What's up guys, hope you hackers are good. Today I thought I should try some other hacking sites. I used to see my friend @saul pwn machines from PwnTillDawn but I didn't get time to try it, and today my brother @blackninja23 told me to try something new after I came from class, which was PwnTillDawn Online Battlefield. And that is how I officially got started with PwnTillDawn Online Battlefield.

Let the hacking scenes begin.

Vega is one of the machines rated medium (but really easy, I think).

Here is my IP address (10.150.150.222).

STEP 1: SCANNING

After you have connected to the VPN, you can test connectivity by pinging the IP address to see if the connection was successfully initiated.

We got four open ports there: 22, 80, 8089 and 10000.

STEP 2: ENUMERATION

Let's start enumerating one port after another.

Port 22 (ssh): we have no credentials for the time being, so we need to move on to the other ports.

Port 80 (http): running an HTTP web service.

Let's do some simple googling here and see what Magento is.

As we can see, Magento is an open-source e-commerce platform written in PHP. With PHP, I realized that this platform must in one way or another be using something like MySQL, if I'm not mistaken, and if you have the Wappalyzer extension you can conclude that it is 1, I mean true.

What next now, mhmmmm. While I study the site endpoints, let me run ffuf in the background. Sounds good, doesn't it, ahahahah.

STEP 3: FOOTHOLDING

NB: some interesting directories:
/.bash_history
/.cache
/.profile
/.bashrc
/admin
/home
/category, etc.

Let's look at them one after another and see what is there.

NB: something to know is that /.bash_history is a hidden file that contains the history of commands executed in the operating system (bash shell).

If you browse to it you will find some interesting information and also a flag.

And if you scroll down a little bit you will see some MySQL creds:

username:vega
password:REDACTED
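
From the defender's side, the exposure above comes down to shell dotfiles sitting under the web root and a password typed on a command line. The following is an added example, not part of the original write-up: a Python audit that walks a document root for the dotfiles listed above and flags history lines carrying inline credentials. The directory layout, the history lines and the pattern list are constructed assumptions.

```python
import os
import re
import tempfile

# Dotfiles named on this page that should never be reachable under a web root.
SENSITIVE_NAMES = {".bash_history", ".bashrc", ".profile", ".cache"}

# Command-line forms that leave a password in shell history (assumed set, extend as needed).
CRED_PATTERNS = [
    re.compile(r"\bmysql\b.*\s-p\S+"),          # mysql -u user -pSECRET
    re.compile(r"\bmysql\b.*--password=\S+"),   # mysql --password=SECRET
    re.compile(r"\bsshpass\s+-p\s*\S+"),        # sshpass -p SECRET ssh ...
]

def audit_docroot(docroot):
    """Return (exposed_paths, credential_hits) for a web document root."""
    exposed, hits = [], []
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            if name in SENSITIVE_NAMES:
                exposed.append(os.path.relpath(os.path.join(dirpath, name), docroot))
        if ".bash_history" in filenames:
            path = os.path.join(dirpath, ".bash_history")
            with open(path, errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if any(p.search(line) for p in CRED_PATTERNS):
                        # Report file and line only, never echo the secret itself.
                        hits.append((os.path.relpath(path, docroot), lineno))
    return sorted(exposed), hits

def demo():
    """Build a constructed docroot that mimics the layout described above and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, ".cache"))
        os.mkdir(os.path.join(root, "admin"))
        with open(os.path.join(root, ".bash_history"), "w") as fh:
            # Constructed history lines; the password is a placeholder.
            fh.write("ls -la\nmysql -u vega -pEXAMPLE_PLACEHOLDER\ncd /var/www\n")
        open(os.path.join(root, ".profile"), "w").close()
        return audit_docroot(root)

if __name__ == "__main__":
    exposed, hits = demo()
    print("exposed:", exposed)
    print("credential lines:", hits)
```

Any hit means the document root should be moved out of the user's home directory or dotfile requests should be denied at the web server, and the leaked password rotated.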

STEP 4: EXPLOITATION

Since we got the username and password, we can try to log in via SSH and see if we can get remote access.

I tried like 10 times with the same password but it didn't work, so I thought maybe I should brute force SSH with the username (hydra -l vega -P /usr/share/wordlists/rockyou.txt ssh://10.150.150.222/).

I decided to move on with my endpoints while hydra was running in the background.

If you move on with the endpoints you will realize that the password used for MySQL looks familiar, like one of the movie names on the site.

The only difference from the one we got earlier is that the position of one character is not the same, and if you change that character in the MySQL password you get the SSH creds:

username:vega
password:REDACTED
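
The near-identical MySQL and SSH passwords described above are something a credential audit can catch. This is an added example, not from the original write-up: it flags passwords that are within a small optimal-string-alignment edit distance of each other, which covers one moved or swapped character. The service names, sample passwords and threshold are constructed assumptions.

```python
def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution or match
            # Adjacent transposition, e.g. "p1" <-> "1p".
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def related_credentials(creds, max_distance=2):
    """Return (service_a, service_b, distance) for passwords that are near-duplicates.

    max_distance=2 (assumed threshold) catches an adjacent swap (1) and a single
    character moved elsewhere in the string (delete + insert = 2).
    """
    findings = []
    items = sorted(creds.items())
    for i, (svc_a, pw_a) in enumerate(items):
        for svc_b, pw_b in items[i + 1:]:
            dist = osa_distance(pw_a.lower(), pw_b.lower())
            if dist <= max_distance:
                findings.append((svc_a, svc_b, dist))
    return findings

# Constructed sample secrets, not values from the machine in this write-up.
SAMPLE = {
    "mysql": "Examp1ePass",
    "ssh": "Exam1pePass",      # same password with two adjacent characters swapped
    "backup": "tR9#kq2Lz!vW",  # unrelated password
}

if __name__ == "__main__":
    for svc_a, svc_b, dist in related_credentials(SAMPLE):
        print(f"{svc_a} and {svc_b} passwords differ by only {dist} edit(s)")
```

A check like this only works where both plaintext values are available, such as a secrets-vault audit or at password-change time.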

STEP 5: PRIVILEGE ESCALATION

Root was as easy as I thought, man,

just with sudo -l

Time for root access.

Happy hacking guys(hack the planet🏴‍☠️)