Backup


PEAS has identified an interesting file in the /var/backups directory: sendmail.php.bak

www-data@UC404:/var/backups$ cat sendmail.php.bak
<?php 
if(isset($_POST['submit'])) 
{ 
$connect=mysql_connect("localhost","brian","BrianIsOnTheAir789") or die("Could not connect to database");
mysql_select_db("uc404") or die(mysql_error()); 
$email = $_POST['email']; 
$sql= "SELECT  `password` FROM `register` WHERE `email` ='.$email.'"; 
$query = mysql_query($sql); 
if(!$query)  
    { 
    die(mysql_error()); 
    } 
if(mysql_affected_rows() != 0) 
    { 
$row=mysql_fetch_array($query); 
$password=$row["password"]; 
$email=$row["email"]; 
$subject="UC404 - Password Reset"; 
$header="From: webmaster@uc404.local"; 
$content="Your password is ".$password; 
mail($email, $subject, $content, $header);  
print "An email containing the password has been sent to you"; 
    } 
else  
    { 
    echo("User not found."); 
    } 
} 
?>

The sendmail.php.bak file contains a SQL connection string with a DB credential: brian:BrianIsOnTheAir789
Although there isn’t any MySQL instance present on the target system, brian is a valid system user.
Testing it for credential reuse.
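
The same finding can be caught from the defender's side by auditing backup files for hardcoded connection credentials whose user name matches a local login account. The following is an added example, not part of the original notes: the function names, the sample PHP line (with a placeholder password), the passwd entries and the 0o644 file mode are all constructed assumptions.

```python
import re
import stat

# Literal host/user/password arguments to mysql_connect() or mysqli_connect().
CONNECT_RE = re.compile(
    r"""mysqli?_connect\(\s*(["'])(?P<host>.*?)\1\s*,"""
    r"""\s*(["'])(?P<user>.*?)\3\s*,\s*(["'])(?P<password>.*?)\5"""
)

def login_users(passwd_text):
    """Return accounts in passwd(5)-format text whose shell allows a login."""
    users = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith(("nologin", "false")):
            users.add(fields[0])
    return users

def audit(path, source, mode, passwd_text):
    """Report hardcoded DB credentials in one file and how exposed they are."""
    accounts = login_users(passwd_text)
    findings = []
    for m in CONNECT_RE.finditer(source):
        findings.append({
            "path": path,
            "line": source.count("\n", 0, m.start()) + 1,
            "db_user": m.group("user"),
            # Record only the length so the report does not leak the secret.
            "password_len": len(m.group("password")),
            "world_readable": bool(mode & stat.S_IROTH),
            # A DB user that is also a login account makes reuse likely.
            "matches_login_account": m.group("user") in accounts,
        })
    return findings

# Constructed sample input modelled on the backup file shown above.
SAMPLE_PHP = (
    '<?php\n'
    '$connect=mysql_connect("localhost","brian","EXAMPLE-PASSWORD") or die();\n'
    '?>\n'
)
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n"
    "brian:x:1000:1000:brian:/home/brian:/bin/bash\n"
)

if __name__ == "__main__":
    for f in audit("/var/backups/sendmail.php.bak", SAMPLE_PHP, 0o644, SAMPLE_PASSWD):
        print(f)
```

A finding with both world_readable and matches_login_account set is the situation in these notes: the credential should be rotated, the backup removed or restricted, and the application given a dedicated database account that does not share a password with a system user.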