4 box enum

www-data@blunder:/var/www/bludit-3.9.2/bl-content/databases$ cat /var/www/bludit-3.9.2/bl-content/databases/users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
				 "role": "admin",
        "password": "bfcc887f62e36ea019e3295aafb8a3885966e265",
        "salt": "5dde2887e7aca",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
    },
    "fergus": {
        "role": "author",
        "password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7",
        "salt": "jqxpjfnv",
        "tokenAuth": "0e8011811356c0c5bd2211cba8c50471",
        "tokenAuthTTL": "2009-03-15 14:00",
}
Didnt crack using rockyou.txt

www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""}
}

faca404fd5c0a31cf1897b823c695c85cffeb98d:Password120

PEAS

[+] Active Ports
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -

[+] Users with console
hugo:x:1001:1001:Hugo,1337,07,08,09:/home/hugo:/bin/bash
root:x:0:0:root:/root:/bin/bash
shaun:x:1000:1000:blunder,,,:/home/shaun:/bin/bash
temp:x:1002:1002:,,,:/home/temp:/bin/bash

[+] Searching mysql credentials and exec
Found readable /etc/mysql/my.cnf

[+] Interesting Firefox Files
[i] https://book.hacktricks.xyz/forensics/basic-forensics-esp/browser-artifacts#firefox
Found /home/hugo/.mozilla
Found /home/shaun/.mozilla
/home/shaun/.mozilla/firefox/mhex3b0n.default-release/prefs.js

[+] Unexpected in root
/ftp

[+] Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found: /home/shaun/.cache/tracker/meta.db: SQLite 3.x database, last written using SQLite version 3029000
Found: /home/shaun/.mozilla/firefox/mhex3b0n.default-release/cert9.db: empty
Found: /home/shaun/.mozilla/firefox/mhex3b0n.default-release/storage/permanent/chrome/idb/3870112724rsegmnoittet-es.sqlite: SQLite 3.x database, user version 416, last written using SQLite version 3029000

Previous5 www-data > hugo > root Next3 bludit 3.9.2 file_upload RCE

Last updated 4 years ago