Pedro Mora

HTB Sequel — Blank Root on MariaDB

Part of the OSAI Prep series → — HTB writeups mapped to OWASP LLM Top 10.

Machine Summary

Platform:        HackTheBox
Difficulty:      Very Easy
OS:              Linux
Vulnerability:   MySQL/MariaDB root with blank password
OWASP Mapping:   A07 — Identification and Authentication Failures

Reconnaissance

We start with a default nmap scan.

nmap -sC -sV -oN nmap.txt 10.129.43.114

[Screenshot: nmap output showing MariaDB on port 3306 with mysql_native_password]

We find an open MySQL server. The script output gives us the protocol version, the server flavour (MariaDB), and the supported authentication mechanism (mysql_native_password).

A MariaDB instance reachable on the public interface is a finding by itself — production database servers should be bound to localhost or kept behind a firewall, not exposed to network scanners. The next question is whether the authentication is actually configured at all.

Initial Foothold

We try to connect with the default MySQL admin (root) and no password.

The first attempt fails on SSL negotiation, so we retry with --skip-ssl.

[Screenshot: successful MySQL connection as root with no password using --skip-ssl]

We’re inside the server: root access to the database, no credentials required. Next we need to pick a database.

[Screenshot: show databases output revealing the htb database]

We select the htb database and list its tables.

show databases;
use htb;
show tables;

[Screenshot: show tables output listing the users and config tables]

Two interesting tables: users and config.

We dump the users table:

SELECT * FROM users;

[Screenshot: users table contents]

Then we dump the config table:

SELECT * FROM config;

[Screenshot: config table contents, including the flag value]

The flag sits in the config table.

Privilege Escalation

No privilege escalation on this box; very straightforward.

The MariaDB root account already has full read/write access across every database on the host, so there is nothing left to escalate to at the application layer. (For full system root we’d need a separate pivot — abusing UDFs or INTO OUTFILE to drop a payload — but the box’s flag was readable straight from the database.)

Root Cause

Two misconfigurations compound here:

  1. MariaDB bound to the public interface — the server listens on 0.0.0.0:3306 instead of 127.0.0.1:3306, exposing the database to anyone who can reach the host on the network.
  2. The root account has a blank password — the highest-privilege account on the database accepts any caller, no authentication required.

Either misconfiguration alone is bad. Together they hand any attacker on the network full read/write across every database on the host. The mysql_native_password advertised in the nmap output is irrelevant when the password itself is empty — it’s the check that’s missing, not the algorithm.
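As an added example (not part of the original writeup), the two misconfigurations above can be checked offline from the server's config file and an export of `mysql.user`. The `my.cnf` fragment and the user rows below are constructed samples that mirror the box, not data taken from it; the column names assume the `mysql.user` view as MariaDB 10.4+ presents it (`User`, `Host`, `plugin`, `authentication_string`), and the config parser assumes a flat `[mysqld]` section without `!include` directives. The SQL it emits for remediation uses a placeholder password that has to be replaced before running.

```python
"""Offline audit for the two Sequel misconfigurations: a mysqld that listens
on a non-loopback interface, and database accounts that accept any caller.

Inputs are a my.cnf fragment and an export of mysql.user, e.g. from
    SELECT User, Host, plugin, authentication_string FROM mysql.user;
Both samples below are constructed for this example, not data from the box.
"""
import configparser
import csv
import io

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed config fragment mirroring the weak setting from the writeup.
WEAK_CNF = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

# Constructed mysql.user export. root@% is reachable from any host, and both
# root rows have an empty authentication_string with mysql_native_password,
# which means no password is set at all. The hash for 'app' is a dummy value.
WEAK_USERS = """User\tHost\tplugin\tauthentication_string
root\t%\tmysql_native_password\t
root\tlocalhost\tmysql_native_password\t
app\tlocalhost\tmysql_native_password\t*0000000000000000000000000000000000000000
"""


def audit_bind_address(cnf_text):
    """Return a finding string if mysqld is reachable over a non-loopback
    interface, or None if it is loopback-only or TCP is disabled.
    Assumes a flat [mysqld] section (no !include directives)."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    cp.read_string(cnf_text)
    if not cp.has_section("mysqld"):
        return "no [mysqld] section found"
    if cp.has_option("mysqld", "skip-networking") or cp.has_option("mysqld", "skip_networking"):
        return None  # TCP listener disabled entirely
    bind = cp.get("mysqld", "bind-address", fallback=None)
    if bind is None:
        bind = cp.get("mysqld", "bind_address", fallback=None)
    if bind is None:
        return "bind-address unset (mysqld then listens on all interfaces)"
    bind = bind.strip()
    if bind in LOOPBACK:
        return None
    return f"bind-address = {bind} (listens on a non-loopback interface)"


def audit_accounts(tsv_text):
    """Return (User, Host, reason) triples for accounts that accept any caller.
    An empty authentication_string only means 'no password' for password
    plugins; unix_socket / auth_socket rows are legitimately empty."""
    findings = []
    for row in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        user, host = row["User"], row["Host"]
        if user == "root" and host not in LOOPBACK:
            findings.append((user, host, "root reachable from non-loopback host"))
        elif row["plugin"] in ("", "mysql_native_password") and not row["authentication_string"].strip():
            findings.append((user, host, "blank password"))
    return findings


def remediation(findings):
    """Map each finding to the SQL statement that closes it. The password is a
    placeholder to be replaced before running."""
    stmts = []
    for user, host, reason in findings:
        if reason.startswith("root reachable"):
            stmts.append(f"DROP USER '{user}'@'{host}';")
        else:
            stmts.append(f"ALTER USER '{user}'@'{host}' IDENTIFIED BY '<set-a-strong-password>';")
    return stmts


if __name__ == "__main__":
    print("bind:", audit_bind_address(WEAK_CNF))
    for finding in audit_accounts(WEAK_USERS):
        print("account:", finding)
    for stmt in remediation(audit_accounts(WEAK_USERS)):
        print("fix:", stmt)
```

Run against the constructed samples it reports the exposed listener, the remote root account and the blank local root password, and prints a `DROP USER` for `root@'%'` plus an `ALTER USER` for `root@'localhost'`; the config fix itself is simply `bind-address = 127.0.0.1` in `[mysqld]`.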

The AI Equivalent

This is OWASP LLM08 — Excessive Agency: an agent or LLM-based system with a root-level account whose access controls have collapsed (in this case, a default blank root password).

The Sequel vulnerability isn’t really about MariaDB being reachable — it’s about a root-equivalent account being reachable, with no password, granting unrestricted authority across every database on the host. The structural failure is granting an account total power and then accepting any caller as that account.

In LLM agentic systems, this maps directly to automation agents wired with admin-level API tokens — Postgres superuser credentials, Okta SSWS tokens, AWS IAM admin keys — that execute on behalf of any incoming webhook, message queue payload, or chat prompt. The agent itself has root-equivalent power, so anyone who can trigger the agent inherits root by proxy. There is no out-of-band verification that the trigger came from a legitimate operator.

This is the same failure pattern as Meow’s blank-password root: the principle of least privilege never made it from policy to runtime configuration. The defenses are identical too — scope the agent’s tokens to the minimum required permissions (read-only when possible), require human-in-the-loop confirmation for destructive operations, and add caller-identity verification so the agent knows who is asking, not just what is being asked. As with Meow and Sequel, the attacker doesn’t break in. They call.
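The three defenses just listed, as an added example that is not part of the original post: an agent that holds a powerful database token but refuses to act on a trigger until it has checked who sent it (an HMAC over the body with a per-caller secret), that the request is fresh, that the caller is scoped for the requested action, and that destructive actions carry a human approval. Caller names, secrets, the action catalogue and header names are all constructed for the example.

```python
"""Caller-identity verification and least-privilege scoping for an automation
agent that holds admin-level credentials. Everything here (caller names,
shared secrets, the action catalogue, header names) is constructed for this
example."""
import hashlib
import hmac
import json

MAX_SKEW_SECONDS = 300  # reject triggers older than five minutes (replay window)

# Per-caller shared secrets; a deployment would load these from a secret store.
CALLER_KEYS = {
    "ci-bot": b"ci-bot-secret-constructed",
    "ops-oncall": b"ops-oncall-secret-constructed",
}

# Least privilege: each caller is scoped to the actions it actually needs,
# even though the agent's own database token could do anything.
CALLER_SCOPES = {
    "ci-bot": {"read_table"},
    "ops-oncall": {"read_table", "drop_table"},
}

# Actions that require a human to confirm before the agent executes them.
DESTRUCTIVE = {"drop_table"}


def sign(caller, body):
    """HMAC-SHA256 over the raw request body with the caller's shared secret."""
    return hmac.new(CALLER_KEYS[caller], body, hashlib.sha256).hexdigest()


def make_request(caller, action, ts, table="users"):
    """Build (headers, body) the way a legitimate trigger would send them."""
    body = json.dumps({"action": action, "table": table, "ts": ts}).encode()
    return {"X-Caller": caller, "X-Signature": sign(caller, body)}, body


def authorize(headers, body, now, approved_by_human=False):
    """Decide whether the agent may act on a trigger. Returns (allowed, reason).
    Order matters: identity, integrity, freshness, scope, then blast radius."""
    caller = headers.get("X-Caller")
    key = CALLER_KEYS.get(caller)
    if key is None:
        return False, "unknown caller"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the signature through timing differences
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    request = json.loads(body)
    if abs(now - request.get("ts", 0)) > MAX_SKEW_SECONDS:
        return False, "stale request"
    action = request.get("action")
    if action not in CALLER_SCOPES[caller]:
        return False, f"{caller} not scoped for {action}"
    if action in DESTRUCTIVE and not approved_by_human:
        return False, "destructive action needs human approval"
    return True, "ok"


if __name__ == "__main__":
    hdr, body = make_request("ci-bot", "read_table", ts=1700000000)
    print(authorize(hdr, body, now=1700000010))
    hdr, body = make_request("ci-bot", "drop_table", ts=1700000000)
    print(authorize(hdr, body, now=1700000010))
```

The blank-root analogy is the missing `CALLER_KEYS` lookup: drop the identity and signature checks and any payload that reaches the agent inherits its full token, which is exactly the Sequel condition expressed in an agent rather than a database.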

Lessons Learned

