Subsonic stores user passwords in encrypted form in the program database, probably using salted BCrypt hashes, although the exact implementation has not been investigated in the context of this article. It is not technically feasible to decrypt these hashes and retrieve the original password strings.
However, current versions of Subsonic export the program settings to a text file each time the server is shut down, and they reimport this text file when it is started back up. This text file also includes the encrypted password hashes, and they can easily be replaced by substituting the corresponding line as follows:
- Open the Subsonic control panel and stop the service
- Open Windows Explorer and navigate to C:\subsonic\db (on Linux this may be under /var/subsonic/db or /usr/bin/subsonic/db)
- Open the file subsonic.script in a text editor
- Near the top of the file, find the following line:
INSERT INTO USER VALUES('admin','enc:xxxxxxxxxx',0,0,0,FALSE)
The xxxxxxxxxx value is a hexadecimal string that represents the encrypted hash of the user’s current password.
- Replace the line above with the following:
INSERT INTO USER VALUES('admin','enc:61646d696e',0,0,0,FALSE)
The value 61646d696e is the hash for the password "admin".
- Save the file
- Restart the service in the Subsonic control panel.
You can now log on with the user name admin and the password admin, which are also the default administrator credentials. Don’t forget to change the password to something else on the Settings screen right after logging on. Obviously, this technique works with any other user account as well.
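The substitution above can be scripted, which avoids hand-editing a large HSQLDB script file and leaves a backup. The following is an added example written for this article, not code from the Subsonic project. It builds the `enc:` value the same way the article's own example does: `61646d696e` is the ASCII bytes of `admin` written in hex (`61`=a, `64`=d, `6d`=m, `69`=i, `6e`=n), so the `enc:` form is a reversible encoding rather than a one-way hash. The practical consequence for a defender is that anyone who can read `subsonic.script` (or the `.bak` copy this script creates) can recover every stored password, so the `db` directory should be readable only by the service account and the backup removed once the reset has been verified. The example generalises the procedure to any user name, as the article notes is possible; the sample script text, the function names and the `.bak` file name are constructed for illustration.

```python
# Added example (not Subsonic's own code): build the replacement USER row the
# article describes and apply it to a subsonic.script file, for any user name.
from __future__ import annotations

import re
import shutil
import tempfile
from pathlib import Path

# Matches one user row in the HSQLDB script. The first two columns are the
# user name and the "enc:"-prefixed password; every later column is kept as-is.
USER_ROW = re.compile(
    r"^INSERT INTO USER VALUES\('(?P<user>[^']*)','(?P<pw>[^']*)'(?P<rest>.*)$"
)

# Constructed sample of the relevant lines, using the article's placeholder value.
SAMPLE_SCRIPT = (
    "INSERT INTO USER VALUES('admin','enc:xxxxxxxxxx',0,0,0,FALSE)\n"
    "INSERT INTO USER VALUES('alice','enc:xxxxxxxxxx',0,0,0,FALSE)\n"
)


def encode_subsonic_password(password: str) -> str:
    """Return the enc: form seen in subsonic.script: the UTF-8 bytes of the
    password written as lowercase hex. "admin" -> "enc:61646d696e", exactly the
    value the article substitutes. Note this is an encoding, not a hash."""
    return "enc:" + password.encode("utf-8").hex()


def rewrite_user_row(script_text: str, username: str, new_password: str) -> tuple[str, int]:
    """Replace the enc: value for `username` in the script text.
    Returns (new_text, rows_changed); rows_changed is 0 when no such user row exists,
    so the caller can refuse to write a file that would not actually change anything."""
    new_value = encode_subsonic_password(new_password)
    changed = 0
    out_lines = []
    for line in script_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        eol = line[len(body):]
        m = USER_ROW.match(body)
        if m and m.group("user") == username:
            line = f"INSERT INTO USER VALUES('{username}','{new_value}'{m.group('rest')}{eol}"
            changed += 1
        out_lines.append(line)
    return "".join(out_lines), changed


def reset_password_in_file(script_path: Path, username: str, new_password: str) -> int:
    """Back up subsonic.script to subsonic.script.bak (hypothetical name), then
    rewrite the user's row in place. Run only while the Subsonic service is
    stopped: the server rewrites this file on shutdown and would overwrite the edit."""
    backup = script_path.with_name(script_path.name + ".bak")
    shutil.copy2(script_path, backup)
    text = script_path.read_text(encoding="utf-8")
    new_text, changed = rewrite_user_row(text, username, new_password)
    if changed:
        script_path.write_text(new_text, encoding="utf-8")
    return changed


def demo() -> int:
    """Write the constructed sample to a temporary directory, reset the admin
    password to "admin" as in the article, and return the number of rows changed."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "subsonic.script"
        p.write_text(SAMPLE_SCRIPT, encoding="utf-8")
        changed = reset_password_in_file(p, "admin", "admin")
        # The backup holds the untouched original; the script holds the new row.
        assert (Path(d) / "subsonic.script.bak").read_text(encoding="utf-8") == SAMPLE_SCRIPT
        assert "INSERT INTO USER VALUES('admin','enc:61646d696e',0,0,0,FALSE)" in p.read_text(encoding="utf-8")
        return changed


if __name__ == "__main__":
    print(demo())
```

For a real reset, point `reset_password_in_file` at the `subsonic.script` path from the steps above while the service is stopped, check that it returns 1, and restart the service; a return value of 0 means the user name was not found and the file was left untouched.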