This is the last lab from the TryHackMe Network Services 2 module. It can be
accessed only by premium users.
MySQL, as an RDBMS, is made up of the server and utility programs that
help in the administration of MySQL databases.
The server handles all database instructions like creating, editing, and
accessing data. It takes and manages these requests and communicates using the
MySQL protocol. This whole process can be broken down into these stages:
- MySQL creates a database for storing and manipulating data, defining the
relationship of each table.
- Clients make requests by making specific statements in SQL.
- The server will respond to the client with whatever information has been
requested.
MySQL can run on various platforms, whether it's Linux or Windows. It is
commonly used as a back-end database for many prominent websites and forms an
essential component of the LAMP stack, which includes Linux, Apache, MySQL, and PHP.
Enumeration
Typically, you will have gained some initial credentials from
enumerating other services that you can then use to enumerate and exploit the
MySQL service. As this room focuses on exploiting and enumerating the network
service, for the sake of the scenario, we're going to assume that you found the credentials:
"root:password" while enumerating subdomains of a web
server. After trying the login against SSH unsuccessfully, you decide to try it
against MySQL.
Knowing the default credentials, we can log in using the mysql client.
Let's double check that by manually connecting to the MySQL server. We can
do this using the command
"mysql -h [IP] -u [username] -p"
We're going to be using the "mysql_sql" module in Metasploit.
With this Metasploit module we can see the databases present in the MySQL
DBMS. By default it will test with the "select version()" command. After
changing the "sql" option to "show databases", we can see 4 databases present
in the DBMS.
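From the defender's side, the enumeration described above is visible in MySQL's general query log when that log is enabled. The following is an added example, not part of the original write-up: it flags remote root sessions that run the version and schema queries mentioned above. The log lines are constructed, and the function names and the set of flagged queries are assumptions.

```python
import re
from ipaddress import ip_address

# Constructed sample in the layout of MySQL's general query log
# (timestamp, connection id, command, argument); not taken from the lab.
SAMPLE_LOG = """\
2024-03-01T09:14:02.118311Z\t   41 Connect\tappuser@localhost on shop using Socket
2024-03-01T09:14:02.118900Z\t   41 Query\tSELECT id FROM orders WHERE id = 7
2024-03-01T09:15:10.501220Z\t   42 Connect\troot@10.10.14.7 on  using TCP/IP
2024-03-01T09:15:10.733051Z\t   42 Query\tselect version()
2024-03-01T09:15:31.020417Z\t   43 Connect\troot@10.10.14.7 on  using TCP/IP
2024-03-01T09:15:31.250992Z\t   43 Query\tshow databases
2024-03-01T09:15:31.251800Z\t   43 Quit
"""

LINE = re.compile(r"^(\S+)\s+(\d+)\s+(Connect|Query|Quit)\s*(.*)$")
LOGIN = re.compile(r"^(\S+?)@(\S+) on ")  # successful logins only
RECON = re.compile(r"^\s*(select\s+(version\(\)|@@version)|show\s+(databases|tables|grants))", re.I)

def is_local(host):
    """True for localhost or a loopback address."""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname other than localhost counts as remote

def find_remote_root_recon(log_text):
    """Return enumeration queries issued on root sessions opened from a remote host."""
    sessions, alerts = {}, []  # sessions: connection id -> remote source
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation of a multi-line query, or a header line
        ts, conn, cmd, arg = m.groups()
        if cmd == "Connect":
            login = LOGIN.match(arg)
            if login and login.group(1) == "root" and not is_local(login.group(2)):
                sessions[conn] = login.group(2)
        elif cmd == "Query" and conn in sessions and RECON.match(arg):
            alerts.append({"time": ts, "conn": int(conn),
                           "source": sessions[conn], "query": arg.strip()})
        elif cmd == "Quit":
            sessions.pop(conn, None)
    return alerts
```

On the sample, the application session on connection 41 is ignored and both root sessions from 10.10.14.7 are reported.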
Exploitation
Exploit the database fully and gain more sensitive information than just
database names. We know:
1. MySQL server credentials
2. The version of MySQL running
3. The number of databases, and their names.
Hashes are, very simply, the product of a
cryptographic algorithm to turn a variable length input into a fixed length
output. We can see in the output that there are different credentials.
The password for the other user is hashed. Use the command below to
crack the password.
"john hash.txt"
Using the cracked password, log in to the machine over SSH and access the flag.