THM – Network Services – MySQL – Part 8

Byaghanim

Photo by Caspar Camille Rubin on Unsplash

Understanding MySQL 

What is MySQL?  

In its simplest definition, MySQL is a relational database management system (RDBMS) based on Structured Query Language (SQL).  

Database:  

A database is simply a persistent, organized collection of structured data.  

RDBMS:  

A software or service used to create and manage databases based on a relational model. The word “relational” just menas that the data stored in the dataset is organized as tables. Every table relates in some way to each others “primary key” or other “key” factors.  

SQL:  

MySQL is just a brand name for one of the most popular RDBMS software implementations. as we know, it uses a client-server model . The client and server communicate by using a language, specifically the Structured Query Language (SQL). 

How does MySQL work? 

MySQL, as an RDBMS, is made up of the server and utility programs that help in the administration of MySQL databases.

The server handles all database instructions like creating, editing and accessing data. It takes and manages these requests and communicates using the MySQL protocol. This whole process can be broken down into these stages: 

  1. MySQL creates a database for storing and manipulating data, defining the relationship of each table.  
  2. Clients make requests by making specific statements in SQL. 
  3. The server will respond to the client with whatever information has been requested. 

What runs MySQL? 

MySQL can run on various platforms, whether its Linux or windows. It is commonly used as a backend database for many prominent websites and forms an essential component of the LAMP stack, which includes Linux, Apache, MySQL and PHP.  

What type of software is MySQL? Relational database management system 

What language is MySQL based on? SQL 

What communcation model does MySQL use? Client-server 

What is common application of MySQL? Back end database 

Enumerating MySQL 

When would you begin attacking MySQL? 

MySQL is likely not going to be the first point of call when it comes to getting initial information about the server. In most CTF scenarios, this is unlikely to be the avenue you’re meant to peruse. 

The Scenario 

Typically, you will have gained some initial credentials from enumerating other services that you can use to enumerate and exploit MySQL service.  

For this scenario we would assume that we found the credential “root:password” while enumerating subdomains of a web server.  

Requirements 

Have MySQL installed on the system in order to connect to the remote MySQL server. Install by using “sudo apt install default-mysql-client.  

We’re going to use metasploit for this.  

Alternatives 

Worth noting that everything we’re going to be doing using Metasploit can also be done either manually or with a set of non-metasploit tools such as nmap’s mysql-enum script. https://nmap.org/nsedoc/scripts/mysql-enum.html 

Do a port scan against the target to find the service we’re trying to attack. What port is MySQL using? 3306. 

We have a set of creds. Lets check them by manually connecting to the MySQL server. Use command 

mysql -h IP –u username –p

Use Metasploit module “mysql_sql” and set the correct options.  

By default, this exploit will test with the “select version()” command. Whats the result?  

Change the “sql” options to “show databases”. How many databases?  

Exploit MySQL

What do we know?  

  1. MySQL server credential 
  2. The version of MySQL running 
  3. The number of databases, and their names 

Key Terminology 

In order to understand the exploits we’re going to use, we need to understand a few key terms.

Schema 

In MySQL, phyiscally, a schema is synonymous with a database. You can subsitute the keyword “SCHEMA” instead of DATABASE in MySQL SQL syntax, for example using “CREATE SCHEMA” instead of “CREATE DATABASE”.

In the Oracle Database product, a schema represents only a part of a database: the tables and other objects owned by a single user.  

Hashes 

Hashes are the product of a cryptographic algorithm to turn a variable length input into a fixed length output. 

In MySQL hashes can be used in different ways, for instance to index data into a hash table. Each hash a unique ID that servers as a pointer to the original data. This creates an index that is significantly smaller than the original data, allowing the values to be searched and accessed more efficiently.  

We are going to extract password hashes, which are simply a way of storing passwords not in a plaintext format.  

Start Metasploit and search for “mysql_schemadump” module. 

Set the relevant options and run the exploit. What’s the name of the last table that gets dumped? 

We have dumped the tables, and column names of the whole database. Search for and select the “mysql_hashdump” module. Set relevant options and run the exploit.  

What non-default user stands out? carl

 What is the userhash? See image above.  

Copy the hashstring in full, like bob:*HASH to a text file on local machine.  

Crack the password using john the ripper against “john hash.txt”. What is the password? doggie 

What is the MySQL.txt FLAG?? 

Similar Posts

  • THM – John The Ripper – Part 15

    Byaghanim

    This is a continued series where I document my path through different tryhackme courses. I recommend everyone that wants to learn cyber security to subscribe to tryhackme.com and take the courses there. Table Of ContentsCracking Basic HashesCracking Windows authentication HashesCracking /etc/shadow HashesSingle Cracking ModeCustom RulesCracking Password Protected Zip FilesCracking Password Protected RAR FilesCracking SSH Keys…

  • THM – Common Linux Privilege Escalation – Part 20

    Byaghanim

    This is a continued series where I document my path through different tryhackme courses. I recommend everyone that wants to learn cyber security to subscribe to tryhackme.com and take the courses there. Table Of ContentsDirection og Privilege EscalationEnumerationAbusing SUID/GUID FilesFinding SUID BinariesExploiting Wriitable /etc/passwdEscaping Vi EditorExploiting CrontabExploitning PATH Variable Direction og Privilege Escalation Two main…

  • THM – Active Directory Basics – Part 18

    Byaghanim

    This is a continued series where I document my path through different tryhackme courses. I recommend everyone that wants to learn cyber security to subscribe to tryhackme.com and take the courses there. Table Of ContentsIntroductionPhysical Active DirectoryThe ForestUsers + GroupsTrusts + PoliciesActive Directory Domain Services + Authentication Introduction Active Directory is the directory service for…

  • THM – Intro to pentesting – Fundamentals – Part 1

    Byaghanim

    This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. Table Of ContentsPenetration testing ethicsRules of Engagement (ROE)Penetration Testing MethodoligiesOSSTMMOWASPNIST Cybersecurity Framework 1.1NCSC CAFBlack box, White box, Grey box penetration testingBlack-Box testingGrey-box testingWhite-Box Testing Penetration testing ethics Hat Category Description…

  • THM – Network Services – SMB – Part 3

    Byaghanim

    Table Of ContentsUnderstanding SMB Enumerating SMB Exploiting SMB  Understanding SMB  SMB – Server Message Block Protocol – is a client-server communication protocol used for sharing access to files, printers, serial ports and other resources on a network.   Servers make file systems and other resources available to clients on the network. Client computers may have their own hard disks, but they also want access to the shared file systems and printers on the servers.   The SMB protocol is known as a response-request protocol, meaning that it transmits multiple messages…

  • THM – IDOR – Part 7

    Byaghanim

    This is my notes from the Junior Pentesting course at TryHackMe. This course takes you through the basics and some advanced topics regarding penetration testing. Table Of ContentsWhat is an IDOR?An IDOR ExampleFinding IDORs in Encoded IDsEncoded IDsFinding IDORs and Hashed IDsHashed IDsFinding IDORs in Unpredictable IDsUnpredictable IDsWhere are IDORs locatedWhere are they located?A Practical IDOR ExampleWhat…