What does the acronym SQL stand for?
Answer : Structured Query Language
SQL is a standardized programming language used for managing and manipulating relational databases. It allows users to create, read, update, and delete (CRUD) data within a database. SQL is used to define the structure of data, perform queries to retrieve specific data, and manage database schemas.
What is one of the most common types of SQL vulnerabilities?
Answer : SQL injection
SQL Injection (SQLi) is a type of security vulnerability that occurs when an attacker can insert or manipulate SQL queries through user input in a web application's database query. This can lead to unauthorized access, data leakage, data modification, or even complete control over the database server.
What is the 2021 OWASP Top 10 classification for this vulnerability?
Answer : A03:2021-Injection
The OWASP Top 10 is a list of the most critical security risks to web applications, published by the Open Web Application Security Project (OWASP). It is widely recognized as an essential guide for developing secure web applications and mitigating the most common security threats.
What does Nmap report as the service and version that are running on port 80 of the target?
nmap -sV <target IP>
Answer : Apache httpd 2.4.38 ((Debian))
Apache HTTP Server, commonly referred to as Apache, is an open-source web server software developed and maintained by the Apache Software Foundation. It is one of the most widely used web servers globally, known for its reliability, performance, and extensive feature set.
What is the standard port used for the HTTPS protocol?
Answer : 443
What is a folder called in web-application terminology?
Answer : directory
What HTTP response code is given for 'Not Found' errors?
Answer : 404
Here's a brief list of common HTTP response codes along with their general meanings:
- 100 Continue: Request received, continue with the request or ignore if already completed.
- 101 Switching Protocols: Server is switching protocols as requested by the client (e.g., upgrade to WebSocket).
- 200 OK: Request succeeded, the response includes the requested data.
- 201 Created: Request resulted in a new resource being created (e.g., after a POST request).
- 204 No Content: Request succeeded, but the server returned no content (often used for successful DELETE requests).
- 301 Moved Permanently: Resource has been permanently moved to a new URL.
- 302 Found (Moved Temporarily): Resource temporarily moved to a different URL (often used for redirects).
- 304 Not Modified: Client's cached copy is up to date, so the server sends no content.
- 400 Bad Request: Server cannot process the request due to a client error (e.g., malformed syntax).
- 401 Unauthorized: Client needs to authenticate itself to get the requested response.
- 403 Forbidden: Client does not have permission to access the requested resource.
- 404 Not Found: Server cannot find the requested resource.
- 500 Internal Server Error: Server encountered an unexpected condition that prevented it from fulfilling the request.
- 502 Bad Gateway: Server received an invalid response from an inbound server while acting as a gateway or proxy.
- 503 Service Unavailable: Server is temporarily unable to handle the request due to overload or maintenance.
- 504 Gateway Timeout: Server did not receive a timely response from an upstream server while acting as a gateway or proxy.
Gobuster is one tool used to brute force directories on a webserver. What switch do we use with Gobuster to specify we're looking to discover directories, and not subdomains?
Answer : dir
There are several tools that offer directory and file brute forcing, such as Gobuster (fast), Dirbuster (GUI) and Dirsearch, and others that offer much broader web server testing, such as Nikto or OWASP ZAP.
What single character can be used to comment out the rest of a line in MySQL?
Answer : #
If user input is not handled carefully, it could be interpreted as a comment. Use a comment to log in as admin without knowing the password. What is the first word on the webpage returned?
I recommend checking out and bookmarking this incredible resource: PayloadsAllTheThings
It has a SQLi cheatsheet where you can find what I used as a username: admin' #
Put anything in the password field; it doesn't matter.
To understand it, imagine that this simple query is run on the server using our user input:
SELECT * FROM users WHERE username = 'username' AND password = 'password';
Using admin' # as the username value would produce:
SELECT * FROM users WHERE username = 'admin' #' AND password = 'password';
The # comments out the rest of the SQL query (the password check for the admin user), so the row for admin is returned without the password ever being compared.
Answer : Congratulations
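As an added example (not code from the write-up or the target application), this Python snippet places the concatenated query shown above next to a parameterized one, so the difference in how the comment is treated can be seen directly. The users table and its password are constructed sample data, and MySQL's # comment is modelled as a string truncation because SQLite has no # comment.

```python
import sqlite3

# Constructed sample data: an in-memory users table, not the target's data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    conn.commit()
    return conn

def build_query_unsafe(username, password):
    """The vulnerable pattern: user input concatenated straight into SQL.
    Returned as a string rather than executed, because SQLite has no '#'
    comment; on MySQL this is exactly the query the write-up shows."""
    return ("SELECT * FROM users WHERE username = '" + username
            + "' AND password = '" + password + "';")

def effective_mysql_query(query):
    """Illustrative model of MySQL's '#' comment: everything from the first
    '#' to the end of the line is discarded. Deliberately naive (it ignores a
    '#' inside a string literal); enough to show what the server would run."""
    return query.split("#", 1)[0].rstrip()

def login_safe(conn, username, password):
    """Hardened pattern: placeholders keep the input as data, so admin' #
    is compared literally against the username column and never parsed."""
    row = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    unsafe = build_query_unsafe("admin' #", "password")
    print(unsafe)
    print(effective_mysql_query(unsafe))  # the password check is gone
    db = make_db()
    print(login_safe(db, "admin' #", "anything"))          # False
    print(login_safe(db, "admin", "correct-horse-battery"))  # True
```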
Submit root flag
Obtained via the previous SQLi
Answer : Get your own !