HTB Academy Footprinting MySQL

HTB Content
1

I can’t get my head around this “During our penetration test, we found weak credentials “robin:robin”. We should try these against the MySQL server. What is the email address of the customer “Otto Lang”?” … and this makes me feel super dumb.

I tried ‘mysql -u -p ’ with like a thousand different possibilities, changing ports, adding domain name, dozens of common username and mirrored, reversed, scrambled and whatever username as pass. I always get that same ‘ERROR 2002 (HY000): Can’t connect to local MySQL server through socket ‘/run/mysqld/mysqld.sock’ (2)’

Also tried nmap mysql-enum and mysql-brute scripts with the footprinting name list from the module.
Went back to SMTP enum to try and find mail address for Otto Lang.
Looked at HackTricks and Pentestmonkey to find if i missed some obvious.

What did I miss please ?

2

because the ip address using -h [ip address]

3 Likes
3

Sorry for late reply, but tried already with -h and didn’t go anywhere.

This is what i would get then : ERROR 1045 (28000): Access denied for user ‘robin’@‘10.10.XX.XX’ (using password: NO)

and if I try with the password…

ERROR 2002 (HY000): Can’t connect to local MySQL server through socket ‘/run/mysqld/mysqld.sock’ (2)

4

Were you able to fix this? Im having the same issue :confused:

5

https://dev.mysql.com/doc/refman/8.0/en/connecting-disconnecting.html
Dai un occhiata alla documentazione :slight_smile:

1 Like
6

Meaning that server is down ???
Because that’s the kind of confirmation I was looking for. :wink:
I’ll check on it again today. If I still get the same result I’ll contact them in chat.

7

No hai capito male…:slight_smile: L’errore è nel modo in qui formuli il comando per collegarti…
Prova cosi mysql -h host -u user -p
(dopo la p non mettere la passw.Te la chiederà in seguito).

2 Likes
8

You’re right mate :v:
The problem was I wasn’t using -h for the host. It seems it’s missing in the command I’ve wrote for myself…because it is missing in one of the academy commands. @NPTG was right too. Lol
For some reason i thought -h was to be used for passwordless only :yum:
Thx for the help mate :wink:

9

Di nulla…
So cosa si prova a restare bloccati su una domanda :slight_smile:

10

Di nulla :slight_smile:

11

nice! :smiley:

12

Do Like This:
connect to user robin through ssh with pass robin
mysql -V – [For Version]
mysql -urobin -probin Note:- Don’t Give Space after -p
SHOW DATABASES;
use customers;
show Tables;
select * from [table name];
copy and grep for otto

2 Likes
13

Hello! Can somebody help! It’s not the first when I try in the HTB pwnbox and it’s not working . I’m running this command : python3 mssqlclient.py backdoor@10.129.195.164 -windows-auth
And I get this message. What shoul I do? python3: can’t open file ‘/home/htb-ac-1386447/mssqlclient.py’: [Errno 2] No such file or directory

14

i was getting errors for self-signed cert when i tried to connect w/ mysql. if anybody else is struggling, try this switch: --ssl-verify-server-cert=FALSE

15

hahahahahah this is so funny friend, this was my case:

mysql -u robin -p robin -h 10.129.20.77 --ssl-verify-server-cert=FALSE

Enter password:
ERROR 1049 (42000): Unknown database ‘robin’

so…

mysql -u robin -p sys -h 10.129.20.77 --ssl-verify-server-cert=FALSE

Enter password:
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 50
Server version: 8.0.27-0ubuntu0.20.04.1 (Ubuntu)

Is this normal!?

16

yes, now just use mysql commands to find what you need.

17

that took me 5 secs =) thanks 4 ur reply dude :wink:

18

thanks dude