Walkthrough for the Appointment Machine — Hack The Box (HTB) Challenge

Walkthrough for the Appointment Machine — Hack The Box (HTB) Challenge

Welcome back to another installment of my 100-Day Hack The Box (HTB) Challenge! In this post, we’ll be walking through the Appointment Machine, a web application-oriented box that highlights SQL injection techniques and database exploitation. This machine is perfect for both beginners and those looking to sharpen their web application penetration testing skills.

Check out the full video walkthrough on my YouTube channel for real-time demos of each step covered in this guide.

Step 1: Initial Enumeration

As with any HTB machine, we start by performing an nmap scan to identify open ports and services on the target machine. The command I used was:

nmap -sC -sV -oN nmap/appointment_scan <target-ip>

This scan reveals a single open port:

• Port 80: Running an Apache web server

With the HTTP service exposed on port 80, our next move is to investigate the website hosted on this server.

Step 2: Exploring the Web Application

When we navigate to the website, we find a search functionality integrated into the site. This feature seems to allow users to search through various items or information stored in the backend database. Given that this is a web app, the first thing that comes to mind is testing the search functionality for SQL injection vulnerabilities.

Using a simple SQL injection payload like admin’ OR ‘1'=’1 in the search box immediately produces unusual results, indicating that the search field is vulnerable to SQL injection.

Step 3: Exploiting SQL Injection

After confirming that the web application is vulnerable, the next step is to fully exploit the SQL injection to gather valuable information from the backend database. A tool like sqlmap can automate this process and make the extraction of data from the database much easier.

Run the following sqlmap command to enumerate the databases:

sqlmap -u “http://<target-ip>/search.php” — data=”search=your_search_query” — dbs

With this, we can begin to retrieve information about the database structure. Eventually, we extract key information, including usernames, passwords, and other sensitive data stored in the database.

Step 4: Cracking Passwords and Logging In

Once we dump the usernames and passwords, it’s time to crack any hashed passwords using a tool like John the Ripper. After successfully cracking the hashes, we use the valid credentials to log in to the web application or services.

In this case, the cracked credentials allow us to access an admin panel or restricted part of the website. With admin-level privileges, we now have greater control over the system.

Step 5: Gaining a Shell

The goal of most HTB machines is to eventually gain a shell on the target system. After exploring the admin panel, we look for a file upload feature or any other functionality that can help us execute code on the server.

We find a vulnerable upload function that lets us upload a PHP reverse shell. With the reverse shell uploaded, we set up a listener on our attack machine using Netcat:

nc -lvnp 4444

Triggering the reverse shell through the web application, we gain a foothold on the target machine!

Step 6: Privilege Escalation

Now that we have a low-privilege shell, the final step is to escalate our privileges to root. By exploring the system, we identify a misconfigured file with SUID permissions that allows us to run commands as the root user.

Using the following command, we exploit the vulnerable file and escalate to root:

./<vulnerable_file>

At this point, we’ve fully compromised the machine and obtained the root flag!

Lessons Learned

The Appointment machine demonstrates the critical importance of securing web applications, particularly when interacting with databases. Here are a few takeaways:

1. SQL Injection: Input validation and parameterized queries are crucial for protecting against SQL injection attacks.

2. File Upload Security: Proper restrictions on file uploads can prevent attackers from uploading malicious files like reverse shells.

3. Privilege Escalation: Misconfigured file permissions often provide an easy path for attackers to gain root access, so it’s essential to review and secure all system files.

Final Thoughts

The Appointment machine is a great exercise in database exploitation and web application security. If you’re working on sharpening your penetration testing skills, this machine is perfect for learning SQL injection and privilege escalation techniques.

Check out my full video walkthrough on YouTube for a detailed, real-time demo of the steps outlined in this post.

Connect with Me:

• YouTube Channel

• LinkedIn

Stay tuned for more Hack The Box walkthroughs as we continue the 100-Day HTB Challenge! 👾

This blog post provides a comprehensive step-by-step walkthrough for the Appointment machine, focusing on key techniques like SQL injection and privilege escalation, while encouraging readers to watch the full video on your YouTube channel! Medium Blog Post: Walkthrough for the Appointment Machine — Hack The Box (HTB) Challenge

Title: Appointment Machine Walkthrough — Hack The Box (HTB) Challenge

Welcome back to another installment of my 100-Day Hack The Box (HTB) Challenge! In this post, we’ll be walking through the Appointment Machine, a web application-oriented box that highlights SQL injection techniques and database exploitation. This machine is perfect for both beginners and those looking to sharpen their web application penetration testing skills.

Check out the full video walkthrough on my YouTube channel for real-time demos of each step covered in this guide.

Step 1: Initial Enumeration

As with any HTB machine, we start by performing an nmap scan to identify open ports and services on the target machine. The command I used was:

nmap -sC -sV -oN nmap/appointment_scan <target-ip>

This scan reveals a single open port:

• Port 80: Running an Apache web server

With the HTTP service exposed on port 80, our next move is to investigate the website hosted on this server.

Step 2: Exploring the Web Application

When we navigate to the website, we find a search functionality integrated into the site. This feature seems to allow users to search through various items or information stored in the backend database. Given that this is a web app, the first thing that comes to mind is testing the search functionality for SQL injection vulnerabilities.

Using a simple SQL injection payload like admin’ OR ‘1'=’1 in the search box immediately produces unusual results, indicating that the search field is vulnerable to SQL injection.

Step 3: Exploiting SQL Injection

After confirming that the web application is vulnerable, the next step is to fully exploit the SQL injection to gather valuable information from the backend database. A tool like sqlmap can automate this process and make the extraction of data from the database much easier.

Run the following sqlmap command to enumerate the databases:

sqlmap -u “http://<target-ip>/search.php” — data=”search=your_search_query” — dbs

With this, we can begin to retrieve information about the database structure. Eventually, we extract key information, including usernames, passwords, and other sensitive data stored in the database.

Step 4: Cracking Passwords and Logging In

Once we dump the usernames and passwords, it’s time to crack any hashed passwords using a tool like John the Ripper. After successfully cracking the hashes, we use the valid credentials to log in to the web application or services.

In this case, the cracked credentials allow us to access an admin panel or restricted part of the website. With admin-level privileges, we now have greater control over the system.

Step 5: Gaining a Shell

The goal of most HTB machines is to eventually gain a shell on the target system. After exploring the admin panel, we look for a file upload feature or any other functionality that can help us execute code on the server.

We find a vulnerable upload function that lets us upload a PHP reverse shell. With the reverse shell uploaded, we set up a listener on our attack machine using Netcat:

nc -lvnp 4444

Triggering the reverse shell through the web application, we gain a foothold on the target machine!

Step 6: Privilege Escalation

Now that we have a low-privilege shell, the final step is to escalate our privileges to root. By exploring the system, we identify a misconfigured file with SUID permissions that allows us to run commands as the root user.

Using the following command, we exploit the vulnerable file and escalate to root:

./<vulnerable_file>

At this point, we’ve fully compromised the machine and obtained the root flag!

Lessons Learned

The Appointment machine demonstrates the critical importance of securing web applications, particularly when interacting with databases. Here are a few takeaways:

1. SQL Injection: Input validation and parameterized queries are crucial for protecting against SQL injection attacks.

2. File Upload Security: Proper restrictions on file uploads can prevent attackers from uploading malicious files like reverse shells.

3. Privilege Escalation: Misconfigured file permissions often provide an easy path for attackers to gain root access, so it’s essential to review and secure all system files.

Final Thoughts

The Appointment machine is a great exercise in database exploitation and web application security. If you’re working on sharpening your penetration testing skills, this machine is perfect for learning SQL injection and privilege escalation techniques.

Check out my full video walkthrough on YouTube for a detailed, real-time demo of the steps outlined in this post.

Connect with Me:

• YouTube Channel

• LinkedIn

Stay tuned for more Hack The Box walkthroughs as we continue the 100-Day HTB Challenge! 👾