employeemanagementsystem


Making some assessments after gaining a foothold in the Docker container

www-data@4374220c10d0:/var/www/html$ ll
total 36K
8.0k drwxr-xr-x 1 www-data www-data 4.0k jun 20 05:50 oldmanagement
8.0K drwxr-xr-x 1 www-data www-data 4.0K May 31  2022 .
4.0K drwxr-xr-x 1 www-data www-data 4.0K May 31  2022 employeemanagementsystem
8.0K drwxr-xr-x 1 www-data www-data 4.0K May 31  2022 mastermailer
8.0K drwxr-xr-x 1 root     root     4.0K Dec 11  2020 ..

There appears to be another web application: /var/www/html/employeemanagementsystem

www-data@4374220c10d0:/var/www/html/employeemanagementsystem$ ll
total 340K
4.0K drwxr-xr-x 1 www-data www-data 4.0K May 31  2022 .
8.0K drwxr-xr-x 1 www-data www-data 4.0K May 31  2022 ..
4.0K drwxr-xr-x 1 www-data www-data 4.0K May 11  2022 assets
4.0K drwxr-xr-x 1 www-data www-data 4.0K May 11  2022 css
4.0K drwxr-xr-x 1 www-data www-data 4.0K May 11  2022 db
4.0K drwxr-xr-x 1 www-data www-data 4.0K May 11  2022 js
4.0K drwxr-xr-x 1 www-data www-data 4.0K May 11  2022 process
4.0K drwxr-xr-x 1 www-data www-data 4.0K May 11  2022 vendor
4.0K -rwxr-xr-x 1 www-data www-data 1.5K Apr  8  2022 aboutus.html
8.0K -rwxr-xr-x 1 www-data www-data 6.4K Apr  8  2022 addemp.php
   0 -rwxr-xr-x 1 www-data www-data    0 Apr  8  2022 adminstyle.css
4.0K -rwxr-xr-x 1 www-data www-data 1.1K Apr  8  2022 alogin.html
4.0K -rwxr-xr-x 1 www-data www-data 2.0K Apr  8  2022 aloginwel.php
4.0K -rwxr-xr-x 1 www-data www-data 4.0K Apr  8  2022 applyleave.php
4.0K -rwxr-xr-x 1 www-data www-data  398 Apr  8  2022 approve.php
4.0K -rwxr-xr-x 1 www-data www-data 3.6K Apr  8  2022 assign.php
4.0K -rwxr-xr-x 1 www-data www-data 1.9K Apr  8  2022 assignproject.php
4.0K -rwxr-xr-x 1 www-data www-data  399 Apr  8  2022 cancel.php
8.0K -rwxr-xr-x 1 www-data www-data 4.1K Apr  8  2022 changepassemp.php
4.0K -rwxr-xr-x 1 www-data www-data  934 Apr  8  2022 contact.html
4.0K -rwxr-xr-x 1 www-data www-data  323 Apr  8  2022 delete.php
8.0K -rwxr-xr-x 1 www-data www-data 7.0K Apr  8  2022 edit.php
4.0K -rwxr-xr-x 1 www-data www-data 1.1K Apr  8  2022 elogin.html
8.0K -rwxr-xr-x 1 www-data www-data 4.4K Apr  8  2022 eloginwel.php
4.0K -rwxr-xr-x 1 www-data www-data 2.6K Apr  8  2022 empleave.php
4.0K -rwxr-xr-x 1 www-data www-data 1.7K Apr  8  2022 empproject.php
136K -rwxr-xr-x 1 www-data www-data 134K Apr  8  2022 hero-banner.png
4.0K -rwxr-xr-x 1 www-data www-data  941 Apr  8  2022 index.html
8.0K -rwxr-xr-x 1 www-data www-data 7.0K Apr  8  2022 mark.php
8.0K -rwxr-xr-x 1 www-data www-data 6.9K Apr  8  2022 myprofile.php
8.0K -rwxr-xr-x 1 www-data www-data 4.4K Apr  8  2022 myprofileup.php
4.0K -rwxr-xr-x 1 www-data www-data  342 Apr  8  2022 psubmit.php
4.0K -rwxr-xr-x 1 www-data www-data  835 Apr  8  2022 readme.txt
4.0K -rwxr-xr-x 1 www-data www-data  231 Apr  8  2022 reset.php
4.0K -rwxr-xr-x 1 www-data www-data 1.8K Apr  8  2022 salaryemp.php
4.0K -rwxr-xr-x 1 www-data www-data 2.3K Apr  8  2022 style.css
 12K -rwxr-xr-x 1 www-data www-data  12K Apr  8  2022 styleapply.css
4.0K -rwxr-xr-x 1 www-data www-data 1.8K Apr  8  2022 styleemplogin.css
4.0K -rwxr-xr-x 1 www-data www-data 2.3K Apr  8  2022 styleindex.css
4.0K -rwxr-xr-x 1 www-data www-data 2.5K Apr  8  2022 stylelogin.css
4.0K -rwxr-xr-x 1 www-data www-data 1.3K Apr  8  2022 styleprofile.css
4.0K -rwxr-xr-x 1 www-data www-data 1.3K Apr  8  2022 styleview.css
4.0K -rwxr-xr-x 1 www-data www-data 2.5K Apr  8  2022 viewemp.php

While there is a lot going on within the web app directory, I will check the db directory first, as it may contain a SQL connection string with a DB credential.

db/ems.sql


www-data@4374220c10d0:/var/www/html/employeemanagementsystem$ cd db ; ll
total 16K
4.0K drwxr-xr-x 1 www-data www-data 4.0K May 31  2022 ..
4.0K drwxr-xr-x 1 www-data www-data 4.0K May 11  2022 .
8.0K -rwxr-xr-x 1 www-data www-data 6.1K Apr  8  2022 ems.sql
 
www-data@4374220c10d0:/var/www/html/employeemanagementsystem/db$ cat ems.sql
-- phpMyAdmin SQL Dump
-- version 4.7.4
-- https://www.phpmyadmin.net/
--
-- Host: 127.0.0.1
-- Generation Time: Sep 10, 2020 at 02:48 PM
-- Server version: 10.1.30-MariaDB
-- PHP Version: 7.2.1
 
SET SQL_MODE = "NO_AUTO_VALUE_ON_ZERO";
SET AUTOCOMMIT = 0;
START TRANSACTION;
SET time_zone = "+00:00";
 
 
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8mb4 */;
 
--
-- Database: `ems`
--
 
-- --------------------------------------------------------
 
--
-- Table structure for table `alogin`
--
 
CREATE TABLE `alogin` (
  `id` int(11) NOT NULL,
  `email` tinytext NOT NULL,
  `password` longtext NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
 
--
-- Dumping data for table `alogin`
--
 
INSERT INTO `alogin` (`id`, `email`, `password`) VALUES
(1, 'admin@gmail.com', 'admin');
 
-- --------------------------------------------------------
 
--
-- Table structure for table `employee`
--
 
CREATE TABLE `employee` (
  `id` int(11) NOT NULL,
  `firstName` varchar(100) NOT NULL,
  `lastName` varchar(100) NOT NULL,
  `email` varchar(100) NOT NULL,
  `password` text NOT NULL,
  `birthday` date NOT NULL,
  `gender` varchar(10) NOT NULL,
  `contact` varchar(20) NOT NULL,
  `nid` int(20) NOT NULL,
  `address` varchar(100) DEFAULT NULL,
  `dept` varchar(100) NOT NULL,
  `degree` varchar(100) NOT NULL,
  `pic` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
 
--
-- Dumping data for table `employee`
--
 
INSERT INTO `employee` (`id`, `firstName`, `lastName`, `email`, `password`, `birthday`, `gender`, `contact`, `nid`, `address`, `dept`, `degree`, `pic`) VALUES
(2, 'John', 'Smith', 'john@gmail.com', '1234', '2020-09-01', 'Male', '0999999999', 1, 'New York', 'IT', 'Waterboy', 'images/default.jpg'),
(6, 'test', 'test', 'test@gmail.com', '1234', '2020-09-06', 'Male', '09998383737', 4, 'test', 'test', 'test', 'images/d.jpg');
 
-- --------------------------------------------------------
 
--
-- Table structure for table `employee_leave`
--
 
CREATE TABLE `employee_leave` (
  `id` int(11) DEFAULT NULL,
  `token` int(11) NOT NULL,
  `start` date DEFAULT NULL,
  `end` date DEFAULT NULL,
  `reason` char(100) DEFAULT NULL,
  `status` char(50) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
 
--
-- Dumping data for table `employee_leave`
--
 
INSERT INTO `employee_leave` (`id`, `token`, `start`, `end`, `reason`, `status`) VALUES
(2, 1, '2020-09-03', '2020-09-05', 'COVID-19', 'Approved'),
(2, 3, '2020-09-10', '2020-09-12', 'May Lagnat', 'Approved');
 
-- --------------------------------------------------------
 
--
-- Table structure for table `project`
--
 
CREATE TABLE `project` (
  `pid` int(11) NOT NULL,
  `eid` int(11) DEFAULT NULL,
  `pname` varchar(100) DEFAULT NULL,
  `duedate` date DEFAULT NULL,
  `subdate` date DEFAULT '0000-00-00',
  `mark` int(11) NOT NULL,
  `status` varchar(50) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
 
--
-- Dumping data for table `project`
--
 
INSERT INTO `project` (`pid`, `eid`, `pname`, `duedate`, `subdate`, `mark`, `status`) VALUES
(1, 2, 'Junkyard', '2020-09-26', '2020-09-04', 1, 'Submitted');
 
-- --------------------------------------------------------
 
--
-- Table structure for table `rank`
--
 
CREATE TABLE `rank` (
  `eid` int(11) NOT NULL,
  `points` int(11) DEFAULT '0'
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
 
--
-- Dumping data for table `rank`
--
 
INSERT INTO `rank` (`eid`, `points`) VALUES
(2, 0),
(6, 0);
 
-- --------------------------------------------------------
 
--
-- Table structure for table `salary`
--
 
CREATE TABLE `salary` (
  `id` int(11) NOT NULL,
  `base` int(11) NOT NULL,
  `bonus` int(11) DEFAULT NULL,
  `total` int(11) DEFAULT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
 
--
-- Dumping data for table `salary`
--
 
INSERT INTO `salary` (`id`, `base`, `bonus`, `total`) VALUES
(2, 500, 0, 500),
(6, 1000, 0, 1000);
 
--
-- Indexes for dumped tables
--
 
--
-- Indexes for table `alogin`
--
ALTER TABLE `alogin`
  ADD PRIMARY KEY (`id`);
 
--
-- Indexes for table `employee`
--
ALTER TABLE `employee`
  ADD PRIMARY KEY (`id`),
  ADD UNIQUE KEY `email` (`email`);
 
--
-- Indexes for table `employee_leave`
--
ALTER TABLE `employee_leave`
  ADD PRIMARY KEY (`token`),
  ADD KEY `employee_leave_ibfk_1` (`id`);
 
--
-- Indexes for table `project`
--
ALTER TABLE `project`
  ADD PRIMARY KEY (`pid`),
  ADD KEY `project_ibfk_1` (`eid`);
 
--
-- Indexes for table `rank`
--
ALTER TABLE `rank`
  ADD PRIMARY KEY (`eid`);
 
--
-- Indexes for table `salary`
--
ALTER TABLE `salary`
  ADD PRIMARY KEY (`id`);
 
--
-- AUTO_INCREMENT for dumped tables
--
 
--
-- AUTO_INCREMENT for table `alogin`
--
ALTER TABLE `alogin`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=2;
 
--
-- AUTO_INCREMENT for table `employee`
--
ALTER TABLE `employee`
  MODIFY `id` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=7;
 
--
-- AUTO_INCREMENT for table `employee_leave`
--
ALTER TABLE `employee_leave`
  MODIFY `token` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=4;
 
--
-- AUTO_INCREMENT for table `project`
--
ALTER TABLE `project`
  MODIFY `pid` int(11) NOT NULL AUTO_INCREMENT, AUTO_INCREMENT=8;
 
--
-- Constraints for dumped tables
--
 
--
-- Constraints for table `employee_leave`
--
ALTER TABLE `employee_leave`
  ADD CONSTRAINT `employee_leave_ibfk_1` FOREIGN KEY (`id`) REFERENCES `employee` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;
 
--
-- Constraints for table `project`
--
ALTER TABLE `project`
  ADD CONSTRAINT `project_ibfk_1` FOREIGN KEY (`eid`) REFERENCES `employee` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;
 
--
-- Constraints for table `rank`
--
ALTER TABLE `rank`
  ADD CONSTRAINT `rank_ibfk_1` FOREIGN KEY (`eid`) REFERENCES `employee` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;
 
--
-- Constraints for table `salary`
--
ALTER TABLE `salary`
  ADD CONSTRAINT `salary_ibfk_1` FOREIGN KEY (`id`) REFERENCES `employee` (`id`) ON DELETE CASCADE ON UPDATE CASCADE;
COMMIT;
 
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;

The SQL file is a phpMyAdmin data dump of the `ems` database (schema plus data). Note that the `alogin` and `employee` tables store their passwords as plaintext rather than hashes.
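To make that observation repeatable, here is an added audit script (my own example, not code from this writeup or from the application) that parses the INSERT statements of a phpMyAdmin-style dump and reports which credential columns hold plaintext values rather than a recognised hash format. It runs on a constructed excerpt in the shape of ems.sql; the bcrypt value in the sample is constructed, and the list of hash formats is my assumption of what "hashed" should look like.

```python
import re

# Constructed excerpt in the shape of the ems.sql dump above; only a few tables are
# reproduced, and the bcrypt value for the last employee row is constructed.
SAMPLE_DUMP = """
INSERT INTO `alogin` (`id`, `email`, `password`) VALUES
(1, 'admin@gmail.com', 'admin');

INSERT INTO `employee` (`id`, `email`, `password`) VALUES
(2, 'john@gmail.com', '1234'),
(6, 'test@gmail.com', '$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy');

INSERT INTO `salary` (`id`, `base`, `bonus`, `total`) VALUES
(2, 500, 0, 500);
"""

# Column names that usually carry a credential.
CREDENTIAL_COLUMN = re.compile(r"pass|pwd|secret", re.I)

# Storage formats that indicate the value was hashed rather than stored raw (assumed list).
HASH_FORMATS = [
    re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),   # bcrypt (PHP password_hash default)
    re.compile(r"^\$argon2(?:i|d|id)\$"),                  # argon2
    re.compile(r"^\$[156]\$"),                             # crypt(3) md5/sha256/sha512
    re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$"),  # bare hex digest: hashed, but unsalted and weak
]

# INSERT INTO `t` (`c1`, `c2`) VALUES (...), (...);
INSERT_STMT = re.compile(r"INSERT INTO `(\w+)`\s*\(([^)]*)\)\s*VALUES\s*(.*?);\s*$", re.S | re.M)
# Tokens inside the VALUES list: quoted string, NULL, number, or punctuation.
VALUE_TOKEN = re.compile(r"'((?:[^'\\]|\\.|'')*)'|(NULL)|(-?\d+(?:\.\d+)?)|([(),])", re.S)


def parse_rows(values_text):
    """Turn the VALUES part of an INSERT into a list of row tuples."""
    rows, current = [], None
    for m in VALUE_TOKEN.finditer(values_text):
        string, null, number, punct = m.groups()
        if punct == "(":
            current = []
        elif punct == ")":
            rows.append(tuple(current))
            current = None
        elif punct == "," or current is None:
            continue
        elif string is not None:
            current.append(string.replace("''", "'").replace("\\'", "'"))
        elif null:
            current.append(None)
        else:
            current.append(int(number) if number.lstrip("-").isdigit() else float(number))
    return rows


def parse_inserts(dump_text):
    """Map table name -> (column names, rows) for every INSERT statement in the dump."""
    tables = {}
    for m in INSERT_STMT.finditer(dump_text):
        table, cols, values = m.groups()
        columns = [c.strip().strip("`") for c in cols.split(",")]
        tables.setdefault(table, (columns, []))[1].extend(parse_rows(values))
    return tables


def looks_hashed(value):
    return isinstance(value, str) and any(p.match(value) for p in HASH_FORMATS)


def audit_dump(dump_text):
    """One finding per credential cell: where it lives and whether it is a recognised hash.
    The stored value itself is deliberately left out of the report."""
    findings = []
    for table, (columns, rows) in parse_inserts(dump_text).items():
        cred_idx = [i for i, c in enumerate(columns) if CREDENTIAL_COLUMN.search(c)]
        for row in rows:
            for i in cred_idx:
                findings.append({"table": table, "column": columns[i],
                                 "row_key": row[0], "hashed": looks_hashed(row[i])})
    return findings


def plaintext_findings(dump_text):
    return [f for f in audit_dump(dump_text) if not f["hashed"]]


if __name__ == "__main__":
    for f in audit_dump(SAMPLE_DUMP):
        print(f"{f['table']}.{f['column']} row {f['row_key']}: "
              + ("hashed" if f["hashed"] else "PLAINTEXT"))
```

Pointed at the real file with `audit_dump(open("db/ems.sql").read())`, the report lists the `alogin` and `employee` rows as plaintext without ever printing the secrets themselves, which is the form a finding like this should take in a report.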

process/dbh.php


www-data@4374220c10d0:/var/www/html/employeemanagementsystem/process$ ll
total 36K
4.0K drwxr-xr-x 1 www-data www-data 4.0K May 31  2022 ..
4.0K drwxr-xr-x 1 www-data www-data 4.0K May 11  2022 .
4.0K drwxr-xr-x 1 www-data www-data 4.0K May 11  2022 images
4.0K -rwxr-xr-x 1 www-data www-data 2.7K Apr  8  2022 addempprocess.php
4.0K -rwxr-xr-x 1 www-data www-data  524 Apr  8  2022 applyleaveprocess.php
4.0K -rwxr-xr-x 1 www-data www-data  498 Apr  8  2022 aprocess.php
4.0K -rwxr-xr-x 1 www-data www-data  515 Apr  8  2022 assignp.php
4.0K -rwxr-xr-x 1 www-data www-data  239 Apr  8  2022 dbh.php
4.0K -rwxr-xr-x 1 www-data www-data  722 Apr  8  2022 eprocess.php

The process directory contains another DB-related file: dbh.php

www-data@4374220c10d0:/var/www/html/employeemanagementsystem/process$ cat dbh.php
<?php
 
$servername = "localhost";
$dBUsername = "root";
$dbPassword = "2020bestyearofmylife";
$dBName = "ems";
 
$conn = mysqli_connect($servername, $dBUsername, $dbPassword, $dBName);
 
if(!$conn){
	echo "Databese Connection Failed";
}
 
?>

The dbh.php file contains the SQL connection string with a DB credential: root:2020bestyearofmylife
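Hardcoded credentials like the ones in dbh.php are easy to find mechanically. The following is an added example (my own code, not part of this writeup or of the application) that scans PHP sources for password-like variables assigned a string literal, for privileged account names such as root, and for connect calls with the password inline. The two sample sources are constructed: one modelled on dbh.php with a placeholder password, and a hardened variant that reads both the account name and the password from environment variables (the EMS_DB_* names are assumptions).

```python
import re
from pathlib import Path

# Constructed sample modelled on the dbh.php shown above; the password is a placeholder.
SAMPLE_DBH = '''<?php
$servername = "localhost";
$dBUsername = "root";
$dbPassword = "placeholder-password";
$dBName = "ems";
$conn = mysqli_connect($servername, $dBUsername, $dbPassword, $dBName);
?>'''

# Constructed hardened variant: secrets come from the environment (variable names assumed),
# and because the account name is configured outside the source too, a dedicated
# low-privilege account can be used instead of root.
SAMPLE_HARDENED = '''<?php
$dbPassword = getenv("EMS_DB_PASSWORD");
$conn = mysqli_connect("localhost", getenv("EMS_DB_USER"), $dbPassword, "ems");
?>'''

# $dbPassword = "literal";  (any variable whose name hints at a secret)
PASSWORD_LITERAL = re.compile(r'\$(\w*(?:pass|pwd|secret)\w*)\s*=\s*(["\'])(.*?)\2\s*;', re.I)
# $dbUser = "root";  (application connecting with a privileged database account)
PRIVILEGED_USER = re.compile(r'\$(\w*user\w*)\s*=\s*(["\'])(root|admin|sa)\2\s*;', re.I)
# mysqli_connect(host, user, password, ...) or new mysqli(...) with the password inline.
# Single-line heuristic: arguments are split on commas, so a nested call with several
# arguments could be mis-split; good enough for a triage pass.
CONNECT_CALL = re.compile(r'(?:mysqli_connect|new\s+mysqli)\s*\((.*)\)', re.I)


def scan_php_source(source, path="<string>"):
    """Return one finding per suspicious credential usage in a PHP source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in PASSWORD_LITERAL.finditer(line):
            if m.group(3):  # an empty literal is not a leaked secret
                findings.append({"file": path, "line": lineno,
                                 "kind": "hardcoded-password", "name": m.group(1)})
        for m in PRIVILEGED_USER.finditer(line):
            findings.append({"file": path, "line": lineno,
                             "kind": "privileged-db-account", "name": m.group(3)})
        for m in CONNECT_CALL.finditer(line):
            args = [a.strip() for a in m.group(1).split(",")]
            if len(args) >= 3 and args[2][:1] in ("'", '"'):
                findings.append({"file": path, "line": lineno,
                                 "kind": "literal-password-in-connect", "name": "mysqli"})
    return findings


def scan_tree(root):
    """Walk a web root and scan every .php file found under it."""
    findings = []
    for php in sorted(Path(root).rglob("*.php")):
        findings.extend(scan_php_source(php.read_text(errors="replace"), str(php)))
    return findings


if __name__ == "__main__":
    for label, src in (("dbh.php (as found)", SAMPLE_DBH), ("dbh.php (hardened)", SAMPLE_HARDENED)):
        hits = scan_php_source(src, label)
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  line {h['line']}: {h['kind']} ({h['name']})")
```

The as-found sample produces two findings (root account, literal password) and the hardened one none. The fix on the application side is the one the hardened sample sketches: keep the secret out of the source tree, connect as a dedicated account with grants limited to the `ems` database, and log connection failures server-side instead of echoing them to the client.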

Validation


www-data@4374220c10d0:/var/www/html/employeemanagementsystem/process$ mysql -uroot -p2020bestyearofmylife
ERROR 1524 (HY000): Plugin 'auth_socket' is not loaded

While the DB credential fails to authenticate to the MySQL instance (the error means the root account is configured for the auth_socket plugin, which the server has not loaded, so the password itself was never checked), I should also test the credential for password reuse.

www-data@4374220c10d0:/var/www/html/employeemanagementsystem/process$ su root
Password: 2020bestyearofmylife
 
su: Authentication failure

It fails to authenticate to the system as well.

www-data@4374220c10d0:/var/www/html/employeemanagementsystem/process$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
mysql:x:101:101:MySQL Server,,,:/nonexistent:/bin/false
mark:x:1000:1000:,,,:/var/www/html:/bin/bash

There is a single non-default user: mark
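For the /etc/passwd review above, here is an added example (my own code, not from this writeup) that parses the file and lists only the accounts that can actually log in, flagging a home directory that sits under the web root, which is what makes mark stand out here. The sample lines are a constructed excerpt in the shape of the listing above; the UID threshold of 1000 follows the Debian convention for human accounts, and the set of non-login shells is an assumption.

```python
# Constructed /etc/passwd excerpt in the shape of the listing above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
mysql:x:101:101:MySQL Server,,,:/nonexistent:/bin/false
mark:x:1000:1000:,,,:/var/www/html:/bin/bash
"""

# Shells that deny interactive login (assumed list; extend for the distribution at hand).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}
# Paths served by the web server; a home directory here means the user's files may be
# reachable over HTTP and that a web-app compromise lands in that user's home.
WEB_ROOTS = ("/var/www",)


def parse_passwd(text):
    """Parse passwd(5) lines into dicts, skipping comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def is_interactive(entry):
    return entry["shell"] not in NOLOGIN_SHELLS


def review_accounts(text, uid_min=1000):
    """Return root plus the non-system accounts that have a login shell, with flags."""
    report = []
    for e in parse_passwd(text):
        human = e["uid"] == 0 or uid_min <= e["uid"] < 65534  # 65534 is nobody
        if not human or not is_interactive(e):
            continue
        flags = []
        if e["uid"] == 0 and e["name"] != "root":
            flags.append("uid0-alias")          # a second UID-0 account is always worth a look
        if e["home"].startswith(WEB_ROOTS):
            flags.append("home-in-web-root")
        report.append({"name": e["name"], "uid": e["uid"], "home": e["home"], "flags": flags})
    return report


if __name__ == "__main__":
    for r in review_accounts(SAMPLE_PASSWD):
        print(f"{r['name']:10} uid={r['uid']:<6} home={r['home']:20} {' '.join(r['flags'])}")
```

On the sample this yields only root and mark, with mark flagged because its home directory is /var/www/html. Running it on a real host is just `review_accounts(open("/etc/passwd").read())`.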

www-data@4374220c10d0:/var/www/html/employeemanagementsystem/process$ su mark
Password: 2020bestyearofmylife
 
su: Authentication failure

Fails again.

However, it is entirely possible that the mark user also exists and is valid on the host system, in which case I could attempt to authenticate to the target's SSH server.