Phishing — Merry Clickmas | Tryhackme | Day-2

Advent of Cyber 2025 | Walkthrough

Hey my dear readers_ Today, we are solving the TryHackMe Advent of Cyber Prep Track 2025. Advent of Cyber wasn’t just about theory — it was about hands-on learning, every single day. Each challenge pushed me to think like an attacker while also understanding defensive perspectives.

What Advent of Cyber Taught Me

Through daily labs and challenges, I got practical exposure to:

• Real-world attack scenarios
• Common vulnerabilities and misconfigurations
• Blue team vs Red team perspectives
• How small security mistakes are exploited in practice

Instead of just reading concepts, I was actively solving problems, which made learning stick.

In light of several recent cyber security threats against The Best Festival Company (TBFC), the local red team has scheduled several penetration tests. The red teamers proceeded to carry out a regular penetration test against their TBFC. Part of this exercise is to ensure that the employees are diligent when clicking links and that the company is well protected against the latest phishing attacks. This type of authorised phishing is a proven way to learn whether the cyber security awareness training has fruited.

In this task, you will be part of the TBFC local red team with the elves Recon McRed, Exploit McRed, and Pivot McRed. You will help them plan and execute their phishing campaign. It is time to see if more cyber security awareness training is required.

Learning Objectives

• Understand what social engineering is
• Learn the types of phishing
• Explore how red teams create fake login pages
• Use the Social-Engineer Toolkit to send a phishing email

Answer the questions below

Answer: no-answer-needed

Social Engineering

Social engineering refers to manipulating a user to make a mistake. Examples of such mistakes include sharing a password, opening a malicious file, and approving a payment. The term “social” means that the target of such an attack is human beings, not computer systems. Consequently, the attacker relies on psychological tricks to get the target user to cooperate. Some psychological factors that can play a key role in the success of such attacks are urgency, curiosity, and authority. This is why some would refer to social engineering as “human hacking”.

Social Engineering Background

Phishing is a subset of social engineering where attackers manipulate users into making mistakes through deceptive messages. The attack leverages psychological triggers including urgency, curiosity, and authority to bypass technical controls by targeting the human element.​

Anti-Phishing Framework (S.T.O.P.):

TBFC trains employees using two S.T.O.P. mnemonics:​

Detection Questions:

• Suspicious content?
• Telling me to click something?
• Offering an amazing deal?
• Pushing for immediate action?

Response Actions:

• Slow down (scammers rely on adrenaline)
• Type URLs manually (don’t click links)
• Open nothing unexpected (verify first)
• Prove the sender (check real email address)

After hours of periodic cyber security training, the red team checks to see if the TBFC staff can dodge “fishy” emails.

Building the Trap

You must sound very convincing as a penetration tester for a successful phishing attack. It’s not only how you write the phishing email or messages, but also how you set up the trap for the target. The trap can be anything, depending on your objectives and the research you conduct on the target. Sometimes, attackers aim to compromise the target’s machine, and they achieve this by attaching a malicious file to their phishing email. Attackers sometimes craft a web page that mimics a legitimate login page to steal the target’s credentials.

In this task, we aim to acquire the target user’s login credentials. Our trap would be a fake TBFC portal login page, which we attach to the phishing email and send to the target. But a login page itself is not enough. We need to host it and implement some logic to capture the credentials entered by the target. To facilitate your task, we have already set up a script that, when run, will host a fake login page. The phoney login page we created will capture all the credentials entered into the page.

The script is placed at ~/Rooms/AoC2025/Day02. To run the script, use ./server.py and it will start listening for any credentials. If the target gets trapped and enters the credentials, it will be shown on the same terminal.

AttackBox Terminal

root@attackbox:~# cd ~/Rooms/AoC2025/Day02
root@attackbox:~/Rooms/AoC2025/Day02# ./server.py
Starting server on http://0.0.0.0:8000

The above message indicates that the phishing web application is listening on port 8000; moreover, the 0.0.0.0 implies that it is bound to all interfaces. To confirm what the user will see, use Firefox on the AttackBox and browse to http://CONNECTION_IP:8000 or http://127.0.0.1:8000; either of these addresses will show you what the user will see. With this set, it is time to email this link to test our users’ vigilance.

Delivery via Social-Engineer Toolkit (SET)

As our phishing page is ready, we can now prepare and send the phishing email to our target users. Sending it from our personal email is the worst idea. Ideally, the email should appear to be coming from a legitimate-looking sender; for example, we can pretend to be somebody the target user trusts or expects to get such an email from them. The more a phishing email appears realistic, the more likely it is for the target user to believe it and get phished. The question is how we can send a realistic-looking email that contains our fake login page.

One solution is to use the Social-Engineer Toolkit (SET). It is an open-source tool primarily designed by David Kennedy for social engineering attacks. It offers a wide range of features. In particular, it lets you compose and send a phishing email. In the current scenario, we will use this tool to create and send a phishing email to the target user.

Let’s start creating the phishing email through the SET tool. Before you use this tool, please remember that it will involve multiple steps, each asking different questions about the phishing email you intend to send. So, please be patient and follow along the process.

To start the tool, type setoolkit into the terminal, and it will present you with a menu containing multiple options. At the bottom, you will see set>, where you can input your desired option number. For our case, we would select option 1, i.e., Social-Engineering Attacks. If you choose the wrong option at any stage, the option 99 will take you back to the main menu, where you can start again. However, if you commit any mistake while writing the phishing email, you would have to press Ctrl + C to return to the main menu. The social engineering attacks cover various attacks from spear-phishing and mass mailer attacks to wireless access point attacks.

Choosing 1 will display another menu with the type of social engineering attack we want to use in our attack. In this case, we will pick Mass Mailer Attack by typing 5.

Now, we would be asked to select between two options. One option allows us to send the phishing email to a single address, while the other option enables us to send an email to many people. Here, we would select option 1, i.e., E-Mail Attack Single Email Address.

Now, we will have several questions to answer and various fields to fill out. The first set of questions concerns the email addresses and how the email will be routed and delivered. After each input provided, we can press Enter to get to the next question.

• Send email to: Let’s begin by targeting [email protected]
• How to deliver the email: We will choose Use your own server or open relay
• From address: We know that the guys at the toy factory communicate regularly with Flying Deer, the shipping company, so that we will use [email protected] as the source email address
• From name: Let’s use the name Flying Deer
• Username for open-relay: We will leave it blank and just hit the Enter key
• Password for open-relay: We will leave it blank and just hit the Enter key
• SMTP email server address: We will deliver directly to the TBFC mail server by entering 10.49.160.197.
• Port number for the SMTP server: We leave the default value of 25 and just hit the Enter key

The next set of questions will ask if you want to send it as a high priority or attach a file.

• Flag this message as high priority: The choice is entirely up to you, depending on your knowledge of the circumstances, but we will answer with no
• Do you want to attach a file: We will answer with n
• Do you want to attach an inline file: Again, let’s answer with n

Finally, we pick an email subject and enter the message contents in plaintext or HTML.

• Email subject: We need to think of something convincing, for example, “Shipping Schedule Changes”
• Send the message as HTML or plain: We will keep the default choice of plaintext and just hit the Enter key
• Enter the body of the message, and type END (capitals) when finished: Create and type any convincing message. Make sure to include the URL http://CONNECTION_IP:8000 to check if the target will fall for this trick.

Now, the phishing email has been sent to the target. The “Press <return> to continue” button is just the Enter button to restart the tool. Open the terminal where our server.py script is running to see if the user gets trapped and enters their credentials.

Answer the questions below

What is the password used to access the TBFC portal?

Answer: unranked-wisdom-anthem

What is the total number of toys expected for delivery?

Answer: 1984000

Answer the questions below

Answer: no-answer-needed

Phishing — Merry Clickmas | Tryhackme | Day-2 was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.