Note

It typically runs on port 3306

Nmap scan

nmap 10.129.14.128 -sV -sC -p3306 --script mysql*

HTB Cheatsheet

CommandDescription
mysql -u <user> -p<password> -h <IP address>Connect to the MySQL server. There shouldย notย be a space between the โ€˜-pโ€™ flag, and the password.
show databases;Show all databases.
use <database>;Select one of the existing databases.
show tables;Show all available tables in the selected database.
show columns from <table>;Show all columns in the selected table.
select * from <table>;Show everything in the desired table.
select * from <table> where <column> = "<string>";Search for neededย stringย in the desired table.

You should check Footprinting Theory ๐ŸŒš to get further knowledge.

Where to find credentials

  • Most of the times root creds will be stored under the /var/www directory, maybe in a .php file or something like that. Always deeply check all the files inside
    • Inside the directory there are always the html directory and maybe others (where it is located the real sugar)

Basic commands

  • To connect to a mysql database run:
mysql -u root -h IP -p
# or directly enumerate
mysql -h db -u root -proot database -e 'show tables;'
  • To see databases: show databases;

  • To use one database: use DATABASE_NAME;

  • To see tables of database: show tables;

  • To modify a value: update runcheck set run = 1;

  • Now (when you inside a table) you can do: select * from TABLE_NAME

  • To quit run: quit

  • In web browser, if you find a cookie, try adding a the end of its value a ' like:

  • If so, you can try some sql injections with sqlmap or by yourself