
HTB Starting Point - Tier 1 - Sequel

Introduction

Sequel is the 2nd machine in the Starting Point Tier 1 series. And maybe it’s because I’m drinking but I just realized it is likely called Sequel because the focus is SQL.

tl;dr

Spoiler!

1. MariaDB is running on the target. Connect with `mysql -h $target -u root`
2. `show databases;`, `use htb;`, then `show tables;`
3. Lastly, `select * from config;` for the flag

Rush Hour 1 & 2 are amazing. However, nobody remembers Rush Hour 3...it was **terrible**.

Establishing a Connection & Initial Scan

Spawn the bastard and get the VPN going.

I’ve confirmed the target is reachable with a ping.

Initiate the usual scan:

The Tasklist

Task 1

What does the acronym SQL stand for?

We covered this one before, SQL stands for Structured Query Language.

Task 2

During our scan, which port running mysql do we find?

According to the scan, mysql is running on port 3306.

Task 3

What community-developed MySQL version is the target running?

The server is running MariaDB.

Task 4

What switch do we need to use in order to specify a login username for the MySQL service?

The man page states that `-u` lets us specify a login username when connecting.

Task 5

Which username allows us to log into MariaDB without providing a password?

root is the account.

Task 6

What symbol can we use to specify within the query that we want to display everything inside a table?

The wildcard `*` character is widely used for matching anything in multiple languages. In spoken terms, it is read as "all". As an example, the SQL statement `SELECT * FROM table_name;` would be read as "SELECT ALL FROM table_name".

Task 7

What symbol do we need to end each query with?

The semicolon `;` is used to end a query statement in SQL.

Task 8

Submit root flag

Capturing the Flag

Right, so now we have to use the above stuff to figure out how to get the flag.

  1. We search the man page for the switch to specify our target. `man mysql | grep host` reveals that the `-h` flag will let us enter the IP/hostname of our target.
  2. The full command should include the `-u` switch discovered earlier. This will allow us to try to connect as root. The default config for MariaDB allows the account to connect without a password. The command should read `mysql -h $target -u root`.
  3. The command worked! Now to enter some mysql commands.

  1. Now that we are connected, we want to run `show databases;`. This lists the databases that are on the server.
  2. There is a very promising DB listed, htb, so let's take a look inside. We run the command `use htb;` to select the htb database as our active DB to query against.
  3. Once the htb DB is selected, we list its tables to see what's viable. The command `SHOW TABLES;` will list all tables located in the htb DB.
  4. Two tables are inside. Both users and config seem promising.

  1. We’ll start with the users table with the statement `SELECT * FROM users;`.
  2. Said table contains some usernames and emails. All worth pillaging, but we still don’t have our flag.
  3. We check the next table, config. The command is `SELECT * FROM config;`.
  4. This is the ticket, our flag is in this table. Nice!
A rare time that the sequel surpassed the original.
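
The whole box hinges on one misconfiguration: an account that logs in with no password. The following added example (not part of the original post) audits an account listing for that condition on a server you administer. It assumes tab-separated output of `SELECT User, Host, plugin, authentication_string FROM mysql.user` as printed by `mysql -B`; the sample rows and the `audit_accounts` helper are constructed for illustration.

```python
import csv
import io

# Constructed sample in the shape of:
#   mysql -B -e "SELECT User, Host, plugin, authentication_string FROM mysql.user"
# Rows are invented for illustration; the hash is a placeholder, not a real one.
SAMPLE = (
    "User\tHost\tplugin\tauthentication_string\n"
    "root\t%\tmysql_native_password\t\n"
    "root\tlocalhost\tunix_socket\t\n"
    "app\t10.0.0.%\tmysql_native_password\t*CONSTRUCTED_HASH_PLACEHOLDER\n"
    "backup\tlocalhost\tmysql_native_password\tNULL\n"
)

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Plugins that authenticate by something other than a stored password hash,
# so an empty authentication_string is expected for them.
NON_PASSWORD_PLUGINS = {"unix_socket", "auth_socket", "pam", "gssapi"}


def audit_accounts(tsv_text):
    """Return (user, host, severity) for accounts that accept an empty password."""
    findings = []
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    for row in reader:
        plugin = (row["plugin"] or "").strip().lower()
        secret = (row["authentication_string"] or "").strip()
        if plugin in NON_PASSWORD_PLUGINS:
            continue  # identity is checked by the OS or an external service
        if secret not in ("", "NULL"):
            continue  # a password hash is set (batch mode prints NULL literally)
        # Empty hash on a password plugin: login works with no password.
        # A non-local Host pattern means the account is usable over the network.
        severity = "low" if row["Host"] in LOCAL_HOSTS else "high"
        findings.append((row["User"], row["Host"], severity))
    return findings


if __name__ == "__main__":
    for user, host, severity in audit_accounts(SAMPLE):
        print(f"[{severity}] '{user}'@'{host}' has no password set")
```

Any "high" finding is the exact situation exploited above; set a password or drop the account, and keep port 3306 off untrusted networks.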

Lessons Learned

  • A foothold on MySQL can be gained using `mysql -h $target -u $user`. Worth trying root.
  • Upon gaining a foothold, enumerate databases with `SHOW DATABASES;`, then select a DB with `USE {DB_NAME};` and list its tables with `SHOW TABLES;`. See data with `SELECT * FROM {TABLE_NAME};`
This post is licensed under CC BY 4.0 by the author.