
Gone Phishing: Designing SecDSM December MiniCTF

Antoinette Stevens

Since I won last month's miniCTF challenge (here's the solution if you're wondering), it is my turn to design the miniCTF for December.

For this post, I'm going to try something a little bit different and chronicle my process to build this challenge in the week leading up to the December SecDSM meeting.

Friday, December 14 18:29 CST
I have a little bit under a week to build this thing, but I've been designing it for a while. My plan is to create a phishing challenge that begins with a pcap file. Participants will have to use the pcap to answer two questions:

  • How many people fell for the phish?
  • To what email address are the credentials being sent?

The first question can be answered with some basic Wireshark skills, but the second question will be a little bit trickier. I'll be hosting the phishing site during the challenge for about an hour, then take it down and show a suspended page to emulate what can happen during a real investigation. Once the page is suspended, participants won't be able to find out where the credentials are being sent by simply downloading the phishing kit from the site, because it will no longer be there.
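To make the first question concrete, here is an added example (my own code, not from the post or its challenge files) of what "basic Wireshark skills" boil down to when scripted: walk a libpcap capture, pull out HTTP POST requests aimed at the phishing page, and count distinct victims. In Wireshark the equivalent starting point is the display filter `http.request.method == "POST"`, after which you read the Host header and form body of each request by hand. The host name `phish.example`, the path `/login.php`, the form field names and the entire sample capture are constructed placeholders for this example; the real challenge's values are not on the page. The parser deliberately handles only IPv4/TCP over Ethernet and only POSTs that fit in a single TCP segment, which is the common case for a small login form; a request split across segments would need stream reassembly (Wireshark's Follow TCP Stream) and is a known gap here.

```python
"""Count credential submissions to a phishing page from a libpcap capture.

Stand-alone, no third-party packages: a minimal pcap/Ethernet/IPv4/TCP walker
plus an HTTP POST extractor. The sample capture at the bottom is constructed.
"""
import struct
from urllib.parse import parse_qs

PHISH_HOST = "phish.example"   # placeholder host, not the real challenge domain
LOGIN_PATH = "/login.php"      # placeholder path, assumed for this example


def _ipv4(addr):
    return bytes(int(o) for o in addr.split("."))


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP (PSH/ACK) + payload; checksums left as 0 (not verified below)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     1, 0, 64, 6, 0, _ipv4(src_ip), _ipv4(dst_ip))
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Little-endian libpcap file, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1544800000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_frames(pcap):
    """Yield raw link-layer frames from a classic libpcap file (either byte order)."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """(src_ip, dst_ip, sport, dport, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                      # protocol 6 = TCP
        return None
    total = struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    doff = (tcp[12] >> 4) * 4           # TCP header length in bytes
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    return src, dst, sport, dport, tcp[doff:]


def http_post(payload):
    """Parse a single-segment HTTP POST; returns (host, path, form_fields) or None."""
    if not payload.startswith(b"POST "):
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    path = lines[0].split(" ")[1]
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        headers[k.strip().lower()] = v.strip()
    return headers.get("host", ""), path, parse_qs(body.decode("latin-1"))


def phished_victims(pcap, host=PHISH_HOST, path=LOGIN_PATH):
    """Distinct (client_ip, username) pairs that POSTed credentials to the phishing page."""
    victims = set()
    for frame in iter_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, _dst, _sport, dport, payload = parsed
        if dport not in (80, 8080):     # plain HTTP only; TLS would need the server key
            continue
        post = http_post(payload)
        if post is None:
            continue
        p_host, p_path, form = post
        if p_host.split(":")[0] == host and p_path == path:
            victims.add((src, form.get("username", [""])[0]))
    return sorted(victims)


def _post(user, pw, host=PHISH_HOST):
    body = f"username={user}&password={pw}".encode()
    return (f"POST {LOGIN_PATH} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body


# Constructed sample capture: two real victims, one visitor who only viewed the
# page, one duplicate submission, and one POST to an unrelated host.
_GET = f"GET {LOGIN_PATH} HTTP/1.1\r\nHost: {PHISH_HOST}\r\n\r\n".encode()
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.11", "203.0.113.5", 50001, 80, _GET),
    build_frame("10.0.0.11", "203.0.113.5", 50002, 80, _post("alice", "pw-a")),
    build_frame("10.0.0.12", "203.0.113.5", 50003, 80, _GET),
    build_frame("10.0.0.13", "203.0.113.5", 50004, 80, _post("bob", "pw-b")),
    build_frame("10.0.0.13", "203.0.113.5", 50005, 80, _post("bob", "pw-b")),
    build_frame("10.0.0.14", "198.51.100.9", 50006, 80, _post("carol", "pw-c", "other.example")),
])

if __name__ == "__main__":
    for ip, user in phished_victims(SAMPLE_PCAP):
        print(ip, user)
    print(len(phished_victims(SAMPLE_PCAP)), "victims")
```

Deduplicating on (client IP, submitted username) rather than on raw POST count matters for the "how many people" question: a victim who clicks submit twice, or whose browser retries, should not be counted twice, while two different users behind the same NAT address should be. Run it against a real capture by replacing `SAMPLE_PCAP` with `open("capture.pcap", "rb").read()` and the two placeholders with the host and path you see in the traffic.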

Today I purchased a domain from Namecheap for about $2 for my challenge. I plan to use VMs to emulate the clients, and a Docker container on a DigitalOcean droplet will run my phishing site.

The phishing site will contain a banner noting that the site is for educational purposes, to avoid any real submission attempts, and the submit button itself will also be disabled as a further precaution.

Monday, December 17 21:41
I've spent the past 2 hours getting my phishing website set up the way I want. I decided not to use the Docker container and just host it on the server directly in the webroot with directory indexing enabled. Instead of a banner, the site is named something *pretty* obvious. I also downloaded an "Account Suspended" template to use when the phishing domain gets "suspended".

I've also decided to add another level of complexity, because I think that a lot of the SOC analysts in the room will fly through this challenge. Here's what I'm thinking, roughly: the pcap will have some traffic that shows a connection to a port that sends back an encoded private key, and the public key will be hidden in the webroot.