Just wanted to know, has anyone used MySQL to get the flag on frett ?
In short yes.
A combination of Local File Inclusion and Mysql UDF vulnerabilities.
Another hint is that it involves privileges
Do I need to crack the webmin hash that I found!
Nope, you don't have to