, and perform threat intelligence work on the operator(s) of the phishing site.

Phishy V1 requires the use of the Web Browser to explore the phishing website. Navigate to the site in the lab, which looks to be an Office365 login to access an Excel file.

securedocument.net/secure/L0GIN/protected/login/portal/index1.html?1614546319649

1. The HTML page used on securedocument.net is a decoy. Where was this webpage mirrored from, and what tool was used? (Use the first part of the tool name only)

Decoy landing page

Navigating to the root of the URL, securedocument.net, we see a landing page. A lot of participants were reporting that the lab was broken, but this looks to be a decoy. View Page Source reveals an HTML comment showing that the site was mirrored.

HTML comment with website mirroring details

2. What is the full URL of the background image which is on the phishing landing page?

Right-clicking on the web page gives us the option to View Background Image. Doing so shows that the whole page is a single static image, with no real links behind it.

Viewing the background image of the web page

3. What is the name of the php page which will process the stolen credentials?

View Page Source shows us that a php script is called once the email and password have been entered.

Suspicious web page source

4. What is the SHA256 of the phishing kit in ZIP format? (Provide the last 6 characters)

Traversing backwards through the URL, we find a reference to Off1cePh1sh.zip. We can download it from here and run sha256sum on the downloaded file.

sha256sum of 0ff1cePh1sh.zip

5. What email address is setup to receive the phishing credential logs?

Returning to the jeff.php script, which is called when the form is submitted: navigating to it shows us the $recipient that will receive the captured credentials.

jeff.php

6. What is the function called to produce the PHP variable which appears in the index1.html URL?

Inspecting the URL, we see that /index1.html has a string appended to it that looks like an Epoch timestamp, generated on each visit. Traversing backwards in the URL to view-source:http://securedocument.net/secure/LOGIN/portal/ shows us the function we’re looking for.

Function for index1.html

7. What is the domain of the website which should appear once credentials are entered?

Returning to jeff.php we see the redirection domain.

Redirection domain after entering credentials

8. There is an error in this phishing kit. What variable name is wrong causing the phishing site to break? (Enter any of 4 potential answers)

There are several reasons why the phishing kit is broken, mainly that the variable names read in jeff.php do not match the field names in the page source.

Username and Password names not matching

View Page Source is a valuable browser utility that enables us to investigate a suspicious-looking webpage and understand the attacker’s intentions.

--

Chris Eastwood
Blue Team Labs Online — Walkthroughs

Incident Response, Forensic Investigations, and Threat Hunting professional, writing things to learn them better.