 Database Password is the first challenge in the intermediate category from the Ryan Nicholson CTF, worth 30 points, and the prompt here is: what is the plaintext password of the flag user in the MySQL database? So we get a link here that we can use to log into a web shell. The login is CTF1 and challenge1 and we can start to poke around.

 So what I had done originally is I tried to find all the locations of MySQL, because we can interact with it. We can run mysql -u root and we can try and log in with a password that may be just like root or toor backwards, but we don't know any credentials so we're not able to actually log in. So what I tried to do is see, well, can I find any notion in the file system that will let me take a look at things in the actual database? So I checked out, okay, /usr/lib, /var/log, /var/lib, /etc, to see if it would store the database there. And I would try and move into some of those directories. And I even did so successfully with /etc/mysql. But there wasn't anything in there except for, like, kind of setup scripts. Same thing with /var/lib/mysql, except I was not able to actually enter that database. I did not have the permission to.

 So actually this solution and notion in mind came from Alyssa Tiger in the Discord server. So props to him for this challenge. It's kind of a really smart and intuitive solution. You want to approach this from the admin, or real administrator, that may not know or has forgotten their own password. So you can use the utility mysqladmin and that will do things like allow you to change the password for a specific, excuse me, I don't know why that was a tongue twister, for a specific user. So if you wanted to specify, okay, let's use -u to denote the user. We can say -u root, set the password to whatever we want. So we can actually run mysqladmin -u root password as the functionality or the command we want to run here. And then we can say anything as our password.
 So now when we try and log into MySQL with the user root, we can denote the password as anything and we're logged in. Cool. So now if you want to see the databases we have here, mysql is the notion that we're looking at, so we can use mysql and then we can show tables if we particularly wanted to. But we know there's this database and table called user. So we can select * from user, but that's pretty huge, right? So we want to find the user that was specifically noted and called flag. So let's try that back in that shell. Let's run select * from user where User, capital U, that's where they keep the name of this individual account user, equals flag, and then a semicolon here, and then, okay, we only get that result back. It's pretty hard to read, but we can assume that this hash is what we're looking for.

 So we can go ahead and copy that and then let's, like, MD5 hash crack or whatever we need to, for CrackStation. Paste in this hash and we should be able to detect it. Copy, please. Okay, cool. Crack this hash and we should have the password and the flag we can submit as periwinkle. Great. So that would be what we submit here, and we can take note of that if we want to in our own notes, and we can mark that challenge as complete. So good thing to keep in mind, take note of that mysqladmin command. It's good for actually doing your own testing or troubleshooting of your own MySQL database, and you may have access to it in a capture-the-flag-like challenge.

 I need to give a special shout out and some love to the people that support me on Patreon. All of these individuals are awesome and I can't thank you enough. $1 a month on Patreon will give you this special shout out at the end of every video. $5 a month will give you early access to everything I release on YouTube. If you did like this video, please do like, comment and subscribe. Hang out with us on Discord and, if you're willing, check me out on Patreon. Thanks. See you soon.
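
 Added example, not part of the video: an audit sketch showing the two weaknesses the walkthrough relies on, a root account with no password and a stored hash that a precomputed lookup reverses. It assumes the column holds the mysql_native_password format (unsalted SHA1 of SHA1 with a '*' prefix), which the video does not state; the wordlist, the extra accounts and all function names are constructed for illustration.

```python
import hashlib

HEX = set("0123456789abcdefABCDEF")

def mysql_native_hash(password: str) -> str:
    """mysql_native_password format: '*' + upper-hex SHA1(SHA1(password))."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def classify(stored: str) -> str:
    """Guess the storage format of a mysql.user password value from its shape."""
    if stored == "":
        return "empty"
    if len(stored) == 41 and stored[0] == "*" and set(stored[1:]) <= HEX:
        return "mysql_native_password"
    if len(stored) == 16 and set(stored) <= HEX:
        return "pre-4.1 old_password"
    return "unknown"

def build_lookup(wordlist):
    """Precompute hash -> plaintext once. With no salt in the format, the
    same table applies to every account on every server."""
    return {mysql_native_hash(word): word for word in wordlist}

def audit(rows, lookup):
    """Return (user, finding) for accounts with no password or a listed one."""
    findings = []
    for user, stored in rows:
        kind = classify(stored)
        if kind == "empty":
            findings.append((user, "no password"))
        elif kind == "mysql_native_password" and stored.upper() in lookup:
            findings.append((user, "in wordlist: " + lookup[stored.upper()]))
    return findings

# Constructed sample data (assumptions, not values from the challenge server).
WORDLIST = ["anything", "letmein", "periwinkle", "toor"]
ROWS = [
    ("root", ""),  # assumed state before mysqladmin set a password
    ("flag", mysql_native_hash("periwinkle")),
    ("backup", mysql_native_hash("periwinkle")),  # same password, same hash
    ("app", mysql_native_hash("kV9#tq-Lm2!xR7pe")),  # not in the wordlist
]

if __name__ == "__main__":
    for user, finding in audit(ROWS, build_lookup(WORDLIST)):
        print(f"{user}: {finding}")
```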