Sequel

#sql #nmap

Level: Starting Point Tier 1
Date: 2025-08-31
VM IP: 10.129.93.143

Task 1

During our scan, which port do we find serving MySQL?

Starting with the nmap scan, so we can check what ports are open and what services are running on them:

nmap -sC -sV 10.129.93.143

Output:

Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-31 19:24 MDT
Stats: 0:03:24 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 87.50% done; ETC: 19:27 (0:00:03 remaining)
Nmap scan report for 10.129.93.143
Host is up (0.15s latency).
Not shown: 999 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
3306/tcp open  mysql?
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
|   Thread ID: 66
|   Capabilities flags: 63486
|   Some Capabilities: IgnoreSpaceBeforeParenthesis, DontAllowDatabaseTableColumn, SupportsCompression, SupportsLoadDataLocal, Support41Auth, LongColumnFlag, IgnoreSigpipes, ConnectWithDatabase, InteractiveClient, Speaks41ProtocolOld, SupportsTransactions, ODBCClient, Speaks41ProtocolNew, FoundRows, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
|   Status: Autocommit
|   Salt: {C{c^/mXRp]_H,?79W*h
|_  Auth Plugin Name: mysql_native_password

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 206.98 seconds

flag: 3306

We only found one open port - 3306, which runs a service named MySQL 5.5.5-10.3.27-MariaDB0+deb10u1 . MySQL is a service designed for database management: creating, modifying, and updating databases, changing and adding data, and more.

Task 2

What community-developed MySQL version is the target running?

flag: MariaDB

Task 3

When using the MySQL command line client, what switch do we need to use in order to specify a login username?

List the switches for mysql using the following command

mysql --help
...
-h : Connect to host.
-u : User for log-in if not current user.
...

flag: -u

Task 4

Which username allows us to log into this MariaDB instance without providing a password?

To start, we can try the following:

mysql -h 10.129.93.143 -u root

With an ounce of luck, our connection is accepted without a password requirement. We are placed in a MySQL service shell from where we can explore the tables and data therein that are available to us. If you need help with MySQL command syntax, you can refer to the cheatsheet provided by MySQLTutorial. The commands we are going to use are essential for navigation:

ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it

flag: root

Task 5

In SQL, what symbol can we use to specify within the query that we want to display everything inside a table?

In SQL, the asterisk symbol (*) is used within a SELECT statement to specify that all columns from a table should be displayed.

Example:

SELECT *
FROM your_table_name;

In this example, your_table_name should be replaced with the actual name of the table from which you want to retrieve all data. The * acts as a wildcard, representing all columns in that table.

Task 6

In SQL, what symbol do we need to end each query with?

The commands we are going to use are essential for navigation:

SHOW databases;      : Prints out the databases we can access.
USE {database_name}; : Set to use the database named {database_name}.
SHOW tables;         : Prints out the available tables inside the current database.
SELECT * FROM {table_name}; : Prints out all the data from the table {table_name}.

Note that it is essential to end each command with the ; symbol, as it declares the end of the command. Apart from that, SQL is a query-oriented language, which means that you supply it with one query at a time.

flag: ;

Task 7

There are three databases in this MySQL instance that are common across all MySQL instances. What is the name of the fourth that's unique to this host?

The command that we need in order to be able to enter without password using the root user is actually the following one:

┌──(macc㉿kaliLab)-[~]
└─$ mysql -h 10.129.93.143 -u root --ssl-verify-server-cert=FALSE
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 83
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

Now lets try to list the databases in this mysql instance:

MariaDB [(none)]> SHOW databases;
+--------------------+
| Database           |
+--------------------+
| htb                |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.062 sec)

MariaDB [(none)]>

From the output, the htb database seems to be of value to us. In order to see what rests inside it, we will need to "select" the htb database as the active one - the database we want to actively interact with for our subsequent commands. To achieve this, the USE htb; command can be used.

The name of the database that's unique to this host is htb

flag: htb

Submit Flag

Select the htb database

MariaDB [htb]> USE htb;
Database changed
MariaDB [htb]>

We have successfully changed the database. The next step is to check what tables does the htb database contain. We can achieve this by following up with the SHOW tables; command.

MariaDB [htb]> SHOW tables;
+---------------+
| Tables_in_htb |
+---------------+
| config        |
| users         |
+---------------+
2 rows in set (0.065 sec)

MariaDB [htb]>

We have two tables: config and users . These can be checked sequentially for their content by using the SELECT * FROM {table_name} command, where {table_name} is the exact name of the table you want to explore, taken from the output above. Once we query the config table for contents, the flag entry is output in our terminal, alongside its' value