Table of Contents
Sequel is a vulnerable machine that contains a My SQL database. Hello everyone in this blog, we are going to enumerate the My SQL database and get into the database.
Enumeration
As you can see the IP address of our target machine.
Starting with the Nmap scan, so we can check what ports are open and what services are running on them:
- -sC : Performs a script scan using the default set of scripts and hyphen
- -sV : enables version detection, which will detect what versions are running on what port.
┌──(mrdev㉿mrdev)-[~]
└─$
sudo nmap -sC -sV 10.129.57.183
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-24 14:00 IST
Nmap scan report for 10.129.57.183
Host is up (0.36s latency)
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
3306/tcp open mysql?
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
| Thread ID: 66
| Capabilities flags: 63486
| Some Capabilities: Speaks41ProtocolOld, FoundRows, Speaks41ProtocolNew, SupportsTransactions, ConnectWithDatabase, InteractiveClient, DontAllowDatabaseTableColumn, LongColumnFlag, SupportsLoadDataLocal, IgnoreSigpipes, Support41Auth, IgnoreSpaceBeforeParenthesis, SupportsCompression, ODBCClient, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: gK$ks#M;~-a%0`r>{sQz
|_ Auth Plugin Name: mysql_native_password
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 226.36 seconds
┌──(mrdev㉿mrdev)-[~]
└─$
As you can see, we only found one open port that is 3306, which runs a service. MySQL is a service designed for database management to create, modify, and update databases, change and add data, and more.
Foothold
In order to communicate with the database, we need to install either MySQL or Maria DB on our local machine. To do that, you need to run the update command to update the dependencies.Make sure you include the astrek (*) symbol at the end of the command to include all the related MySQL packages available. This will cover all of your needs for now.
┌──(mrdev㉿mrdev)-[~]
└─$
sudo apt update && sudo apt install mysql*
After the installation is complete, you can run the help command to see how the service commands are used.
┌──(mrdev㉿mrdev)-[~]
└─$
mysql --help
mysql Ver 15.1 Distrib 10.5.12-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Usage: mysql [OPTIONS] [database]
Default options are read from the following files in the given order:
/etc/my.cnf /etc/mysql/my.cnf ~/.my.cnf
The following groups are read: mysql mariadb-client client client-server client-mariadb
The following options may be given as the first argument:
--print-defaults Print the program argument list and exit.
--no-defaults Don't read default options from any option file.
The following specify which files/extra groups are read (specified before remaining options):
--defaults-file=# Only read default options from the given file #.
--defaults-extra-file=# Read this file after the global files are read.
--defaults-group-suffix=# Additionally read default groups with # appended as a suffix.
-?, --help Display this help and exit.
-I, --help Synonym for -?
--abort-source-on-error Abort 'source filename' operations in case of errors
--auto-rehash Enable automatic rehashing. One doesn't need to use\
'rehash' to get table and field completion, but startup and reconnecting may take a longer time. Disable with
--disable-auto-rehash. (Defaults to on; use --skip-auto-rehash to disable.)
-A, --no-auto-rehash No automatic rehashing. One has to use 'rehash' to get table and field completion. This gives a quicker start of mysql and disables rehashing on reconnect.
--auto-vertical-output Automatically switch to vertical output mode if the result is wider than the terminal width.
-B, --batch Don't use history file. Disable interactive behavior.(Enables --silent.)
--binary-as-hex Print binary data as hex
--character-sets-dir=name Directory for character set files.
--column-type-info Display column type information.
-c, --comments Preserve comments. Send comments to the server. The default is --skip-comments (discard comments), enable with --comments.
-C, --compress Use compression in server/client protocol.
-#, --debug[=#] This is a non-debug version. Catch this and exit.
--debug-check Check memory and open file usage at exit.
-T, --debug-info Print some debug info at exit.
-D, --database=name Database to use.
--default-character-set=name Set the default character set.
--delimiter=name Delimiter to be used.
-e, --execute=name Execute command and quit. (Disables --force and history file.)
-E, --vertical Print the output of a query (rows) vertically.
-f, --force Continue even if we get an SQL error. Sets abort-source-on-error to 0
-G, --named-commands Enable named commands. Named commands mean this program's internal commands; see mysql> help . When enabled, the named commands can be used from any line of the query, otherwise only from the first line, before an enter. Disable with --disable-named-commands. This option is disabled by default.
-i, --ignore-spaces Ignore space after function names.
--init-command=name SQL Command to execute when connecting to MariaDB server. Will automatically be re-executed when reconnecting.
--local-infile Enable/disable LOAD DATA LOCAL INFILE.
-b, --no-beep Turn off beep on error.
-h, --host=name Connect to host.
-H, --html Produce HTML output.
-X, --xml Produce XML output.
--line-numbers Write line numbers for errors.(Defaults to on; use --skip-line-numbers to disable.)
-L, --skip-line-numbers Don't write line number for errors.
-n, --unbuffered Flush buffer after each query.
--column-names Write column names in results.(Defaults to on; use --skip-column-names to disable.)
-N, --skip-column-names Don't write column names in results.
--sigint-ignore Ignore SIGINT (CTRL-C).
-o, --one-database Ignore statements except those that occur while the default database is the one named at the command line.
--pager[=name] Pager to use to display results. If you don't supply an option, the default pager is taken from your ENV variable PAGER. Valid pagers are less, more, cat [> filename], etc. See interactive help (\h) also. This option does not work in batch mode. Disable with --disable-pager. This option is disabled by default.
-p, --password[=name] Password to use when connecting to server. If password is not given it's asked from the tty.
-P, --port=# Port number to use for connection or 0 for default to, in order of preference, my.cnf, $MYSQL_TCP_PORT, /etc/services, built-in default (3306).
--progress-reports Get progress reports for long running commands (like ALTER TABLE)(Defaults to on; use --skip-progress-reports to disable.)
--prompt=name Set the command line prompt to this value.
--protocol=name The protocol to use for connection (tcp, socket, pipe).
-q, --quick Don't cache result, print it row by row. This may slow down the server if the output is suspended. Doesn't use history file.
-r, --raw Write fields without conversion. Used with --batch.
--reconnect Reconnect if the connection is lost. Disable with --disable-reconnect. This option is enabled by default.(Defaults to on; use --skip-reconnect to disable.)
-s, --silent Be more silent. Print results with a tab as separator, each row on new line.
-S, --socket=name The socket file to use for connection.
--ssl Enable SSL for connection (automatically enabled with other flags).
--ssl-ca=name CA file in PEM format (check OpenSSL docs, implies --ssl).
--ssl-capath=name CA directory (check OpenSSL docs, implies --ssl).
--ssl-cert=name X509 cert in PEM format (implies --ssl).
--ssl-cipher=name SSL cipher to use (implies --ssl).
--ssl-key=name X509 key in PEM format (implies --ssl).
--ssl-crl=name Certificate revocation list (implies --ssl).
--ssl-crlpath=name Certificate revocation list path (implies --ssl).
--tls-version=name TLS protocol version for secure connection.
--ssl-verify-server-cert Verify server's "Common Name" in its cert against hostname used when connecting. This option is disabled by default.
-t, --table Output in table format.
--tee=name Append everything into outfile. See interactive help (\h) also. Does not work in batch mode. Disable with --disable-tee. This option is disabled by default.
-u, --user=name User for login if not current user.
-U, --safe-updates Only allow UPDATE and DELETE that uses keys.
-U, --i-am-a-dummy Synonym for option --safe-updates, -U.
-v, --verbose Write more. (-v -v -v gives the table output format).
-V, --version Output version information and exit.
-w, --wait Wait and retry if connection is down.
--connect-timeout=# Number of seconds before connection timeout.
--max-allowed-packet=# The maximum packet length to send to or receive from server.
--net-buffer-length=# The buffer size for TCP/IP and socket communication.
--select-limit=# Automatic limit for SELECT when using --safe-updates.
--max-join-size=# Automatic limit for rows in a join when using --safe-updates.
--secure-auth Refuse client connecting to server if it uses old (pre-4.1.1) protocol.
--server-arg=name Send embedded server this as a parameter.
--show-warnings Show warnings after every statement.
--plugin-dir=name Directory for client-side plugins.
--default-auth=name Default authentication client-side plugin to use.
--binary-mode By default, ASCII '\0' is disallowed and '\r\n' is translated to '\n'. This switch turns off both features, and also turns off parsing of all clientcommands except \C and DELIMITER, in non-interactive mode (for input piped to mysql or loaded using the 'source' command). This is necessary when processing output from mysqlbinlog that may contain blobs.
--connect-expired-password Notify the server that this client is prepared to handle expired password sandbox mode even if --batch was specified. Variables (--variable-name=value) and boolean options {FALSE|TRUE} Value (after reading options)
--------------------------------- ----------------------------------------
abort-source-on-error FALSE
auto-rehash TRUE
auto-vertical-output FALSE
binary-as-hex FALSE
character-sets-dir (No default value)
column-type-info FALSE
comments FALSE
compress FALSE
debug-check FALSE
debug-info FALSE
database (No default value)
default-character-set auto
delimiter ;
vertical FALSE
force FALSE
named-commands FALSE
ignore-spaces FALSE
init-command (No default value)
local-infile FALSE
no-beep FALSE
host (No default value)
html FALSE
xml FALSE
line-numbers TRUE
unbuffered FALSE
column-names TRUE
sigint-ignore FALSE
port 0
progress-reports TRUE
prompt \N [\d]>
protocol
quick FALSE
raw FALSE
reconnect TRUE
socket /run/mysqld/mysqld.sock
ssl FALSE
ssl-ca (No default value)
ssl-capath (No default value)
ssl-cert (No default value)
ssl-cipher (No default value)
ssl-key (No default value)
ssl-crl (No default value)
ssl-crlpath (No default value)
tls-version (No default value)
ssl-verify-server-cert FALSE
table FALSE
user (No default value)
safe-updates FALSE
i-am-a-dummy FALSE
connect-timeout 0
max-allowed-packet 16777216
net-buffer-length 16384
select-limit 1000
max-join-size 1000000
secure-auth FALSE
show-warnings FALSE
plugin-dir (No default value)
default-auth (No default value)
binary-mode FALSE
connect-expired-password FALSE
Always remember, that MySQL clients usually authenticate with the service with a username and password combination. However, it is essential to test for password-less authentication, as there might be an intentional misconfiguration in the service, which would allow personnel to easily log into the service during the deployment stage of the project to easily interact with it before making it available to other colleagues. In the present situation, an initial attempt can be to attempt a log-in as the root user, naturally having the highest level of privileges on the system.
Now Use this command on your terminal:
- -h: connect to host and
- -u: specify the user for log-in if not the current user.
┌──(mrdev㉿mrdev)-[~]
└─$
mysql -h 10.129.57.183 -u root
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 74
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
As you can see it does not ask me for a password which means we have connected to the database without having a password.
We are placed in a MySQL service shell from where we can explore the tables and data therein that are available to us. If you need help with MySQL command syntax, you can refer to the cheat sheet provided by MySQL. The commands we are going to use are essential for navigation.|
SHOW databases; |
: Print out the databases we can access. |
|
USE {database_name}; |
: Set to use the database named {database_name}. |
|
SHOW tables; |
: Print out the available tables inside the current database. |
|
SELECT * FROM {table_name}; |
: Prints out all the data from the table {table_name}. |
Our first command is Show database and specifies semicolon:
MariaDB [(none)]>
SHOW databases;
+--------------------+
| Database |
+--------------------+
|
htb
|
| information_schema |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.347 sec)
MariaDB [(none)]>
From the output, the HTB database seems to be of value to us. In order to see what rests inside it, we will need to "select" the HTB database. To achieve this, the use htb; command can be used.
MariaDB [(none)]>
use htb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [htb]>
We have successfully changed the database. The next step is to check what tables the " htb " database contains. We can achieve this by following up with the SHOW tables command.
MariaDB [htb]>
show tables;
+---------------+
| Tables_in_htb |
+---------------+
|
config
|
| users |
+---------------+
2 rows in set (0.747 sec)
MariaDB [htb]>
We have two tables that are config and users. These can be checked sequentially for their content by using the SELECT * FROM config command, where config is the exact name of the table you want to explore, taken from the output above.
MariaDB [htb]>
SELECT * FROM config;
+----+-----------------------+----------------------------------+
| id | name | value |
+----+-----------------------+----------------------------------+
| 1 | timeout | 60s |
| 2 | security | default |
| 3 | auto_logon | false |
| 4 | max_size | 2M |
| 5 | flag | 7******************************8 |
| 6 | enable_uploads | false |
| 7 | authentication_method | radius |
+----+-----------------------+----------------------------------+
7 rows in set (0.470 sec)
MariaDB [htb]>
As you can see the flag is listed in this table. Copy that and paste it to tasks.
TASK Solution
TASK 1: What does the acronym SQL stand for?
Ans. Structured Query LanguageHide Answer
TASK 2: During our scan, which port running MySQL do we find?
Ans. 3306
TASK 3: What community-developed MySQL version is the target running?
Ans. MariaDB
TASK 4: What switch do we need to use in order to specify a login username for the MySQL service?
Ans. -uTASK 5: Which username allows us to log into MariaDB without providing a password?
Ans. root
TASK 6: What symbol can we use to specify within the query that we want to display everything inside a table?
Ans. *
TASK 7: What symbol do we need to end each query with?
Ans. ;
