Nmap Results →

Nmap scan report for 10.10.96.154
Host is up (0.049s latency).
Not shown: 65529 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 28:0c:0c:d9:5a:7d:be:e6:f4:3c:ed:10:51:49:4d:19 (RSA)
|   256 17:ce:03:3b:bb:20:78:09:ab:76:c0:6d:8d:c4:df:51 (ECDSA)
|_  256 07:8a:50:b5:5b:4a:a7:6c:c8:b3:a1:ca:77:b9:0d:07 (ED25519)
3306/tcp  open  mysql   MySQL 5.7.29-0ubuntu0.18.04.1
| mysql-info: 
|   Protocol: 10
|   Version: 5.7.29-0ubuntu0.18.04.1
|   Thread ID: 3
|   Capabilities flags: 65535
|   Some Capabilities: Support41Auth, Speaks41ProtocolOld, ConnectWithDatabase, Speaks41ProtocolNew, SwitchToSSLAfterHandshake, IgnoreSigpipes, LongPassword, FoundRows, SupportsLoadDataLocal, SupportsTransactions, InteractiveClient, DontAllowDatabaseTableColumn, SupportsCompression, LongColumnFlag, IgnoreSpaceBeforeParenthesis, ODBCClient, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: \\x06
| y^\\x0Bg/Q[jN9s=Z\\x12ohF\\x1E
|_  Auth Plugin Name: mysql_native_password
9999/tcp  open  abyss?
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest, HTTPOptions: 
|     HTTP/1.0 200 OK
|     Date: Sun, 12 Jul 2020 13:18:28 GMT
|     Content-Length: 4
|     Content-Type: text/plain; charset=utf-8
|     king
|   GenericLines, Help, Kerberos, LDAPSearchReq, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|_    Request
15065/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Host monitoring
16109/tcp open  unknown
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Date: Sun, 12 Jul 2020 13:18:28 GMT
|     Content-Type: image/jpeg
|     JFIF
|     #*%%*525EE\\xff
|     #*%%*525EE\\xff
|     $3br
|     %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
|     &'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
|     Y$?_
|     qR]$Oyk
|_    |$o.
46969/tcp open  telnet  Linux telnetd

MySQL

First of all, the syntax to log in to MySQL is:

mysql -h <ip> -u root -p 

In this case they were just using root:root, so it was easy peasy. Once we get in, we can see the databases by doing:

show databases;
use user;
show tables;
select * from table1;

This lists the databases, switches to the database called user, shows the tables it contains, and then selects everything from the table we found.

We get our first flag immediately, along with SSH credentials.
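
The root:root login works here because the root account accepts connections from other hosts with a guessable password. An audit and lock-down pass for a MySQL 5.7 server like this one could look like the following; it is an added example, not part of the original write-up, and the app account, the appdb database, the 10.0.0.5 host and the password placeholders are hypothetical.

```sql
-- Added hardening example for MySQL 5.7 (not from the original write-up).
-- Run as an administrative user from a local session on the database host.

-- 1. Audit: which accounts exist, from which hosts, with which auth plugin?
SELECT user, host, plugin, account_locked, password_expired
FROM mysql.user
ORDER BY user, host;

-- 2. Audit: native-password accounts that have no password hash at all.
SELECT user, host
FROM mysql.user
WHERE plugin = 'mysql_native_password'
  AND (authentication_string IS NULL OR authentication_string = '');

-- 3. Audit: is the server listening on every interface?
--    A value of * or 0.0.0.0 matches the open 3306/tcp seen in the scan.
--    Changing it means setting bind-address in the server config and restarting.
SHOW VARIABLES LIKE 'bind_address';

-- 4. Enforce a password policy before setting new passwords.
--    INSTALL PLUGIN returns an error if the plugin is already installed.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = 'MEDIUM';
SET GLOBAL validate_password_length = 14;

-- 5. Remove network-reachable root entries and rotate the local one.
--    Replace the placeholder with a generated secret that meets the policy.
DROP USER IF EXISTS 'root'@'%';
ALTER USER 'root'@'localhost' IDENTIFIED BY '<generated-root-password>';

-- 6. Give the application its own account, limited to one host and one schema
--    (hypothetical names), instead of letting it connect as root.
CREATE USER 'app'@'10.0.0.5' IDENTIFIED BY '<generated-app-password>';
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'app'@'10.0.0.5';

-- 7. Verify: root should now appear only with a local host value.
SELECT user, host FROM mysql.user WHERE user = 'root';
SHOW GRANTS FOR 'app'@'10.0.0.5';
```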
