BTLO PhishyV1 Walkthrough
The writeups will be a series to document how I solved each scenario on BTLO (Blue Team Labs Online), hope you will enjoy it :)
PhishyV1 Video Walkthrough
** You have been sent a phishing link - It is your task to investigate this website and find out everything you can about the site, the actor responsible, and perform threat intelligence work on the operator(s) of the phishing site. **
** Warning: The website and kit you see is the lab is REAL. Exercise caution when interacting with the malicious website and do not enter any sensitive information **
The HTML page used on securedocument.net is a decoy. Where was this webpage mirrored from, and what tool was used? (Use the first part of the tool name only) (4 points)
Look for the webroot for the phishy website, then open the HTML source page to look for the HTML comment.
What is the full URL of the background image which is on the phishing landing page?
On the landing page, right-click, and follow the background image link.
What is the name of the php page which will process the stolen credentials?
Lookup the HTML source code, we see the jeff.php is used to process the credentials.
What is the SHA256 of the phishing kit in ZIP format? (Provide the last 6 characters)
We will find the zip file, download it, and sha256sum on it.
What email address is setup to receive the phishing credential logs?
Look for the jeff.php source code.
What is the function called to produce the PHP variable which appears in the index1.html URL?
The timestamp is added after the URL, we can look for the index.html file in the unzipped file. There is a function used for producing the timestamp in PHP.
What is the domain of the website which should appear once credentials are entered?
There is an error in this phishing kit. What variable name is wrong causing the phishing site to break? (Enter any of 4 potential answers)
From the HTML source code, we see the variable are not the same compares to the PHP code, so we know there are errors with the PHP code. The variable should be the same as the HTML code.
That’s all for today, hope you enjoyed the walkthrough and learned something new! I will keep posting more BTLO writeups as I make progress on the platform. Thank you for stopping by :)