Appointment is a very good lab to practice for Databases related security isssues. So in this writeup[walkthrough] we are going to exploit this challenge.
First of all check for the services running on the serverusing nmap as given below
wesecure1337@kali:~$ nmap -sV 10.129.173.10
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-28 15:02 IST
Nmap scan report for 10.129.173.10
Host is up (0.52s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.65 seconds
Here is the useful information from the nmap scan result.
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))Here port 80/tcpis open and Apache is running which means that a website is running on the machine so lets go the the website by typing ip_address of the Appointment Challenge in your favourite browser.
Now let’s solve the Tasks
Simple google sql stands for and you will get the answer for Task 1
TASK 1What does the acronym SQL stand for?
Structured Query Language
If you have seen any article or video by any cybersecurity professional must have heard of sql injection is a great issue.
TASK 2What is one of the most common type of SQL vulnerabilities?SQL injection
If you don’t know about PII then it is any information that can uniquely identify any person/individual .
TASK 3What does PII stand for?
Personally Identifiable Information
Simple googling brings us to
TASK 4What does the OWASP Top 10 list name the classification for this vulnerability?
A03:2021-Injection
As you can see from our nmap scan results
TASK 5What service and version are running on port 80 of the target?
Apache httpd 2.4.38 ((Debian))
As we know standard port used by HTTPS protocol is 443
TASK 6What is the standard port used for the HTTPS protocol?
443
Copy and paste the ip_address in your favourite browser, you can see in the browser it is a login page which is asking for the username and password. Now whenever I see anything the first thing comes in my mind is to check for the sql injection and/or directory brute forcing if you want to make it easy, first check for sql injection and sometime brute-forcing works on luck.
TASK 7What is one luck-based method of exploiting login pages?
brute-forcing
folder is used in the case when we used computer for normal use like I have some hacking related pdfs in my Document folder but in the case of web-application directory is used instead of folder
TASK 8What is a folder called in web-application terminology?
directory
Just simple google Not Found http status code you will get the result.
TASK 9What response code is given for "Not Found" errors?
404
If you haven’t installed gobuster yet go and install it. Just type gobuster in terminal
wesecure1337@kali:~$ gobuster
Usage:
gobuster [command]Available Commands:
dir Uses directory/file enumeration mode
dns Uses DNS subdomain enumeration mode
fuzz Uses fuzzing mode
help Help about any command
s3 Uses aws bucket enumeration mode
version shows the current version
vhost Uses VHOST enumeration modeFlags:
--delay duration Time each thread waits between requests (e.g. 1500ms)
-h, --help help for gobuster
--no-error Don't display errors
-z, --no-progress Don't display progress
-o, --output string Output file to write results to (defaults to stdout)
-p, --pattern string File containing replacement patterns
-q, --quiet Don't print the banner and other noise
-t, --threads int Number of concurrent threads (default 10)
-v, --verbose Verbose output (errors)
-w, --wordlist string Path to the wordlistUse "gobuster [command] --help" for more information about a command.
As you can see the commands
Available Commands:
dir Uses directory/file enumeration mode
dns Uses DNS subdomain enumeration mode
fuzz Uses fuzzing mode
help Help about any command
s3 Uses aws bucket enumeration mode
version shows the current version
vhost Uses VHOST enumeration modeIt clearly says that to search for directory we have to specify dir . This leads to our Task 10
TASK 10What switch do we use with Gobuster to specify we're looking to discover directories, and not subdomains?
dir
In most of the languages # is used to comment out parts out the code, meaning that any written after # in the line is not considered to a code but only for the developers to understand what is the purpose of the code.
TASK 11What symbol do we use to comment out parts of the code?
#
Go back in the browser where you have pasted the the ip address of the the Appointment challenge and enter admin as username and password as password to check how the application is behaving. Nothing happens means our username password combination is not correct so lets try some simple sql injection
Enter admin'# in the usernamefield and password in the passwordfield. You will be logged in and the screen displays the flag for this Appointment challenge.
SUBMIT FLAGSubmit root flag
e3d0796d002a446c0e622226f42e9672
Voila!!! We have successfully hacked the Appointment by HacktheBox. If you enjoyed reading walkthrough[writeup] and excited then do checkout our other walkthroughs.
Let’s get connected
Twitter: proton_sec
GitHub: proton-sec
LinkedIn: protonsec
If you want to appreciate and support my work here you go…
Thanks for Reading!!!
