[+] Enter the URL to clone: We input:
http://10.10.10.10:8080/ SET fetches the page and asks where to . Because the challenge box does not have any external DNS, we use the built‑in listener on the same host:
[1] Social-Engineering Attacks [2] Mass Mailer Attack [3] Payload Generator [4] Update Setool2 [5] Exit For a web‑login scenario we use → Credential Harvester . 4. Choosing the Correct Attack Vector From the menu:
Challenge type: Web / Social‑Engineering Toolkit (SET) – 30 pts Difficulty: Easy‑Medium Category: Recon / Exploitation (CTF‑style) The challenge description (as shown in the CTF UI) simply said: “Use Setool2 Cracked”. A small virtual machine image was supplied that already contained a copy of Setool2 (the “cracked” version) and a single vulnerable web service listening on http://10.10.10.10:8080/ . Below is a step‑by‑step explanation of how the flag was obtained. 1. Understanding the Goal The objective of most “SET” challenges is to obtain the secret token/flag that the target web application will reveal after a successful social‑engineering attack (often a phishing page that captures a credential or a malicious payload that executes on the victim). Use Setool2 Cracked
[1] Site Cloner [2] Credential Harvester Attack [3] Credential Harvester and Phishing Attack [4] Browser Exploit Attack [5] Back We pick – this will clone the original site and capture the posted credentials. 5. Configuring the Clone SET now asks for the target URL to clone:
/opt/setool2/logs/harvested_credentials.txt Open it:
Username: ______ Password: ______ [Login] No other pages were reachable ( /admin , /debug , etc.) – the only way to get the flag is to . 3. Setting up Setool2 The VM already contains Setool2 under /opt/setool2 . We start the interactive menu: [+] Enter the URL to clone: We input: http://10
In this particular box the web app is a tiny “login” portal that, when supplied with the , displays the flag. The catch is that we have no valid credentials – we must generate a credential via the Social‑Engineering Toolkit.
In practice, we may need to try a few guesses. Because the challenge only had a credential, a quick brute‑force (or simple wordlist) works. Setool2 can be instructed to repeat the attack automatically, but for this box a single manual attempt suffices. 8. Retrieving the Flag After the successful login the real server responded with the flag page. Visiting the original URL again (or watching the console output from Setool2) shows:
[*] Starting credential harvester on http://10.10.10.10:8081/ Since the challenge is self‑contained, we can directly visit the clone from the same VM (or from the attacker machine if you have network access). In a new terminal: Choosing the Correct Attack Vector From the menu:
$ cat /opt/setool2/logs/harvested_credentials.txt [+] 2026-04-17 12:34:56 - Credentials captured: Username: admin Password: p@55w0rd! When the clone forwards the login request to the real server, the server validates the supplied username/password against its own user database . The cloned page does not validate anything – it just relays the request. Thus the first time we guessed a credential pair that the server accepted, the server returned the flag page and Setool2 recorded what we sent.
$ curl -s http://10.10.10.10:8081/ The page looks to the original login screen.
After selecting it, the next screen asks for the :
[1] Web Attack Vector [2] Metasploit Browser Exploit [3] Infectious Media Generator [4] Arduino-based Attack Vector [5] Back is the right choice because the target is a web login form.