The post provides an in-depth walkthrough of exploiting and enumerating MySQL Services as part of a penetration testing exercise, specifically focusing on techniques taught in TryHackMe’s Network Services 2 room.
COMPTIA Cyber Security Analyst (CySA+) Study Notes
Overview
Task 10: Automated exploitation using Metasploit modules.
Objective: Learn how to enumerate, exploit, and extract information from a MySQL database service.
Tasks Covered:
Task 8: MySQL Basics and Enumeration.
Task 9: Manual exploitation without Metasploit.
Key Topics and Techniques
1. Understanding MySQL
- What is MySQL?
- A relational database management system (RDBMS) used to host and manage structured data.
- Tables are interconnected through primary keys.
- Applications:
- Backend storage for applications.
- Examples: Facebook uses MySQL for analytics and data management.
2. Enumeration
Identify MySQL service running on port 3306 using Nmap:
Initial Port Scan:
nmap -sV -A -p 3306 <target_IP>
- Output:
- Confirms the MySQL version (e.g.,
5.7.29). - Verifies the service is active.
- Confirms the MySQL version (e.g.,
Login Credentials:
- If credentials are known (e.g.,
root:password), directly log in:
mysql -u root -p -h <host>
If credentials are unknown:
- Attempt brute force using tools like Hydra:
hydra -l root -P <wordlist> -s 3306 -f <host> mysql
3. Manual Exploitation
- Logging into MySQL:
- Use provided credentials (
root:password). - Verify version and variables:
- Use provided credentials (
SHOW VARIABLES LIKE 'version%';
Enumerating Databases and Tables:
- List databases:
SHOW DATABASES;
Select and list tables in a database:
USE mysql;
SHOW TABLES;
Query specific tables (e.g., user table):
cSELECT * FROM user;
Extract hashed passwords and usernames for further exploitation.
Hash Cracking:
- Save extracted hashes into a file:
echo "<hash>" > hash.txt
Use John the Ripper or Hashcat to crack hashes:
john --wordlist=<wordlist> hash.txt
4. Automated Exploitation with Metasploit
- Search for MySQL Modules:
- Use Metasploit to identify applicable modules:
search mysql
- Example modules:
auxiliary/scanner/mysql/mysql_version: Retrieves MySQL version.auxiliary/admin/mysql/mysql_schema_dump: Dumps MySQL schema.
Executing Exploits:
- Set options:
use auxiliary/admin/mysql/mysql_schema_dump
set RHOSTS <target_IP>
set USERNAME root
set PASSWORD <password>
run
Extract:
- Database names.
- Table structures.
- User credentials.
Practical Example
- Objective: Crack a user password and gain shell access via SSH.
- Extract user hashes from the
usertable. - Crack the hash using a wordlist (e.g.,
rockyou.txt). - SSH into the system using the cracked credentials:
ssh <username>@<host_IP>
Key Findings and Outputs
- MySQL Version:
- Retrieved via
SHOW VARIABLES.
- Retrieved via
- Databases:
- Enumerated databases include
information_schema,mysql, andtest.
- Enumerated databases include
- User Table:
- Extracted usernames and password hashes.
Summary
- Manual Method:
- Efficient for learning and small-scale testing.
- Commands provide granular control.
- Automated Method:
- Useful for testing multiple targets or saving time.
- Metasploit simplifies enumeration and exploitation.
Recommendations
- Defense:
- Use strong, unique passwords.
- Restrict access to MySQL services (bind to localhost or use firewalls).
- Regularly patch MySQL installations.
- Learning:
- Practice both manual and automated methods to understand the underlying process and tools.
Room Answers
What does SMB stand for?
What type of protocol is SMB?
What do clients connect to servers using?
What systems does Samba run on?
What ports is SMB running on?
Let’s get started with Enum4Linux, conduct a full basic enumeration. For starters, what is the workgroup name?
What comes up as the name of the machine?
What operating system version is running?
What share sticks out as something we might want to investigate?
Lets see if our interesting share has been configured to allow anonymous access, I.E it doesn’t require authentication to view the files. We can do this easily by:
– using the username “Anonymous”
– connecting to the share we found during the enumeration stage
– and not supplying a password.
Does the share allow anonymous access? Y/N?
What service has been configured to allow him to work from home?
Okay! Now we know this, what directory on the share should we look in?
This directory contains authentication keys that allow a user to authenticate themselves on, and then access, a server. Which of these keys is most useful to us?
Download this file to your local machine, and change the permissions to “600” using “chmod 600 [file]”.
Now, use the information you have already gathered to work out the username of the account. Then, use the service and key to log-in to the server.
What is the smb.txt flag?
What is Telnet?
What has slowly replaced Telnet?
How many ports are open on the target machine?
What port is this?
This port is unassigned, but still lists the protocol it’s using, what protocol is this?
Now re-run the nmap scan, without the -p- tag, how many ports show up as open?
Here, we see that by assigning telnet to a non-standard port, it is not part of the common ports list, or top 1000 ports, that nmap scans. It’s important to try every angle when enumerating, as the information you gather here will inform your exploitation stage.
Always keep a note of information you find during your enumeration stage, so you can refer back to it when you move on to try exploits.
Okay, let’s try and connect to this telnet port! If you get stuck, have a look at the syntax for connecting outlined above.
Great! It’s an open telnet connection! What welcome message do we receive?
Let’s try executing some commands, do we get a return on any input we enter into the telnet session? (Y/N)
Hmm… that’s strange. Let’s check to see if what we’re typing is being executed as a system command.
Start a tcpdump listener on your local machine.
If using your own machine with the OpenVPN connection, use:
sudo tcpdump ip proto \\icmp -i tun0
If using the AttackBox, use:
sudo tcpdump ip proto \\icmp -i ens5
This starts a tcpdump listener, specifically listening for ICMP traffic, which pings operate on.
Now, use the command “ping [local THM ip] -c 1″ through the telnet session to see if we’re able to execute system commands. Do we receive any pings? Note, you need to preface this with .RUN (Y/N)
Great! This means that we are able to execute system commands AND that we are able to reach our local machine. Now let’s have some fun!
We’re going to generate a reverse shell payload using msfvenom.This will generate and encode a netcat reverse shell for us. Here’s our syntax:
Perfect. We’re nearly there. Now all we need to do is start a netcat listener on our local machine. We do this using:
“nc -lvp [listening port]”
What would the command look like for the listening port we selected in our payload?
Great! Now that’s running, we need to copy and paste our msfvenom payload into the telnet session and run it as a command. Hopefully- this will give us a shell on the target machine!
Success! What is the contents of flag.txt?
Run an nmap scan of your choice.
How many ports are open on the target machine?
What port is ftp running on?
What variant of FTP is running on it?
Great, now we know what type of FTP server we’re dealing with we can check to see if we are able to login anonymously to the FTP server. We can do this using by typing “ftp [IP]” into the console, and entering “anonymous”, and no password when prompted.
What is the name of the file in the anonymous FTP directory?
could be?
Great! Now we’ve got details about the FTP server and, crucially, a possible username. Let’s see what we can do with that…
What is the password for the user “mike”?
Bingo! Now, let’s connect to the FTP server as this user using “ftp [IP]” and entering the credentials when prompted
What is ftp.txt?
