Appointment Starting Point HackTheBox Writeup.

protonsec
5 min readJul 29, 2022
Appointment Starting Point HackTheBox Writeup

Appointment is a very good lab to practice for Databases related security isssues. So in this writeup[walkthrough] we are going to exploit this challenge.

Appointment Starting Point HackTheBox Writeup
Appointment Starting Point HackTheBox Writeup

First of all check for the services running on the serverusing nmap as given below

wesecure1337@kali:~$ nmap -sV 10.129.173.10
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 15:02 IST
Nmap scan report for 10.129.173.10
Host is up (0.52s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.65 seconds

Here is the useful information from the nmap scan result.

PORT   STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))

Here port 80/tcpis open and Apache is running which means that a website is running on the machine so lets go the the website by typing ip_address of the Appointment Challenge in your favourite browser.

Now let’s solve the Tasks

Simple google sql stands for and you will get the answer for Task 1

TASK 1What does the acronym SQL stand for?
Structured Query Language

If you have seen any article or video by any cybersecurity professional must have heard of sql injection is a great issue.

TASK 2What is one of the most common type of SQL vulnerabilities?SQL injection

If you don’t know about PII then it is any information that can uniquely identify any person/individual .

TASK 3What does PII stand for?
Personally Identifiable Information

Simple googling brings us to

TASK 4What does the OWASP Top 10 list name the classification for this vulnerability?
A03:2021-Injection

As you can see from our nmap scan results

TASK 5What service and version are running on port 80 of the target?
Apache httpd 2.4.38 ((Debian))

As we know standard port used by HTTPS protocol is 443

TASK 6What is the standard port used for the HTTPS protocol?
443
Appointment Starting Point HackTheBox Writeup website by @wesecure1337

Copy and paste the ip_address in your favourite browser, you can see in the browser it is a login page which is asking for the username and password. Now whenever I see anything the first thing comes in my mind is to check for the sql injection and/or directory brute forcing if you want to make it easy, first check for sql injection and sometime brute-forcing works on luck.

TASK 7What is one luck-based method of exploiting login pages?
brute-forcing

folder is used in the case when we used computer for normal use like I have some hacking related pdfs in my Document folder but in the case of web-application directory is used instead of folder

TASK 8What is a folder called in web-application terminology?
directory

Just simple google Not Found http status code you will get the result.

TASK 9What response code is given for "Not Found" errors?
404

If you haven’t installed gobuster yet go and install it. Just type gobuster in terminal

wesecure1337@kali:~$ gobuster
Usage:
gobuster [command]
Available Commands:
dir Uses directory/file enumeration mode
dns Uses DNS subdomain enumeration mode
fuzz Uses fuzzing mode
help Help about any command
s3 Uses aws bucket enumeration mode
version shows the current version
vhost Uses VHOST enumeration mode
Flags:
--delay duration Time each thread waits between requests (e.g. 1500ms)
-h, --help help for gobuster
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlist
Use "gobuster [command] --help" for more information about a command.

As you can see the commands

Available Commands:
dir Uses directory/file enumeration mode
dns Uses DNS subdomain enumeration mode
fuzz Uses fuzzing mode
help Help about any command
s3 Uses aws bucket enumeration mode
version shows the current version
vhost Uses VHOST enumeration mode

It clearly says that to search for directory we have to specify dir . This leads to our Task 10

TASK 10What switch do we use with Gobuster to specify we're looking to discover directories, and not subdomains?
dir

In most of the languages # is used to comment out parts out the code, meaning that any written after # in the line is not considered to a code but only for the developers to understand what is the purpose of the code.

TASK 11What symbol do we use to comment out parts of the code?
#

Go back in the browser where you have pasted the the ip address of the the Appointment challenge and enter admin as username and password as password to check how the application is behaving. Nothing happens means our username password combination is not correct so lets try some simple sql injection

Enter admin'# in the usernamefield and password in the passwordfield. You will be logged in and the screen displays the flag for this Appointment challenge.

Appointment Starting Point HackTheBox Writeup Flag
SUBMIT FLAGSubmit root flag
e3d0796d002a446c0e622226f42e9672

Voila!!! We have successfully hacked the Appointment by HacktheBox. If you enjoyed reading walkthrough[writeup] and excited then do checkout our other walkthroughs.

Let’s get connected

Twitter: proton_sec
GitHub: proton-sec
LinkedIn: protonsec

If you want to appreciate and support my work here you go…

Thanks for Reading!!!

--

--