Metasploitable 2 Walkthrough: Part VII

Exploiting Port 3306 – MySQL

MySQL is an open-source relational database management system. A relational database organizes data into one or more tables of rows and columns, and rows in different tables can be related to each other through shared key values.

There are several things to try when connecting to the MySQL service running on the Metasploitable 2 VM.

Blank password

The MySQL database in Metasploitable 2 has negligible security, so you can connect to it with the mysql client on Kali by specifying only the username and the host IP. The password is left blank.

Connecting to SQL without password

Once you have root access to the database, you can do anything.

Brute forcing MySQL using Hydra

Brute forcing MySQL is essentially the same as brute forcing any other service, so the same tools and techniques apply.

Brute forcing MySQL with Hydra

Brute forcing MySQL using Metasploit

Use the proper auxiliary module. Note that in order to successfully use this, you'll need some wordlists for username and password combinations. Try using a single user (root) and the rockyou list for passwords:

Brute forcing MySQL with Metasploit

The result is the same as before; the root account has a blank password.
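On the defending side, a Hydra or Metasploit run like the one above leaves a very recognisable trail in the MySQL error log once failed logins are being recorded. The Python below is an added example (not part of this walkthrough, nor of Hydra or Metasploit): it assumes a 5.x-style error log and runs over a constructed excerpt, flagging sources that pile up denials inside a short window and counting attempts that sent no password at all.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MySQL error-log excerpt (lines like these are written when
# log_warnings > 1); the "Access denied" wording is MySQL's, the rest is made up.
SAMPLE_LOG = """\
230501 10:00:01 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
230501 10:00:01 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
230501 10:00:02 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
230501 10:00:02 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
230501 10:00:03 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
230501 10:00:03 [Warning] Access denied for user 'admin'@'10.0.0.5' (using password: NO)
230501 10:45:00 [Warning] Access denied for user 'www'@'10.0.0.9' (using password: YES)
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d{6} \d{2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' \(using password: (?P<pw>YES|NO)\)$")

def parse_denials(text):
    """Yield (timestamp, user, host, client_sent_a_password) per matching line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S")
            yield ts, m.group("user"), m.group("host"), m.group("pw") == "YES"

def detect_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """{host: total denials} for sources with >= threshold denials inside any
    window-long span; a sliding window over each source's sorted timestamps."""
    by_host = defaultdict(list)
    for ts, _user, host, _sent in parse_denials(text):
        by_host[host].append(ts)
    hits = {}
    for host, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # drop timestamps older than the window
                start += 1
            if end - start + 1 >= threshold:
                hits[host] = len(stamps)
                break
    return hits

def blank_password_attempts(text):
    """Denials where the client sent no password at all: a tool trying the
    empty string, which is exactly what opens this box's root account."""
    return sum(1 for _ts, _u, _h, sent in parse_denials(text) if not sent)
```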

Exploiting MySQL using Metasploit

Once you have credentials to connect to the MySQL server, you will want to pivot from recon mode to attack mode. This means using different modules from MSF: whereas the initial module was a scanner, the subsequent ones are admin modules.

There are two different ways to exploit the MySQL server to obtain system information and database information. These are covered below.

The mysql_sql auxiliary module can be used to connect to the remote database and execute SQL statements. As an example, call SQL's load_file() function to read the contents of /etc/passwd and get a list of users on the system.

Executing SQL commands with Metasploit

Enumerating MySQL users with Metasploit

This module will enumerate all of the MySQL accounts on the system and their various privileges.

Enumerating MySQL users with Metasploit

Since we already have access to the root user in MySQL, there's no need to brute force other login names. However, if there were many users in a complex database, this might yield a treasure trove of usernames with different privileges, allowing you to see different sections of the database.
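The account and privilege list that this enumeration produces is also what you would audit on a server you actually own. The Python below is an added example, not a Metasploit module: it assumes rows pulled from mysql.user (constructed here, keys lower-cased) and flags the conditions this walkthrough relies on, namely blank passwords, accounts reachable from any host, remote root, and the FILE privilege that makes load_file() work.

```python
# Constructed rows in the shape of SELECT user, host, password, file_priv
# FROM mysql.user on a MySQL 5.x server (keys lower-cased); the accounts and
# the '*' + 40-hex hash values are made up for this example.
SAMPLE_USERS = [
    {"user": "root", "host": "%", "password": "", "file_priv": "Y"},
    {"user": "root", "host": "localhost", "password": "", "file_priv": "Y"},
    {"user": "debian-sys-maint", "host": "localhost",
     "password": "*" + "A" * 40, "file_priv": "Y"},
    {"user": "guest", "host": "%", "password": "*" + "B" * 40, "file_priv": "N"},
    {"user": "", "host": "localhost", "password": "", "file_priv": "N"},
]
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def audit_user(row):
    """Findings for one mysql.user row, in a fixed order."""
    findings = []
    remote = row["host"] not in LOCAL_HOSTS
    if row["password"] == "":
        findings.append("blank password")
    if row["user"] == "":
        findings.append("anonymous account")
    if row["host"] in ("%", ""):
        findings.append("reachable from any host")
    if row["user"] == "root" and remote:
        findings.append("remote root login")
    if row["file_priv"] == "Y" and remote:
        findings.append("FILE privilege usable over the network (load_file)")
    return findings

def audit_users(rows):
    """Map (user, host) -> findings, keeping only accounts that have any."""
    report = {}
    for row in rows:
        findings = audit_user(row)
        if findings:
            report[(row["user"], row["host"])] = findings
    return report

def worst_accounts(rows):
    """Accounts that combine a blank password with network reachability,
    which is exactly the condition the walkthrough exploits."""
    return sorted(key for key, f in audit_users(rows).items()
                  if "blank password" in f and "reachable from any host" in f)
```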

Take a look at the credentials you have stored so far:

Credentials stored in the MSF database

Dumping the MySQL database contents

Use the show databases SQL command to list the databases available.

Dumping the MySQL Database contents

Use the use databasename SQL command to switch to a particular database.

Selecting the database to use

Once you've selected a particular database, you can start to explore it.

Exploring the database contents

Select a different database and explore it.

Selecting and exploring a different database

You can use the describe command to list the fields in each SQL table, along with their data types.

Describing the accounts table

Describing the credit cards table

Dumping the MySQL database contents using mysqlshow

You can also use mysqlshow to list the contents of the database. Use the --host option to point it at a remote database.

Dumping the MySQL database with mysqlshow

Dumping the MySQL database contents using mysqldump

Like mysqlshow, mysqldump accepts the --host argument. To dump a table, run the command like this:

# mysqldump --host=10.0.0.27 [database] [tablename]

This produces an SQL script that will recreate the entire database from scratch. Be careful: run mysqlshow --count first so you don't dump out a 500 GB database by accident.

DVWA

Try it with the dvwa database:

Counting the dvwa database with mysqlshow

Unfortunately, the current version of mysqldump doesn't work with the currently available version of Metasploitable 2. An older Kali version (2015) works just fine, and dumping the dvwa web app's database reveals some usernames and password hashes.

Dumping the dvwa database with mysqldump

Table users in the dvwa database

From this, we can see a couple of interesting things.

First, there are 5 users in this web app. The password field of the table consists of strings of 33 characters, in hex. You can use Hash-Identifier to identify the hash type.

Running Hash Identifier

It looks like an MD5 hash. My advice: pay attention to the gathered info, but don't waste time trying to crack this.

OWASP10

The owasp10 database has some very good info too.

One table has plain-text passwords.

Table users in the owasp10 database

Another has credit card details.

Table credit cards in the owasp10 database
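Judging what a dump like this actually exposes (hashes, card numbers, or passwords sitting in the clear) can be automated. The Python below is an added example, not part of mysqldump or of this walkthrough: it parses a constructed dump excerpt in mysqldump's CREATE TABLE / INSERT form and labels the columns that hold MD5-shaped hashes, Luhn-valid card numbers, or plaintext passwords.

```python
import re

# Constructed mysqldump-style excerpt (one statement per line). Table and column
# names follow the dvwa and owasp10 tables shown above; every value is made up
# (the hex strings are not real hashes; the card numbers are standard test numbers).
SAMPLE_DUMP = """\
CREATE TABLE `users` (`user_id` int, `user` varchar(15), `password` varchar(32));
INSERT INTO `users` VALUES (1,'admin','0123456789abcdef0123456789abcdef'),(2,'pablo','fedcba9876543210fedcba9876543210');
CREATE TABLE `accounts` (`cid` int, `username` varchar(15), `password` varchar(15), `mysignature` text);
INSERT INTO `accounts` VALUES (1,'admin','pw-one','sig one'),(2,'adrian','pw-two','sig two');
CREATE TABLE `credit_cards` (`ccid` int, `ccnumber` text, `ccv` text);
INSERT INTO `credit_cards` VALUES (1,'4111111111111111','745'),(2,'5500000000000004','123'),(3,'0123456789012345','999');
"""
CREATE_RE = re.compile(r"^CREATE TABLE `(\w+)` \((.*)\);$")
INSERT_RE = re.compile(r"^INSERT INTO `(\w+)` VALUES (.*);$")
TUPLE_RE = re.compile(r"\(((?:'(?:[^'\\]|\\.)*'|[^()'])*)\)")   # one (...) value tuple
VALUE_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|([^,]+)")             # quoted or bare value
HEX32 = re.compile(r"^[0-9a-f]{32}$", re.I)

def luhn_ok(digits):
    """Luhn checksum: the usual first filter for card-number-shaped strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def parse_dump(dump):
    """Return {table: (column names, rows)} from CREATE TABLE / INSERT lines."""
    tables = {}
    for line in dump.splitlines():
        if m := CREATE_RE.match(line):
            tables[m.group(1)] = (re.findall(r"`(\w+)`", m.group(2)), [])
        elif m := INSERT_RE.match(line):
            for tup in TUPLE_RE.findall(m.group(2)):
                tables[m.group(1)][1].append([q or bare for q, bare in VALUE_RE.findall(tup)])
    return tables

def classify_columns(dump):
    """{(table, column): label} for columns holding hashes, card numbers or
    plaintext passwords; other columns are left unlabelled."""
    labels = {}
    for table, (cols, rows) in parse_dump(dump).items():
        for idx, col in enumerate(cols):
            vals = [r[idx] for r in rows]
            cards = sum(1 for v in vals if v.isdigit() and 13 <= len(v) <= 19 and luhn_ok(v))
            if vals and all(HEX32.match(v) for v in vals):
                labels[(table, col)] = "md5-shaped hashes"
            elif cards:
                labels[(table, col)] = f"card numbers ({cards}/{len(vals)} Luhn valid)"
            elif "pass" in col.lower():
                labels[(table, col)] = "plaintext passwords"
    return labels
```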

Several other tools can be used to enumerate and exploit this MySQL database but all revolve around the same basic procedures.


2 comments:

lola said...

Great work! Thanks for the tutorial. Where can I get the rockyou.txt file?

Rui Natário said...

Just Google for "rockyou passwords" or something similar. I would use the classic file and not the 2021 version (much bigger).