Hack the Box – Sequel

# Information:

Platform Name: Hack the Box

Machine Challenge: Sequel

Machine Status: Starting Point

Challenge Level: Very Easy

# Used Tools:

  • Linux
  • nmap
  • MariaDB

# Challenge Description:

This challenge has a list of questions that need to be answered in order to retrieve the flag. We will answer every question.

# Writeup:

Task 1:

During our scan, which port do we find serving MySQL?

Answer: We find port 3306.


Task 2:

What community-developed MySQL version is the target running?

Answer: The target is running MariaDB.


Task 3:

When using the MySQL command line client, what switch do we need to use in order to specify a login username?

Answer: The switch is -u.

If you enter on your terminal the command “man mysql” you will have access to the manual of mysql. This manual will tell you all the switches that you can use with mysql.


Task 4:

Which username allows us to log into this MariaDB instance without providing a password?

Answer: The username is root.

I searched on google to find out which username doesn’t require a password for MariaDB and I discovered that the username is root.

After knowing all this, I tried to login and for that I used the following command:

mysql -h <your_IP_here> -u root

In the command above, we already know that the switch -u is to specify the username. The switch -h specify the host and the switch -P specify the port number.

You can see the login in the image below.

Image 1

Task 5:

In SQL, what symbol can we use to specify within the query that we want to display everything inside a table?

Answer: The symbol is *.


Task 6:

In SQL, what symbol do we need to end each query with?

Answer: The symbol is ;

After you log in, if you enter the command “help” you’ll see a lot of information about commands that you can use in MariaDB and you will see that you need to end each query with the symbol ;

You can see this in the image below:

Image 2

Task 7:

There are three databases in this MySQL instance that are common across all MySQL instances. What is the name of the fourth that’s unique to this host?

Answer: The name of the fourth that’s unique to this host is htb.

To answer this I had to familiarize myself with this Database. To do that I inserted the “help” command and saw what options I had to display all the databases in this MySQL instance. You can see this in the image below:

Image 3

As you can see in image 3 we don’t have any command that displays all the databases. So, as you can see in image 3 we have a command that is “help contents” and I used this command to see what other options I had. You can see the result in image 4.

Image 4

As you can see in image 4, we have a lot of categories and we can try and see every single one. But for your sake I just will tell you that the command that we need is in the “Administration” category.

To see the command you just need to enter the following command:

help Administration;

The image below is the output:

Image 5

As you can see, know we have a lot of commands that we can use and we have the command that will list the databases. That command is:

SHOW DATABASES;
Image 6

In image 6 we have the answer to this task.

Now that we know that the “htb” database is the one that we want to use, we just need to use the command:

USE htb;

I know that this is the command because if you see image 3 you’ll see that the command “USE” is the command used to access a database.

As you can see in image 7, MariaDB didn’t had any argument:

Image 7

But after we entered the command “USE htb;”, MariaDB gained htb as a argument:

Image 8

Now, we just need to see what tables are inside of htb database. To do that we can insert the following command:

SHOW TABLES;

The outputs is:

Image 9

In image 9 we can see that we have 2 tables and to see where the flag was, I listed everything inside of both tables. To do that I used the following command:

SELECT * FROM <table_name_here>

Note: Remember (from task 5) that we use the “*” to print all columns from the table that you choose to see. The command above can be found by following this steps:

help contents; -> help Data Manipulation; -> help Select;


You can see the output of the command “SELECT * FROM <table_name_here>” in image 10.

Image 10

You can see in the image above that I choose to see what was inside of the “users” table and there is no flag here.

So, we know that the one that has the flag is the “config” table. To see it’s contents we use the same command that we used to list the contents of the “users” table.

The output was the following:

Image 11

And we have our flag.


Submit root flag:

Show flag
7b4bec00d1a39e3dd4e021ec3d915da8


Thank you very much for reading!

Cheers,

SoBatista


Leave a Reply

Your email address will not be published. Required fields are marked *