The first week of December is drawing to an end, and it’s time to open up the third mission in the Advent of Cyber - OSINT.
What is the name of the Registrar for the domain santagift.shop?
Using my go-to site for all things WHOIS, https://who.is, we can easily find the registrar information.
Find the website’s source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?
Going to GitHub and looking for “santasgiftshop” leads us to the repository muhammadthm/SantaGiftShop, and a quick glance over the README points us towards config.php, where we can find the flag for this question.
What is the name of the file containing passwords?
This would be the file we just opened.
What is the name of the QA server associated with the website?
Reading through the file, we can find some extra credential information as well as the database hostname. The latter is the answer to this question.
What is the DB_PASSWORD that is being reused between the QA and PROD environments?
If we read further into the file, we can see that the settings are split into two environments: QA and PROD. Neither set of credentials should be publicly available like this, but it’s even worse when the production credentials match the dev/QA credentials, as they do here.
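The two mistakes the room demonstrates (secrets committed in a config file, and the same secret reused across QA and PROD) are exactly what a pre-commit or CI check should catch before code reaches a public repository. The following is an added example, not code from the room or from the SantaGiftShop repository: it parses a PHP-style config with one define() per setting, flags any key that looks like a secret, and reports values shared between environments. The define('ENV_KEY', 'value') layout and every value in the sample are assumptions and placeholders, not the real contents of the room’s config.php.

```python
"""Flag hard-coded secrets in a PHP-style config and credential reuse
across environments.

Added example; not from the TryHackMe room or the SantaGiftShop
repository. The config format (define('ENV_KEY', 'value')) and every
value in SAMPLE_CONFIG are assumptions / constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed sample in an assumed layout: each setting is prefixed with
# its environment (QA_ or PROD_). Values are placeholders only.
SAMPLE_CONFIG = """<?php
// QA environment
define('QA_DB_HOST', 'qa-db.example.internal');
define('QA_DB_USER', 'qa_user');
define('QA_DB_PASSWORD', 'Placeholder-Shared-Secret-1');

// PROD environment
define('PROD_DB_HOST', 'prod-db.example.internal');
define('PROD_DB_USER', 'prod_user');
define('PROD_DB_PASSWORD', 'Placeholder-Shared-Secret-1');
define('PROD_API_KEY', 'Placeholder-Api-Key-2');
"""

# Matches define('ENV_KEY', 'value') and splits ENV from KEY at the first
# underscore; the environment prefix is assumed to contain no underscore.
DEFINE_RE = re.compile(
    r"define\(\s*'(?P<env>[A-Z]+)_(?P<key>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\)"
)

# Heuristic: a setting name containing one of these is treated as a secret.
SECRET_MARKERS = ("PASSWORD", "SECRET", "KEY", "TOKEN")


def parse_defines(text):
    """Return {env: {key: value}} for every define('ENV_KEY', 'value') found."""
    settings = defaultdict(dict)
    for m in DEFINE_RE.finditer(text):
        settings[m.group("env")][m.group("key")] = m.group("value")
    return dict(settings)


def is_secret_key(key):
    """True if the setting name suggests it holds a credential."""
    return any(marker in key for marker in SECRET_MARKERS)


def find_hardcoded_secrets(settings):
    """List (env, key) pairs whose name looks secret and whose value is set.

    Any hit means a credential is committed in the file, regardless of
    environment: the fix is to read it from the environment or a secret store.
    """
    return sorted(
        (env, key)
        for env, keys in settings.items()
        for key, value in keys.items()
        if is_secret_key(key) and value
    )


def find_cross_env_reuse(settings):
    """List (key, [envs]) where one secret value is shared by several environments.

    Reuse means a leak of the lower-trust environment's secret compromises
    production as well, which is the worst case the room points out.
    """
    envs_by_secret = defaultdict(set)
    for env, keys in settings.items():
        for key, value in keys.items():
            if is_secret_key(key) and value:
                envs_by_secret[(key, value)].add(env)
    return sorted(
        (key, sorted(envs))
        for (key, _value), envs in envs_by_secret.items()
        if len(envs) > 1
    )


if __name__ == "__main__":
    parsed = parse_defines(SAMPLE_CONFIG)
    for env, key in find_hardcoded_secrets(parsed):
        print(f"hard-coded secret: {env}_{key}")
    for key, envs in find_cross_env_reuse(parsed):
        print(f"secret reused across environments: {key} in {', '.join(envs)}")
```

Run as a script it prints every committed secret and every value shared between QA and PROD on the sample; wired into a pre-commit hook it would block the commit instead. The check reports key names only, never the secret values, so its own output can be logged safely.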
And finally there’s a nudge towards the Google Dorking room, which is likely to give useful information for use cases other than OSINT as well. I’ve used similar dorks many times when trying to look up something else entirely, so it’s beneficial to learn how the tools you’ll likely use every single day work.
But that’s all for today; it was a quick and simple room that effectively shows why keeping confidential information confidential is of paramount importance.