Password Attacks - Password Reuse / Default Passwords

Thanks it worked

whoever made it so you can’t actually login into mysql is fucking special ngl.
I used a bash script that would work perfectly fine in a normal environment in which mysql is actually used / can be logged into.

This is the only module which is like an actual dumpster fire and it’s such a shame. Concepts they teach here are very important but how they do it is such pathetic disaster. Especially if we take all their talk about how mindsets and all that BS at the start of the CPTS path. Truly a shame.

sed ‘s/[^,]*,//; s/,/:/’ data.csv > file.txt
Assuming data.csv format is v1,v2,v3
This command will produce a v2:v3 per line file

For those who want to do command line brute forcing:

#!/bin/bash

# Check if the file "cred.txt" exists
if [ -f "cred.txt" ]; then
  # Read each line of the file and process it
  while IFS= read -r line; do
    # Split the line into two variables using ":" as the delimiter
    IFS=":" read -r word1 word2 <<< "$line"
    
    # Now you can work with word1 and word2 separately
    echo "First word: $word1"
    echo "Second word: $word2"
    mysql -u $word1 -p$word2
  done < "cred.txt"
else
  echo "File 'cred.txt' does not exist."
fi

I mean, we’re on a brute forcing chapter so a quick N dirty script to do brute force without access to tools is nice :slight_smile:

bro, trust me, none of these they suggested to you were real suggestions, except partially the one from : wfsahuo3
the purpose of this module is to demonstrate that passwords are reused or at least some are default, so the only option you have is
don’t use hydra, because it’s useless,
you simply have to use the s***** credentials to log in via ssh and evaluate which of the credentials provided by this link:
https://raw.githubusercontent.com/ihebski/DefaultCreds-cheat-sheet/main/DefaultCreds-Cheat-Sheet.csv
they allow you to enter mysql server, no
Port forwarding, no bash scripts, no once you have proven the credentials that allow you to enter the server you are done, use those credentials to answer the question .

1 Like

I’m stuck. I have referenced the list (https://raw.githubusercontent.com/ihebski/DefaultCreds-cheat-sheet/main/DefaultCreds-Cheat-Sheet.csv) and none of the 4 sets of credentials are working for me. I can’t figure out how to get in to MySQL from sam’s SSH. I am currently running the mutated password list against kira but in the meantime, this MySQL thing is kicking my ■■■■.

Any help? Thank you.

EDIT: I figured it out. Idk what I was doing wrong… I feel like I type in that command with those credentials several times but hey, at least I got through.

Thanks! Your comment saved me a ton of time!

So after all the trouble with the last lab, I have to repeat it because I didn’t save the credentials?

Thank you soooo much. Gosh, I hadn’t thought to actually start the process. :slight_smile:

You don’t need to brute force anything on this one.
SSH in as before, use ‘mysql -u … -p’ syntax for the my SQL login and use the DefaultCreds script lin on the page to search for MySQL logins.

from where i did you find this link was it mentioned in any where after we ssh into the server ? or did you just goolge default mysql password and find this

Hello! If you look at the standard mysql passwords and start trying to enter them, then one of these values ​​will be what you need! To find the standard values, yes, you need to google