Sunday, 25 August 2013

Resetting mysql root password without knowing the old one

This is an interesting one: I regularly forget the mysql password for my server. It is one of the most irritating feelings especially when I'm ready to use it and develop some server-side component of my project.

I came across this:

The link gives a step-by-step guide to resetting your MySQL database's root user password in case you forgot it. All you need is the root/admin account on the box, so that you can stop the MySQL daemon and restart it in a "no-privilege-check" mode.

In light of this working for me, it dawned on me that when I do CTF competitions, we easily get access to the root/admin user on another team's server. Being able to change their password and dump (or destroy) their database might be a useful trick to know.

In other words, I'm just putting this here and one day it'll be put to use in a competition or for my personal use again -- let's face it: If at this stage, I keep forgetting the password, I'll keep forgetting it. Best to remember how to reset it.

In case the link dies:

How can I reset my MySQL password?

Warning: Following this procedure, you will disable access control on the MySQL server. All connections will have root access. It is a good thing to unplug your server from the network or at least disable remote access.
To reset your mysqld password just follow these instructions:
  • Stop the mysql daemon process using this command:
    •    sudo /etc/init.d/mysql stop
  • Start the mysqld daemon process using the --skip-grant-tables option with this command:
    •    sudo /usr/sbin/mysqld --skip-grant-tables --skip-networking &
Because you are not checking user privs at this point, it's safest to disable networking. In Dapper, /usr/bin/mysqld... did not work. However, mysqld --skip-grant-tables did.
  • Start the mysql client process using this command:
    •    mysql -u root
  • From the mysql prompt, execute this command to be able to change any password
  • Then reset/update your password 
    •    SET PASSWORD FOR root@'localhost' = PASSWORD('password');
  • If you have a mysql root account that can connect from everywhere, you should also do:
    •    UPDATE mysql.user SET Password=PASSWORD('newpwd') WHERE User='root';
  • Alternate Method:
    •    USE mysql
         UPDATE user SET Password = PASSWORD('newpwd')
         WHERE Host = 'localhost' AND User = 'root';
  • And if you have a root account that can access from everywhere:
    •    USE mysql
         UPDATE user SET Password = PASSWORD('newpwd')
         WHERE Host = '%' AND User = 'root';
For either method, once you have received a message indicating a successful query (one or more rows affected), flush privileges:
Then stop the mysqld process and relaunch it the usual way:

sudo /etc/init.d/mysql stop
sudo /etc/init.d/mysql start
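
A check to run after the final restart, added here as an example (it is not part of the original post or the quoted wiki text): it reads process command lines and flags any mysqld still running with --skip-grant-tables, treating one without --skip-networking as critical. The function names and verdict labels are this example's own, and the sample process list is constructed.

```shell
#!/bin/sh
# Flag mysqld processes running with privilege checks disabled (input: `ps -eo args` lines).

# classify_mysqld_cmdline "<command line>" prints one verdict:
#   SKIP      not a mysqld / mysqld_safe process
#   OK        started with normal privilege checks
#   WARN      --skip-grant-tables with --skip-networking (reset in progress)
#   CRITICAL  --skip-grant-tables without --skip-networking
classify_mysqld_cmdline() (
    line=$1
    first=${line%% *}              # the executable is the first word
    case "${first##*/}" in         # drop the directory part
        mysqld|mysqld_safe) ;;
        *) echo SKIP; exit 0 ;;
    esac
    # MySQL treats '-' and '_' as interchangeable inside option names.
    opts=" $(printf '%s' "$line" | tr '_' '-') "
    case "$opts" in
        *" --skip-grant-tables "*)
            case "$opts" in
                *" --skip-networking "*) echo WARN ;;
                *) echo CRITICAL ;;
            esac ;;
        *) echo OK ;;
    esac
)

# audit_process_list: read command lines on stdin, print findings, exit 1 on any CRITICAL.
audit_process_list() (
    rc=0
    while IFS= read -r line; do
        case "$(classify_mysqld_cmdline "$line")" in
            WARN) printf 'WARN: %s\n' "$line" ;;
            CRITICAL) printf 'CRITICAL: %s\n' "$line"; rc=1 ;;
        esac
    done
    exit "$rc"
)

# Constructed sample; on a live host run: ps -eo args | audit_process_list
sample_process_list() {
    printf '%s\n' \
        '/usr/sbin/mysqld --skip-grant-tables --skip-networking' \
        '/usr/sbin/mysqld --skip_grant_tables --port=3306' \
        '/usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql' \
        'grep mysqld'
}

sample_process_list | audit_process_list || echo "mysqld is running without access control"
```

A skip-grant-tables line placed in my.cnf does not appear in the process arguments, so check the configuration file as well.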

Sunday, 24 March 2013

iCTF 2012

The UCSB iCTF was moved from December 2012 to March 22nd, 2013. I've been part of this event at my university for 2 years now and we keep getting better.

UTM has an information security program which I'm about to graduate from. We learn about hacking and other security-related issues, but we don't have enough practice. For 2 years, we've been making a team of people who take our CSC347 Intro to InfoSec class and have them hack away at the competition. Our setup is usually just "show up day-of and do our best".

This year, I wanted to do it differently: I wanted to have an experienced team. For 10 weeks, I held 3-hour training sessions for the purpose of training students on security issues related to the iCTF. These issues comprised web application security (attack AND defense), secure communication and intrusion detection. In addition, we looked at writing homebrew exploits using Python to perform automated chaos.

The competition came around and we were prepared: VPN setup confirmed and tested, Backtrack on all machines, Twitter feed and mailing list updates live. Our team was set. Of course, as our prof says: All things technology must fail: Couldn't keep the VPN up more than 30 seconds... For 10 hours, we weren't able to log into our server running all of our services. We didn't do too well, but we were prepared and that's important.

I learned a lot about security this year. I'm about to graduate and I'm confident in what I know and what I can build on. Currently, we're talking about building our own little CTF for the security kids at UTM. We want them to learn on their own and capture flags in things they've never seen before: true hackers!

Imagine an Android app with a MITM weakness revealing a flag. Alternatively, suppose we build a webapp with an SQLi vulnerability allowing a database dump of SHA1 passwords; can you find the flag? Better yet, a social network with a clever JS exploit which takes over your computer (malware)... can you find the C&C server and exploit it to find the flag?

Let's see. Coming to UTM Summer 2013?