app-qatesting
www-data@yummy:~$ ll /var/www
total 6.6M
4.0K drwxr-xr-x 3 www-data www-data 4.0K Oct 6 19:47 .
6.5M -rw-rw-r-- 1 www-data www-data 6.5M Oct 6 19:47 backupapp.zip
4.0K drwxrwx--- 7 www-data qa 4.0K May 28 14:41 app-qatesting
4.0K drwxr-xr-x 14 root root 4.0K May 27 16:17 ..
0 lrwxrwxrwx 1 root root 9 May 27 06:17 .bash_history -> /dev/null
Upon making the lateral movement to the www-data account, I found an interesting directory in the web root directory: app-qatesting
www-data@yummy:~$ cd app-qatesting ; ll
total 40K
4.0K drwxr-xr-x 3 www-data www-data 4.0K Oct 6 19:48 ..
4.0K drwxrwx--- 7 www-data qa 4.0K May 28 14:41 .
4.0K drwxrwxr-x 6 qa qa 4.0K May 28 14:37 .hg
12K -rw-rw-r-- 1 qa qa 11K May 28 14:37 app.py
4.0K drwxr-xr-x 3 qa qa 4.0K May 28 14:26 config
4.0K drwxr-xr-x 3 qa qa 4.0K May 28 14:26 middleware
4.0K drwxr-xr-x 6 qa qa 4.0K May 28 14:26 static
4.0K drwxr-xr-x 2 qa qa 4.0K May 28 14:26 templates
Within the directory, there is the .hg directory
.hg
The .hg directory is created by Mercurial, a distributed version control system used to manage source code changes. This hidden directory is typically found in the root of a project that is under Mercurial version control. Here’s a breakdown of its purpose and contents:
www-data@yummy:~/app-qatesting$ ll .hg
ll .hg
total 64K
4.0K drwxrwx--- 7 www-data qa 4.0K May 28 14:41 ..
4.0K drwxrwxr-x 2 qa qa 4.0K May 28 14:37 cache
4.0K drwxrwxr-x 6 qa qa 4.0K May 28 14:37 .
8.0K -rw-rw-r-- 1 qa qa 7.0K May 28 14:37 dirstate
4.0K -rw-rw-r-- 1 qa qa 34 May 28 14:37 last-message.txt
4.0K drwxrwxr-x 4 qa qa 4.0K May 28 14:37 store
4.0K -rw-rw-r-- 1 qa qa 9 May 28 14:37 undo.desc
4.0K drwxrwxr-x 2 qa qa 4.0K May 28 14:37 wcache
8.0K -rw-rw-r-- 1 qa qa 7.0K May 28 14:34 undo.backup.dirstate.bck
0 -rw-rw-r-- 1 qa qa 0 May 28 14:28 bookmarks
4.0K drwxrwxr-x 2 qa qa 4.0K May 28 14:28 strip-backup
4.0K -rw-rw-r-- 1 qa qa 57 May 28 14:26 00changelog.i
4.0K -rw-rw-r-- 1 qa qa 8 May 28 14:26 branch
4.0K -rw-rw-r-- 1 qa qa 11 May 28 14:26 requires
4.0K -rw-rw-r-- 1 qa qa 8 May 28 14:26 undo.backup.branch.bck
While there is a lot of data within the .hg directory, the store directory in a Mercurial repository is a critical component that contains the actual data for the repository. It stores the contents of the files tracked by Mercurial, along with various other pieces of metadata.
.hg/store/data
www-data@yummy:~/app-qatesting/.hg$ ll store/data
ll store/data
total 32K
4.0K drwxrwxr-x 6 qa qa 4.0K May 28 14:37 .
4.0K drwxrwxr-x 4 qa qa 4.0K May 28 14:37 ..
8.0K -rw-rw-r-- 1 qa qa 4.8K May 28 14:37 app.py.i
4.0K drwxrwxr-x 3 qa qa 4.0K May 28 14:27 config
4.0K drwxrwxr-x 3 qa qa 4.0K May 28 14:26 middleware
4.0K drwxrwxr-x 6 qa qa 4.0K May 28 14:26 static
4.0K drwxrwxr-x 2 qa qa 4.0K May 28 14:26 templates
The .hg/store/data directory contains the compiled version of the web application.
CLEARTEXT Credential
www-data@yummy:~/app-qatesting/.hg/store/data$ strings app.py.i
strings app.py.i
'app.secret_key = s.token_hex(32)
T sql = f"SELECT * FROM appointments WHERE_email LIKE %s"
#md5
9 'user': 'chef',
'password': '3wDo7gSRZIwIHRxZ!',
V([Q
>GQ$
6 'user': 'qa',
'password': 'jPAd!XQCtn8Oc@2B',
The compiled web app file contains the CLEARTEXT credential for the qa user: jPAd!XQCtn8Oc@2B
The credential must be validated
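An audit-side view of the same finding, as an added example that is not part of the original write-up: Mercurial `.i` files are revlogs whose chunks are frequently zlib-compressed, so `strings` only surfaces text that happened to be stored uncompressed. The sketch below decodes every chunk of an inline revlog v1 file and flags credential-like assignments before a repository is left readable under a web root. The regex, the function names and the sample bytes are assumptions constructed for illustration, and chunks after the first may be deltas rather than full file texts.

```python
import re
import struct
import zlib

# Revlog v1 entry: offset+flags, comp len, raw len, base, link, p1, p2, node, pad
ENTRY = struct.Struct(">Qiiiiii20s12x")
INLINE = 1 << 16  # header flag: chunk data is interleaved with index entries
# Assumed pattern for this example: quoted password/secret assignments.
SECRET_RE = re.compile(rb"""['"]?(password|passwd|secret)['"]?\s*[:=]\s*['"]([^'"]+)['"]""", re.I)


def revlog_chunks(raw):
    """Yield (rev, decoded chunk) for an inline revlog v1 .i file."""
    if len(raw) < ENTRY.size:
        return
    header = struct.unpack(">I", raw[:4])[0]
    if header & 0xFFFF != 1 or not header & INLINE:
        raise ValueError("only inline revlog v1 is handled here")
    pos, rev = 0, 0
    while pos + ENTRY.size <= len(raw):
        clen = ENTRY.unpack_from(raw, pos)[1]
        pos += ENTRY.size
        chunk = raw[pos:pos + clen]
        pos += clen
        if chunk[:1] == b"x":      # zlib-compressed: invisible to `strings`
            chunk = zlib.decompress(chunk)
        elif chunk[:1] == b"u":    # stored uncompressed behind a 'u' marker
            chunk = chunk[1:]
        yield rev, chunk           # b"\0..." and empty chunks pass through
        rev += 1


def find_secrets(raw):
    """Return (rev, key, value) for every credential-like match in any chunk."""
    return [(rev, m.group(1).decode(), m.group(2).decode())
            for rev, chunk in revlog_chunks(raw)
            for m in SECRET_RE.finditer(chunk)]


def build_sample():
    """Constructed two-revision inline revlog holding placeholder values only."""
    out, off = b"", 0
    texts = [(b"x", b"# qa config\n" * 4 + b"creds = {'user': 'svc', 'password': 'EXAMPLE-ONLY-1'}\n"),
             (b"u", b"    'password': 'EXAMPLE-ONLY-2',\n")]
    for rev, (mode, text) in enumerate(texts):
        chunk = zlib.compress(text) if mode == b"x" else b"u" + text
        head = (INLINE | 1) << 32 if rev == 0 else off << 16
        out += ENTRY.pack(head, len(chunk), len(text), 0, rev, rev - 1, -1, bytes(20)) + chunk
        off += len(chunk)
    return out
```

Any hit means the secret lives in repository history, so it has to be rotated rather than just deleted from the working copy.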