Pulling Credentials from Memory

    Consider the following -- you have a mysql database and you want to periodically backup the database to the file system.  You setup a cronjob and you have a script that performs the following task:

    mysqldump --user root --password=Secretp4ssw0rd testing > testing.sql

    Simple, right?

    Obviously, there's probably more to it -- we backup a /var/www/html directory and we probably backup that DB to a location.  And maybe we even tar.gz it up to make a neat little package.  The point though is that we've now placed the password in memory.

    So how do we get it?

    We get the process ID for Mysql using gcore, we run strings on our output file and we redirect the readable into yet another file.




    When we open our readable text file, we find a bunch of noise:




    If we do a little hunting, we eventually find the password that was sitting in memory:




    I should mention that you need to be root or you need to be able to run gcore as root in order to pull this off.  Still, kind of fun though. 


    © 2020 sevenlayers.com