Phishing for Passwords! – A Simple Walkthrough of Day 2 (Advent of Cyber)

Today’s challenge focused on one of the most common cyber-attacks out there: phishing. The Best Festival Company (TBFC) recently faced several security threats, so their internal red team stepped in to test whether employees could recognize a suspicious email — before a real attacker tries the same.

LeadHand

12/6/2025

2 min read

What We Did

In this exercise, we stepped into the shoes of a red teamer and carried out a safe, authorized phishing test against TBFC staff. The goal was simple:
✔️ Build a convincing fake login page
✔️ Send it to a target employee
✔️ See whether anyone would enter their credentials

This helps the company understand whether more training is needed — and reminds staff how easy it is to be fooled by a realistic message.

How the Trap Was Set

First, we hosted a fake TBFC login page using a pre-built script. The page looked real, but instead of logging people in, it quietly collected whatever username and password they typed.

After starting the server, the page became accessible on a simple web address that we could share in an email.

Sending the Phishing Email

To deliver the trap, we used a popular social-engineering tool called the Social-Engineer Toolkit (SET). SET allows attackers (and ethical testers!) to craft realistic emails that appear to come from trusted senders.

We:

  • Pretended to be a familiar shipping company

  • Wrote a believable message about “Shipping Schedule Changes”

  • Included the link to our fake login page

  • Sent it directly to the target’s inbox

Then we waited.

What Happened

Before long, the server showed a set of login credentials — meaning someone fell for the message and entered their password. This is exactly why phishing tests are important: even trained staff can still make mistakes under pressure.

From there, we also checked whether the same password had been reused for the employee’s email account. Password reuse is what turns a single phished login into access to other accounts, which shows just how damaging real-world phishing can be.

Technical Tools Used (Explained Simply)

  • Social-Engineer Toolkit (SET) – used to build and send a realistic phishing email

  • Fake login page & capture script – a simple web server that collects typed credentials

  • Email spoofing techniques – making the email look like it came from a trusted sender

  • Basic hosting – running a local webpage reachable from the target’s machine

Bonus: Fixing Tool Installation Issues

If SET or other Python tools complained about missing packages (such as the long-unmaintained pycrypto), the fix was to install the modern replacement (pycryptodome) or to run everything inside a Python virtual environment, which keeps the tool’s dependencies isolated from the system Python and avoids conflicts with operating-system packages.

https://tryhackme.com/room/phishing-aoc2025-h2tkye9fzU?utm_campaign=social_share&utm_medium=social&utm_content=room&utm_source=copy&sharerId=68628169cd72a065895b7f0a