Swagshop

Discussion Starting Point

I’ll just be sitting here praying this is another OSCP-like box (this guy has a great track record) and not another CTF “guess the box” shitfest like we’ve seen waaaaay too often recently. ~1hr to go!

Let’s get it guys! I’m excited.

On free I can’t even run a gobuster…I guess I’ll wait…:confused:

anyone know if /js thing has anything to do with it?

found a key and a password, not sure if it’s troll

@gokuKaioKen said:

found a key and a password, not sure if it’s troll

same here, in config files?

@EmmaSamms … right

Service Temporarily Unavailable on index.php, anyone else getting that?

lol it’s nuked

Well I’m stuck, right after getting assumed creds and having the admin login panel. Guess I’ll wait/research until some hints pop up :))

Has anyone found valid admin credentials? Hydra found two but they’re both wrong, also I too found mysql root creds and some weird crypto key

Well, I found 2 admin session IDs but none of them work

@Informatiger said:

Has anyone found valid admin credentials? Hydra found two but they’re both wrong, also I too found mysql root creds and some weird crypto key

I think the pass is encrypted and can be decrypted using that key but I don’t know the syntax.

Spoiler Removed

Any nudge from people who already got user on how to decrypt the m****** pass?

rooted.
hint for root: don’t overthink it, it’s obvious after basic enum

@AndreiPintea said:
Any nudge from people who already got user on how to decrypt the m****** pass?
pm me

Great box :slight_smile: Glad I had opportunity to get familiar with pwning Magento :slight_smile:
User: not every password is a swag, make yours :slight_smile:
Root: basic enumeration and understanding of Linux system