Hack the Box — Appointment
HTB Tags: #Linux #SQL #SQLi #MariaDB
This is the first box in Tier 1 of the Starting Point series, with a focus on database injection on a Linux target. Let's start by enumerating with the standard commands, ping and nmap.
ping $IP -c 4
Only one port is showing, and it is the default HTTP port serving a webpage.
Looks like we have a login page showing:
Trying the usual user and passwords does not provide access.
Although we know the challenge is SQLi based, let's just complete the enumeration with a gobuster review.
Quickly looking through the directories does not provide anything that can assist.
What is SQL injection (SQLi)? PortSwigger, the provider of the Burp Suite set of tools, describes it as:
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior. In some situations, an attacker can escalate an SQL injection attack to compromise the underlying server or other back-end infrastructure, or perform a denial-of-service attack.
I will let you review their document, but will only discuss how we can apply the process for the admin user.
We will type in the admin username and close the string with a single quote, so the query now searches for the username `admin`. By appending a hash (`#`), which starts a comment in MariaDB, we comment out the rest of the query, so the password check for that username is never evaluated. As long as there is a user called `admin`, we will gain access. Most times I repeat the user details with the password. In this case you can actually enter anything.
We could also use `admin' or '1'='1`, which in a similar manner forces the condition to evaluate as TRUE, so the user is treated as existing.
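To see why both inputs work, here is an added example (not code from the box or from HTB) that builds the login query the vulnerable way, by string concatenation, next to the parameterized form that fixes it. The table, row and password are constructed stand-ins for the target's MariaDB backend, and SQLite is used so it runs offline; SQLite has no `#` comment, so the `admin'#` case is only rendered, while the `'1'='1` case is actually executed.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the target's MariaDB users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cretP@ss')")  # sample row
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    """Splice raw input into the SQL text: the pattern the login page suffers from."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Run the concatenated query; True if any row matches."""
    sql = build_vulnerable_sql(username, password)
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Same check with bound parameters: quotes in the input stay data, not syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    # admin'#  -> in MariaDB everything after '#' is a comment, so the
    # password clause is dropped. Rendered only, since SQLite lacks '#'.
    print(build_vulnerable_sql("admin'#", "anything"))
    # admin' or '1'='1 -> AND binds tighter than OR, so the WHERE clause
    # becomes username='admin' OR ('1'='1' AND password='anything'): always a hit.
    print(login_vulnerable(db, "admin' or '1'='1", "anything"))  # True
    # The parameterized query compares the literal string, so the same input fails.
    print(login_safe(db, "admin' or '1'='1", "anything"))  # False
    print(login_safe(db, "admin", "S3cretP@ss"))  # True
```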
We now gain access and the challenge flag.
A further resource and listing of these exploitable commands can be found at:
An interesting way to gain access to a target. It is also worthwhile following and understanding the Injection Handbook mentioned above, as it gives you a better understanding of how database queries are built, which you will definitely use later.