What's up guys, hope you hackers are doing good. Today I thought I should try some other hacking sites. I used to see my friend @saul pwn machines from PwnTillDawn but I didn't get time to try it, and today my brother @blackninja23 told me to try something new after I came from class, which was PwnTillDawn Online Battlefield. And that is how I officially got started with PwnTillDawn Online Battlefield.
Let the hacking scenes begin.
Vega is one of the machines rated medium (but really easy, if you ask me).
Here is my IP address (10.150.150.222).
STEP 1: SCANNING
After you have connected to the VPN you can test connectivity by pinging the IP address to see if the connection was successfully initiated.
We got four open ports over there: ports 22, 80, 8089 and 10000.
STEP 2: ENUMERATION
Let's start enumerating one port after another.
Port 22 (SSH): we have no credentials for the time being, so we need to move on to the other ports.
Port 80 (HTTP): running an HTTP web service.
Let's do some simple googling here and see what Magento is.
As we can see, Magento is an open-source e-commerce platform written in PHP. Since it is PHP, I realized that this platform must in one way or another be using something like MySQL, if I'm not mistaken, and if you have the Wappalyzer extension you can confirm that it is (1, I mean true).
What next now, hmmm... while I study the site endpoints let me run ffuf in the background. Sounds good, doesn't it? Ahahahah.
STEP 3: FOOTHOLDING
NB: some interesting directories and files:
/.bash_history
/.cache
/.profile
/.bashrc
/admin
/home
/category and etc
Let's look at them one after another and see what is there.
NB: something to know is that /.bash_history is a hidden file that contains the history of commands executed inside the operating system (bash shell).
If you browse to it you will find some interesting information, but also a flag.
And if you scroll down a little bit you will see some MySQL creds:
username:vega
password:REDACTED
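The real lesson of this foothold is that a shell's dotfiles ended up inside the web document root, so the server happily served /.bash_history and the MySQL credentials inside it. As an added example (not part of the original write-up or of PwnTillDawn), here is a small Python audit that walks a web root, lists the risky dotfiles that would be exposed, and flags credential-looking lines inside them. It assumes the web server serves every regular file under the root verbatim, with no deny rules for dotfiles; the sample web root, its file names and the password value are constructed for the demo.

```python
"""Audit a web document root for shell dotfiles and leaked credentials.

Added example, not from the original write-up. Assumes the web server
serves any regular file under WEBROOT as-is (no dotfile deny rule),
which is exactly the mistake that made /.bash_history readable on Vega.
"""
import os
import re
import tempfile
from pathlib import Path

# Files a shell writes into $HOME that should never sit under a web root.
RISKY_NAMES = {".bash_history", ".bashrc", ".profile", ".zsh_history", ".mysql_history"}

# Patterns that usually mean a credential landed in a history or config file.
SECRET_PATTERNS = [
    re.compile(r"mysql\s.*-p\S+"),                              # mysql -u user -pPASSWORD
    re.compile(r"(?i)(password|passwd|pwd)\s*[:=]\s*\S+"),      # password=..., pwd: ...
    re.compile(r"\b[A-Z0-9_]*(TOKEN|SECRET|API_KEY)\b\s*=\s*\S+"),  # API_KEY=...
]


def find_exposed_dotfiles(webroot):
    """Return the URL paths (relative to webroot) of risky dotfiles found there."""
    hits = []
    for path in Path(webroot).rglob("*"):  # pathlib's glob does include dotfiles
        if path.is_file() and (path.name in RISKY_NAMES or path.name.endswith("_history")):
            hits.append("/" + path.relative_to(webroot).as_posix())
    return sorted(hits)


def scan_for_secrets(path):
    """Return (line_no, line) pairs in the file that match a credential pattern."""
    findings = []
    with open(path, errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            if any(p.search(line) for p in SECRET_PATTERNS):
                findings.append((no, line.rstrip("\n")))
    return findings


def audit(webroot):
    """Map every exposed dotfile to the credential-looking lines inside it."""
    return {
        rel: scan_for_secrets(Path(webroot) / rel.lstrip("/"))
        for rel in find_exposed_dotfiles(webroot)
    }


def build_sample_webroot():
    """Constructed sample web root mirroring the layout seen on Vega (fake credentials)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    (Path(root) / ".bash_history").write_text(
        "ls -la\n"
        "mysql -u vega -pEXAMPLE_FAKE_PASSWORD magento_db\n"  # the kind of line that leaked
        "cd /var/www/html\n"
    )
    (Path(root) / ".profile").write_text("export PATH=$HOME/bin:$PATH\n")
    (Path(root) / "index.php").write_text("<?php echo 'magento'; ?>\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for rel, findings in audit(sample).items():
        print(f"EXPOSED {rel}: {len(findings)} credential-looking line(s)")
        for no, line in findings:
            print(f"    line {no}: {line}")
```

Run it against the real document root of a server you administer and anything it prints should be moved out of the web root (and the password rotated, since the history already sat on a served path). The name check deliberately catches any `*_history` file, not just bash, because mysql and other clients keep their own history files.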
STEP 4: EXPLOITATION
Since we got the username and password we can try to log in via SSH and see if we can get remote access.
I tried like 10 times with the same password but it didn't work. What I thought was maybe I should brute force SSH with the username (hydra -l vega -P /usr/share/wordlists/rockyou.txt ssh://10.150.150.222/).
I decided to move on with my endpoints while hydra was running in the background.
If you move on with the endpoints you will realize that the password used for MySQL looks familiar: it resembles one of the movie names on the site.
The only difference from the one we got earlier is that the position of one character is not the same, and if you change that character in the MySQL password you get the SSH creds:
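From the blue-team side, a hydra run like the one above is very loud: sshd writes one "Failed password" line per attempt, all from the same source address within seconds. As an added example (not from the original write-up), here is a Python detector that parses sshd auth-log lines and raises an alert for any source IP with at least `threshold` failed logins inside a sliding `window_s`-second window. The log lines are constructed for the demo; the source address is simply borrowed from the write-up, and the host name, PIDs and timestamps are made up.

```python
"""Detect SSH password brute forcing from sshd auth-log lines.

Added example, not from the original write-up. Assumes the standard
syslog format that OpenSSH writes to /var/log/auth.log; the sample lines
below are constructed, not captured from the Vega machine.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches both "Failed password for vega from ..." and
# "Failed password for invalid user admin from ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample: six quick failures from one address, one stray failure
# and one success from another, plus an unrelated systemd line.
SAMPLE_LOG = [
    "Mar 10 12:00:01 vega sshd[2101]: Failed password for vega from 10.150.150.222 port 51234 ssh2",
    "Mar 10 12:00:03 vega sshd[2103]: Failed password for vega from 10.150.150.222 port 51236 ssh2",
    "Mar 10 12:00:04 vega sshd[2105]: Failed password for vega from 10.150.150.222 port 51238 ssh2",
    "Mar 10 12:00:06 vega sshd[2107]: Failed password for vega from 10.150.150.222 port 51240 ssh2",
    "Mar 10 12:00:08 vega sshd[2109]: Failed password for vega from 10.150.150.222 port 51242 ssh2",
    "Mar 10 12:00:09 vega sshd[2111]: Failed password for vega from 10.150.150.222 port 51244 ssh2",
    "Mar 10 12:05:00 vega sshd[2150]: Failed password for invalid user admin from 10.150.150.10 port 40000 ssh2",
    "Mar 10 12:06:00 vega sshd[2160]: Accepted password for vega from 10.150.150.10 port 40002 ssh2",
    "Mar 10 12:06:01 vega systemd[1]: Started Session 5 of user vega.",
]


def parse_failed_logins(lines):
    """Return (timestamp, user, source_ip) for every failed-password line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
            events.append((ts, m["user"], m["ip"]))
    return events


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: {"failures": n, "users": [...]}} for every source IP that
    produced at least `threshold` failures inside some `window_s`-second window."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failed_logins(lines):
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start, best = 0, (0, [])
        for end, (ts, _) in enumerate(events):
            # Slide the left edge until the window fits inside window_s seconds.
            while (ts - events[start][0]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, sorted({u for _, u in events[start:end + 1]}))
        if best[0] >= threshold:
            alerts[ip] = {"failures": best[0], "users": best[1]}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['failures']} failed logins, users={info['users']}")
```

The `users` list is what separates a single-account attack like `hydra -l vega` from password spraying across many accounts; both show up here because the window is keyed on the source address, not the user name. In practice you would feed it `tail -F /var/log/auth.log` and pair the alert with fail2ban or an SSH key-only policy.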
username:vega
password:REDACTED
STEP 5: PRIVILEGE ESCALATION
Root was as easy as I thought, man,
just with sudo -l.
Time for root access.
Happy hacking guys (hack the planet 🏴‍☠️)