HackTheBox machine "Appointment"
Dharmendra Kumar
Description
Appointment is a web-application-oriented box focused on SQL Injection. The target is a website with a search feature querying an SQL database, where different user roles (admin, regular user) have varying access to data. An attacker can exploit the SQL Injection vulnerability to bypass these restrictions and retrieve sensitive information, like user details and billing information, from the database.
Enumeration
To begin, we use an Nmap scan to identify open ports and services running on the target machine. By default, if no specific flags are used, Nmap scans the most common 1000 TCP ports, which is sufficient for our scenario. This will help us discover the services available on those ports, setting the stage for further exploitation.
Analysis
Step 1: Scan the target IP 10.129.213.14 with Nmap, using two options:
-sC: run Nmap's default NSE script set, which adds standard checks and banner parsing for the services it finds.
-sV: probe each open port to determine which service and which version is listening there.
sudo nmap -sC -sV 10.129.213.14
Neither option needs root, but running under sudo lets Nmap use its faster default SYN scan instead of a full TCP connect scan.
Step 2: In this section we brute-force directories as part of enumeration. This is optional for Tier 0, but it is a valuable step in any assessment; if you prefer to skip it, proceed to the Foothold section.
After entering the target IP into the browser we see a login form. Since we have no credentials, we look for other directories or pages that might be useful. Mapping the target fully before exploiting a known vulnerability such as SQL injection matters because it reveals other entry points and avoids tunnel vision on the first thing we saw.
Web directories are the "folders" behind a URL path that hold resources such as the login page, images and static assets (CSS, JavaScript and so on). Some are linked directly from the homepage; others have to be discovered. Navigating from Home to the Contact page, for example, changes the URL path, indicating a different directory.
Step 3: Install Gobuster. On Debian-based systems such as Kali it is packaged, so a single apt command is enough:
sudo apt install gobuster
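An added example, not code from this page or from the Gobuster project: a small Python directory brute-forcer that does by hand what Gobuster's dir mode automates, so the 404 filtering the tasks below ask about is visible. The target URL, the embedded mini wordlist, the User-Agent string and the choice of "interesting" status codes are assumptions.

```python
# Added example (not the page's code, not Gobuster): a minimal directory
# brute-forcer showing what Gobuster's dir mode automates. Assumptions: the
# target URL, the embedded wordlist, the User-Agent and the status policy.
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Tuple

# Codes that mean "something is here". 301/302 is what Apache returns for a
# directory requested without its trailing slash; 403 means it exists but
# access or listing is denied. 404 Not Found is the noise we filter out.
INTERESTING = {200, 301, 302, 403}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """urllib follows redirects by default; returning None reports the 3xx itself."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_status(url: str, timeout: float = 5.0) -> int:
    """GET url and return its status code; non-2xx arrive as HTTPError, so unwrap it."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirbrute-example/0.1"})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def brute_dirs(base_url: str, words: Iterable[str],
               status_of: Callable[[str], int] = http_status) -> List[Tuple[str, int]]:
    """Request base_url/<word> for each wordlist entry and keep the ones that exist."""
    base = base_url.rstrip("/")
    hits: List[Tuple[str, int]] = []
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):   # blank lines and comments in wordlists
            continue
        code = status_of(f"{base}/{word}")
        if code in INTERESTING:
            hits.append((f"/{word}", code))
    return hits


if __name__ == "__main__":
    # Constructed mini wordlist; a real run would read a full list such as dirb's common.txt.
    WORDLIST = ["images", "css", "js", "admin", "backup", "index.php", "robots.txt"]
    for path, code in brute_dirs("http://10.129.213.14", WORDLIST):
        print(f"{path} (Status: {code})")
```

With Gobuster itself the equivalent run is gobuster dir -u http://10.129.213.14 -w <wordlist>, where dir selects directory mode, -u the target and -w the wordlist; a path such as /usr/share/wordlists/dirb/common.txt depends on your distribution and is an assumption here. The redirect handler matters: urllib follows 301/302 by default, which would turn a directory's redirect into the status of wherever it lands and hide the hit.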
Step 4: The login form's PHP builds its SQL query by concatenating the submitted username and password directly into the statement, with no input validation. A username that ends in a MySQL line comment, for example admin'#, closes the username string and comments out the rest of the line, including the AND password='...' clause. The query therefore matches the admin row whatever was typed into the password field, the script sees 1 row found, and the login succeeds as admin.
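An added example, not the page's code and not the box's real PHP: the vulnerable query construction described above, reproduced in Python so it can be run against an in-memory SQLite users table, beside the parameterised query that fixes it. The table name, column names, sample rows and exact query layout are assumptions. One caveat the example makes visible: the # line comment is MySQL syntax, so the executed payload uses the portable -- form that SQLite also honours, while build_query returns the text the MySQL server on the box would receive.

```python
# Added example (not code from the page): the comment-based login bypass
# reproduced against SQLite, beside the parameterised fix.
# Assumptions: table name, column names, sample rows and query layout.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the box's MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "s3cr3t-unknown-to-us"), ("user", "password1")],
    )
    return conn


def build_query(username: str, password: str) -> str:
    """The vulnerable pattern: form input concatenated straight into the SQL text.

    With username admin'# the returned string is what a MySQL server would
    parse; everything after # is a comment, so the password check is gone.
    """
    return (
        "SELECT * FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Execute the concatenated query; True when at least one row comes back
    (the "1 row found" the walkthrough describes)."""
    return conn.execute(build_query(username, password)).fetchone() is not None


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterised query: the driver binds the input as data, so a quote or
    comment marker inside it never changes the statement's structure."""
    row = conn.execute(
        "SELECT * FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    conn = make_db()
    # The MySQL payload from the box: the # comment removes the password clause.
    print(build_query("admin'#", "anything"))
    # SQLite has no # comment, so the portable '-- ' form is used to run it here.
    print("vulnerable:", vulnerable_login(conn, "admin'-- ", "anything"))  # True
    print("parameterised:", safe_login(conn, "admin'-- ", "anything"))    # False
```

The fix is the bound parameters, not escaping: with placeholders the quote in admin'-- is stored and compared as four literal characters, so the same input that logs the vulnerable version in as admin simply fails to match any row.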
Step 5: That basic SQL injection logs us in as admin, and the page returned after login contains the flag.
Task 1
What does the acronym SQL stand for?
Structured Query Language
Task 2
What is one of the most common types of SQL vulnerabilities?
SQL injection
Task 3
What is the 2021 OWASP Top 10 classification for this vulnerability?
A03:2021-Injection
Task 4
What does Nmap report as the service and version that are running on port 80 of the target?
Apache httpd 2.4.38 ((Debian))
Task 5
What is the standard port used for the HTTPS protocol?
443
Task 6
What is a folder called in web-application terminology?
directory
Task 7
What HTTP response code is given for 'Not Found' errors?
404
Task 8
Gobuster is one tool used to brute force directories on a webserver. What switch do we use with Gobuster to specify we're looking to discover directories, and not subdomains?
dir
Task 9
What single character can be used to comment out the rest of a line in MySQL?
#
Task 10
If user input is not handled carefully, it could be interpreted as a comment. Use a comment to login as admin without knowing the password. What is the first word on the webpage returned?
Congratulations
Submit Flag
Submit root flag
e3d0796d002a446c0e622226f42e9672
Thanks for Visiting