[CyberDefenders] GrabThePhisher

Hello everyone!

If you're just starting out in the cyber world, don't worry. This write-up about CyberDefender's threat intel challenges is designed for beginners. Let's dive right in!

If you find this sort of content helpful in your learning process, follow me on Medium/LinkedIn/Twitter and let’s learn together.
More about myself and my activities can be found > HERE <
Cheers!

Here we have some details about the scenario + one zip archive to download with multiple files. We have a total of 12 questions and the difficulty is set as ‘easy’, so I assume this should not be a though one.

Q1
Which wallet is used for asking the seed phrase?

It’s easy to notice ‘metamask’ folder among others. Metamask is a popular cryptocurrency wallet.

When we run index.html inside we can see Metamask’s form page asking for walled seed. This is enough confirmation, so we can solve Q1 and move on to the next question.

Q2
What is the file name that has the code for the phishing kit?

When we go to ‘metamask’ folder, there is a ‘metamask.php’ file. We can have a look inside to confirm the presence of the code.

Q3
In which language was the kit written?

The screen from Q2 shows us the coding language and this is our answer for Q3. Easy.

Q4
What service does the kit use to retrieve the victim’s machine information?

This Q was a tricky one, as we could easily see the name of the API service on the previous screen — sypexgeo — but the suggested answer format was a bit confusing, and I was pretty sure the answer should have consisted of two words — [servicename] + API. After several attempts I found the correct answer was ‘sypex geo’.

Q5
How many seed phrases were already collected?

Go to the log.txt file, and you will see 3 sets of seed phrases.

Q6
Write down the seed phrase of the most recent phishing incident?

Answer within the same file — log.txt
Copy & paste the 3rd set of phrases to complete the question.

Q7
Which medium had been used for credential dumping?

Again, we need to check the code. I’m gonna use ‘Sublime Text’ appas it’s more user-friendly and can highlight syntax. And here we are — our medium used for credential dumping — Telegam channel

Q8
What is the token for the channel?

Also, copy the token part and paste as an answer to this question.

Q9
What is the chat ID of the phisher’s channel?

Same approach here. Copy the ID part.

Q10
What are the allies of the phish kit developer?

Scroll up, and you find the nickname

Q11
What is the full name of the Phish Actor?

Finally, something more OSINT-like :)
Ok, so we know the Telegram channel ID, token and bot API. We can try the easy way by log in to our Telegram’s account and try figure out the URL structure when visiting other channels. Perhaps, we can just swap the channel ID and land into our phisher’s channel.

I used Google to find some useful guidance. A phrase like “get channel info using telegram API took me to the page where I found a simple way to get members information by simply modify the link in this way:

When we use details found within the code, our link should look like this one:
https://api.telegram.org/bot5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10/getChat?chat_id=5442785564

Paste it into your browser, hit enter and that’s it. We’ve got him :)

Q12
What is the username of the Phish Actor?

Within the above results we can also see the username, and that’s it, we’re done! :)

If you find this sort of content helpful in your learning process, follow me on Medium/LinkedIn/Twitter and let’s learn together.
More about myself and my activities can be found > HERE <
Cheers!