HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

NovaPay — Phish Sarah Chen

Social Engineering · Phishing / Credential Harvesting
Difficulty: Beginner
Vuln class: Phishing / Credential Harvesting
Steps: 6
// Objective
Send a convincing phishing email to Sarah Chen, capture her NovaPay credentials using PhishKit, then log in as her and retrieve the flag from her dashboard.
// Tools required
PhishKit, Mail Viewer, Browser
// Step-by-step walkthrough
1. Open PhishKit and review the templates
In the lab, open the PhishKit tab. You'll see three pre-built email templates — each one impersonates NovaPay's security team with a different lure. Read all three before picking one.
The most effective templates combine urgency ("your account was accessed from an unrecognised device") with a direct call to action ("verify your identity now").
2. Pick the strongest template and launch
Select the template that uses Sarah's full name, references a specific event (unusual login activity), and includes a link to the cloned NovaPay portal. Hit Launch Campaign.
Command / Input
Template 2 — "Unusual sign-in detected on your NovaPay account"
Template 2 scores highest because it personalises the greeting, references a real-sounding event, and creates time pressure without being obviously fake.
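As an added, defender-side illustration of the lure traits steps 1 and 2 describe (this is example code, not the lab's or PhishKit's): a small Python heuristic that flags a message when urgency, a credential call to action, an off-brand link and a brand-claiming display name co-occur. The legitimate domain list and the cloned-portal host are assumptions, and both sample messages are constructed.

```python
import re
from urllib.parse import urlparse

# Domains NovaPay legitimately sends from and links to (assumption for this example).
LEGIT_DOMAINS = {"novapay.io"}

# Lure traits the walkthrough highlights: urgency and a credential call to action.
URGENCY = [r"unusual sign-?in", r"unrecogni[sz]ed device",
           r"account (?:was|has been) accessed", r"within \d+ hours?", r"immediately"]
CREDENTIAL_CTA = [r"verify your identity", r"confirm your (?:password|details)",
                  r"(?:sign|log) ?in now", r"verify now"]

def offbrand_hosts(body):
    """Hosts of links in the body that are not on the brand's own domain."""
    hosts = []
    for url in re.findall(r"https?://[^\s<>'\"]+", body):
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
            hosts.append(host)
    return hosts

def lure_indicators(sender_name, sender_addr, subject, body):
    """Return the list of lure traits found in one message."""
    text = f"{subject}\n{body}".lower()
    hits = []
    if any(re.search(p, text) for p in URGENCY):
        hits.append("urgency")
    if any(re.search(p, text) for p in CREDENTIAL_CTA):
        hits.append("credential_cta")
    if offbrand_hosts(body):
        hits.append("offbrand_link")
    # Display name claims the brand but the sending domain is not the brand's.
    sender_domain = sender_addr.rsplit("@", 1)[-1].lower()
    if "novapay" in sender_name.lower() and sender_domain not in LEGIT_DOMAINS:
        hits.append("display_name_spoof")
    return hits

def verdict(hits):
    # Two or more traits together is the combination Template 2 relies on;
    # a single trait on its own is common in legitimate mail.
    if len(hits) >= 2:
        return "likely_phish"
    return "review" if hits else "clean"

# Constructed sample messages; the cloned-portal host is a placeholder.
PHISH = dict(sender_name="NovaPay Security", sender_addr="security@novapay-verify.example",
             subject="Unusual sign-in detected on your NovaPay account",
             body="Hi Sarah Chen,\n\nYour account was accessed from an unrecognised device. "
                  "Verify your identity now: https://novapay-verify.example/login\n\nNovaPay Security Team")
LEGIT = dict(sender_name="NovaPay", sender_addr="noreply@novapay.io",
             subject="Your October statement is ready",
             body="Hi Sarah,\n\nView your statement at https://app.novapay.io/statements\n\nNovaPay")

if __name__ == "__main__":
    for name, msg in (("phish", PHISH), ("legit", LEGIT)):
        hits = lure_indicators(**msg)
        print(name, verdict(hits), hits)
```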
3. Watch the Mail Viewer
Switch to the Mail Viewer tab. You'll see the email arrive in Sarah's inbox. Watch the status indicators — Delivered → Opened → Link Clicked → Credentials Submitted. This usually takes 15–30 seconds as the victim bot processes the email.
Output
Status: Delivered ✓ → Opened ✓ → Clicked ✓ → Submitted ✓
4. Retrieve the captured credentials
Back in PhishKit, open the Campaign Results panel. Sarah's username and password are now listed under Captured Credentials.
Output
sarah.chen@novapay.io : NovaPay2024!
In a real engagement these credentials would be stored server-side. The victim was redirected to the real NovaPay login after submitting — she thinks she mistyped her password and logged in normally.
5. Log into NovaPay as Sarah
Open the NovaPay portal tab in the lab. Enter the captured credentials to log in as Sarah Chen.
Command / Input
Email: sarah.chen@novapay.io
Password: NovaPay2024!
6. Grab the flag from her dashboard
Once logged in, you land on Sarah's Operations Manager dashboard. The flag is visible in the Secure Notes section at the bottom of the page.
Output
HackrGG{ph1sh3d_th3_0p3r4t10ns_t34m}
In a real attack, an attacker with Operations Manager access could approve transactions, view KYC data, export customer records, and pivot to other internal systems.
// Flag
Flag value
HackrGG{ph1sh3d_th3_0p3r4t10ns_t34m}
Found in Sarah Chen's dashboard after logging in with her phished credentials.