Carpediem - HTB [Discussion]
/etc/hosts shows
172.17.0.3      mysql a5004fe641ca
172.17.0.5      3c371615b7aa

172.17.0.3 has port 3306 open.

Using chisel+mysql and the credentials found in DBConnection.php I can authenticate to port 3306.

/var/www/html/portal/classes/DBConnection.php

private $host = 'mysql';
private $username = 'portaldb';
private $password = RETRACTED
private $database = 'portal';
Reply
(June 25, 2022, 09:37 PM)Exa Wrote: /etc/hosts shows
172.17.0.3      mysql a5004fe641ca
172.17.0.5      3c371615b7aa

172.17.0.3 has port 3306 open.

Using chisel+mysql and the credentials found in DBConnection.php I can authenticate to port 3306.


What mysql command did you use? mysql --host=localhost --port=3306 --user=portaldb --password=RETRACTED portal doesn't work
Reply
(June 25, 2022, 09:47 PM)Toto Wrote:
What mysql command did you use? mysql --host=localhost --port=3306 --user=portaldb --password=RETRACTED portal doesn't work


mysql -h 127.0.0.1 -u portaldb -p portal

You forgot the database name.
Reply
(June 25, 2022, 09:55 PM)Exa Wrote:
mysql -h 127.0.0.1 -u portaldb -p portal

You forgot the database name.


Thanks! Even though I seem to have the wrong password, at least I don't get an error anymore. I'll keep looking.

Seems like this is the same database as the one leaked from portal, didn't find much there. Maybe the trudesk?
Reply
Anyone managed to get to user?
Reply
172.17.0.5 (port 80) is a Docker container.
172.17.0.3 might be another Docker container as well.
There could be more IP addresses.

Running "env" shows MYSQL_ENV_MYSQL_ROOT_PASSWORD

This password can be used to connect as root user to port 3306.

I was trying to create files but I'm getting "The MySQL server is running with the --secure-file-priv option so it cannot execute this statement"
I also tried reading files with LOAD_FILE but no luck there.
Reply
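Added example, not part of the thread or of any poster's code: the variable name in the post above has the form <ALIAS>_ENV_<NAME> that legacy Docker links (--link) use when they copy a linked container's environment into the recipient, so an image owner can audit a container's environment for secrets inherited that way. The function names, the sample `env` text and the MYSQL_PORT_3306_TCP_ADDR line are constructed for illustration.

```python
import os
import re

# Legacy Docker links (--link) copy the linked container's environment into the
# recipient as <ALIAS>_ENV_<NAME> and publish <ALIAS>_PORT_<port>_<proto>_ADDR.
LINK_ENV = re.compile(r"^([A-Z0-9_]+?)_ENV_([A-Z0-9_]+)$")
LINK_ADDR = re.compile(r"^([A-Z0-9_]+?)_PORT_(\d+)_(TCP|UDP)_ADDR$")
SECRET_HINT = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|KEY")

# Constructed sample of `env` output; the secret value is a placeholder.
SAMPLE_ENV = """\
HOSTNAME=3c371615b7aa
MYSQL_PORT_3306_TCP_ADDR=172.17.0.3
MYSQL_ENV_MYSQL_MAJOR=5.7
MYSQL_ENV_MYSQL_ROOT_PASSWORD=constructed-placeholder
APP_ENV_MODE=prod
"""

def parse_env(text):
    """Parse NAME=value lines, keeping '=' characters inside the value."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            env[name.strip()] = value
    return env

def audit_link_secrets(env):
    """List secret-looking variables inherited from linked containers."""
    endpoints = {}
    for name, value in env.items():
        m = LINK_ADDR.match(name)
        if m:
            endpoints[m.group(1)] = f"{value}:{m.group(2)}/{m.group(3).lower()}"
    findings = []
    for name in sorted(env):
        m = LINK_ENV.match(name)
        if m and SECRET_HINT.search(m.group(2)):
            findings.append({
                "variable": name,  # the value itself is never reported
                "link_alias": m.group(1),
                "endpoint": endpoints.get(m.group(1), "unknown"),
            })
    return findings

if __name__ == "__main__":
    for finding in audit_link_secrets(dict(os.environ)):
        print(finding)
```

Containers attached to a user-defined network instead of --link do not inherit each other's environment, so a clean result is expected there.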
64 bytes from 172.17.0.2: icmp_seq=0 ttl=64 time=0.069 ms
64 bytes from 172.17.0.1: icmp_seq=0 ttl=64 time=0.089 ms
64 bytes from 172.17.0.3: icmp_seq=0 ttl=64 time=0.154 ms
64 bytes from 172.17.0.4: icmp_seq=0 ttl=64 time=0.070 ms
64 bytes from 172.17.0.5: icmp_seq=0 ttl=64 time=0.078 ms
64 bytes from 172.17.0.6: icmp_seq=0 ttl=64 time=0.039 ms
Reply
(June 25, 2022, 10:36 PM)cybertooth Wrote: 64 bytes from 172.17.0.2: icmp_seq=0 ttl=64 time=0.069 ms
64 bytes from 172.17.0.1: icmp_seq=0 ttl=64 time=0.089 ms
64 bytes from 172.17.0.3: icmp_seq=0 ttl=64 time=0.154 ms
64 bytes from 172.17.0.4: icmp_seq=0 ttl=64 time=0.070 ms
64 bytes from 172.17.0.5: icmp_seq=0 ttl=64 time=0.078 ms
64 bytes from 172.17.0.6: icmp_seq=0 ttl=64 time=0.039 ms


Port 22,80 on 172.17.0.1
Port 21,80,443 on 172.17.0.2
Reply
(June 25, 2022, 10:41 PM)Exa Wrote:
Port 22,80 on 172.17.0.1
Port 21,80,443 on 172.17.0.2


Backdrop is running on 172.17.0.2
Reply
www-data@3c371615b7aa:/tmp$ ./nc 172.17.0.2 21
220 (vsFTPd 3.0.3)
Reply

