
Appointment - Linux

  • justinblawitz
  • Oct 7, 2025
  • 2 min read
  • We start by running ping and nmap, using `sudo nmap -sC -sV {target IP}`, where `-sC` performs a script scan using the default set of scripts. Some of these scripts are considered intrusive and should not be run against a target network without permission. This is also why we need to run the command as sudo.


  • We find port 80/tcp open, running an Apache HTTP server, a free, open-source application that serves web pages on either physical or virtual servers. It’s one of the most popular HTTP servers, and it usually runs on standard HTTP ports such as 80/tcp and 443/tcp, or on other HTTP ports such as 8080/tcp or 8000/tcp.


  • Since we find the version (2.4.38 ((Debian))), it’s a good idea to search for the service version in a vulnerability database to see whether any known vulnerabilities exist for it. In this case there are none.


  • Since it’s a web server, we can enter the target IP into a browser and view the page.


  • We are met with a login screen, and can next try to find directories by brute force with gobuster, running `gobuster dir --url http://{target IP}/ --wordlist /(wordlist file path)`, where `dir` specifies that we’re looking for directories, `--url` specifies the web address of the target IP, and `--wordlist` specifies the wordlist we want to use.


  • We find some directories, but in this lab we’ll use SQL injection, which is a common way of exploiting web pages that use `SQL Statements` to retrieve and store user input data. If the page is configured incorrectly, one can use this attack to exploit the well-known `SQL Injection` vulnerability. SQL stands for Structured Query Language.


  • To do this, we can enter `admin'#` as the username. When the query searches for the admin username, the single quote closes the username string and the hash (`#`) comments out the rest of the query, which would normally ask for the password. Since the password portion of the query is skipped by the hash, we can enter anything into the password field, like “123”.


  • Using SQL injection, we can bypass the login page and capture the flag.
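
The login bypass above comes from pasting user input into the SQL text. As an added example (not code from this lab or its author), the sketch below runs the same login check two ways against an in-memory SQLite table: once built by string formatting and once with placeholders. The table, account and function names are constructed for illustration, and because SQLite has no `#` comment, the constructed input uses `--`, which plays the same role.

```python
import sqlite3

def make_db():
    """In-memory users table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password only to keep the example short.
    db.execute("INSERT INTO users VALUES ('admin', 'S3cret-constructed')")
    return db

def login_vulnerable(db, username, password):
    # User input is pasted into the SQL text, so a quote in the username
    # ends the string literal and a comment marker hides the password check.
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # malformed SQL is treated as a failed login

def login_parameterized(db, username, password):
    # Placeholders keep the input as data; it is never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

def demo():
    """Run both checks over constructed inputs; returns {input: (vuln, safe)}."""
    db = make_db()
    cases = [
        ("admin", "S3cret-constructed"),  # correct credentials
        ("admin", "123"),                 # wrong password
        ("admin'--", "123"),              # quote + comment, as in the write-up
    ]
    return {
        (user, pw): (login_vulnerable(db, user, pw),
                     login_parameterized(db, user, pw))
        for user, pw in cases
    }

if __name__ == "__main__":
    for (user, pw), (vuln, safe) in demo().items():
        print(f"{user!r:12} {pw!r:22} vulnerable={vuln} parameterized={safe}")
```

Only the string-built query accepts the quote-and-comment username; the parameterized query treats it as an account name that does not exist.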

 
 
 
