The aim of this walkthrough is to provide help with the Appointment machine on the Hack The Box website. Please note that no flags are directly provided here. Moreover, be aware that this is only one of the many ways to solve the challenges.

It belongs to a series of tutorials that aim to help complete beginners finish the Starting Point TIER 1 challenges.


There are a couple of ways to connect to the target machine. The one we will be using throughout this walkthrough is via the provided pwnbox.

Once our connection is taken care of, we spawn the target machine.

Additionally - even though not required - it is possible to set a local variable (only available in the current shell) containing our target host’s IP address. Once set, we can easily access it by prepending a $ to our variable name.

└──╼ $rhost=<target-hosts-ip>
└──╼ $ echo $rhost 
└──╼ $

You could use the unset command to remove it after you no longer need it.

└──╼ $unset rhost 
└──╼ $


Question: What does the acronym SQL stand for?

Look up sql on the internet.

structured query language


Question: What is one of the most common type of SQL vulnerabilities?

The first answer I happened to stumble upon after a quick search was in-band sql injection. Losing the first part of the phrase provides you with the correct answer.

sql injection


Question: What does PII stand for?

The internet delivers again.

personally identifiable information


Question: What is the 2021 OWASP Top 10 classification for this vulnerability?

The answer should be clear after the first couple of internet search results.



Question: What does Nmap report as the service and version that are running on port 80 of the target?

Run nmap with the -sV option set to enable service name and version discovery.

└──╼ $nmap -sV -p80 $rhost 
Starting Nmap 7.93 ( ) at 2023-05-05 10:12 BST
Nmap scan report for
Host is up (0.014s latency).

80/tcp open  http    Apache httpd 2.4.38 ((Debian))

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 6.74 seconds
└──╼ $

apache httpd 2.4.38 ((debian))


Question: What is the standard port used for the HTTPS protocol?

Searching the internet for something like - https protocol default port - should suffice for this task.



Question: What is a folder called in web-application terminology?

Well, one way would be to search the internet again. Another would be to make an educated guess.

If you have already used gobuster to enumerate the files/folders on a web page, you must have used it in dir mode, which stands for the directory/file enumeration mode. So there you have it.



Question: What HTTP response code is given for ‘Not Found’ errors?

Searching for something like - http response code not found - on the internet should give you the answer right away.



Question: Gobuster is one tool used to brute force directories on a webserver. What switch do we use with Gobuster to specify we’re looking to discover directories, and not subdomains?

Checking out the command’s built-in help option (if it has one) is always a good start to get a better idea about the command’s available options and their usage.

└──╼ $gobuster --help
  gobuster [command]

Available Commands:
  dir         Uses directory/file enumeration mode
  dns         Uses DNS subdomain enumeration mode
  fuzz        Uses fuzzing mode
  help        Help about any command
  s3          Uses aws bucket enumeration mode
  version     shows the current version
  vhost       Uses VHOST enumeration mode

      --delay duration    Time each thread waits between requests (e.g. 1500ms)
  -h, --help              help for gobuster
      --no-error          Don't display errors
  -z, --no-progress       Don't display progress
  -o, --output string     Output file to write results to (defaults to stdout)
  -p, --pattern string    File containing replacement patterns
  -q, --quiet             Don't print the banner and other noise
  -t, --threads int       Number of concurrent threads (default 10)
  -v, --verbose           Verbose output (errors)
  -w, --wordlist string   Path to the wordlist

Use "gobuster [command] --help" for more information about a command.
└──╼ $

Run it in order to get a better idea about the available files/directories on the target machine.

└──╼ $gobuster dir -u http://$rhost/ -w /usr/share/wordlists/dirb/common.txt
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2023/05/05 10:43:09 Starting gobuster in directory enumeration mode
/.hta                 (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/css                  (Status: 301) [Size: 314] [-->]
/fonts                (Status: 301) [Size: 316] [-->]
/images               (Status: 301) [Size: 317] [-->]
/index.php            (Status: 200) [Size: 4896]
/js                   (Status: 301) [Size: 313] [-->]
/server-status        (Status: 403) [Size: 279]
/vendor               (Status: 301) [Size: 317] [-->]
2023/05/05 10:43:14 Finished
└──╼ $
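Seen from the server side, a run like the one above leaves a very recognisable trace in the Apache access log: one client, many requests in a few seconds, most of them answered with 403 or 404, no Referer, and (unless the default is overridden) a gobuster/3.1.0 User-Agent. The following is an added example, not code from the original walkthrough or from the target machine, that parses Apache combined-format log lines and flags clients matching that pattern. The log lines, IP addresses and paths are constructed for the demonstration; the thresholds (five requests, half of them errors) and the scanner name list are assumptions you would tune to your own traffic.

```python
"""Added example: spotting a directory brute-force run in Apache combined logs.
All log lines below are constructed; IPs, paths and timestamps are made up."""
import re
from collections import defaultdict

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Substrings of User-Agent values that well-known enumeration tools send by default
# (constructed list; any client can change its User-Agent, so this is a hint only).
SCANNER_UA_HINTS = ("gobuster", "dirb", "dirbuster", "ffuf", "feroxbuster")

SAMPLE_LOG = """\
10.0.0.5 - - [05/May/2023:10:43:09 +0100] "GET /.hta HTTP/1.1" 403 279 "-" "gobuster/3.1.0"
10.0.0.5 - - [05/May/2023:10:43:09 +0100] "GET /.htaccess HTTP/1.1" 403 279 "-" "gobuster/3.1.0"
10.0.0.5 - - [05/May/2023:10:43:09 +0100] "GET /aaa HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.5 - - [05/May/2023:10:43:09 +0100] "GET /abc HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.5 - - [05/May/2023:10:43:10 +0100] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.5 - - [05/May/2023:10:43:10 +0100] "GET /backup HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.5 - - [05/May/2023:10:43:10 +0100] "GET /css HTTP/1.1" 301 314 "-" "gobuster/3.1.0"
10.0.0.5 - - [05/May/2023:10:43:11 +0100] "GET /index.php HTTP/1.1" 200 4896 "-" "gobuster/3.1.0"
10.0.0.9 - - [05/May/2023:10:43:12 +0100] "GET /index.php HTTP/1.1" 200 4896 "-" "Mozilla/5.0"
10.0.0.9 - - [05/May/2023:10:43:13 +0100] "GET /css/style.css HTTP/1.1" 200 1200 "http://example.test/index.php" "Mozilla/5.0"
10.0.0.9 - - [05/May/2023:10:43:20 +0100] "GET /missing.png HTTP/1.1" 404 275 "http://example.test/index.php" "Mozilla/5.0"
"""


def parse_log(text: str) -> list[dict]:
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def suspicious_clients(entries: list[dict], min_requests: int = 5,
                       error_ratio: float = 0.5) -> dict[str, list[str]]:
    """Return {client_ip: [reasons]} for clients that look like they are
    brute-forcing paths: a known scanner User-Agent, or at least min_requests
    requests of which error_ratio or more came back 403/404 (gobuster's
    default is to hide only 404, so 403s are part of the same footprint)."""
    per_ip = defaultdict(lambda: {"total": 0, "errors": 0, "uas": set()})
    for e in entries:
        stats = per_ip[e["ip"]]
        stats["total"] += 1
        if e["status"] in (403, 404):
            stats["errors"] += 1
        stats["uas"].add(e["ua"])

    flagged = {}
    for ip, s in per_ip.items():
        reasons = []
        for ua in sorted(s["uas"]):
            if any(hint in ua.lower() for hint in SCANNER_UA_HINTS):
                reasons.append(f"scanner user-agent: {ua}")
        if s["total"] >= min_requests and s["errors"] / s["total"] >= error_ratio:
            reasons.append(f"{s['errors']}/{s['total']} requests returned 403/404")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in suspicious_clients(parse_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

The error-ratio rule is the one that survives a changed User-Agent; the browsing client 10.0.0.9 also produced a 404, but it stays below the request threshold and carries a Referer, which is why per-client aggregation rather than single-line matching is what separates a scan from ordinary broken links.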



Question: What single character can be used to comment out the rest of a line in MySQL?

For this task, the internet search results were not as straightforward as in the previous tasks.

The reason for this might be that there are multiple ways to comment something out in mysql, such as -- (two dashes) or the /* and */ symbol pairs. But none of them are only one character long.

So the question is quite misleading.

The one we are actually looking for is one of the single-line comments available for php. And since // consists of two characters, # must be our answer.



Question: If user input is not handled carefully, it could be interpreted as a comment. Use a comment to login as admin without knowing the password. What is the first word on the webpage returned?

Well, since no interesting directories/files were found during the enumeration in the previous task, fire up your browser to check out the target machine’s landing page.

We could already guess the username from the task description. It must be admin, but you will have to adjust it in such a way that your mysql query loses its password verification part.

One way to craft this is to first use the ' symbol to close the quoted part of the sql query. Then use the information gathered in the previous task (commenting something out with #) to comment out the rest of the query.

This would result in the following:


Once logged-in, the welcome message displays the flag for the last task.
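To make the mechanics of the last two tasks concrete from the defender's side, here is an added example (not code from the original walkthrough or from the target machine) that shows, first, how a quote plus a # in the username field changes what MySQL actually evaluates when the query is built by string concatenation, and why the quote is essential (a # inside a string literal comments nothing out); and second, the hardened form using parameter binding, where the same input is just a value that matches no user. The table, columns and the single user record are constructed for the demonstration, sqlite3 stands in for MySQL on the bound-parameter side, and the comment stripping models only single-quoted literals and # comments.

```python
"""Added example: a comment character in untrusted input versus a string-built
SQL query, and the parameterised query that is immune to it.
The users table and its one row are constructed demo data."""
import sqlite3


def build_login_query_unsafe(username: str, password: str) -> str:
    """The vulnerable pattern: untrusted values spliced straight into SQL text.
    This is the shape of a PHP page doing "... WHERE username='$user' ..."
    and handing the string to MySQL unchanged."""
    return (
        "SELECT id FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )


def mysql_effective_statement(sql: str) -> str:
    """Return what MySQL would evaluate once '#' comments are removed.
    '#' starts a comment only outside a quoted string literal, so the closing
    quote in admin'# is what makes the '#' active; without it the '#' stays
    inside the literal.  Simplified model: single-quoted literals with the ''
    escape only; double-quoted literals and backticks are not handled."""
    out = []
    in_quote = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if in_quote:
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":  # escaped quote ''
                    out.append("''")
                    i += 2
                    continue
                in_quote = False
            out.append(ch)
        elif ch == "'":
            in_quote = True
            out.append(ch)
        elif ch == "#":
            nl = sql.find("\n", i)  # comment runs to end of line
            if nl == -1:
                break
            i = nl
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out).rstrip()


def make_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's database (constructed data).
    The password is stored in clear only to keep the demo short; real
    applications store a salted hash and compare against that."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'not-the-real-password')")
    return conn


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The hardened pattern: placeholders send the statement and the values to
    the database separately, so a quote or '#' in the input is just part of a
    value and can never alter the statement.  In PHP the equivalent is a PDO
    prepared statement with bound parameters."""
    row = conn.execute(
        "SELECT id FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    for user in ("admin", "admin'#", "admin#"):
        print(repr(user), "->", mysql_effective_statement(build_login_query_unsafe(user, "guess")))
    conn = make_demo_db()
    print("bound parameters, admin'# :", login_safe(conn, "admin'#", "guess"))
```

Running it shows the string-built query for admin'# collapsing to a lookup on the username alone, with the password clause gone, while the same input passed through bound parameters is compared literally against the stored username and simply fails to log in.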



Question: Submit root flag

The flag was already displayed once we logged in during the previous task.


Make sure to terminate the target box before you continue with the next machine!