Hack The Box Starting Point: Sequel
Sequel is a machine located in Hack The Box's Starting Point Tier 1. By leveraging the inadequately configured SQL (Structured Query Language) service on this machine, we can acquire access to all the databases and tables it contains.
Project information
- Title: Sequel
- Organizer: Hack The Box
- Project date: June, 2023
- URL: www.hackthebox.com
To obtain the VPN profile for connecting to Hack The Box, please follow these steps:
- Click on the "HTB" button located in the top right corner.
- From the options, select "Starting Point".
- Choose "OpenVPN" and click on it.
- Finally, click on the "Download VPN" button to acquire the VPN profile.
To connect to HTB, for Windows users, download and install OpenVPN Connect and load the VPN profile into the application. Linux users can connect by opening a Terminal and entering the provided command below. Please allow a few minutes for the HTB website to acknowledge the connection.
Begin by initiating a connection to the Starting Point VPN.
sudo openvpn [filename].ovpn
Launch a new tab on your Kali Linux terminal while keeping the current tab connected to your lab session.
Click the green "Spawn Machine" button to start the target machine's spawning process. Remember that the IP address for the target machine is 10.129.174.147. However, use the IP address you have received, as it may differ from the provided one.
The presence of tags such as "Vulnerability Assessment", "Databases", "MySQL", and "SQL" suggests that we may be involved in conducting an evaluation of potential vulnerabilities within a database, particularly focusing on weak credentials.
As the webpage remains unresponsive, a successful ping to the target machine indicates its connectivity. A nmap scan was conducted using the command
nmap -sV -sC 10.129.174.147 to obtain information about the services and their versions running on the specified IP address.
Task 1 inquires, “During our scan, which port do we find serving MySQL?”
The answer is 3306.
Task 2 inquires, “What community-developed MySQL version is the target running?
The nmap scan revealed that the service running on the specified IP address is MariaDB.
Task 3 inquires, “When using the MySQL command line client, what switch do we need to use in order to specify a login username?”
-u.
Task 4 inquires, "Which username allows us to log into this MariaDB instance without providing a password?"
root
Task 5 inquires, “In SQL, what symbol can we use to specify within the query that we want to display everything inside a table?"
Answer is asterisk (*) symbol. The presence of the asterisk symbol in the query indicates our intention to show all the contents within a table.
Task 6 inquires, “In SQL, what symbol do we need to end each query with?"
The semicolon symbol (;) is essential as a command delimiter, serving to separate and differentiate individual commands.
Task 7 inquires, “There are three databases in this MySQL instance that are common across all MySQL instances. What is the name of the fourth that's unique to this host?”
The correct answer is htb.
Finally, "Submit root flag".
By conducting a basic Google search and consulting online communities, I found the command mysql -h <hostname> -u root for logging in as the root user without a password on a MariaDB or MySQL database hosted on a specific hostname.
Attempt to gain access to the target machine with root privileges.
To view the list of databases, we can employ the show databases command.
To select a specific database, we can utilize the use <database name> command.
To retrieve a list of tables, we can employ the show tables command.
The data from the 'config' and 'users' tables can be retrieved using the
select * from <table name>
select * from <table name>
Finally, I located the flag, successfully compromising the Sequel box.
Flag : 7b4bec00d1a39e3dd4e021ec3d915da8
