Hack the Box – Appointment

# Information:

Platform Name: Hack the Box

Machine Challenge: Appointment

Machine Status: Starting Point

Challenge Level: Very Easy

# Used Tools:

  • Linux
  • nmap
  • gobuster
  • terminal
  • SQLi

# Challenge Description:

This challenge has a list of questions that need to be answered in order to retrieve the flag. We will answer every question.

# Writeup:

Task 1:

What does the acronym SQL stand for?

Answer: The acronym SQL stands for Structured Query Language.

SQL is a language for database creation and manipulation.


Task 2:

What is one of the most common type of SQL vulnerabilities?

Answer: After a quick search I discovered that the answer is SQL injection.


Task 3:

What is the 2021 OWASP Top 10 classification for this vulnerability?

Answer: I googled it and the answer is A03:2021 – Injection.


Task 4:

What does Nmap report as the service and version that are running on port 80 of the target?

Answer: After doing a nmap scan (that you can see in image 1), I discovered that the service and version running on port 80 is Apache httpd 2.4.38 ((Debian)).

Image 1

As you can see in image 1, port 80 is opened and this port is used to send and receive unencrypted web pages. So, what I did next was google:

http://<the_IP_of_your_box_here>

And as you can see in image 2, a login page appeared.

Image 2

Task 5:

What is the standard port used for the HTTPS protocol?

Answer: The port is 443.


Task 6:

What is a folder called in web-application terminology?

Answer: A folder in web-application is called directory.


Task 7:

What is the HTTP response code is given for ‘Not Found’ errors?

Answer: The code is 404.


Task 8:

Gobuster is one tool used to brute force directories on a webserver. What switch do we use with Gobuster to specify we’re looking to discover directories, and not subdomains?

Answer: The switch is dir.

On your terminal if you enter man gobuster, you will have access to the manual of gobuster which means that you will find the answer to this question. You can see this in image 3.

image 3

As you can see in the image above, dir is the classic directory brute-forcing mode.

After knowing all this, I used the following command to brute force directories on the webserver.

gobuster dir -u http://<the_IP_of_your_box_here> -w /path/to/wordlists/dirbuster/directory-list-2.3-medium.txt
Image 4

In image 4, we can see that we have some directories that if we google we will have access to, and we have another that if we google it we will not have access to (it’s the one with the status: 403).


Task 9:

What single character can be used to comment out the rest of a line in MySQL?

Answer: The character is #.


Task 10:

If user input is not handled carefully, it could be interpreted as a comment. Use a comment to login as admin without knowing the password. What is the first word on the webpage returned?

Answer: The first word is Congratulations.

To login I searched for a SQL Injection authentication bypass Cheat Sheet.

After reading this Cheat Sheet, I used the following as username to login:

admin' #

And as password I inserted something random like the number 1. Then I clicked “login” and there it was our flag and the first word that our webpage returned.

Image 5

Submit root flag:

Show flag
e3d0796d002a446c0e622226f42e9672


Thank you very much for reading!

Cheers,

SoBatista


Leave a Reply

Your email address will not be published. Required fields are marked *