Hack the Box — Sequel
--
HTB Tags: #Linux #SQL #SQLi #MariaDB #WeakPassword
This is the second box in Tier 1, as part of the Starting Point series, with a focus on database access through an open port on a Linux target. As usual, let’s start by enumerating with the standard commands, ping and nmap, and see where we get to.
ping
ping $IP -c 4
nmap
nmap -sC -sV -A $IP -p-
ports
Checking the port details on speedguide, we see that this is normally an SQL port. It is showing as MariaDB, one of the many applications/variants of MySQL, a service designed for database management: creating, modifying, and updating databases, changing and adding data, and much more.
We should try to see if we can access the database remotely. MySQL clients usually authenticate with the service using a username/password combination; however, we should test for password-less authentication, in case there is an intentional misconfiguration that allows database creators/managers to log into the service during the deployment stage of the project, so they can easily interact with it before making it available to the rest of the community. Let’s try to log in as root and see if we can get full privileges.
mysql
mysql -h $IP -u root
So now that we have access to MariaDB, we can start to enumerate it. You can use the built-in help at this stage, for both the client and the server, with either:
\h
help contents
These commands are well outside the remit of this walkthrough, but they are worth learning in the long run as you start to understand and appreciate the number of databases on these vulnerable systems.
So let’s check out the database itself.
show databases;
We can see four databases are visible. Let’s check out the htb database, as it seems to be appropriate! Let’s access it by using it.
use htb
Now we have the two tables. Let’s look at them in order. In this case the * is a wildcard for ALL, so in normal speech it would be "select all from table config".
select * from config;
OK, we now have the flag, which ends this challenge.
summary
This was a nice introduction to SQL databases. The basic commands that we used to move between the online databases are well worth learning.
- SHOW databases; [Prints out the databases we can access.]
- USE {database_name}; [Set to use the database named {database_name}.]
- SHOW tables; [Prints out the available tables inside the current database.]
- SELECT * FROM {table_name}; [Prints out all the data from the table {table_name}.]
In the same way, a basic online SQL course will definitely be worthwhile as you progress through your hacking/pen-testing career.
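The password-less root login this box relies on is something an administrator can check for on their own MariaDB server. The audit and fix below is an added example, not part of the original walkthrough; it assumes MariaDB 10.4 or later, and the account names in steps 2 and 3 are placeholders for whatever step 1 returns.

```sql
-- Added example (not from the walkthrough). Run as an administrator on your
-- own MariaDB server. Assumes MariaDB 10.4+; account names are placeholders.

-- 1. Find accounts that accept a login with no password.
--    Accounts using the unix_socket plugin are skipped: they are tied to a
--    local OS user and cannot be used from another host.
SELECT User, Host, plugin,
       IF(Host IN ('localhost', '127.0.0.1', '::1'),
          'local only', 'REMOTE') AS exposure
FROM mysql.user
WHERE is_role = 'N'                              -- ignore roles
  AND plugin IN ('', 'mysql_native_password')    -- password-based auth
  AND authentication_string = ''                 -- ...with no hash stored
  AND Password = '';

-- 2. Review what a flagged account is allowed to do before changing it.
SHOW GRANTS FOR 'root'@'%';

-- 3. Remediate.
--    Remove a remote administrative account that nothing depends on:
DROP USER IF EXISTS 'root'@'%';
--    Bind the local root account to the OS root user:
ALTER USER 'root'@'localhost' IDENTIFIED VIA unix_socket;
--    Or give it a password instead (placeholder value shown):
-- ALTER USER 'root'@'localhost' IDENTIFIED BY '<long-random-password>';

-- 4. Re-run the query from step 1. No row should be marked REMOTE.
--    If no remote clients are needed at all, also restrict the listening
--    address with bind-address in the server configuration.
```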