PwnTillDawn: Vega
Task
- Try to find three flags on the given vulnerable machine, 10.150.150.222.
Tools used
- DirBuster
- NMAP
Steps
- Based on the target IP address, I discovered that a website named ‘Magento’ is hosted there.
- So, let us enumerate the web server for directories and files. I will be using DirBuster for the enumeration on port 80. It will use the common.txt wordlist to enumerate the web server for directories and files.
- While DirBuster continues to search for additional directories and files, I will perform an Nmap scan using the “-sC” script option to gather more information.
- Except for port 22, all the other open ports are running a web server. Since DirBuster takes a while to complete the scanning process, let’s take a look at the directories it has discovered so far by accessing them through the browser.
- Let us check the first directory.
- Upon visiting the directories, I immediately spotted Flag 40!
Result
- Moving forward I was able to get a lot of interesting information from the bash history file.
- As shown in the screenshot, we can observe information such as version details, usernames, and, most interestingly, the mysqldump file. A MySQL dump is a logical backup of a MySQL database. It essentially consists of a set of SQL statements that can recreate a specific database. To download the dump file, we need to provide the following details: username (vega), password (puplfiction1994), database name (magento2), and the desired output file name (dumpmagento.sql).
- Let’s proceed with downloading the dump file to investigate its contents.
- Upon opening the dump file, I discovered that it was empty. The screenshot provided indicated that the file size was 0 bytes, confirming that there is no data contained within it.
- There could be several reasons for the creation of an empty dump file. One possibility is that the database itself is empty, although this seems unlikely in the current scenario. Another possibility is that there was an issue with providing the correct input, such as the username, password, or database name.
- To further investigate, let’s attempt a remote connection using the provided username and password.
- While examining the password, I recalled a poster on the webpage that mentioned “Pulp Fiction.”
- Here we can see that the password is “puplfiction,” which appears to be a potential typo.
- By correcting the incorrect password from “puplfiction1994” to “pulpfiction1994,” we successfully gained access.
- And by executing the commands “ls” to list the files and “cat” to display the contents of the “FLAG41.txt” file, we were able to obtain FLAG41.
- Result
- After several attempts and trial and error, we realized that the “vega” user had complete privileges, allowing us to ultimately achieve root access.
- And exploring further, I was able to get the next flag as well.
- Result
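The credentials used above were recovered from a shell history file, so the defender's counterpart to this step is to audit history files for database clients invoked with an inline password. The following is an added example, not code from the original writeup or from the PwnTillDawn lab: it parses constructed sample history lines (the usernames mirror the writeup, the passwords are placeholders) and records the user, database and dump file for each mysql/mysqldump call, flagging only those where the password was recorded on the command line (a bare `-p` means the client prompted and nothing was stored).

```python
import shlex

# Constructed sample history lines (not from the target); the passwords are placeholders.
SAMPLE_HISTORY = """\
ls -la
mysqldump -u vega -pEXAMPLEpass1 magento2 > dumpmagento.sql
mysql -u root --password=EXAMPLEroot -h 127.0.0.1 -e 'show databases;'
mysql -uvega -p magento2
cat /etc/hostname
"""
DB_CLIENTS = ("mysql", "mysqldump")
OPTS_WITH_ARG = ("-e", "-h", "-P", "--execute", "--host", "--port")

def parse_db_command(line: str):
    """Parse one history line; return a record for mysql/mysqldump lines, else None."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes in a truncated history entry
        return None
    if not tokens or tokens[0] not in DB_CLIENTS:
        return None
    rec = {"command": tokens[0], "user": None, "password": None,
           "database": None, "outfile": None, "leaks_password": False}
    i = 1
    while i < len(tokens):
        t = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        step = 1
        if t == ">" and nxt is not None:         # shell redirect: the dump file
            rec["outfile"], step = nxt, 2
        elif t == "-u" and nxt is not None:
            rec["user"], step = nxt, 2
        elif t.startswith("-u"):                 # -uNAME glued to the flag
            rec["user"] = t[2:]
        elif t.startswith("--password="):        # password recorded in plain text
            rec["password"], rec["leaks_password"] = t.split("=", 1)[1], True
        elif t.startswith("-p") and len(t) > 2:  # -pSECRET; a bare -p prompts instead
            rec["password"], rec["leaks_password"] = t[2:], True
        elif t in OPTS_WITH_ARG:
            step = 2                             # skip the option and its value
        elif not t.startswith("-") and rec["database"] is None:
            rec["database"] = t                  # first positional is the database
        i += step
    return rec

def scan_history(text: str):
    """One record per mysql/mysqldump line in a history file, tagged with its line number."""
    recs = [(n, parse_db_command(ln)) for n, ln in enumerate(text.splitlines(), 1)]
    return [dict(r, line=n) for n, r in recs if r is not None]
```

Run it over `~/.bash_history` (or a copy collected during an investigation) and treat every record with `leaks_password` set as a credential to rotate; the same pattern extends to other clients that accept a password on the command line.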
Conclusion
- I successfully retrieved three flags from the target. I obtained these flags through directory enumeration on the target, and once I gained access to the remote machine, I discovered the remaining flags in the local directories of the target.
Credit: https://www.wizlynxgroup.com/
LinkedIn: https://www.linkedin.com/in/kshitija-mhatre-667394251/