Database
Checking for the database credential after gaining the initial foothold
www-data@sea:/var/www/sea/data$ ll
total 48K
4.0K -rwxr-xr-x 1 www-data www-data 2.9K Aug 11 16:59 database.js
32K -rwxr-xr-x 1 www-data www-data 29K Aug 11 16:40 cache.json
4.0K drwxr-xr-x 2 www-data www-data 4.0K Jul 31 15:17 files
4.0K drwxr-xr-x 3 www-data www-data 4.0K Feb 22 20:00 .
4.0K drwxr-xr-x 6 www-data www-data 4.0K Feb 22 03:06 ..
The /var/www/sea/data directory contains an interesting file: database.js
database.js
www-data@sea:/var/www/sea/data$ cat database.js
{
"config": {
"siteTitle": "Sea",
"theme": "bike",
"defaultPage": "home",
"login": "loginURL",
"forceLogout": false,
"forceHttps": false,
"saveChangesPopup": false,
"password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q",
"lastLogins": {
"2024\/08\/11 16:59:27": "127.0.0.1",
"2024\/08\/11 16:57:57": "127.0.0.1",
"2024\/08\/11 16:56:27": "127.0.0.1",
"2024\/08\/11 16:54:57": "127.0.0.1",
"2024\/08\/11 16:53:26": "127.0.0.1"
[...REDACTED...]
The database.js file contains a DB credential hash: $2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q
Strangely enough, there are \ characters in the hash. I will remove them.
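The `\/` sequences are the JSON escape for `/`, so reading the file with a JSON parser returns the hash without backslashes. The following is an added example, not part of the original notes: it decodes the stored value, validates the bcrypt structure, and audits the cost factor and file mode. Assumptions: the sample is a constructed, closed excerpt of the truncated listing, and `min_cost=12` is a hypothetical policy threshold.

```python
import json
import re
import stat

# Constructed excerpt of database.js as shown above; closing braces added
# because the page's listing is truncated.
SAMPLE = r'''{
  "config": {
    "siteTitle": "Sea",
    "login": "loginURL",
    "password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q"
  }
}'''

# bcrypt modular crypt format: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r'^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$')

def stored_hash(text):
    """Let the JSON parser undo the \\/ escapes instead of editing by hand."""
    return json.loads(text)["config"]["password"]

def parse_bcrypt(h):
    """Split a bcrypt string into its fields; raise if it is malformed."""
    m = BCRYPT_RE.match(h)
    if m is None:
        raise ValueError("not a well-formed bcrypt hash")
    variant, cost, salt, digest = m.groups()
    return {"variant": variant, "cost": int(cost), "salt": salt, "digest": digest}

def audit(text, mode, min_cost=12):
    """Return findings for the stored hash and the file's permission bits.
    min_cost is an assumed policy threshold, not a value from the page."""
    fields = parse_bcrypt(stored_hash(text))
    findings = []
    if fields["cost"] < min_cost:
        findings.append(f"bcrypt cost {fields['cost']} is below policy minimum {min_cost}")
    if mode & stat.S_IROTH:
        findings.append("file is readable by other local users")
    return findings

if __name__ == "__main__":
    print(stored_hash(SAMPLE))
    print(parse_bcrypt(stored_hash(SAMPLE)))
    # 0o755 matches the -rwxr-xr-x mode in the directory listing above
    for finding in audit(SAMPLE, 0o755):
        print("finding:", finding)
```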
Password Cracking
┌──(kali㉿kali)-[~/archive/htb/labs/sea]
└─$ hashcat -a 0 -m 3200 bike.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q:mychemicalromance
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM...DnXm4q
Time.Started.....: Sun Aug 11 19:20:57 2024 (34 secs)
Time.Estimated...: Sun Aug 11 19:21:31 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 90 H/s (5.30ms) @ Accel:8 Loops:8 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3072/14344385 (0.02%)
Rejected.........: 0/3072 (0.00%)
Restore.Point....: 3008/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1016-1024
Candidate.Engine.: Device Generator
Candidates.#1....: blessing -> dangerous
Hardware.Mon.#1..: Util: 75%
Started: Sun Aug 11 19:19:50 2024
Stopped: Sun Aug 11 19:21:33 2024
hashcat cracked the password hash: mychemicalromance
While this is a password for the loginURL endpoint of the web application, it could have been reused by other users.
I will test that against the target SSH server.