search

GrabThePhisher Write-up

:الحمد لله والصلاة والسلام على رسول الله وعلى آله وصحبه أما بعد

hashtag
Instructions:

hashtag
Scenario:

An attacker compromised a server and impersonated https://pancakeswap.finance/arrow-up-right, a decentralized exchange native to BNB Chain, to host a phishing kit at https://apankewk.soup.xyz/mainpage.phparrow-up-right. The attacker set it as an open directory with the file name “pankewk.zip”.

Provided the phishing kit, you as a soc analyst are requested to analyze it and do your threat intel homework.

Link: https://cyberdefenders.org/blueteam-ctf-challenges/grabthephisher/arrow-up-right

Medium: https://medium.com/@GLITCHGC/grabthephisher-write-up-b99849f18a73arrow-up-right

hashtag
Questions:

hashtag
1. Which wallet is used for asking the seed phrase?

After Download the zip file you will notice an index.html file open it

The answer will be the first wallet, and the answer depends on the folder named after it in the zip file

Answer: Metamask

hashtag
2. What is the file name that has the code for the phishing kit?

Answer: What is the file name that has the code for the phishing kit?

hashtag
3. In which language was the kit written?

Answer: PHP

hashtag
4. What service does the kit use to retrieve the victim’s machine information?

Answer: Sypex Geo

hashtag
5. How many seed phrases were already collected?

Answer: 3

hashtag
6. Write down the seed phrase of the most recent phishing incident?

Answer: father also recycle embody balance concert mechanic believe owner pair muffin hockey

hashtag
7. Which medium had been used for credential dumping?

Answer: Telegram

hashtag
8. What is the token for the channel?

Answer: 5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10

hashtag
9. What is the chat ID of the phisher’s channel?

Answer: 5442785564

hashtag
10. What are the allies of the phish kit developer?

Answer: j1j1b1s@m3r0

hashtag
11. What is the full name of the Phish Actor?

Request the api to get the answers “https://api.telegram.org/bot5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10/getChat?chat_id=5442785564”arrow-up-right

Answer: Marcus Aurelius

hashtag
12. What is the username of the Phish Actor?

Answer: pumpkinboii

hashtag
You Can Find me Here!

Blog: https://g1it0h.gitbook.io/glitcharrow-up-right/

Linkedin: https://www.linkedin.com/in/glitchgc/arrow-up-right

Facebook: https://www.facebook.com/GLITC.GC/arrow-up-right

Tryhackme: https://tryhackme.com/p/GLITCH1GCarrow-up-right

PreviousAmadey Write-upNextBlackEnergy Write-up

Last updated