
Sequel - Linux

  • justinblawitz
  • Oct 8, 2025
  • Ping the target IP, then scan it with Nmap using sudo nmap -sC -sV {target IP}

  • We find port 3306/tcp open running MySQL 5.5.5-10.3.27-MariaDB0+deb10u1. MySQL is a service for database management including functions like creating, modifying, and updating databases, changing and adding data, and more.


  • Next, download MySQL to your local machine to be able to communicate with the database, using sudo apt update && sudo apt install mysql*. After that, we can run mysql --help to see a list of commands and how they're used.


  • MySQL clients usually authenticate with a username/password combination, but we should test for password-less authentication, as there might be an intentional misconfiguration in the service that lets personnel log in easily during the deployment stage. To do this we run mysql -h {target IP} -u root, where -h specifies the host we want to connect to and -u is the username for login. In this case I also had to use --skip-ssl to gain entry, which basically skips encryption of the data between endpoints.

  • We are able to gain access to the database using the root username and no password. SHOW databases; prints out the databases we can access. We find 4 databases, but 3 of them are common across all MySQL instances (information_schema, mysql, and performance_schema), so the one we are interested in is the htb database.

  • Next, we’ll run the USE htb; command which opens the specified database, and SHOW tables; which prints out the available tables inside the current database.

  • Finally, we use SELECT * FROM config; which prints out all the data from the table (* stands for all in MySQL). Doing this will allow us to read the value of the flag and capture it.
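
From the defender's side, the misconfiguration used above (a root account with no password, reachable over the network without TLS) can be found and closed with a few statements. This is an added example for MariaDB 10.3, not part of the original writeup; the 'root'@'%' and 'app'@'10.0.0.%' accounts and the password placeholder are assumptions.

```sql
-- Added example (not from the original writeup); written for MariaDB 10.3,
-- the version Nmap reported. Run as an administrative user.

-- 1. Audit: accounts that accept a login with no password.
--    unix_socket accounts are excluded because they authenticate
--    through the local OS user rather than a stored hash.
SELECT User, Host, plugin
FROM mysql.user
WHERE COALESCE(Password, '') = ''
  AND COALESCE(authentication_string, '') = ''
  AND plugin <> 'unix_socket';

-- 2. Audit: administrative accounts that can log in from non-local hosts.
SELECT User, Host
FROM mysql.user
WHERE Super_priv = 'Y'
  AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 3. Fix: 'root'@'%' is an assumed account; use the User/Host pairs
--    returned by the audits. Either set a password ...
ALTER USER 'root'@'%' IDENTIFIED BY '<long-random-password>';
--    ... or, as the alternative, remove remote root and keep only the
--    local account:
-- DROP USER 'root'@'%';

-- 4. Require TLS for accounts that must connect over the network, so a
--    client started with --skip-ssl is refused. The server needs TLS
--    configured for this. 'app'@'10.0.0.%' is a hypothetical account.
ALTER USER 'app'@'10.0.0.%' REQUIRE SSL;
```

When no remote access is needed at all, setting bind-address = 127.0.0.1 in the server configuration keeps port 3306 off the network entirely.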


 
 
 
