THM – Network Services – MySQL – Part 8

Last Updated on January 25, 2022 by aghanim


Understanding MySQL 

What is MySQL?  

In its simplest definition, MySQL is a relational database management system (RDBMS) based on Structured Query Language (SQL).  

Database:  

A database is simply a persistent, organized collection of structured data.  

RDBMS:  

Software or a service used to create and manage databases based on a relational model. The word “relational” just means that the data stored in the database is organized as tables. Every table relates in some way to the others through a “primary key” or other “key” columns.  

SQL:  

MySQL is just a brand name for one of the most popular RDBMS software implementations. As we know, it uses a client-server model. The client and server communicate using a language, specifically the Structured Query Language (SQL). 

How does MySQL work? 

MySQL, as an RDBMS, is made up of the server and utility programs that help in the administration of MySQL databases.

The server handles all database instructions like creating, editing and accessing data. It takes and manages these requests and communicates using the MySQL protocol. This whole process can be broken down into these stages: 

  1. MySQL creates a database for storing and manipulating data, defining the relationship of each table.  
  2. Clients make requests by making specific statements in SQL. 
  3. The server will respond to the client with whatever information has been requested. 

What runs MySQL? 

MySQL can run on various platforms, whether it’s Linux or Windows. It is commonly used as a backend database for many prominent websites and forms an essential component of the LAMP stack, which includes Linux, Apache, MySQL and PHP.  

What type of software is MySQL? Relational database management system 

What language is MySQL based on? SQL 

What communication model does MySQL use? Client-server 

What is a common application of MySQL? Back-end database 

Enumerating MySQL 

When would you begin attacking MySQL? 

MySQL is likely not going to be the first port of call when it comes to getting initial information about the server. In most CTF scenarios, this is unlikely to be the avenue you’re meant to pursue. 

The Scenario 

Typically, you will have gained some initial credentials from enumerating other services, which you can then use to enumerate and exploit the MySQL service.  

For this scenario we will assume that we found the credentials “root:password” while enumerating subdomains of a web server.  

Requirements 

Have the MySQL client installed on your system in order to connect to the remote MySQL server. Install it with “sudo apt install default-mysql-client”.  

We’re going to use Metasploit for this.  

Alternatives 

It’s worth noting that everything we’re going to do with Metasploit can also be done either manually or with a set of non-Metasploit tools, such as nmap’s mysql-enum script: https://nmap.org/nsedoc/scripts/mysql-enum.html 

Do a port scan against the target to find the service we’re trying to attack. What port is MySQL using? 3306. 

We have a set of creds. Let’s check them by manually connecting to the MySQL server. Use the command 

mysql -h IP -u username -p

Use the Metasploit module “mysql_sql” and set the correct options.  

By default, this module runs the “select version()” statement. What’s the result?  

Change the “sql” option to “show databases”. How many databases are there?  

Exploit MySQL

What do we know?  

  1. The MySQL server credentials 
  2. The version of MySQL running 
  3. The number of databases, and their names 

Key Terminology 

In order to understand the exploits we’re going to use, we need to understand a few key terms.

Schema 

In MySQL, physically, a schema is synonymous with a database. You can substitute the keyword “SCHEMA” for “DATABASE” in MySQL SQL syntax, for example using “CREATE SCHEMA” instead of “CREATE DATABASE”.

In the Oracle Database product, a schema represents only a part of a database: the tables and other objects owned by a single user.  

Hashes 

Hashes are the product of a cryptographic algorithm that turns a variable-length input into a fixed-length output. 

In MySQL, hashes can be used in different ways, for instance to index data in a hash table. Each hash is a unique ID that serves as a pointer to the original data. This creates an index that is significantly smaller than the original data, allowing the values to be searched and accessed more efficiently.  

We are going to extract password hashes, which are simply a way of storing passwords in a non-plaintext format.  

Start Metasploit and search for the “mysql_schemadump” module. 

Set the relevant options and run the module. What’s the name of the last table that gets dumped? 

We have dumped the table and column names of the whole database. Search for and select the “mysql_hashdump” module. Set the relevant options and run it.  

What non-default user stands out? carl

What is the user hash? See image above.  

Copy the hash string in full, in the form bob:*HASH, to a text file on your local machine.  

Crack the password with John the Ripper by running “john hash.txt”. What is the password? doggie 

What is the MySQL.txt flag? 
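To make the hash step concrete, here is an added Python example (not part of the room or of this post) that parses the user:*HASH lines mysql_hashdump prints and audits them the way john does against hash.txt: it assumes mysql_native_password hashes (a leading “*” followed by uppercase hex of SHA1(SHA1(password))), and the default-account list, the weak-password list and the sample dump are all constructed for the example.

```python
import hashlib

# Accounts that MySQL itself or the Debian package creates; anything else is "non-default".
DEFAULT_ACCOUNTS = {"root", "mysql.sys", "mysql.session", "mysql.infoschema", "debian-sys-maint"}
HEX_UPPER = set("0123456789ABCDEF")

def mysql_native_hash(password: str) -> str:
    """mysql_native_password hash: '*' followed by uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def parse_hashdump(text: str) -> list:
    """Parse the 'user:hash' lines that mysql_hashdump prints; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            user, _, digest = line.strip().partition(":")
            rows.append((user, digest))
    return rows

def audit(text: str, weak_passwords) -> dict:
    """Map each dumped user to (origin, state): default/non-default, and whether the hash is
    empty (login with no password), locked (not a usable native hash), weak:<pw>, or ok."""
    report = {}
    for user, digest in parse_hashdump(text):
        origin = "default" if user in DEFAULT_ACCOUNTS else "non-default"
        if digest == "":
            state = "empty"
        elif len(digest) != 41 or digest[0] != "*" or set(digest[1:]) - HEX_UPPER:
            state = "locked"  # e.g. the mysql.sys placeholder: no password can produce it
        else:
            state = "ok"
            for candidate in weak_passwords:  # same idea as john with a tiny wordlist
                if mysql_native_hash(candidate) == digest:
                    state = "weak:" + candidate
                    break
        report[user] = (origin, state)
    return report

# Constructed sample in hashdump layout; the hashes are computed here, not taken from the room.
SAMPLE_DUMP = "\n".join([
    "root:" + mysql_native_hash("password"),
    "mysql.sys:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE",
    "carl:" + mysql_native_hash("doggie"),
    "backup:",
])

if __name__ == "__main__":
    for user, (origin, state) in audit(SAMPLE_DUMP, ["password", "doggie", "123456"]).items():
        print(f"{user:18} {origin:12} {state}")
```

An empty hash means the account can log in with no password at all, which is worth flagging before spending any time cracking.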
