Hi, I am Astik Rawat and I hope everyone is having a productive week so far. I finished the Vega Machine from PwnTillDawn last night and I wanted to share my experience. It is considered a Medium Linux machine with Host 222.
For me, it took me a while as it has few servers running which may seem vulnerable at first but it didn’t turn out to be. So ignoring all the rabbit holes I will jump straight into the machine and make it look too easy for anyone even getting started in Cybersec or CTFs.
So let's get straight into the box, by first performing Nmap Scan on the target to look for open ports.
Now on these open ports, I will be using Version Detection and Script Scan to find more about the version it is running.
As we can see the port 80,8089 & 10000 running a Web Server. So I will be running gobuster to look for subdirectories on Port 80 with wordlists ‘common.txt’ from Seclists.
While It is being run we can check the Port 80 Web server on Browser to check for more information on the target.
As we can it a shopping web server with movies and its price with a login portal. We won’t need to do anything with the Portal here to complete this machine.
As the gobuster is finished we can see the results as follows:
We get few outputs but what interests me the most is the “.bash_history” as this is the history file of a Linux user and it is mostly present in the user directory of a Linux user in the home directory i.e. /home/user
Let’s see if we can find anything interesting on the ‘.bash_history’ file on the web server.
We managed to find our first FLAG and other than that we can also see that the user is ‘vega’ also we managed to find the SQL password and the dump output. So we can check for ‘dumpmagento.sql’.
So let’s check that file as well for the dumps.
As we can see the file seems to have 0 bytes in it. It is only possible if the databases don’t hold anything or maybe there was some error in the generation of the SQL dump. So if we check the line for mysqldump on the bash history we can see the password is ‘puplfiction1994’. There seems to be a Human error with the spelling as it happens a lot in the real world so maybe that’s why there are no bytes in the dump. That’s the only reason we went to the Web server as it has a Movie called ‘Pulp Fiction’, as not everyone might know it so I think it was better to understand that it could be an error in password spelling.
We can try to get into the user ‘vega’ with the password ‘pulpfiction1994’ via SSH.
We got out initial shell as vega. Now we need to find out a way to get to the root and find the two remaining FLAGs.
We found a FLAG in the user directory itself. My first step toward Privilege Escalation is always checking the current user’s sudo rights.
We can see the user ‘vega’ can run all commands as root. So let’s become root user.
This is the end of this walkthrough and as you can see even a Medium Machine could be easy if you have the right information. This one took me around 1 hour just because I didn’t read the password. So the lesson I learned from this machine is it’s best to go slow and read everything than rushing into getting the Machine done.
This machine was possible with the help of PwnTillDawn from the Wizlynx group. I would suggest anyone getting into CTF’s to use their platform and learn as much as you can. This platform is totally free, so there are no monthly/annual subscription fees also the machines are up to date. I won't be surprised to compromise a 2020 exploit as well.
In few months I will be posting my result and review on OSCP as I am going to start the labs in a week or two. I hope every one of you gets something to learn. Happy Hacking!!