VULHUB ™

The `hue.ini` configuration file is by default **accessible to anyone** with the `other` permission set to `read`: ``` $ ls -al /etc/hue/conf/hue.ini -rw-rw-r-- 1 root root 22813 Nov 18 2015 /etc/hue/conf/hue.ini ``` Several account credentials can be found in that configuration file such as: * **Database account**: this might be the most interesting post-exploitation move to spoof an user identity on the datalake as [session cookies are stored in the database](../Session%20cookies%20stored%20in%20the%20database/) * LDAP bind account * SMTP service account * Kerberos keytab * Default user credentials * etc.

The `hue.ini` configuration file is by default **accessible to anyone** with the `other` permission set to `read`: ``` $ ls -al /etc/hue/conf/hue.ini -rw-rw-r-- 1 root root 22813 Nov 18 2015 /etc/hue/conf/hue.ini ``` Several account credentials can be found in that configuration file such as: * **Database account**: this might be the most interesting post-exploitation move to spoof an user identity on the datalake as [session cookies are stored in the database](../Session%20cookies%20stored%20in%20the%20database/) * LDAP bind account * SMTP service account * Kerberos keytab * Default user credentials * etc.