[+] Enter the port to use for the clone [80] : 8081 Now SET builds the clone and starts a (or php -S ) behind the scenes. It also prints the URL where the fake site is reachable, e.g.:
[1] Web Attack Vector [2] Metasploit Browser Exploit [3] Infectious Media Generator [4] Arduino-based Attack Vector [5] Back is the right choice because the target is a web login form.
/opt/setool2/logs/harvested_credentials.txt Open it:
[+] Enter the URL to clone: We input:
After selecting it, the next screen asks for the :
Challenge type: Web / Social‑Engineering Toolkit (SET) – 30 pts Difficulty: Easy‑Medium Category: Recon / Exploitation (CTF‑style) The challenge description (as shown in the CTF UI) simply said: “Use Setool2 Cracked”. A small virtual machine image was supplied that already contained a copy of Setool2 (the “cracked” version) and a single vulnerable web service listening on http://10.10.10.10:8080/ . Below is a step‑by‑step explanation of how the flag was obtained. 1. Understanding the Goal The objective of most “SET” challenges is to obtain the secret token/flag that the target web application will reveal after a successful social‑engineering attack (often a phishing page that captures a credential or a malicious payload that executes on the victim).
In practice, we may need to try a few guesses. Because the challenge only had a credential, a quick brute‑force (or simple wordlist) works. Setool2 can be instructed to repeat the attack automatically, but for this box a single manual attempt suffices. 8. Retrieving the Flag After the successful login the real server responded with the flag page. Visiting the original URL again (or watching the console output from Setool2) shows:
[+] Choose the IP address for the clone (default = 0.0.0.0): We press to accept 0.0.0.0 (bind to all interfaces). SET then asks for a port – default is 80, but the box already runs a web server on 8080, so we choose 8081 :
Use Setool2 Cracked Apr 2026
[+] Enter the port to use for the clone [80] : 8081 Now SET builds the clone and starts a (or php -S ) behind the scenes. It also prints the URL where the fake site is reachable, e.g.:
[1] Web Attack Vector [2] Metasploit Browser Exploit [3] Infectious Media Generator [4] Arduino-based Attack Vector [5] Back is the right choice because the target is a web login form.
/opt/setool2/logs/harvested_credentials.txt Open it: Use Setool2 Cracked
[+] Enter the URL to clone: We input:
After selecting it, the next screen asks for the : [+] Enter the port to use for the
Challenge type: Web / Social‑Engineering Toolkit (SET) – 30 pts Difficulty: Easy‑Medium Category: Recon / Exploitation (CTF‑style) The challenge description (as shown in the CTF UI) simply said: “Use Setool2 Cracked”. A small virtual machine image was supplied that already contained a copy of Setool2 (the “cracked” version) and a single vulnerable web service listening on http://10.10.10.10:8080/ . Below is a step‑by‑step explanation of how the flag was obtained. 1. Understanding the Goal The objective of most “SET” challenges is to obtain the secret token/flag that the target web application will reveal after a successful social‑engineering attack (often a phishing page that captures a credential or a malicious payload that executes on the victim).
In practice, we may need to try a few guesses. Because the challenge only had a credential, a quick brute‑force (or simple wordlist) works. Setool2 can be instructed to repeat the attack automatically, but for this box a single manual attempt suffices. 8. Retrieving the Flag After the successful login the real server responded with the flag page. Visiting the original URL again (or watching the console output from Setool2) shows: A small virtual machine image was supplied that
[+] Choose the IP address for the clone (default = 0.0.0.0): We press to accept 0.0.0.0 (bind to all interfaces). SET then asks for a port – default is 80, but the box already runs a web server on 8080, so we choose 8081 :