Local DB
Based on the network enumeration, I'd assume that mysqld is running on port 3306
strapi@horizontall:~/myapi/config/environments/development$ cat database.json
{
  "defaultconnection": "default",
  "connections": {
    "default": {
      "connector": "strapi-hook-bookshelf",
      "settings": {
        "client": "mysql",
        "database": "strapi",
        "host": "127.0.0.1",
        "port": 3306,
        "username": "developer",
        "password": "#J!:F9Zt2u"
      },
      "options": {}
    }
  }
}
A DB credential was found at /opt/myapi/config/environments/development/database.json
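From the defender's side, the finding above is a literal database password in a per-environment database.json that the service account can read. The following audit is an added example, not part of the original write-up or of Strapi itself: the function names are hypothetical, the sample file is constructed with a placeholder password, and it assumes that values starting with `${` are environment references rather than stored secrets.

```python
import json
import os
import stat
import tempfile

# Assumption: a value beginning with "${" is an environment reference, not a stored secret.
ENV_REF_PREFIX = "${"


def audit_database_config(path):
    """Return findings for one Strapi-style database.json file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: mode {mode:04o} is readable beyond the owner")
    with open(path, encoding="utf-8") as fh:
        config = json.load(fh)
    for name, conn in config.get("connections", {}).items():
        settings = conn.get("settings", {})
        password = settings.get("password")
        if isinstance(password, str) and password and not password.startswith(ENV_REF_PREFIX):
            findings.append(f"{path}: connection '{name}' stores a literal password "
                            f"for user '{settings.get('username')}'")
    return findings


def audit_tree(root):
    """Audit every database.json found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "database.json" in files:
            findings.extend(audit_database_config(os.path.join(dirpath, "database.json")))
    return findings


def build_sample(root, password="PLACEHOLDER-SECRET", mode=0o644):
    """Constructed sample mirroring the layout on this page (not the real file)."""
    env_dir = os.path.join(root, "config", "environments", "development")
    os.makedirs(env_dir, exist_ok=True)
    path = os.path.join(env_dir, "database.json")
    settings = {"host": "127.0.0.1", "username": "developer", "password": password}
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"connections": {"default": {"settings": settings}}}, fh)
    os.chmod(path, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("\n".join(audit_tree(tmp)))
```

Run against a deployment root, each finding names the file and the connection so the secret can be moved out of the file and the file mode tightened to owner-only.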
strapi
strapi@horizontall:~/myapi/config/environments/development$ mysql -udeveloper -p
Enter password: #J!:F9Zt2u
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 34
Server version: 5.7.35-0ubuntu0.18.04.1 (Ubuntu)
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| strapi |
| sys |
+--------------------+
5 rows in set (0.00 sec)
mysql> use strapi;
use strapi;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
I have authenticated and connected to the mysqld process as a client
The strapi DB is available for enumeration
tables
mysql> show tables;
show tables;
+------------------------------+
| Tables_in_strapi |
+------------------------------+
| core_store |
| reviews |
| strapi_administrator |
| upload_file |
| upload_file_morph |
| users-permissions_permission |
| users-permissions_role |
| users-permissions_user |
+------------------------------+
8 rows in set (0.00 sec)
mysql>
While there are some tables inside, the strapi.strapi_administrator table seems most promising to contain credentials
mysql> select * from strapi_administrator;
select * from strapi_administrator;
+----+----------+-----------------------+--------------------------------------------------------------+--------------------+---------+
| id | username | email | password | resetPasswordToken | blocked |
+----+----------+-----------------------+--------------------------------------------------------------+--------------------+---------+
| 3 | admin | admin@horizontall.htb | $2a$10$DNELnAGbNKbAsOzZk3pmF.f18GOZ9LBgVje0WHKUuLpu4HpiFBoj. | NULL | NULL |
+----+----------+-----------------------+--------------------------------------------------------------+--------------------+---------+
1 row in set (0.00 sec)
It does indeed contain a credential for the admin user, but this must be the admin user whose password I reset during the Exploitation phase
So this has no use.
I will check the other DB
mysql.user
mysql> use mysql;
use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select user,authentication_string from user;
select user,authentication_string from user;
+------------------+-------------------------------------------+
| user | authentication_string |
+------------------+-------------------------------------------+
| root | |
| mysql.session | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| mysql.sys | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| debian-sys-maint | *864892F451E37073B4B4F3CE01C26A02C3EFE03B |
| developer | *FFE7D25121423869EB3DCC48D3E8C99C6E3530A7 |
+------------------+-------------------------------------------+
5 rows in set (0.00 sec)
The developer user has a separate credential for the mysqld instance
While this is rather surprising, I will grab that hash and get it cracking
hashcat was unable to crack the hash
Unfortunately, this is a dead end.