#7 Sequel - Starting Point - Hack The Box || Complete detailed Walkthrough

Sequel is a vulnerable machine that exposes a MySQL (MariaDB) database. In this walkthrough we are going to enumerate the MySQL service and get into the database.




Enumeration

The screenshot shows the IP address of our target machine, 10.129.57.183.


Starting with the Nmap scan, so we can check what ports are open and what services are running on them:

  • -sC : performs a script scan using the default set of NSE scripts.
  • -sV : enables version detection, which identifies the version of the service running on each open port.

┌──(mrdev㉿mrdev)-[~]
└─$ sudo nmap -sC -sV 10.129.57.183
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-24 14:00 IST
Nmap scan report for 10.129.57.183
Host is up (0.36s latency)
Not shown: 999 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
3306/tcp open  mysql?
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
|   Thread ID: 66
|   Capabilities flags: 63486
|   Some Capabilities: Speaks41ProtocolOld, FoundRows, Speaks41ProtocolNew, SupportsTransactions, ConnectWithDatabase, InteractiveClient, DontAllowDatabaseTableColumn, LongColumnFlag, SupportsLoadDataLocal, IgnoreSigpipes, Support41Auth, IgnoreSpaceBeforeParenthesis, SupportsCompression, ODBCClient, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: gK$ks#M;~-a%0`r>{sQz
|_  Auth Plugin Name: mysql_native_password
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 226.36 seconds

┌──(mrdev㉿mrdev)-[~]
└─$ 
As you can see, we found only one open port, 3306, which runs MySQL. MySQL is a database management service used to create, modify and query databases, add and change data, and more.

Foothold

In order to communicate with the database, we need to install either the MySQL or the MariaDB client on our local machine. To do that, first run the update command to refresh the package index, then install the client.
Make sure you include the asterisk (*) symbol at the end of the command to include all the related MySQL packages available. This will cover all of your needs for now.
┌──(mrdev㉿mrdev)-[~] 
└─$ sudo apt update && sudo apt install mysql*

After the installation is complete, you can run the help command to see how the service commands are used.

┌──(mrdev㉿mrdev)-[~]
└─$ mysql --help
mysql  Ver 15.1 Distrib 10.5.12-MariaDB, for debian-linux-gnu (x86_64) using  EditLine wrapper
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others. 
Usage: mysql [OPTIONS] [database]
Default options are read from the following files in the given order:
/etc/my.cnf /etc/mysql/my.cnf ~/.my.cnf

The following groups are read: mysql mariadb-client client client-server client-mariadb

The following options may be given as the first argument:
  --print-defaults          Print the program argument list and exit.
  --no-defaults             Don't read default options from any option file. 

The following specify which files/extra groups are read (specified before remaining options):
  --defaults-file=#         Only read default options from the given file #.          
  --defaults-extra-file=#   Read this file after the global files are read.
  --defaults-group-suffix=# Additionally read default groups with # appended as a suffix.
        -?, --help          Display this help and exit.
        -I, --help          Synonym for -?
  --abort-source-on-error   Abort 'source filename' operations in case of errors
  --auto-rehash             Enable automatic rehashing. One doesn't need to use 'rehash' to get table and field completion, but startup and reconnecting may take a longer time. Disable with --disable-auto-rehash. (Defaults to on; use --skip-auto-rehash to disable.)
  -A, --no-auto-rehash            No automatic rehashing. One has to use 'rehash' to get table and field completion. This gives a quicker start of mysql and disables rehashing on reconnect.
      --auto-vertical-output      Automatically switch to vertical output mode if the result is wider than the terminal width.
  -B, --batch                     Don't use history file. Disable interactive behavior.(Enables --silent.)
      --binary-as-hex             Print binary data as hex 
      --character-sets-dir=name   Directory for character set files.
      --column-type-info          Display column type information.
  -c, --comments                  Preserve comments. Send comments to the server. The default is --skip-comments (discard comments), enable with --comments.
  -C, --compress                  Use compression in server/client protocol.
  -#, --debug[=#]                 This is a non-debug version. Catch this and exit.        
      --debug-check               Check memory and open file usage at exit.
  -T, --debug-info                Print some debug info at exit.
  -D, --database=name             Database to use.
   --default-character-set=name   Set the default character set.
      --delimiter=name            Delimiter to be used.
  -e, --execute=name              Execute command and quit. (Disables --force and history file.)
  -E, --vertical                  Print the output of a query (rows) vertically.
  -f, --force                     Continue even if we get an SQL error. Sets abort-source-on-error to 0
  -G, --named-commands            Enable named commands. Named commands mean this program's internal commands; see mysql> help . When enabled, the named commands can be used from any line of the query, otherwise only from the first line, before an enter. Disable with --disable-named-commands. This option is disabled by default.
  -i, --ignore-spaces             Ignore space after function names.
      --init-command=name         SQL Command to execute when connecting to MariaDB server. Will automatically be re-executed when reconnecting.
      --local-infile              Enable/disable LOAD DATA LOCAL INFILE.
  -b, --no-beep                   Turn off beep on error.
  -h, --host=name                 Connect to host.
  -H, --html                      Produce HTML output.
  -X, --xml                       Produce XML output.
      --line-numbers              Write line numbers for errors.(Defaults to on; use --skip-line-numbers to disable.)
  -L, --skip-line-numbers         Don't write line number for errors.
  -n, --unbuffered                Flush buffer after each query.
      --column-names              Write column names in results.(Defaults to on; use --skip-column-names to disable.)
  -N, --skip-column-names         Don't write column names in results.
      --sigint-ignore             Ignore SIGINT (CTRL-C).
  -o, --one-database              Ignore statements except those that occur while the default database is the one named at the command line.
      --pager[=name]              Pager to use to display results. If you don't supply an option, the default pager is taken from your ENV variable PAGER. Valid pagers are less, more, cat [> filename], etc. See interactive help (\h) also. This option does not work in batch mode. Disable with --disable-pager. This option is disabled by default.
  -p, --password[=name]           Password to use when connecting to server. If password is not given it's asked from the tty.
  -P, --port=#                    Port number to use for connection or 0 for default to, in order of preference, my.cnf, $MYSQL_TCP_PORT, /etc/services, built-in default (3306).
      --progress-reports          Get progress reports for long running commands (like ALTER TABLE)(Defaults to on; use --skip-progress-reports to disable.)  
      --prompt=name               Set the command line prompt to this value.
      --protocol=name             The protocol to use for connection (tcp, socket, pipe).
  -q, --quick                     Don't cache result, print it row by row. This may slow down the server if the output is suspended. Doesn't use history file.   
  -r, --raw                       Write fields without conversion. Used with --batch.       
      --reconnect                 Reconnect if the connection is lost. Disable with --disable-reconnect. This option is enabled by default.(Defaults to on; use --skip-reconnect to disable.)
  -s, --silent                    Be more silent. Print results with a tab as separator, each row on new line. 
  -S, --socket=name               The socket file to use for connection.
      --ssl                       Enable SSL for connection (automatically enabled with other flags). 
      --ssl-ca=name               CA file in PEM format (check OpenSSL docs, implies --ssl).
      --ssl-capath=name           CA directory (check OpenSSL docs, implies --ssl).
      --ssl-cert=name             X509 cert in PEM format (implies --ssl).                        
      --ssl-cipher=name           SSL cipher to use (implies --ssl).
      --ssl-key=name              X509 key in PEM format (implies --ssl).
      --ssl-crl=name              Certificate revocation list (implies --ssl).       
      --ssl-crlpath=name          Certificate revocation list path (implies --ssl).  
      --tls-version=name          TLS protocol version for secure connection. 
      --ssl-verify-server-cert    Verify server's "Common Name" in its cert against hostname used when connecting. This option is disabled by default. 
  -t, --table                     Output in table format.
      --tee=name                  Append everything into outfile. See interactive help (\h) also. Does not work in batch mode. Disable with --disable-tee. This option is disabled by default.
  -u, --user=name                 User for login if not current user. 
  -U, --safe-updates              Only allow UPDATE and DELETE that uses keys. 
  -U, --i-am-a-dummy              Synonym for option --safe-updates, -U.   
  -v, --verbose                   Write more. (-v -v -v gives the table output format).     
  -V, --version                   Output version information and exit.                         
  -w, --wait                      Wait and retry if connection is down.
      --connect-timeout=#         Number of seconds before connection timeout.
      --max-allowed-packet=#      The maximum packet length to send to or receive from server.
      --net-buffer-length=#       The buffer size for TCP/IP and socket communication.  
      --select-limit=#            Automatic limit for SELECT when using --safe-updates.  
      --max-join-size=#           Automatic limit for rows in a join when using --safe-updates.
      --secure-auth               Refuse client connecting to server if it uses old (pre-4.1.1) protocol.
      --server-arg=name           Send embedded server this as a parameter.  
      --show-warnings             Show warnings after every statement.
      --plugin-dir=name           Directory for client-side plugins.
      --default-auth=name         Default authentication client-side plugin to use.
      --binary-mode               By default, ASCII '\0' is disallowed and '\r\n' is translated to '\n'. This switch turns off both features, and also turns off parsing of all clientcommands except \C and DELIMITER, in non-interactive mode (for input piped to mysql or loaded using the 'source' command). This is necessary when processing output from mysqlbinlog that may contain blobs. 
      --connect-expired-password  Notify the server that this client is prepared to handle expired password sandbox mode even if --batch was specified.

Variables (--variable-name=value)
and boolean options {FALSE|TRUE}  Value (after reading options)
--------------------------------- ----------------------------------------
abort-source-on-error             FALSE 
auto-rehash                       TRUE
auto-vertical-output              FALSE
binary-as-hex                     FALSE   
character-sets-dir                (No default value)
column-type-info                  FALSE
comments                          FALSE    
compress                          FALSE 
debug-check                       FALSE
debug-info                        FALSE      
database                          (No default value)
default-character-set             auto  
delimiter                         ; 
vertical                          FALSE 
force                             FALSE
named-commands                    FALSE
ignore-spaces                     FALSE 
init-command                      (No default value)
local-infile                      FALSE
no-beep                           FALSE
host                              (No default value) 
html                              FALSE 
xml                               FALSE 
line-numbers                      TRUE
unbuffered                        FALSE
column-names                      TRUE
sigint-ignore                     FALSE 
port                              0    
progress-reports                  TRUE 
prompt                            \N [\d]>
protocol                         
quick                             FALSE   
raw                               FALSE 
reconnect                         TRUE 
socket                            /run/mysqld/mysqld.sock
ssl                               FALSE
ssl-ca                            (No default value)
ssl-capath                        (No default value)
ssl-cert                          (No default value)
ssl-cipher                        (No default value)
ssl-key                           (No default value)
ssl-crl                           (No default value)  
ssl-crlpath                       (No default value)  
tls-version                       (No default value)
ssl-verify-server-cert            FALSE 
table                             FALSE
user                              (No default value)
safe-updates                      FALSE   
i-am-a-dummy                      FALSE 
connect-timeout                   0
max-allowed-packet                16777216 
net-buffer-length                 16384 
select-limit                      1000   
max-join-size                     1000000
secure-auth                       FALSE 
show-warnings                     FALSE     
plugin-dir                        (No default value)    
default-auth                      (No default value) 
binary-mode                       FALSE 
connect-expired-password          FALSE    

Always remember that MySQL clients usually authenticate to the service with a username and password combination. However, it is essential to test for password-less authentication, as there might be an intentional misconfiguration in the service which allowed personnel to log in easily during the deployment stage of the project, before it was made available to other colleagues. In the present situation, an initial attempt can be to log in as the root user, which naturally has the highest level of privileges on the system.

Now use this command in your terminal:

  • -h: connect to the given host.
  • -u: specify the user for login if not the current user.
┌──(mrdev㉿mrdev)-[~]
└─$ mysql -h 10.129.57.183 -u root  
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 74  
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.    
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>

As you can see, it does not ask for a password, which means we have connected to the database without one.
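Why does the server accept the login without a prompt? The scan reported the mysql_native_password plugin and a 20-byte salt, and under that plugin an account whose authentication_string is empty accepts an empty auth response. The following added example (not the post's or MariaDB's own code, written from the documented mysql_native_password algorithm) runs both sides of that exchange: the client's scramble and the server's verification. The salt is the one the scan printed; the passwords are constructed.

```python
"""mysql_native_password, worked both ways: the client-side scramble and the
server-side check, to show why an account with an empty authentication_string
lets a client in with an empty response.

Added example for this walkthrough, not the post's or MariaDB's own code. It
follows the documented mysql_native_password algorithm; SALT is the 20-byte
value from the nmap mysql-info output above, the passwords are constructed."""
import hashlib
import hmac

SALT = b"gK$ks#M;~-a%0`r>{sQz"   # 20-byte scramble the server sent, from the scan above


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def stored_authentication_string(password: bytes) -> str:
    """What mysql.user.authentication_string holds for this plugin:
    '*' + hex(SHA1(SHA1(password))), unsalted. Empty password -> empty string."""
    if not password:
        return ""
    return "*" + sha1(sha1(password)).hex().upper()


def client_scramble(password: bytes, salt: bytes) -> bytes:
    """Client's auth response: SHA1(pw) XOR SHA1(salt + SHA1(SHA1(pw))).
    An empty password sends an empty response (zero-length auth data)."""
    if not password:
        return b""
    stage1 = sha1(password)
    stage2 = sha1(stage1)
    mask = sha1(salt + stage2)
    return bytes(a ^ b for a, b in zip(stage1, mask))


def server_verify(stored: str, salt: bytes, response: bytes) -> bool:
    """Server side: recover SHA1(pw) from the response, hash it once more and
    compare with the stored double hash. An empty stored string only matches
    an empty response, which is exactly the root login seen above."""
    if stored == "":
        return response == b""
    if len(response) != 20 or not stored.startswith("*"):
        return False
    stage2 = bytes.fromhex(stored[1:])
    mask = sha1(salt + stage2)
    stage1 = bytes(a ^ b for a, b in zip(response, mask))
    return hmac.compare_digest(sha1(stage1), stage2)


def login(account_password: bytes, tried_password: bytes, salt: bytes = SALT) -> bool:
    """Full exchange: server stores the hash of account_password, client answers
    with tried_password, server decides."""
    stored = stored_authentication_string(account_password)
    return server_verify(stored, salt, client_scramble(tried_password, salt))


if __name__ == "__main__":
    print("root with empty password, client sends nothing:", login(b"", b""))
    print("root with empty password, client guesses 'x':  ", login(b"", b"x"))
    print("root with a password, client sends nothing:    ", login(b"s3cret", b""))
    print("root with a password, correct password:        ", login(b"s3cret", b"s3cret"))
```

Two things follow for the fix: setting a real password (ALTER USER ... IDENTIFIED BY ...) is what makes the empty response fail, and because the stored value is an unsalted double SHA1, the on-disk hash deserves the same protection as the password itself.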

We are placed in a MySQL service shell from where we can explore the tables and data therein that are available to us. If you need help with MySQL command syntax, you can refer to the cheat sheet provided by MySQL. The commands we are going to use are essential for navigation.

SHOW databases;

: Print out the databases we can access.

USE {database_name};

: Set to use the database named {database_name}.

SHOW tables;

: Print out the available tables inside the current database.

SELECT * FROM {table_name};

: Prints out all the data from the table {table_name}.

Our first command is SHOW databases; note that every query ends with a semicolon:

MariaDB [(none)]> SHOW databases;
+--------------------+
| Database           |  
+--------------------+
| htb                 | 
| information_schema | 
| mysql              | 
| performance_schema | 
+--------------------+
4 rows in set (0.347 sec)
MariaDB [(none)]> 

From the output, the HTB database seems to be of value to us. In order to see what rests inside it, we will need to "select" the HTB database. To achieve this, the use htb; command can be used.

MariaDB [(none)]> use htb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A     
Database changed 
MariaDB [htb]>

We have successfully changed the database. The next step is to check what tables the "htb" database contains. We can achieve this by following up with the SHOW tables; command.

MariaDB [htb]> show tables;
+---------------+
| Tables_in_htb |  
+---------------+ 
| config        | 
| users         | 
+---------------+
2 rows in set (0.747 sec)
MariaDB [htb]>

We have two tables that are config and users. These can be checked sequentially for their content by using the SELECT * FROM config command, where config is the exact name of the table you want to explore, taken from the output above.

MariaDB [htb]> SELECT * FROM config;  
+----+-----------------------+----------------------------------+
| id | name                  | value                            |
+----+-----------------------+----------------------------------+ 
|  1 | timeout               | 60s                              |
|  2 | security              | default                          | 
|  3 | auto_logon            | false                            |  
|  4 | max_size              | 2M                               |
|  5 | flag                  | 7******************************8 |
|  6 | enable_uploads        | false                            |
|  7 | authentication_method | radius                           |
+----+-----------------------+----------------------------------+ 
7 rows in set (0.470 sec)
MariaDB [htb]>
As you can see, the flag is listed in this table. Copy it and paste it into the task answer field.


TASK Solution


TASK 1: What does the acronym SQL stand for?

Ans. Structured Query Language


TASK 2: During our scan, which port running MySQL do we find?

Ans. 3306


TASK 3: What community-developed MySQL version is the target running?

Ans. MariaDB


TASK 4: What switch do we need to use in order to specify a login username for the MySQL service?

Ans. -u

TASK 5: Which username allows us to log into MariaDB without providing a password?

Ans. root


TASK 6: What symbol can we use to specify within the query that we want to display everything inside a table?

Ans. *


TASK 7: What symbol do we need to end each query with?

Ans. ;
