08 Jan 2023
MySQL typically not the first point of call in a network, definitely unlikely as a path in a CTF. For purposes of this lesson, credentials were found while enumerating subdomains of a web server but they didn’t match up to an SSH user, so trying them with MySQL. If trying to use non-Metasploit tools:
https://nmap.org/nsedoc/scripts/mysql-enum.html
https://www.exploit-db.com/exploits/23081
Enumerate to get the information needed to exploit the victim, starting with nmap. In this case nmap -v -A target was enough to find the port MySQL was running on.
Connect to MySQL session with mysql -h [IP Address] -u [username] -p where -p prompts for a password. Exit session and begin Metasploit work.
Once in the console, search fullname:mysql_sql to find the full module name. Select with use #. set options. In this case, it doesn’t work unless username and password are set even though they’re not required options. Can change the sql option to show databases.
Taking stock:
MySQL specific terminology - Schema is synonymous with database. Create schema command == create database command. Some other database products draw a distinction, schema being only a part of a database: the tables and other objects owned by a single user. (Oracle)
Hashes, simply put, are product of a cryptographic algorithm to turn a variable length input into a fixed length output. MySQL hashes can also be used to index data in a hash table. Creates and index significantly smaller than the original data allowing for more efficient search and access.
In this case, hashes extracted will be just a way of storing passwords not in plaintext.
Dig around, get the flag.
Use mysql_schemadump module. Got list off tables and columns.
Use mysql_hashdump module. Reveals another non-standard username, and the password hash. Copy hash to a text file.
Run Jack the Ripper against it: john file.txt. Returns password for user.
Can try this password against other things in system because of potential password reuse, in this case SSH.
SSH connection led to flag retrieval.
https://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-sg-en-4/ch-exploits.html
https://www.nextgov.com/cybersecurity/2019/10/nsa-warns-vulnerabilities-multiple-vpn-services/160456/
That finishes Network Services 2. Next up on the path is How Websites Work.