Hack The Box’s Learn the basics of Penetration Testing: Appointment

Mahbuba Shahrin
Jan 3, 2022

Tier 1: “You need to walk before you can run”.

APPOINTMENT

First, connect to the Starting Point VPN with:

sudo openvpn [filename].ovpn

Open another tab on your Kali Linux terminal without closing the current tab where you connected to your lab.

Second, select “Spawn the Machine” in green to spawn the target machine; make sure there is no other active machine. The target machine IP address is 10.129.163.76. Your target machine IP address may be different, so use the IP address that you received for this box.

Check out the IP address in a web browser to see what the website looks like.

Finally, you are provided with a question that will lead you to the next task until you are complete with all the tasks.

Task 1 asks, “What does the acronym SQL stand for?”

The answer is Structured Query Language. You can google the acronym to find the answer or use the hint, which also advises using a Google search.

Task 2 asks, “What is one of the most common type of SQL vulnerabilities?”

I checked the hint which reveals, “Mentioned in the write-up’s Introduction section.” So, I downloaded the Appointment’s Walkthrough to check what is in the Introduction because I was curious. I saw it said, “SQL Injection”.

SQLi is also mentioned in the tags.

Hence the answer is SQL Injection.

Task 3 asks, “What does PII stand for?”

That’s actually one of the questions asked in the CompTIA Security+ exam. Also, you can google the answer. PII stands for Personally Identifiable Information.

Task 4 asked, “What does the OWASP Top 10 list name the classification for this vulnerability?”

I checked the hint and it reads, “It holds the third place (first place in the previous one) in the OWASP Top 10 list of most commonly met web vulnerabilities. Use the complete classification name.” I checked the downloaded walkthrough from HTB, which led me to the OWASP website that had the Top 10 Web Application Security Risks.

The answer is A03:2021-Injection

Task 5 asks, “What service and version are running on port 80 of the target?”

I am going to use nmap -sV 10.129.163.76 to scan the IP address to see which service and version are running on port 80 of the target.

Apache httpd 2.4.38 ((Debian)) is the correct answer.

Task 6 asks, “What is the standard port used for the HTTPS protocol?”

The correct answer is 443. You can also google to find the port for HTTPS.

Task 7 asks, “What is one luck-based method of exploiting login pages?”

I checked the hint which said, “Remember to add a dash of wordlists!” That would be brute forcing. If you google “brute force”, the definition of brute force attack is when an attacker uses a wordlist of passwords or phrases of passwords to guess the password correctly.

Task 8 asks, “What is a folder called in web-application terminology?”

The correct answer is directory. Directory is the folder.

Task 9 asks “What response code is given for “Not Found” errors?”

The correct answer is 404. You can google 404 and see that it is the code for “Not Found” errors.

Task 10 asks, “What switch do we use with Gobuster to specify we’re looking to discover directories, and not subdomains?”

If we are looking to discover directories, and not subdomains, then it will be the dir switch that we will use. dir is the correct answer.

Task 11 asks, “What symbol do we use to comment out parts of the code?”

If we are using Python to comment out parts of code, then that would be the hash or pound symbol, #. # is the correct answer.

Finally, the last one which is to “Submit root flag.”

In order to log in to this website, I do not know the username or the password, but I can use SQLi to log in. Thus, I googled, “SQL injection cheat sheet” to see which username and password to use to log in. I used my favorite website for SQLi, which is pentestlab.blog.

The reason I used the hash symbol in the username is because the Application box entailed a question in Task 11 that showed the comment symbol.

Logged in using the username: admin' # and password: admin
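
Why a username ending in a quote and a comment symbol logs in with any password, and how a parameterized query stops it, as an added example (not code from the box or from the original write-up). It assumes the login form pastes the username into a SQL string; SQLite stands in for the box's database, so the comment marker is -- instead of #, and the table, column and function names are hypothetical.

```python
import sqlite3


def make_db():
    # Constructed sample data: one account in an in-memory database.
    # (A real application would store a password hash, not the password.)
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret-constructed')")
    return db


def build_vulnerable_query(username, password):
    # Vulnerable pattern: user input becomes part of the SQL text itself.
    return ("SELECT username FROM users WHERE username = '%s' "
            "AND password = '%s'" % (username, password))


def login_vulnerable(db, username, password):
    row = db.execute(build_vulnerable_query(username, password)).fetchone()
    return row is not None


def login_parameterized(db, username, password):
    # Hardened: placeholders keep the input as data, so a quote or a
    # comment marker in the username is just part of the string compared.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' --"  # same shape as the write-up's input, SQLite comment
    # The quote closes the string early and the comment hides the password
    # check, so the database only evaluates: WHERE username = 'admin'
    print(build_vulnerable_query(payload, "admin"))
    print("vulnerable login:   ", login_vulnerable(db, payload, "admin"))
    print("parameterized login:", login_parameterized(db, payload, "admin"))
```
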
