I just finished Tier 0 of the Starting Point and now I’m moving on to Tier 1 boxes. These are still very easy level boxes, but we all start somewhere, and I’m enjoying every step of this process. That’s what matters hehe.
What does the acronym SQL stand for?
Structured Query Language!What is one of the most common type of SQL vulnerabilities?
SQL InjectionWhat is the 2021 OWASP Top 10 classification for this vulnerability?
A03:2021-Injection
What does Nmap report as the service and version that are running on port 80 of the target?
Apache httpd 2.4.38 ((Debian)) 1┌─[us-starting-point-vip-1-dhcp]─[10.10.14.28]─[leewookb@htb-wv2b0ymwtt]─[~/Desktop]
2└──╼ [★]$ nmap -sC -sV 10.129.50.1 -p 80
3Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-11 13:16 CDT
4Nmap scan report for 10.129.50.1
5Host is up (0.0085s latency).
6
7PORT STATE SERVICE VERSION
880/tcp open http Apache httpd 2.4.38 ((Debian))
9|_http-server-header: Apache/2.4.38 (Debian)
10|_http-title: Login
11
12Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
13Nmap done: 1 IP address (1 host up) scanned in 6.76 secondsWhat is the standard port used for the HTTPS protocol?
443What is a folder called in web-application terminology?
directoryWhat is the HTTP response code is given for ‘Not Found’ errors?
404Gobuster is one tool used to brute force directories on a webserver. What switch do we use with Gobuster to specify we’re looking to discover directories, and not subdomains?
dir
What singlce character can be used to comment out the rest of a line in MySQL?
#We can also use -- for commenting, but that’s two characters.
If user input is not handled carefully, it could be interpreted as a comment. Use a comment to login as admin without knowing the password. What is the first word on the webpage returned?
CongratulationsI first tried admin# but kept failing to log in, so since the gobuster was mentioned earlier, I tried dirbuster to see if there were any helpful folders open but couldn’t find any.
After peeping the provided walkthrough, I learned that I had to include ' the single quote to close the query, allowing the script to search for the admin username and then add the hashtag symbol to comment out the rest of the query.
1┌─[us-starting-point-vip-1-dhcp]─[10.10.14.28]─[leewookb@htb-wv2b0ymwtt]─[~/Desktop]
2└──╼ [★]$ gobuster dir -u http://10.129.50.1 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
3===============================================================
4Gobuster v3.6
5by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6===============================================================
7[+] Url: http://10.129.50.1
8[+] Method: GET
9[+] Threads: 10
10[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
11[+] Negative Status codes: 404
12[+] User Agent: gobuster/3.6
13[+] Timeout: 10s
14===============================================================
15Starting gobuster in directory enumeration mode
16===============================================================
17/images (Status: 301) [Size: 311] [--> http://10.129.50.1/images/]
18/css (Status: 301) [Size: 308] [--> http://10.129.50.1/css/]
19/js (Status: 301) [Size: 307] [--> http://10.129.50.1/js/]
20/vendor (Status: 301) [Size: 311] [--> http://10.129.50.1/vendor/]
21/fonts (Status: 301) [Size: 310] [--> http://10.129.50.1/fonts/]
22/server-status (Status: 403) [Size: 276]
23Progress: 220560 / 220561 (100.00%)
24===============================================================
25Finished
26===============================================================
Submit root flag
e3d0796d002a446c0e622226f42e9672