HTB Labs — Tier 1 — “Sequel” Machine Walkthrough | By: CyberAlp0

Hey Folks, this is CyberAlp0. Welcome to a new walkthrough powered by HTB, Tier 1, named “Sequel”. The Sequel machine demonstrates a critical database security misconfiguration: a MariaDB instance accepts the root user without any password, exposing every stored record, including a flag kept in a configuration table.
The target exposes MariaDB 10.3.27 on TCP port 3306. Because the root account has no password set and is reachable over the network, anyone who can reach the port has full administrative access to the server. This is a fundamental failure of database administration, not a software bug in MariaDB.
Executive Summary
Here is an executive summary of the steps we will follow:
Stage I: Scanning
We will use Nmap to reveal the open ports and the services running behind them. There will be only one open port, 3306, and the service on it is MariaDB.
Upon the Nmap scan, we will find the following information
- Operating System: Linux (Debian 10)
- Database Service: MariaDB 10.3.27–0+deb10u1
- Exposed Port: 3306/TCP (MySQL/MariaDB)
Stage II: Enumeration
The MariaDB service on port 3306 is critically misconfigured. Connecting with the MySQL client, specifying the user with “-u” and disabling TLS with “--skip-ssl”, the root account authenticates without a password and grants full administrative access. Once inside, “SHOW DATABASES;” lists the standard system databases plus one database unique to this host, named htb. “SHOW TABLES;” inside it reveals two tables, users and config, and “SELECT *” against each dumps every stored record, including the plaintext root flag in the config table. This phase confirms unrestricted database access and complete data exposure caused by missing authentication controls.
Stage III: Exploiting
We will be able to directly connect to the database service using standard MySQL/MariaDB client tools with the root username, bypassing all authentication controls. Finally, we will find the root flag inside one of the tables of the database “HTB”.
Let’s not waste more time on the introduction and begin hacking in detail!
Step 1: Connecting to the Starting Point Labs Servers.
To attack the target machine, you have to be on the same network. You can read my blog which will guide you step-by-step into connecting to the target machine.
Step 2: Spawning the Machine and Starting to Solve the Tasks.
Task 1: During our scan, which port do we find serving MySQL?
Answer: 3306
Walkthrough:
We will use Nmap to identify the open ports on the target machine. We can either run Nmap directly and choose the flags ourselves, or use a wrapper that runs several pre-defined Nmap scan types in sequence.
This wrapper is called “Nmap Automator”. You may download it through the following link.
I will use this tool to run a full scan against the target’s IP. With “--type all” it runs every scan type the script knows (port discovery, full TCP and UDP port scans, service/version detection and script scans) in sequence, so one invocation gives the complete picture.
The usage of the tool is very easy, and you can find out more about it in the description section on GitHub. To perform a full scan, write the following command:
bash nmapAutomator.sh --host 10.129.116.14 --type all
This nmap scan reveals valuable information about the MariaDB database service running on port 3306.
Task 2: What community-developed MySQL version is the target running?
Answer: MariaDB
Walkthrough:
The Nmap scan identifies the host as Debian 10 running MariaDB 10.3.27. MariaDB is a community-maintained fork of MySQL, started by MySQL’s original developers after the Oracle acquisition. It keeps wire-protocol and client compatibility with MySQL (which is why the standard mysql client works against it) while adding its own features. Several Linux distributions, Debian among them, ship MariaDB as their default MySQL-compatible server.
Task 3: When using the MySQL command line client, what switch do we need to use in order to specify a login username?
Answer: -u
Walkthrough:
To specify a login username when using the MySQL command line client, you use the “-u” switch.
The syntax will be:
mysql -u username
Note that you can use the long form of the switches instead: “-u” is the short form of “--user=username”.
For more information about the switches and how they are used, check the built-in help of the MySQL client with “mysql -?” or “mysql --help”.
There are lots of other switches that can be used as well, such as:
- -h: Host name or IP address of the server to connect to (long form “--host”).
- -p: Prompt for the password of the login user (long form “--password”). Given on its own it prompts interactively; a password glued to the switch, as in “-pSecret”, is passed without a prompt but ends up in your shell history.
mysql -u username -p -h "target_ip"
Note that with “-p” you will be asked to enter the password for the user. In this lab we omit “-p” entirely, because the root account on the target has no password.
Task 4: Which username allows us to log into this MariaDB instance without providing a password?
Answer: root
Walkthrough:
On this instance the username “root” logs in without a password because no password has been set on the account. That is a misconfiguration of this particular server, not MariaDB default behaviour: a default installation either assigns root a password or ties it to the local OS user through the unix_socket plugin, and never accepts root over the network without credentials. The other account type that can log in with no password is MySQL’s anonymous user, a row in mysql.user with an empty username, which some older installations created by default.
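A practitioner reading Task 4 will want to know how to find this condition on a server they administer, not just how to exploit it. The following SQL is an added example, not part of the original write-up or of the HTB machine: run as an administrative user against a MariaDB 10.3 instance, it lists the accounts that can log in without a password and then closes the holes. The host patterns in the remediation statements ('root'@'%', ''@'localhost') are assumptions; replace them with the rows the audit actually returns.

```sql
-- Added example, not from the original write-up: audit a MariaDB 10.3 instance
-- for the misconfiguration Sequel exhibits, then fix it. Run as an admin user.

-- Which account row did this session actually match? Connecting as "root"
-- from the attacker box may have matched 'root'@'%', not 'root'@'localhost'.
SELECT USER() AS requested, CURRENT_USER() AS matched_account;

-- Accounts with no password hash and no plugin that supplies one.
-- In MariaDB 10.3 mysql.user is a real table: an empty Password column with
-- plugin '' or 'mysql_native_password' means "accept any connection".
-- unix_socket rows are excluded: they need no password but only admit the
-- matching local OS user.
SELECT User, Host, plugin
FROM   mysql.user
WHERE  Password = ''
  AND  authentication_string = ''
  AND  plugin IN ('', 'mysql_native_password');

-- Anonymous accounts (empty User) are the other classic passwordless entry.
SELECT User, Host FROM mysql.user WHERE User = '';

-- Superuser reachable from anywhere but the local machine.
SELECT User, Host
FROM   mysql.user
WHERE  User = 'root'
  AND  Host NOT IN ('localhost', '127.0.0.1', '::1');

-- Remediation. Host patterns are assumptions; use the rows returned above.
-- ALTER USER ... IDENTIFIED BY is available from MariaDB 10.2 onwards.
ALTER USER 'root'@'localhost' IDENTIFIED BY 'replace-with-a-long-random-password';
DROP USER IF EXISTS 'root'@'%';               -- no remote root at all
DROP USER IF EXISTS ''@'localhost', ''@'%';   -- no anonymous logins
-- Account-management statements reload the grant tables themselves;
-- FLUSH PRIVILEGES is only needed after editing mysql.user directly.

-- Confirm nothing passwordless remains (should return no rows).
SELECT User, Host, plugin
FROM   mysql.user
WHERE  Password = ''
  AND  authentication_string = ''
  AND  plugin IN ('', 'mysql_native_password');
```

The first query matters more than it looks: the server matches the most specific Host pattern for the connecting address, so “root” from a remote box lands on a 'root'@'%' row if one exists, and that is the row that has to be fixed or dropped.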
Task 5: In SQL, what symbol can we use to specify within the query that we want to display everything inside a table?
Answer: *
Walkthrough:
In SQL, you can use the asterisk (*) symbol to specify that you want to display everything from a table. The syntax for this is:
SELECT * FROM table_name;
Replace “table_name” with the name of the table you want to query. This returns all columns and all rows from that table.
Task 6: In SQL, what symbol do we need to end each query with?
Answer: ;
Walkthrough:
In SQL, each query is typically ended with a semicolon (;). This indicates the end of the statement. For example:
SELECT * FROM table_name;
The semicolon is particularly important when executing multiple queries in a single batch.
Task 7: There are three databases in this MySQL instance that are common across all MySQL instances. What is the name of the fourth that’s unique to this host?
Answer: htb
Walkthrough:
To identify and show all the databases on the target server, we first connect with the following command:
mysql -u root -h 10.129.101.67
This logs in to the target server as root; since the account has no password, we are not prompted for one.
Note that newer MySQL/MariaDB clients may refuse with “TLS/SSL error: SSL is required, but the server does not support it”. The error means the client insists on a TLS-protected connection by default, but this MariaDB server offers no TLS at all, so the connection has to be made without it.

To get past it, add the “--skip-ssl” switch, as shown in the following screenshot. “--skip-ssl” tells the client not to negotiate TLS. Be aware of what that means: every query and result, and any password you did supply, now crosses the network in cleartext. That is acceptable against a lab box, never against production.
mysql -u root -h 10.129.101.67 --skip-ssl
After connecting to the target server, to show all the databases, type the following command:
SHOW DATABASES;
The output, shown in the previous screenshot, lists the three system databases (information_schema, mysql and performance_schema) plus a fourth named “htb”, which is unique to this host.
Task 8: Submit root flag
Answer: 7b4bec00d1a39e3dd4e021ec3d915da8
Walkthrough:
After logging in to MariaDB and listing the databases, we switch to the “htb” database and extract the root flag by executing the following commands in order:
Firstly: Selecting the database we want to establish a connection with
use htb;
This makes “htb” the default database for the session. You can see the switch succeeded because the prompt changes from “MariaDB [(none)]>” to “MariaDB [htb]>”.
Secondly: Showing the tables inside “HTB” database.
show tables;
You will notice two tables, “config” and “users”. Dump the contents of each with:
select * from users;
select * from config;

As shown in the previous screenshot, the flag is stored in the “config” table. The root flag of the Sequel machine is “7b4bec00d1a39e3dd4e021ec3d915da8”.
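The SHOW DATABASES / SHOW TABLES / SELECT * sequence above is fine for a four-database box, but it does not scale to a real target. As an added example, not part of the original write-up, the same enumeration can be done in one pass through information_schema, which every MySQL-compatible server exposes; it also covers the command list in the Additional Notes below. Only htb.config and htb.users are known from the page; the LIKE patterns for interesting column names are my assumption about what is worth looking at first.

```sql
-- Added example, not from the original write-up: enumerate a MariaDB instance
-- through information_schema instead of one SHOW/SELECT at a time.

-- Which schemas are not part of the server itself? MariaDB 10.3 ships with
-- information_schema, mysql and performance_schema; anything else is the
-- host's own data (on Sequel: htb).
SELECT schema_name
FROM   information_schema.schemata
WHERE  schema_name NOT IN ('information_schema', 'mysql', 'performance_schema');

-- Every user table with its engine and approximate row count, biggest first.
SELECT table_schema, table_name, engine, table_rows
FROM   information_schema.tables
WHERE  table_schema NOT IN ('information_schema', 'mysql', 'performance_schema')
ORDER  BY table_rows DESC;

-- Columns whose names hint at secrets, across all user tables. The patterns
-- are assumptions; extend them to suit the target.
SELECT table_schema, table_name, column_name, data_type
FROM   information_schema.columns
WHERE  table_schema NOT IN ('information_schema', 'mysql', 'performance_schema')
  AND  (column_name LIKE '%pass%' OR column_name LIKE '%flag%'
        OR column_name LIKE '%token%' OR column_name LIKE '%secret%');

-- Fully qualified names work without USE, so the session can stay in (none).
SELECT * FROM htb.config;
SELECT * FROM htb.users;

-- Finally: what can the account we landed on actually do?
SHOW GRANTS FOR CURRENT_USER();
```

The row counts from information_schema.tables are estimates for InnoDB tables, so treat them as a guide to where the bulk of the data is rather than an exact figure; the column search is the query that finds a flag or credential table by name on a server with hundreds of tables.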
Additional Notes
MySQL Database Hierarchy
MySQL Server Instance
├── Database 1
│ ├── Table 1
│ │ ├── Column 1 (Field)
│ │ ├── Column 2 (Field)
│ │ └── Rows (Records)
│ └── Table 2
├── Database 2
└── System Databases
Common Commands to Explore Structure
→ To list databases and select one:
SHOW DATABASES;
USE database_name;
→ To show tables in the current database:
SHOW TABLES;
→ To view columns:
#### To show all columns in a table:
DESCRIBE table_name;
or
SHOW COLUMNS FROM table_name;
#### To show specific columns:
SELECT column1, column2 FROM table_name;
#### To show detailed column info:
SHOW FULL COLUMNS FROM table_name;
#### To show column info from a specific database:
SHOW COLUMNS FROM database_name.table_name;
→ To view rows:
#### To show all the rows:
SELECT * FROM table_name;
#### To show rows matching a condition:
SELECT * FROM table_name WHERE column_name = 'value';
#### To show a limited number of rows:
SELECT * FROM table_name LIMIT 10;
Hope you enjoyed reading my blog about solving the Sequel machine from HTB — Tier 1 — Starting Point Phase.
See you in another write-up!.