Appointment (Tier 1)

Description

  • Tier -> 1

  • Difficult -> Very Easy

  • OS -> Linux

  • Tags -> Databases / Apache / MariaDB / PHP / SQL / Reconnaissance / SQL Injection

https://app.hackthebox.com/starting-point?tier=1

Write-up

  • With some research, I started answering the first questions

Answer: Structured Query Language

Anwer: SQL Injection

Answer: A03:2021 Injection

  • Then, I did an initial scan using Nmap

nmap -p- -Pn --min-rate 2000 10.129.228.241

  • I continued doing an exhaustive scan on the open port to know about the services running

nmap -p80 -sVC 10.129.228.241

  • With that and some research, I answered the next questions

Answer: Apache httpd 2.4.38 ((Debian))

Answer: 443

Answer: Directory

Answer: 404

Answer: dir

Answer: #

  • As I found an HTTP service running on port 80, I went to the browser to explore the content being deployed. I found a simple login page and tried to log in with default credentials but it didn't work

To learn more about the HTTP protocol you can go here

  • So looking for another way to get through this, I tried doing some basic SQL Injection tests assuming that was the way the credentials were being validated. After some tries, I found out that by using the username admin'# and providing any password (a basic test for SQLi in PHP-based pages), I gained access, and a message with the flag was displayed

To learn more about Authentication bypass via SQLi, you can go here

  • With this, I answered the last question

Answer: Congratulations

  • And finally, I got the root flag and pwned the machine

Answer: e3d0796d002a446c0e622226f42e9672

PreviousSynced (Tier 0)NextSequel (Tier 1)

Last updated