BlueTeamLabsOnline: Phishy
linux osintPhishy is a Linux-based investigation authored by BTLO.
The lab requrires you to investigate a phishing link, and perform typical investigation activities (attribution, IoC collection etc.)
Q. The HTML page used on securedocument.net is a decoy. Where was this webpage mirrored from, and what tool was used? (Use the first part of the tool name only)
Opening the phishing link in FireFox and selecting View Page Source doesn’t offer any obvious clues as to the where the original page was hosted. But if we navigate to the domain’s homepage at http://secure-document.net and view the source there, we can see a comment referencing the original page, as well as the tool that was used - 61.221.12.26/cgi-sys/defaultwebpage.cgi, HTTrack:
<!-- Mirrored from 61.221.12.26/cgi-sys/defaultwebpage.cgi by HTTrack Website Copier/3.x [XR&CO'2014], Thu, 18 Feb 2021 12:43:50 GMT -->
Q. What is the full URL of the background image which is on the phishing landing page?
Again we can use View Page Source to select the <body> element, and examine the css to reveal the background image URL as http://securedocument.net/secure/L0GIN/protected/login/portal/axCBhIt.png
Q. What is the name of the php page which will process the stolen credentials?
The page source
The page source indicates the form will submit stolen credentials to jeff.php:
<form action="jeff.php" method="post">..</form>
Q. What is the SHA256 of the phishing kit in ZIP format? (Provide the last 6 characters)
This question requires a bit of exploration of the phishing site to answer, as the ‘kit’ doesn’t appear on the main url. However if we traverse back up the directory tree to securedocument.net/secure we’re presented with a directory listing that includes a zip archive, 0ff1cePh1sh.zip. This file can be downloaded and the sha256 retrieved using sha256 sum, the last six characters of which are fa5b48:
ubuntu@ip-172-31-13-26:~/Downloads$ sha256sum 0ff1cePh1sh.zip
c778236f4a731411ab2f8494eb5229309713cc7ead44922b4f496a2032fa5b48 0ff1cePh1sh.zip
Q. What email address is setup to receive the phishing credential logs?
If we extract the zip to a local folder and open the form submission file, jeff.php in a text editor such as vim, we can see a number of details about the email, including its recipient being boris.smets@tfl-uk.co:
...
$message .= "======= Result ======="."\n";
$message .= "User : ".$_POST['user1']."\n";
$message .= "Password: " .$_POST['pass1']."\n";
$message .= "IP: ".$ip."\n";
$recipient = "boris.smets@tfl-uk.co";
...
Q. What is the function called to produce the PHP variable which appears in the index1.html URL?
Searching the source folder for references to index1.html returns details of how the url is constructed, which includes use of the getTime() function:
ubuntu@ip-172-31-13-26:~/Downloads/0ff1cePh1sh$ fgrep -ri 'index1'./*
./protected/login/portal/index.html:window.location='index1.html?'+new Date().getTime();
Q. What is the domain of the website which should appear once credentials are entered?
The final lines of jeff.php indicate that once the form is submitted, the user should be redirected to office.com:
<script language=javascript>
window.location='https://www.office.com/';
</script>
Q. There is an error in this phishing kit. What variable name is wrong causing the phishing site to break? (Enter any of 4 potential answers)
Comparing the form input fields in index.html against the php code in jeff.php, the discrepancies are easy to spot:
- the username is input as
userrr, but the processor expects it asuser1 - the password is input as
passss, but is expected aspass1
userrr, user1, passss and pass1 are all acceptable answers.