TryHackMe: Advent of Cyber 2022 (Day 3) Nothing escapes detective McRed

“As the elves are trying to recover the compromised santagift.shop website, elf Recon McRed is trying to figure out how it was compromised in the first place. Can you help him in gathering open-source information against the website?”

Question #1: What is the name of the Registrar for the domain santagift.shop?

If you use the website provided to look up WHOIS data, you can see the registrar information:

NAMECHEAP INC

Question #2: Find the website’s source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?

If you use the same search term on Github, you can find the website’s source code repository:

You can open the config.php file in the repo to get the flag:

{THM_OSINT_WORKS}

Question #3: What is the name of the file containing passwords?

In that same file you can see that a bunch of DB passwords are just laying here in plain text:

config.php

Question #4: What is the name of the QA server associated with the website?

You can find the answer to that under “Database hostname”.

qa.santagift.shop

Question #5: What is the DB_PASSWORD that is being reused between the QA and PROD environments?

Here you can see the QA environment:

And here you can see the PROD environment:

They are both using the same DB_PASSWORD, S@nta2022

S@nta2022