What's up guys, hope you hackers are good. Today I thought I should try some other hacking sites. I used to see my friend **@saul** pwn machines from PwnTillDawn but I didn't get time to try it, and today my brother **@blackninja23** told me to try something new after I came from class, which was **PwnTillDawn Online Battlefield**. And that is how I officially got started with PwnTillDawn Online Battlefield.

Let the hacking scenes begin. Vega is one of the machines rated medium (but really easy, as far as I can tell). Here is the IP address (10.150.150.222).

**STEP 1: SCANNING**

After you have connected to the VPN, you can test connectivity by pinging the IP address to see if the connection was successfully initiated.

![Screenshot from 2023-12-04 20-11-28](https://hackmd.io/_uploads/BJuL_Kor6.png)

We got four open ports over there: 22, 80, 8089 and 10000.

**STEP 2: ENUMERATION**

Let's start enumerating one port after another.

Port 22 (ssh): we have no credentials for the time being, so we need to move on to the other ports.

Port 80 (http): running an HTTP web service.

![Screenshot from 2023-12-04 20-15-51](https://hackmd.io/_uploads/r1bvFYjHa.png)

Let's do some simple googling here and see what Magento is.

![Screenshot from 2023-12-04 20-17-22](https://hackmd.io/_uploads/Bk5hKKjra.png)

As we can see, Magento is an open-source e-commerce platform written in PHP. With PHP, I realized that this platform must, in one way or another, be using something like MySQL, if I'm not mistaken, and if you have the Wappalyzer extension you can conclude that this is **1**, I mean true.

What next now, mhmmmm. While I study the site endpoints, let me run my ffuf in the background. Sounds good, doesn't it, ahahahah.

**STEP 3: FOOTHOLDING**

![Screenshot from 2023-12-04 20-30-26](https://hackmd.io/_uploads/SkuJpFira.png)

NB: some interesting directories: /.bash_history, /.cache, /.profile, /.bashrc, /admin, /home, /category, etc. Let's look at them one after another and see what is there.

NB: something to know is that /.bash_history is a hidden file that contains the history of commands executed in the bash shell. If you browse to it you will find some interesting information, and also a flag.

![WhatsApp Image 2023-12-04 at 8.44.34 PM](https://hackmd.io/_uploads/Sk8rg5iSa.jpg)

And if you scroll down a little bit you will see some MySQL creds, username:vega password:REDACTED

![WhatsApp Image 2023-12-04 at 8.49.16 PM](https://hackmd.io/_uploads/ry3E-qjBp.jpg)

**STEP 4: EXPLOITATION**

Since we got the username and password, we can try to log in via SSH and see if we can get remote access.

![Screenshot from 2023-12-04 20-52-26](https://hackmd.io/_uploads/rywxG5oHa.png)

I tried like 10 times with the same password but it didn't work. I thought maybe I should brute force SSH with the username (hydra -l vega -P /usr/share/wordlists/rockyou.txt ssh://10.150.150.222/). I decided to move on with my endpoints while hydra was running in the background.

If you move on with the endpoints you will realize that the password used for MySQL looks familiar: it resembles one of the movie names on the site.

![Screenshot from 2023-12-04 20-54-26](https://hackmd.io/_uploads/BkRBXqiH6.png)

The only difference from the one we got earlier is that the position of one character is not the same, and if you change that character in the MySQL password you get the SSH creds, username:vega password:REDACTED

![Screenshot from 2023-12-04 21-03-12](https://hackmd.io/_uploads/rkruVcorp.png)

**STEP 5: PRIVILEGE ESCALATION**

Root as mamasita, easy as I thought, man,

![Screenshot from 2023-12-04 21-04-53](https://hackmd.io/_uploads/ByjCNcjr6.png)

just with **sudo -l**

![Screenshot from 2023-12-04 21-04-53](https://hackmd.io/_uploads/r1PeB9jrT.png)

Time for root access.

![Screenshot from 2023-12-04 21-06-49](https://hackmd.io/_uploads/ryA7P9iHp.png)

Happy hacking guys (hack the planet🏴‍☠️)
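
The foothold in STEP 3 exists because home-directory dotfiles (/.bash_history, /.bashrc, /.cache) were reachable through the web server, and the history held a MySQL password typed on the command line. The following is an added example, not part of the original writeup or the lab's code: a small audit an admin could run against a web document root to catch the same exposure. The function names, the sample docroot and the credentials in it are all constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Files/directories that belong to a user's home, not to a web application.
HOME_FILES = {".bash_history", ".bashrc", ".profile", ".mysql_history"}
HOME_DIRS = {".cache", ".ssh"}

# Commands that leave a secret in shell history (values are never echoed back).
SECRET_CMDS = [
    re.compile(r"\bmysql\w*\b.*\s-p\S+"),   # mysql -u user -pSECRET
    re.compile(r"\s--password[=\s]\S+"),    # --password=SECRET
]

def audit_docroot(docroot):
    """Return (exposed URL paths, [(history path, line number), ...])."""
    root = Path(docroot)
    exposed, secrets = [], []
    for path in sorted(root.rglob("*")):
        url = "/" + path.relative_to(root).as_posix()
        if path.is_dir():
            if path.name in HOME_DIRS:
                exposed.append(url + "/")
        elif path.name in HOME_FILES:
            exposed.append(url)
            if path.name.endswith("_history"):
                lines = path.read_text(errors="replace").splitlines()
                secrets += [(url, n) for n, line in enumerate(lines, 1)
                            if any(rx.search(line) for rx in SECRET_CMDS)]
    return exposed, secrets

def demo():
    """Audit a constructed docroot that mimics a home directory being served."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php // shop front ?>\n")
        (root / ".bashrc").write_text("alias ll='ls -la'\n")
        (root / ".cache").mkdir()
        (root / ".bash_history").write_text(   # constructed sample history
            "cd /var/www\n"
            "mysql -u shopuser -pCONSTRUCTED_SECRET shopdb\n"
            "mysql -u shopuser -p\n"           # prompts for password: not flagged
            "ls -la\n")
        return audit_docroot(root)

if __name__ == "__main__":
    exposed, secrets = demo()
    print("exposed:", exposed)
    print("history lines holding a password:", secrets)
```

Any hit in the first list means the web root overlaps a home directory and should be moved or dotfiles denied at the server; any hit in the second means that password must be rotated, along with near-variants of it used on other services such as SSH.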