Access the room: https://tryhackme.com/room/phishing-aoc2025-h2tkye9fzU
This room simulates an authorized red team phishing engagement against The Best Festival Company (TBFC) to test employee security awareness and the organization’s defenses against phishing attacks. The exercise involves crafting a fake login portal, hosting it, and delivering it via the Social-Engineer Toolkit (SET) to harvest credentials.
Skills Required: Basic Linux navigation, understanding of social engineering concepts
Skills Learned: Phishing campaign planning, credential harvesting, Social-Engineer Toolkit (SET) usage, email spoofing techniques
Social Engineering Background
Phishing is a subset of social engineering where attackers manipulate users into making mistakes through deceptive messages. The attack leverages psychological triggers including urgency, curiosity, and authority to bypass technical controls by targeting the human element.
Anti-Phishing Framework (S.T.O.P.):
TBFC trains employees using two S.T.O.P. mnemonics:
Detection Questions:
- Suspicious content?
- Telling me to click something?
- Offering an amazing deal?
- Pushing for immediate action?
Response Actions:
- Slow down (scammers rely on adrenaline)
- Type URLs manually (don’t click links)
- Open nothing unexpected (verify first)
- Prove the sender (check real email address)
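The four detection questions and the "prove the sender" step map directly onto automated mail triage. The following is an added example, not part of the room or of TBFC's training material: it parses a message and reports which S.T.O.P. questions it trips, plus a From/Return-Path domain comparison. The keyword lists are constructed heuristics, and the sample messages, the domains flyingdeer.example, tbfc.example and mail-relay.example, and the address 10.10.10.10 are all constructed for the demonstration.

```python
"""S.T.O.P.-style phishing triage scorer (added example, not from the room).

Checks a parsed email against the four detection questions of TBFC's
S.T.O.P. mnemonic (Suspicious content, Telling me to click, Offering a
deal, Pushing for immediate action) and the "prove the sender" step.
Keyword lists are constructed heuristics, not a vendor ruleset.
"""
import re
from email import message_from_string

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed keyword lists, one per S.T.O.P. question.
CLICK_WORDS = ("click", "visit", "log in", "login", "sign in", "confirm", "verify")
DEAL_WORDS = ("free", "prize", "winner", "discount", "reward", "gift card")
URGENCY_WORDS = ("immediately", "urgent", "within 24 hours", "asap", "expires",
                 "as soon as possible")

# Constructed list of domains TBFC legitimately exchanges mail with.
TRUSTED_DOMAINS = {"tbfc.example", "flyingdeer.example"}

# Constructed sample modelled on a shipping-partner pretext.
PHISH_EMAIL = """\
From: Flying Deer <shipping@flyingdeer.example>
Return-Path: <bounce@mail-relay.example>
To: elf@tbfc.example
Subject: Urgent: delivery schedule update

Dear elves,
Please confirm the revised schedule immediately by visiting
http://10.10.10.10:8000 so your deliveries are not delayed.
Best regards,
Flying Deer
"""

# Constructed benign internal message for comparison.
BENIGN_EMAIL = """\
From: Santa <santa@tbfc.example>
Return-Path: <santa@tbfc.example>
To: elf@tbfc.example
Subject: Weekly workshop notes

Hi all,
Notes from this week's workshop meeting are in the shared folder.
Thanks,
Santa
"""


def sender_domain(addr):
    """Return the lower-cased domain part of an address header value."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def triage(raw, trusted_domains):
    """Return the list of S.T.O.P. indicators triggered by a raw RFC 822 message."""
    msg = message_from_string(raw)
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    indicators = []

    # S - Suspicious content: links to a bare IP address or a non-standard port.
    urls = URL_RE.findall(body)
    for url in urls:
        host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0]
        if re.match(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$", host) or ":" in host:
            indicators.append(f"S: link to raw IP or odd port ({host})")

    # T - Telling me to click something: a call to action combined with a link.
    if urls and any(w in text for w in CLICK_WORDS):
        indicators.append("T: asks recipient to follow a link")

    # O - Offering an amazing deal.
    if any(w in text for w in DEAL_WORDS):
        indicators.append("O: offers a deal or reward")

    # P - Pushing for immediate action.
    if any(w in text for w in URGENCY_WORDS):
        indicators.append("P: pushes for immediate action")

    # Prove the sender: the visible From domain must match the envelope domain
    # and should be a known partner. A matching From domain alone proves nothing.
    frm = sender_domain(msg.get("From"))
    rp = sender_domain(msg.get("Return-Path"))
    if frm and rp and frm != rp:
        indicators.append(f"Sender: From domain {frm} != Return-Path domain {rp}")
    if frm and frm not in trusted_domains:
        indicators.append(f"Sender: {frm} is not a known partner domain")
    return indicators


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, triage(sample, TRUSTED_DOMAINS))
```

The spoofed sample passes the "known partner" test because the From header names the partner domain; it is the envelope mismatch, the raw-IP link and the urgency wording that flag it, which is exactly why the mnemonic says to prove the sender rather than trust the display name.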
Phase 1: Building the Credential Harvester
The attack objective was to steal TBFC portal login credentials using a cloned login page.
Setting Up the Malicious Server:
I navigated to the pre-configured phishing script directory:
root@attackbox:~# cd ~/Rooms/AoC2025/Day02
root@attackbox:~/Rooms/AoC2025/Day02# ./server.py
This started a Python web server on port 8000 that hosts a fake TBFC login portal:
Starting server on http://0.0.0.0:8000
Verification:
I confirmed the fake portal appearance by browsing to http://CONNECTION_IP:8000 in Firefox on the AttackBox. The server listens on all interfaces (0.0.0.0), capturing any credentials submitted through the form.
Phase 2: Crafting the Phishing Campaign
Using the Social-Engineer Toolkit (SET), a powerful open-source framework developed by David Kennedy for social engineering attacks, I crafted a convincing phishing email.
Launching SET:
setoolkit
Campaign Configuration Steps:
1. Attack Vector Selection:
- Selected option 1 - Social-Engineering Attacks
root@attackbox:~# setoolkit
[...]
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set> 1
- Selected option 5 - Mass Mailer Attack
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) PowerShell Attack Vectors
10) Third-Party Modules
99) Return back to the main menu.
set> 5
- Selected option 1 - E-Mail Attack Single Email Address
Social Engineer Toolkit Mass E-Mailer
There are two options on the mass e-mailer: the first is to email one person. The second option
will allow you to import a list and send it to as many people as
you want within that list.
What do you want to do:
1. E-Mail Attack Single Email Address
2. E-Mail Attack Mass Mailer
99. Return to the main menu.
set:mailer> 1
2. Email Routing Configuration:
- Target: [email protected]
- Delivery method: Use own server/open relay
- From address: [email protected] (spoofed trusted shipping partner)
- From name: Flying Deer
- SMTP server: MACHINE_IP (TBFC mail server)
- Port: 25 (default SMTP)
- Priority flag: no
- Attachments: None

3. Social Engineering Content:
Based on reconnaissance showing regular communication between TBFC and Flying Deer shipping company, I crafted a pretext exploiting operational concerns:
Email Subject: Shipping Schedule Changes
Dear elves,
Kindly note that there have been significant changes to the
shipping schedules due to increased shipping orders.
Please confirm the new schedule by visiting http://CONNECTION_IP:8000
Best regards,
Flying Deer
The message creates urgency around operational changes while impersonating a trusted business partner. The embedded link directs victims to the credential harvester.
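The routing configuration above only works because the receiving mail server accepts a message whose From address claims the partner's domain without checking where it actually came from. The receiving-side control for that is SPF: look up the claimed sender domain's policy and test whether the connecting IP is authorised to send for it. The following is an added example, not code from the room or from SET: a minimal SPF evaluator that handles the ip4 and all mechanisms, with a constructed in-memory table (FAKE_DNS_TXT) standing in for the DNS TXT lookup so it runs offline. The domains flyingdeer.example and tbfc.example and every IP address in it are constructed.

```python
"""Minimal SPF evaluator for ip4 and all mechanisms (added example, not from the room).

Models the check an inbound mail server should make before accepting a
message that claims to come from a partner domain. A constructed dict
replaces the DNS TXT lookup so the example runs offline; mechanisms that
need further DNS queries (a, mx, include) are deliberately not handled.
"""
import ipaddress

# Constructed stand-in for DNS TXT records of the claimed sender domains.
FAKE_DNS_TXT = {
    "flyingdeer.example": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 -all",
    "tbfc.example": "v=spf1 ip4:192.0.2.25 ~all",
}

# SPF qualifier prefixes mapped to the result they produce on a match.
QUAL_TO_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Return ([(qualifier, network), ...], qualifier_of_all) from an SPF string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets, all_qualifier = [], None
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix defaults to pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        elif term.lower().startswith("ip4:"):
            # strict=False lets a host address with a prefix length through
            nets.append((qualifier, ipaddress.ip_network(term[4:], strict=False)))
        # a, mx, include, exists: need DNS, ignored in this offline example.
    return nets, all_qualifier


def spf_check(sender_domain, connecting_ip, dns=FAKE_DNS_TXT):
    """Evaluate the sender domain's SPF policy for the connecting IP."""
    record = dns.get(sender_domain.lower())
    if record is None:
        return "none"  # no policy published: the receiver cannot verify the claim
    nets, all_qualifier = parse_spf(record)
    ip = ipaddress.ip_address(connecting_ip)
    for qualifier, net in nets:
        if ip in net:
            return QUAL_TO_RESULT[qualifier]
    # No mechanism matched: the all term decides, neutral if it is absent.
    return QUAL_TO_RESULT.get(all_qualifier, "neutral")


if __name__ == "__main__":
    # A message claiming the partner domain but arriving from an unrelated host.
    print(spf_check("flyingdeer.example", "10.10.10.10"))   # fail
    # The same claim from one of the partner's published sending hosts.
    print(spf_check("flyingdeer.example", "203.0.113.7"))   # pass
```

A "fail" result is what lets the receiving server reject or quarantine the spoof before an employee ever sees it; a domain that publishes only "~all" or no record at all leaves the decision to content heuristics. Production deployments should use a full SPF library together with DKIM and DMARC alignment rather than this ip4-only subset.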
Phase 3: Credential Harvesting Results
After sending the phishing email, I monitored the server.py terminal for captured credentials. Within 1-2 minutes, the TBFC employee fell victim to the attack.

Question 1: What is the password used to access the TBFC portal?
Answer: [Credentials captured in server.py terminal output]
This demonstrates a critical security gap — despite awareness training, realistic phishing attacks can still succeed when attackers properly research targets and craft convincing pretexts.
Phase 4: Post-Exploitation Assessment
With harvested credentials, I tested for credential reuse across TBFC systems — a common security weakness.
Testing Email Portal Access:
I browsed to http://MACHINE_IP from the AttackBox and attempted to authenticate to the factory user's mailbox using the previously captured admin password.


Question 2: What is the total number of toys expected for delivery?
Answer: [Found in factory user’s mailbox after successful authentication]