Vega PwnTillDawn Walkthrough

Astik Rawat
5 min readJun 10, 2021

--

Hi, I am Astik Rawat and I hope everyone is having a productive week so far. I finished the Vega Machine from PwnTillDawn last night and I wanted to share my experience. It is considered a Medium Linux machine with Host 222.

Vega has Fallen

For me, it took me a while as it has few servers running which may seem vulnerable at first but it didn’t turn out to be. So ignoring all the rabbit holes I will jump straight into the machine and make it look too easy for anyone even getting started in Cybersec or CTFs.

So let's get straight into the box, by first performing Nmap Scan on the target to look for open ports.

Nmap Open Ports

Now on these open ports, I will be using Version Detection and Script Scan to find more about the version it is running.

Version and Service on open ports

As we can see the port 80,8089 & 10000 running a Web Server. So I will be running gobuster to look for subdirectories on Port 80 with wordlists ‘common.txt’ from Seclists.

While It is being run we can check the Port 80 Web server on Browser to check for more information on the target.

Magento Web Server — Port 80

As we can it a shopping web server with movies and its price with a login portal. We won’t need to do anything with the Portal here to complete this machine.

As the gobuster is finished we can see the results as follows:

Gobuster — Port 80 with common.txt

We get few outputs but what interests me the most is the “.bash_history” as this is the history file of a Linux user and it is mostly present in the user directory of a Linux user in the home directory i.e. /home/user

Let’s see if we can find anything interesting on the ‘.bash_history’ file on the web server.

.bash_history

We managed to find our first FLAG and other than that we can also see that the user is ‘vega’ also we managed to find the SQL password and the dump output. So we can check for ‘dumpmagento.sql’.

So let’s check that file as well for the dumps.

dumpmagento.sql

As we can see the file seems to have 0 bytes in it. It is only possible if the databases don’t hold anything or maybe there was some error in the generation of the SQL dump. So if we check the line for mysqldump on the bash history we can see the password is ‘puplfiction1994’. There seems to be a Human error with the spelling as it happens a lot in the real world so maybe that’s why there are no bytes in the dump. That’s the only reason we went to the Web server as it has a Movie called ‘Pulp Fiction’, as not everyone might know it so I think it was better to understand that it could be an error in password spelling.

We can try to get into the user ‘vega’ with the password ‘pulpfiction1994’ via SSH.

SSH as User Vega

We got out initial shell as vega. Now we need to find out a way to get to the root and find the two remaining FLAGs.

FLAG41

We found a FLAG in the user directory itself. My first step toward Privilege Escalation is always checking the current user’s sudo rights.

Sudo lists

We can see the user ‘vega’ can run all commands as root. So let’s become root user.

Last FLAG and user as root

This is the end of this walkthrough and as you can see even a Medium Machine could be easy if you have the right information. This one took me around 1 hour just because I didn’t read the password. So the lesson I learned from this machine is it’s best to go slow and read everything than rushing into getting the Machine done.

This machine was possible with the help of PwnTillDawn from the Wizlynx group. I would suggest anyone getting into CTF’s to use their platform and learn as much as you can. This platform is totally free, so there are no monthly/annual subscription fees also the machines are up to date. I won't be surprised to compromise a 2020 exploit as well.

Here is my PwnTillDawn Account, so if anyone is interested in working on a machine together I would love to work and grow together. You can add me on LinkedIn.

In few months I will be posting my result and review on OSCP as I am going to start the labs in a week or two. I hope every one of you gets something to learn. Happy Hacking!!

--

--

Astik Rawat
Astik Rawat

Written by Astik Rawat

Security Consultant | OSCE3 | OSED | OSWE | OSEP | CRTO | OSCP | OSWA | OSWP | PNPT | eMAPT | PJPT | CPENT | eJPT | CEH Master | KLCP | CNSP | OSCC | 9xCVEs

No responses yet