Setup

First, we need to connect to the HTB network. There are two different methods to do the same:

  1. Using Pwnbox
  2. Using OpenVPN

(Click here to learn to connect to HackTheBox VPN)

Introduction

This box will help us to practice performing an SQL injection against an SQL database enabled web application.

SQL Injection is a common way of exploiting web pages that use SQL Statements to retrieve and store user input data.

Scanning and enumeration

Spawn machine.png

After our connection to the HTB network is successfully established, we can spawn the target machine from the Starting Point lab’s page by clicking on “SPAWN MACHINE” as show above. After spawning the machine, we can check if our packets reach their destination by using the ping command.

htb-appointment-02-ip-address.png

Grab the IP address of your current target and paste it into your terminal after typing in the ping command. After 4-5 successful replies from the target, we can confirm that our connection is formed and stable. We can cancel the ping command by pressing the Ctrl + C combination on our keyboard.

htb-appointment-03-ping.png

Now let’s start scanning the target using nmap to find any open ports and services

We can use the following nmap command: sudo nmap -sC -sV {target_ip}

{target_ip} has to be replaced with the IP address of the Appointment machine.

The -sC switch is used to perform script scan using the default set of scripts. The -sV switch is used to display the version of the services running on the open ports.

htb-appointment-04-nmap-scan.png

From the nmap scan, we can see that port 80 is open and it is running Apache httpd server with version 2.4.38

Apache httpd server is used for running web pages on either physical or virtual web servers.

If we type the IP address of the device into the address bar of our browser, we can see a website with a login form

htb-appointment-05-website-page.png

Foothold

We can pass in default credentials or use brute-forcing attacks to bypass the login system. But even after doing those we are unable to login.

So, we will try for any possible SQL injection vulnerability in the login form.

Below is an example SQL query to verify username and password and log the person in

SELECT * FROM users WHERE username='$username' AND password='$password’

htb-appointment-06-sql-query-example.png

$username will be replaced by whatever we type in the username field of the form and similarly for $password

In PHP, we use #to comment lines of code.

With this much knowledge we can try to do SQL injection in the login form provided to us.

htb-appointment-07-filled-login-form.png

In the username field, we can type admin'# . This line will go inside the code, and it will put the username as admin and because of # the rest of the line is commented, so the code only checks for the usernames with admin and ignores the password validation. So, we can put any value in password field and login.

After filling the form and clicking on the login button, this is how the SQL query will look like 👇

htb-appointment-08-sql-payload.png

After submitting the form, we get a page like:

htb-appointment-09-flag.png

This shows that the login form on the website was vulnerable to SQL injection, and we have successfully exploited it.

Copy the flag value and paste it into the Starting Point lab’s page to complete your task.

htb-appointment-10-submit-flag.png

Congrats, you have just pwned Appointment! 👏


Task answers

Task 1: What does the acronym SQL stand for?

Structured Query Language

Task 2: What is one of the most common type of SQL vulnerabilities?

SQL injection

Task 3: What does PII stand for?

Personally Identifiable Information

Task 4: What does the OWASP Top 10 list name the classification for this vulnerability?

A03:2021-Injection

Task 5: What service and version are running on port 80 of the target?

Apache httpd 2.4.38 ((Debian))

Task 6: What is the standard port used for the HTTPS protocol?

443

Task 7: What is one luck-based method of exploiting login pages?

brute-forcing

Task 8: What is a folder called in web-application terminology?

directory

Task 9: What response code is given for “Not Found” errors?

404

Task 10: What switch do we use with Gobuster to specify we’re looking to discover directories, and not subdomains?

dir

Task 11: What symbol do we use to comment out parts of the code?

#

🚩 Root flag:

e3d0796d002a446c0e622226f42e9672