The aim of this walkthrough is to provide help with the Appointment machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.
It belongs to a series of tutorials that aim to help out complete beginners with finishing the Starting Point TIER 1 challenges.
There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.
Once our connection is taken care of, we spawn the target machine.
Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop] └──╼ $rhost=<target-hosts-ip>
┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop] └──╼ $ echo $rhost <target-hosts-ip> ┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop] └──╼ $
You could use the unset command to remove it after you no longer need it.
┌─[✗]─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop] └──╼ $unset rhost ┌─[htb-bluewalle@htb-pwdysfiide]─[~/Desktop] └──╼ $
Question: What does the acronym SQL stand for?
Look up sql on the internet.
structured query language
Question: What is one of the most common type of SQL vulnerabilities?
The first answer I happened to stumble upon after a quick search was in-band sql injection. Loosing the first part of the word provides you with the correct answer.
Question: What does PII stand for?
The internet delivers again.
personally identifiable information
Question: What is the 2021 OWASP Top 10 classification for this vulnerability?
Then answer should be clear after the first couple of internet search results.
Question: What does Nmap report as the service and version that are running on port 80 of the target?
Run nmap with the -sV options set to enable service name and version discovery.
┌─[htb-bluewalle@htb-yyi8qlbzkz]─[~/Desktop] └──╼ $nmap -sV -p80 $rhost Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-05 10:12 BST Nmap scan report for 10.129.161.249 Host is up (0.014s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.38 ((Debian)) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.74 seconds ┌─[htb-bluewalle@htb-yyi8qlbzkz]─[~/Desktop] └──╼ $
apache httpd 2.4.38 ((debian))
Question: What is the standard port used for the HTTPS protocol?
Searching the internet for something like - https protocol default port - should suffice for this task.
Question: What is a folder called in web-application terminology?
Well, one way would be to search the internet again. One other one would be to make an educated guess.
If you have already used gobuster to enumerate the files/folders on a web page, you must have used it in dir mode, which stands for the directory/file enumeration mode. So there you have it.
Question: What is the HTTP response code is given for ‘Not Found’ errors?
Searching for something like - http response code not found - on the internet should give you the answer right away.
Question: Gobuster is one tool used to brute force directories on a webserver. What switch do we use with Gobuster to specify we’re looking to discover directories, and not subdomains?
Checking out the command’s built-in help option (if it has one) is always a good start to get a better idea about the command’s available options and their usage.
┌─[htb-bluewalle@htb-yyi8qlbzkz]─[~/Desktop] └──╼ $gobuster --help Usage: gobuster [command] Available Commands: dir Uses directory/file enumeration mode dns Uses DNS subdomain enumeration mode fuzz Uses fuzzing mode help Help about any command s3 Uses aws bucket enumeration mode version shows the current version vhost Uses VHOST enumeration mode Flags: --delay duration Time each thread waits between requests (e.g. 1500ms) -h, --help help for gobuster --no-error Don't display errors -z, --no-progress Don't display progress -o, --output string Output file to write results to (defaults to stdout) -p, --pattern string File containing replacement patterns -q, --quiet Don't print the banner and other noise -t, --threads int Number of concurrent threads (default 10) -v, --verbose Verbose output (errors) -w, --wordlist string Path to the wordlist Use "gobuster [command] --help" for more information about a command. ┌─[htb-bluewalle@htb-yyi8qlbzkz]─[~/Desktop] └──╼ $
Run it in order to get a better idea about the available files/directories on the target machine.
┌─[htb-bluewalle@htb-yyi8qlbzkz]─[~/Desktop] └──╼ $gobuster dir -u http://$rhost/ -w /usr/share/wordlists/dirb/common.txt =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.129.161.249/ [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2023/05/05 10:43:09 Starting gobuster in directory enumeration mode =============================================================== /.hta (Status: 403) [Size: 279] /.htaccess (Status: 403) [Size: 279] /.htpasswd (Status: 403) [Size: 279] /css (Status: 301) [Size: 314] [--> http://10.129.161.249/css/] /fonts (Status: 301) [Size: 316] [--> http://10.129.161.249/fonts/] /images (Status: 301) [Size: 317] [--> http://10.129.161.249/images/] /index.php (Status: 200) [Size: 4896] /js (Status: 301) [Size: 313] [--> http://10.129.161.249/js/] /server-status (Status: 403) [Size: 279] /vendor (Status: 301) [Size: 317] [--> http://10.129.161.249/vendor/] =============================================================== 2023/05/05 10:43:14 Finished =============================================================== ┌─[htb-bluewalle@htb-yyi8qlbzkz]─[~/Desktop] └──╼ $
Question: What single character can be used to comment out the rest of a line in MySQL?
For this task, the internet search results were not as straightforward as in the previous tasks.
The reason for might be that there are multiple ways to comment something out in mysql. Like – (two dashes) or using the /* and */ symbol pairs. But none of them are only one character long.
So the question is quite misleading.
The one we are actually looking for is one of the single line comments available for php. And since // consists of two characters, # must be our answer.
Question: If user input is not handled carefully, it could be interpreted as a comment. Use a comment to login as admin without knowing the password. What is the first word on the webpage returned?
Well, since no interesting directories/files were found during the enumeration in the previous task, fire up your browser to check out the target machine’s landing page.
We could already guess the username from the task description. It must be admin, but you will have to adjust it in such way that your mysql query removes the password verification part.
One way to craft this is to first use the ' symbol to close up the sql query part. Then use the information gathered in the previous task (commenting something out with #) to comment out the rest of the query.
This would result in a the following
Once logged-in, the welcome message displays the flag for the last task.
Question: Submit root flag
The flag was already displayed once we logged in during the previous task.
Make sure to terminate the target box before you continue with the next machine!