Mariadb

Box info | OS: Debian 10 (Buster) — MariaDB 10.3.27 | Difficulty: Very Easy | Tier: 1 | Status: Starting Point Skills: MySQL/MariaDB CLI, database enumeration, blank root password, FILE privilege Pwned: 2026-04-28 TL;DR Sequel (the name is a wordplay on SQL) is a Tier 1 box with a single exposed service: MariaDB 10.3.27 on port 3306. The root database user has a blank password and accepts connections from any host (root@%). Connecting with mysql -h IP -u root lands you in a fully privileged session with ALL PRIVILEGES including FILE. The flag is a row in htb.config at name='flag'. Going further, LOAD_FILE('/etc/passwd') works (FILE privilege active, no secure_file_priv restriction), exposing system user accounts. SSH is firewalled off. The lesson: a database root account with no password and internet exposure is a complete data breach. ...

Box info | OS: Linux Debian 10 (Apache/2.4.38) | Difficulty: Very Easy | Tier: 1 | Status: Starting Point Skills: SQL injection, authentication bypass, blind SQLi, sqlmap Pwned: 2026-04-28 TL;DR Appointment is a Tier 1 web box running Apache 2.4.38 on Debian 10 with a PHP login form backed by MariaDB. The username POST parameter is directly interpolated into a SQL query with no sanitization. A classic ' OR '1'='1' -- - payload bypasses authentication and triggers the flag to appear in the HTTP response. Going deeper with sqlmap confirms boolean-based blind injection, extracts the appdb database schema, and dumps two user records — including a plaintext password for a test user. The lesson: unsanitized SQL interpolation in authentication queries is still widespread, and it can be exploited by any attacker who knows three characters: ', --, and 1. ...