DB
Although that I have already enumerated the Database through SQLi earlier, I still haven’t checked for the authenticated user’s credential Since I confirmed that the DB is running on the loopback address, I can try to extract the credential.
www-data@popcorn:/var/www/torrent$ cat config.php
cat config.php
<?php
//rename this file to config.php
/* turn on verbose error reporting (15) to see all warnings and errors */
error_reporting(15);
//include "forumdb.php";
//define a generic object to hold all the configuration variables
class object {};
//declare an instance of the generic object
$CFG = new object;
//declare root directory
$CFG->dirroot = dirname(__FILE__);
//Edit This For TORRENT HOSTER Database
//database configuration
$CFG->host = "localhost";
$CFG->dbName = "torrenthoster"; //db name
$CFG->dbUserName = "torrent"; //db username
$CFG->dbPassword = "SuperSecret!!"; //db password
[...REDACTED...]The DB credential is indeed hard-coded into a configuration file; /var/www/torrent/config.php
I already know the DB user is torrent from the earlier SQLi, but that password is new;SuperSecret!!
password-reuse returned negative for other users