Carp Lab

An exciting mission awaits you! We have received a security notification from one of the companies we provide services for that there has been a phishing attack against the company. We only have the phishing email sent by the attackers. We need to identify who the attackers are and which employees’ information was stolen. We are looking for your help in conducting this investigation. We trust you to complete the task in the best way possible! Good luck!

Email content:

Hello,

We would like to share an important matter regarding your account. The IT department at our company has detected abnormal activity on your account. In order to ensure the security of your account, please complete the verification process by logging into your account via the link below:

<TARGET_LINK>

You have 24 hours for this verification process. If you do not complete the verification process within the specified period, your account will be temporarily frozen. If you have any questions or concerns, you can contact our IT support team.

Best regards,
IT Unit
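As an added example that is not part of the lab material or the author's writeup, the following Python scores the email above against the indicators a mail-security reviewer would look for: a generic greeting, account-alarm wording, a credential-verification lure, a deadline, a threat of losing the account, a link, and a vague sender. The indicator list, weights and threshold are assumptions of this example; the sample body is the email text quoted above with the attacker's link left as the <TARGET_LINK> placeholder.

```python
import re

# Sample input: the phishing email body quoted in the lab notification, with the
# link kept as the placeholder <TARGET_LINK> exactly as the page gives it.
SAMPLE_EMAIL = """Hello, We would like to share an important matter regarding your account.
The IT department at our company has detected abnormal activity on your account.
In order to ensure the security of your account, please complete the verification
process by logging into your account via the link below: <TARGET_LINK>
You have 24 hours for this verification process. If you do not complete the
verification process within the specified period, your account will be temporarily
frozen. If you have any questions or concerns, you can contact our IT support team.
Best regards, IT Unit"""

# (name, pattern, weight). Weights are an assumption of this example, not a
# published scoring scheme; tune them against your own mail corpus.
INDICATORS = [
    ("generic_greeting", re.compile(r"^\s*(hello|dear (customer|user|employee))\b[,!]?", re.I), 1),
    ("account_alarm", re.compile(r"\b(abnormal|suspicious|unusual) activity\b", re.I), 2),
    # a request to "verify" that is satisfied by logging in somewhere
    ("credential_lure", re.compile(r"\b(verif(y|ication)|confirm|validate)\b.*\b(log(ging)? in|sign(ing)? in|login)", re.I | re.S), 3),
    ("deadline_pressure", re.compile(r"\b\d+\s*(hours?|days?)\b", re.I), 2),
    ("threat_of_loss", re.compile(r"\b(frozen|suspended|locked|terminated|deactivated)\b", re.I), 2),
    ("link_present", re.compile(r"https?://\S+|<TARGET_LINK>", re.I), 1),
    # signature that names a department rather than a person
    ("vague_sender", re.compile(r"\b(IT (unit|department|support)|helpdesk|admin(istrator)?)\s*$", re.I | re.M), 1),
]


def score_email(body):
    """Return (score, list of matched indicator names) for one email body."""
    hits = [name for name, pat, _w in INDICATORS if pat.search(body)]
    score = sum(w for name, _p, w in INDICATORS if name in hits)
    return score, hits


def verdict(score, threshold=6):
    """Map a score to a triage label; the threshold is an assumed cut-off."""
    return "likely phishing" if score >= threshold else "inconclusive"


if __name__ == "__main__":
    total, matched = score_email(SAMPLE_EMAIL)
    print(total, matched, verdict(total))
```

The lab email trips every indicator; in practice a scorer like this is a triage aid that routes a message for analyst review, not a final classifier, and the link target (redacted here) is the indicator that carries the most weight once it is available.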


What is the e-mail address of the employee whose e-mail information was stolen from “Hegmann Holdings”?

  • First, I scanned the target with nmap:
                    __  __           __         _               
                   / / / /___ ______/ /___   __(_)_______  _____
                  / /_/ / __ `/ ___/ //_/ | / / / ___/ _ \/ ___/
                 / __  / /_/ / /__/ ,<  | |/ / (__  )  __/ /    
                /_/ /_/\__,_/\___/_/|_| |___/_/____/\___/_/     
                                                                

┌─[root@hackerbox]─[~]
└──╼ #nmap -sC -sV -p- officemailcentral.hv
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-03 03:30 CST
Nmap scan report for officemailcentral.hv (172.20.15.40)
Host is up (0.00024s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 30:1f:ac:6e:e1:a6:04:9d:01:d7:fb:ee:af:93:51:f3 (RSA)
|   256 34:f5:8b:36:5e:43:af:6d:72:b6:5e:66:ec:6a:14:e8 (ECDSA)
|_  256 18:f1:72:8c:3b:59:fa:52:ec:79:69:87:59:78:c9:1e (ED25519)
80/tcp    open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Sign in
3306/tcp  open  mysql   MySQL (unauthorized)
33060/tcp open  mysqlx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp: 
|     Invalid message"
|     HY000
|   LDAPBindReq: 
|     *Parse error unserializing protobuf message"
|     HY000
|   oracle-tns: 
|     Invalid message-frame."
|_    HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port33060-TCP:V=7.94SVN%I=7%D=12/3%Time=6930035B%P=x86_64-pc-linux-gnu%
SF:r(NULL,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(GenericLines,9,"\x05\0\0\0\x
SF:0b\x08\x05\x1a\0")%r(GetRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(HTT
SF:POptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(RTSPRequest,9,"\x05\0\0\0\
SF:x0b\x08\x05\x1a\0")%r(RPCCheck,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSV
SF:ersionBindReqTCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(DNSStatusRequestTC
SF:P,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x
SF:0fInvalid\x20message\"\x05HY000")%r(Help,9,"\x05\0\0\0\x0b\x08\x05\x1a\
SF:0")%r(SSLSessionReq,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\
SF:x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000")%r(TerminalServerCoo
SF:kie,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TLSSessionReq,2B,"\x05\0\0\0\x0
SF:b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20messag
SF:e\"\x05HY000")%r(Kerberos,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(SMBProgNe
SF:g,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(X11Probe,2B,"\x05\0\0\0\x0b\x08\x
SF:05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message\"\x05
SF:HY000")%r(FourOhFourRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LPDStri
SF:ng,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(LDAPSearchReq,2B,"\x05\0\0\0\x0b
SF:\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1a\x0fInvalid\x20message
SF:\"\x05HY000")%r(LDAPBindReq,46,"\x05\0\0\0\x0b\x08\x05\x1a\x009\0\0\0\x
SF:01\x08\x01\x10\x88'\x1a\*Parse\x20error\x20unserializing\x20protobuf\x2
SF:0message\"\x05HY000")%r(SIPOptions,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(
SF:LANDesk-RC,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(TerminalServer,9,"\x05\0
SF:\0\0\x0b\x08\x05\x1a\0")%r(NCP,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(Note
SF:sRPC,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\x10\x88'\x1
SF:a\x0fInvalid\x20message\"\x05HY000")%r(JavaRMI,9,"\x05\0\0\0\x0b\x08\x0
SF:5\x1a\0")%r(WMSRequest,9,"\x05\0\0\0\x0b\x08\x05\x1a\0")%r(oracle-tns,3
SF:2,"\x05\0\0\0\x0b\x08\x05\x1a\0%\0\0\0\x01\x08\x01\x10\x88'\x1a\x16Inva
SF:lid\x20message-frame\.\"\x05HY000")%r(ms-sql-s,9,"\x05\0\0\0\x0b\x08\x0
SF:5\x1a\0")%r(afp,2B,"\x05\0\0\0\x0b\x08\x05\x1a\0\x1e\0\0\0\x01\x08\x01\
SF:x10\x88'\x1a\x0fInvalid\x20message\"\x05HY000");
MAC Address: 52:54:00:5E:19:A9 (QEMU virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.59 seconds
┌─[root@hackerbox]─[~]
└──╼ #
  • Then I used gobuster to enumerate directories:
┌─[root@hackerbox]─[~]
└──╼ #gobuster dir -u http://officemailcentral.hv -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://officemailcentral.hv
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 285]
/.hta                 (Status: 403) [Size: 285]
/assets               (Status: 301) [Size: 329] [--> http://officemailcentral.hv/assets/]
/.htpasswd            (Status: 403) [Size: 285]
/database             (Status: 301) [Size: 331] [--> http://officemailcentral.hv/database/]
/index.php            (Status: 200) [Size: 2186]
/phpinfo.php          (Status: 200) [Size: 4283]
/server-status        (Status: 403) [Size: 285]
/webadmin             (Status: 301) [Size: 331] [--> http://officemailcentral.hv/webadmin/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
┌─[root@hackerbox]─[~]
└──╼ #
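The two scans above leave the reviewer with a port table and a list of paths to interpret. As an added example that is not part of the author's writeup, the following Python parses both outputs (the sample lines are copied from the scan results above, not regenerated) and applies a small triage rule set: a database listener reachable from the scanning host, and paths that answered 200 or 301 and name something sensitive (phpinfo.php, /database, /webadmin). The rule set and the finding text are assumptions of this example.

```python
import re

# Sample input: the port table and gobuster result lines from the scans above.
NMAP_PORTS = """\
22/tcp    open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.56 ((Debian))
3306/tcp  open  mysql   MySQL (unauthorized)
33060/tcp open  mysqlx?"""

GOBUSTER_LINES = """\
/.htaccess            (Status: 403) [Size: 285]
/.hta                 (Status: 403) [Size: 285]
/assets               (Status: 301) [Size: 329] [--> http://officemailcentral.hv/assets/]
/.htpasswd            (Status: 403) [Size: 285]
/database             (Status: 301) [Size: 331] [--> http://officemailcentral.hv/database/]
/index.php            (Status: 200) [Size: 2186]
/phpinfo.php          (Status: 200) [Size: 4283]
/server-status        (Status: 403) [Size: 285]
/webadmin             (Status: 301) [Size: 331] [--> http://officemailcentral.hv/webadmin/]"""

# One nmap port-table row: "PORT/PROTO STATE SERVICE [VERSION]".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# One gobuster dir-mode row, with an optional redirect target.
GOB_RE = re.compile(r"^(\S+)\s+\(Status:\s*(\d+)\)\s+\[Size:\s*(\d+)\](?:\s+\[--> (\S+)\])?")

# Triage rules (assumptions of this example): services that belong behind a
# host firewall, and paths whose reachability needs an explanation.
BACKEND_SERVICES = {"mysql", "mysqlx", "mysqlx?"}
SENSITIVE_PATHS = {
    "/phpinfo.php": "phpinfo() discloses PHP configuration, filesystem paths and loaded modules",
    "/database": "directory named for data storage is reachable; check for listings or dumps",
    "/webadmin": "administrative area reachable with no network restriction",
}


def parse_nmap_ports(text):
    """Parse nmap port-table rows into dicts; non-matching lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                          "service": m.group(4), "version": m.group(5).strip()})
    return ports


def parse_gobuster(text):
    """Parse gobuster dir-mode result rows into dicts (redirect is None if absent)."""
    results = []
    for line in text.splitlines():
        m = GOB_RE.match(line)
        if m:
            results.append({"path": m.group(1), "status": int(m.group(2)),
                            "size": int(m.group(3)), "redirect": m.group(4)})
    return results


def triage(ports, paths):
    """Return human-readable findings for exposed backend ports and sensitive paths."""
    findings = []
    for p in ports:
        if p["state"] == "open" and p["service"] in BACKEND_SERVICES:
            findings.append(f"port {p['port']}/{p['proto']} ({p['service']}) is reachable from the "
                            f"scanning host; bind the database to localhost or firewall it")
    for r in paths:
        if r["status"] in (200, 301) and r["path"] in SENSITIVE_PATHS:
            findings.append(f"{r['path']} -> HTTP {r['status']}: {SENSITIVE_PATHS[r['path']]}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_nmap_ports(NMAP_PORTS), parse_gobuster(GOBUSTER_LINES)):
        print("[!]", finding)
```

Run as-is, the script reports both MySQL listeners (3306 and the X Protocol port 33060) and the three reachable paths; 403 responses such as /.htaccess are deliberately left out of the findings because the server is already refusing them.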
  • I tried the vulnerabilities one at a time, since a web page that takes input may also have an injection vulnerability. On the initial page, I tried XSS injection with Burp Suite.

Author: Kai0Kid
Publish Date: 12 - 03 - 2025
License: Unlicensed