# Enumerating MySQL

**Let's Get Started**

Before we begin, make sure to deploy the room and give it some time to boot. Please be aware, this can take up to five minutes so be patient!

**When you would begin attacking MySQL**

MySQL is likely not going to be the first port of call when it comes to getting initial information about the server. You can, as we have in previous tasks, attempt to brute-force default account passwords if you really don't have any other information. However, in most CTF scenarios, this is unlikely to be the avenue you're meant to pursue.

**The Scenario**

Typically, you will have gained some initial credentials from enumerating other services, which you can then use to enumerate and exploit the MySQL service. As this room focuses on exploiting and enumerating the network service, for the sake of the scenario, we're going to assume that you found the **credentials: "root:password"** while enumerating subdomains of a web server. After trying the login against SSH unsuccessfully, you decide to try it against MySQL.

**Requirements**

You're going to want to have the MySQL client installed on your system in order to connect to the remote MySQL server. In case this isn't already installed, you can install it using "sudo apt install default-mysql-client". Don't worry, this won't install the server package on your system, just the client.

Again, we're going to be using Metasploit for this, so it's important that you have Metasploit installed, as it is by default on both Kali Linux and Parrot OS.

**Alternatives**

As with the previous task, it's worth noting that everything we're going to be doing using Metasploit can also be done either manually or with a set of non-Metasploit tools such as nmap's mysql-enum script: <https://nmap.org/nsedoc/scripts/mysql-enum.html> or <https://www.exploit-db.com/exploits/23081>. I recommend that, after you complete this room, you go back and attempt it manually to make sure you understand the process that is being used to display the information you acquire.

Okay, enough talk. Let's get going!

As always, let's start out with a port scan, so we know what port the service we're trying to attack is running on. What port is MySQL using?

Good, now we think we have a set of credentials. Let's double check that by manually connecting to the MySQL server. We can do this using the command "mysql -h \[IP] -u \[username] -p"

Okay, we know that our login credentials work. Let's quit out of this session with "exit" and launch Metasploit.

We're going to be using the "mysql\_sql" module.

Search for, select and list the options it needs. What three options do we need to set? (in descending order).

Run the exploit. By default it will test with the "select version()" command. What result does this give you?

Great! We know that our exploit is landing as planned. Let's try to gain some more ambitious information. Change the "sql" option to "show databases". How many databases are returned?
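From the defender's side, the steps above leave a recognisable trail when the server's general query log is enabled: a remote root login followed by metadata queries such as `select version()` and `show databases`. The sketch below is an added example, not part of the original room; the log lines are constructed, and the tab-separated field layout, the `find_remote_enumeration` name and the extra metadata queries beyond the two used above are assumptions.

```python
import re

# Constructed sample in the layout of the MySQL general query log
# (timestamp, thread id + command, argument, tab-separated). Not real data.
SAMPLE_LOG = """\
2024-05-01T10:15:02.100000Z\t   12 Connect\troot@10.10.14.5 on  using TCP/IP
2024-05-01T10:15:02.200000Z\t   12 Query\tselect version()
2024-05-01T10:15:03.300000Z\t   12 Quit\t
2024-05-01T10:15:09.100000Z\t   13 Connect\troot@10.10.14.5 on  using TCP/IP
2024-05-01T10:15:09.200000Z\t   13 Query\tshow databases
2024-05-01T10:16:00.000000Z\t   14 Connect\tapp@localhost on shop using Socket
2024-05-01T10:16:00.100000Z\t   14 Query\tSELECT id FROM orders WHERE id = 7
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
CONNECT = re.compile(r"(?P<user>[^@\s]+)@(?P<host>\S+) on ")
# The two statements used in the walkthrough, plus a few similar metadata queries.
ENUM_QUERY = re.compile(
    r"(select\s+(version|user|database)\s*\(\s*\)|show\s+(databases|tables|grants))",
    re.IGNORECASE,
)


def find_remote_enumeration(log_text, watched_users=("root",)):
    """Return remote sessions by watched users that ran enumeration queries."""
    findings, active = [], {}
    for line in log_text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2:
            continue
        tid, _, command = parts[1].strip().partition(" ")
        if not tid.isdigit():
            continue  # header or continuation line, not a log record
        arg = parts[2].strip() if len(parts) > 2 else ""
        if command == "Connect":
            active.pop(tid, None)
            m = CONNECT.match(arg)
            if m and m["user"] in watched_users and m["host"] not in LOCAL_HOSTS:
                active[tid] = {"thread": int(tid), "user": m["user"],
                               "host": m["host"], "queries": []}
                findings.append(active[tid])
        elif command == "Query" and tid in active and ENUM_QUERY.match(arg):
            active[tid]["queries"].append(arg)
        elif command == "Quit":
            active.pop(tid, None)
    return [f for f in findings if f["queries"]]


if __name__ == "__main__":
    for f in find_remote_enumeration(SAMPLE_LOG):
        print(f"thread {f['thread']}: {f['user']}@{f['host']} ran {f['queries']}")
```

Each finding pairs the remote client address with the metadata queries it ran, which is the starting point for restricting the root account to local connections and rotating the exposed password.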

