Challenges: A Bucket of Phish (TryHackMe)

Phishing remains one of the most common attack vectors used by threat actors to harvest user credentials. In this task, we investigated a phishing website hosted on Amazon S3, allegedly set up by “DarkInjector” to trick users into providing their login information. The objective was to analyze the site and extract the list of victim accounts that may have been compromised.
Void

DarkInjector has been using a Cmail phishing website to try to steal our credentials. We believe some of our users may have fallen for his trap. Can you retrieve the list of victim users?
Here's the link to the website: http://darkinjector-phish.s3-website-us-west-2.amazonaws.com
aws s3 ls s3://darkinjector-phish --region us-west-2 --no-sign-request
aws s3 cp s3://darkinjector-phish/captured-logins-093582390 ./victims.txt --region us-west-2 --no-sign-request
cat victims.txt

curl -I http://darkinjector-phish.s3-website-us-west-2.amazonaws.com/captured-logins-093582390

By carefully examining the exposed S3 bucket and retrieving the captured login file, we successfully identified the victim user credentials stored by the attacker. This exercise highlights the importance of monitoring for phishing campaigns, enforcing user awareness, and securing cloud storage to prevent abuse.
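
On the defensive side, the anonymous `aws s3 ls` above only works when the bucket grants `s3:ListBucket` to everyone, which static website hosting does not need. The following check is an added example, not part of the original challenge: it flags bucket policy statements that allow anonymous listing. The bucket name and both policies are constructed for illustration; the real bucket's policy is not shown on this page.

```python
from fnmatch import fnmatchcase

BUCKET = "example-site"  # hypothetical bucket name
# Constructed policies: WEAK would permit an unsigned listing, WEBSITE_ONLY would not.
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}
WEBSITE_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject",
    "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both match any caller, including unsigned requests.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def anonymous_listing_statements(policy, bucket):
    """Return indexes of Allow statements that let anyone list `bucket`.

    Simplified: ignores Deny statements, NotAction/NotPrincipal, ACLs and
    Block Public Access, and treats any Condition as restricting access.
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        # Action names are case-insensitive and may be wildcards (s3:*, s3:List*).
        lists = any(fnmatchcase("s3:listbucket", a.lower())
                    for a in _as_list(stmt.get("Action", [])))
        # ListBucket only takes effect on the bucket ARN, not on "bucket/*".
        on_bucket = any(fnmatchcase(bucket_arn, r)
                        for r in _as_list(stmt.get("Resource", [])))
        if lists and on_bucket:
            hits.append(i)
    return hits

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("website-only", WEBSITE_ONLY)):
        print(name, anonymous_listing_statements(policy, BUCKET))
```

A policy that passes this check can still serve individual objects to anyone who knows or guesses the key, so sensitive files do not belong in a website bucket at all.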




