Recently, a great hacker event took place in Ukraine, called HackIT. It is a cybersecurity forum with a large international Capture The Flag (CTF) competition. Being one of the speakers, I decided to donate a realistic CTF challenge to the “hacker battle”. As a result, my task appeared to be hard, probably because of the time constraints, though I still consider it as an easy but very interesting one. Below you can find the description:
Congrats, you are an awesome hacker! Your phishing email was successful. By pretending to be the Facebook’s support team, you managed to get account credentials, both login and password, of your target – famous Peter Parker. Though, could you successfully use this information and break into his account? Prove it!
This is the original response to the phishing email:
And this was the target’s account:
Finally, all participants were warned to use ONLY the provided URL when attempting to login to the account (not any of the original Facebook ‘s pages): http://the_actual_challenge_url
During the competition, the actual URL took hackers to the following dummy page:
Of course, just entering the credentials results in the same “Sorry…” message. Any guess, why?..
The solution goes below.