MySQL CTF Lab — NexaCorp Breach

📋 Mission Briefing

A suspicious actor has been detected with access to NexaCorp's internal MySQL database server. Your assignment: connect to the live database as a limited-privilege analyst account and locate all 14 hidden flags embedded throughout the data.

Each flag follows the format: FLAG{...}

You will need SELECT queries, JOINs, aggregation, schema inspection, stored procedures, and data decoding techniques. This is a real MySQL server — your queries run live against actual data.

🔌 Connection Parameters

Host173.255.198.113

Port3306

Usernamectf_student

PasswordCyberPath2025!

Databasectf_corp

Connect from your Kali VM:

mysql -h 173.255.198.113 -u ctf_student -p --skip-ssl ctf_corp

Overall Progress 0 / 14 flags captured

Rules of Engagement

Rule	Details
Account Access	Use only the `ctf_student` account provided. Do not attempt to escalate privileges on the server itself.
Allowed Operations	SELECT queries, CALL (stored procedures), SHOW, DESCRIBE, and INFORMATION_SCHEMA queries only.
Flag Format	All flags follow the pattern `FLAG{...}`. Copy the exact string from your query result and paste it into the flag submission box.
Hints	Each challenge has a hint button. Use hints if you are stuck — there is no penalty.
Submission	When all 14 flags are captured, take a screenshot of this page and submit it to the LMS as your lab deliverable.

Table / Object	Key Columns	Notes
`employees`	emp_id, first_name, last_name, email, dept_id, job_title, hire_date, active, secret_note	Core employee directory. Some accounts are deactivated (active=0).
`departments`	dept_id, dept_name, location, budget, active, dept_code	Corporate departments. Not all are visible in normal operations.
`salaries`	sal_id, emp_id, base_salary, bonus, pay_grade, effective_date	Compensation records linked to employees by emp_id.
`users`	user_id, username, pass_hash, role, last_login, is_locked	Application login accounts. Passwords stored as MD5 hashes.
`config`	cfg_id, cfg_key, cfg_value, encoding, description	Application configuration. Not all values are plaintext.
`audit_log`	log_id, event_type, actor, target, details, logged_at, deleted_at	Security event log. Some records are soft-deleted.
`projects`	project_id, project_name, dept_id, status, classification, deadline, notes	Active and historical projects. Classification levels vary.
`messages`	msg_id, sender, recipient, subject, body, encoding, encoded_payload	Internal communications. Some messages use encoded payloads.
`inventory`	asset_id, asset_name, asset_type, dept_id, assigned_to, status	IT asset registry. Each asset linked to a department.
`flag_vault`	id, ref, payload	A hidden table. You'll need to find it yourself.
`executive_summary`	(VIEW) full_name, job_title, dept_name, total_compensation, account_status	A database VIEW joining employees, departments, and salaries.

Task	Command
List all tables	`SHOW TABLES;`
Describe table structure	`DESCRIBE employees;`
Select all rows	`SELECT * FROM employees;`
Filter rows	`SELECT * FROM employees WHERE active = 0;`
Sort results	`SELECT * FROM salaries ORDER BY base_salary DESC LIMIT 5;`
Join two tables	`SELECT e.first_name, d.dept_name FROM employees e JOIN departments d ON e.dept_id = d.dept_id;`
Group and count	`SELECT dept_id, COUNT(*) FROM inventory GROUP BY dept_id;`
Decode base64	`SELECT FROM_BASE64('encoded_string');`
Decode hex	`SELECT UNHEX('hexstring');`
Show table comments	`SELECT TABLE_COMMENT FROM information_schema.TABLES WHERE TABLE_NAME='employees';`
Call stored procedure	`CALL get_flag_eleven();`
Show all views	`SHOW FULL TABLES WHERE TABLE_TYPE = 'VIEW';`
Find soft-deleted rows	`SELECT * FROM audit_log WHERE deleted_at IS NOT NULL;`
Crack MD5 (Kali)	`hashcat -m 0 hash.txt /usr/share/wordlists/rockyou.txt`

Goal	Query
List all tables in database	`SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA='ctf_corp';`
List all columns in a table	`SELECT COLUMN_NAME FROM information_schema.COLUMNS WHERE TABLE_NAME='employees';`
Read table comments	`SELECT TABLE_NAME, TABLE_COMMENT FROM information_schema.TABLES WHERE TABLE_SCHEMA='ctf_corp';`
Find stored procedures	`SHOW PROCEDURE STATUS WHERE Db='ctf_corp';`

🎉 All Flags Captured!

📋 Mission Briefing

💡 Tip