Post

ZeroDay 2026 - Phisher-man Caught

ZeroDay 2026 - Phisher-man Caught

ZeroDay 2026 - Phisher-man Caught

🎯 Challenge Info

Type: Web Challenge – A realistic phishing email analysis challenge

Even though this is labeled as a phishing challenge, it is actually a blue teaming task. They gave us email files (.eml), and we need to locate the phishing site to find the flag. It is an email forensics challenge where we analyze the files for clues to retrieve the flag.

⚑ TLDR

They provided many email files, so I used an online tool to extract and analyze the content. I found some links in the emails leading to a phishing site.

πŸ“§ How I Analyzed the Emails

First, I uploaded all the .eml files to an online email parser to extract the content, looking for suspicious links or attachments.

Email Content

πŸ•΅οΈ Finding the Phishing Site

Among the 18 emails, I found links pointing to https://suzzonymous.github.io/webtechhhy/verify/. I visited the link.

Phishing Site

As you can see, it is a mock phishing site designed for the CTF challenge. I checked the page source code.

πŸ’» Source Code Analysis

Source Code

Interestingly, the Telegram API is used in the source code. Having some experience with the Telegram API helped me understand it quickly. Luckily, the developers left the TOKEN and CHAT_ID in the source code. I tried sending a message to the bot.

πŸ“¨ Send Message to the Bot or the Channel

Telegram Bot

I used the Telegram API to send a message to the bot, obtaining the URL from a JavaScript file in the source code, and received a response.

The response confirms it is a channel rather than a bot. The channel is named Webtechpass. Joining the channel seemed necessary to retrieve the flag, but searching for it on Telegram yielded no results. Since it is a private channel, I realized I could extract the messages directly via the API.

πŸ” Researching Telegram API

I did some research on the Telegram API to find out how to extract messages from a channel.

Telegram API Research

I needed to query the Telegram API to get the channel’s messages using the same TOKEN and CHAT_ID.

πŸ“₯ Retrieving the Messages

I used the Telegram API to retrieve messages from the channel:

https://api.telegram.org/bot360813543:AAEXff1pasBtUu6SYNwXvwUsujru8F15WKs/getChat?chat id=-1003863808356"

Get Messages Terminal

Get Messages WEB

I also used the terminal to query the API. Both responses were identical, returning a private channel invitation link. I clicked the link and joined the channel.

πŸŽ‰ Flag Found

Flag

In the channel, there was a message containing the flag. This is how I solved the challenge and obtained the flag.

ODAY{ph! shing_i$_the_dirtie$t_w@y!!!}

πŸ“ Conclusion

I enjoyed this challenge because it was different from typical web challenges. My prior experience with the Telegram API was helpful, the flow was excellent, and it was a great learning experience.

Thanks for reading! See you in the next challenge. πŸš€

This post is licensed under CC BY 4.0 by the author.