Appointment is a Very Easy Linux box on HackTheBox focused entirely on SQL injection. The attack path is straightforward — enumerate the target, discover a web login form, and exploit a classic SQL injection vulnerability using MySQL comment syntax to bypass authentication entirely without needing a valid password.
What does the acronym SQL stand for?
Answer: Structured Query Language
What is one of the most common types of SQL vulnerabilities?
Answer: SQL Injection
What is the 2021 OWASP Top 10 classification for this vulnerability?
Answer: A03:2021-Injection
I started with enumeration to see which ports were open and what services the system was running:
sudo nmap -sC -sV -Pn -T4 -oN scan.txt 10.129.184.107
What does Nmap report as the service and version running on port 80?
Answer: Apache httpd 2.4.38 ((Debian))
What is the standard port used for the HTTPS protocol?
Answer: 443
What is a folder called in web-application terminology?
Answer: directory
What is the HTTP response code that is returned for Not Found errors?
Answer: 404
With port 80 open I navigated to the site and found a login form. I ran Gobuster to check for any hidden directories:
gobuster dir -u http://10.129.184.107 -w /usr/share/wordlists/dirb/common.txt
What switch do we use with Gobuster to specify we're looking to discover directories, and not subdomains?
Answer: dir
What single character can be used to comment out the rest of a line in MySQL?
Answer: #
The login form takes a username and password and passes them to a backend SQL query that looks something like this:
SELECT COUNT(*) FROM users WHERE username='INPUT' AND password='INPUT'
The key insight here is that if user input isn't sanitized, we can inject SQL syntax directly into the query. By entering admin'# as the username with any password, the ' closes the username string and the # comments out everything after it — including the password check entirely.
Normal query:
SELECT COUNT(*) FROM users WHERE username='admin' AND password='correctpassword'
After injection with admin'#:
SELECT COUNT(*) FROM users WHERE username='admin'#' AND password='test'
Everything after # is commented out — the password check never runs.
Using admin'# as the username and anything as the password I was logged straight into the admin panel and captured the flag.
If user input is not handled carefully, it could be interpreted as a comment. Use a comment to login as admin without knowing the password. What is the first word on the webpage returned?
Answer: Congratulations
Submit root flag:
Answer: flag captured ✓
SQL injection is still everywhere. This vulnerability has been known for decades and is still in the OWASP Top 10. Any login form that doesn't properly sanitize user input is potentially vulnerable. Always test login forms with basic SQLi payloads during web enumeration.
The # character starts a MySQL comment: anything after # on the same line is ignored by MySQL. This makes it a powerful tool for manipulating SQL queries — closing strings early and commenting out conditions like password checks entirely.
Understanding what the server sees matters. The key to exploiting SQLi isn't memorizing payloads — it's understanding how the backend query is structured and how your input gets inserted into it. Once you can visualize the query, the injection becomes obvious.
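To make the "what the server sees" point concrete, and to tie it back to the normal-versus-injected queries worked through above, here is an added Python example that is not part of the original write-up. It builds the login query by string concatenation, as the page assumes the box's backend does, runs a simplified model of MySQL's # comment rule over it so the truncation is visible, and puts a parameterized query next to it. The in-memory SQLite database, the users table, the sample credentials and the mysql_visible helper are all constructed for this example: SQLite stands in for MySQL, and the helper only approximates the comment rule (it tracks single-quoted strings and ignores backslash escapes).

```python
import sqlite3

# Constructed sample data for the example; the real box runs MySQL, but
# SQLite ships with Python and is enough to execute the truncated query.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correctpassword')")
    conn.commit()
    return conn


def mysql_visible(query: str) -> str:
    """Simplified model (an assumption, not MySQL's parser) of the '#' rule:
    a '#' outside a single-quoted string literal discards the rest of the
    line. Backslash escapes and other comment syntaxes are not modelled."""
    in_string = False
    for i, ch in enumerate(query):
        if ch == "'":
            in_string = not in_string
        elif ch == "#" and not in_string:
            return query[:i]
    return query


def vulnerable_query(username: str, password: str) -> str:
    # String concatenation: user input becomes part of the SQL text itself.
    return (
        "SELECT COUNT(*) FROM users WHERE username='" + username
        + "' AND password='" + password + "'"
    )


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # What MySQL would execute after applying the comment rule.
    sql = mysql_visible(vulnerable_query(username, password))
    count = conn.execute(sql).fetchone()[0]
    return count > 0


def safe_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterized query: the driver binds the values as data, so a quote
    # or '#' in the username is just characters to compare, never SQL.
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    count = conn.execute(sql, (username, password)).fetchone()[0]
    return count > 0


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("admin", "correctpassword"), ("admin", "test"), ("admin'#", "test")]:
        raw = vulnerable_query(user, pw)
        print("built   :", raw)
        print("executed:", mysql_visible(raw))
        print("concat login:", vulnerable_login(db, user, pw),
              "| parameterized login:", safe_login(db, user, pw))
        print()
```

Running it reproduces the truncation shown in the queries above: for the username admin'# the concatenated query collapses to WHERE username='admin' and returns a row, while the parameterized version compares admin'# as a literal username and returns none. Binding input as parameters, rather than trying to filter characters like ' and #, is what closes this class of bug.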
Always enumerate before exploiting. Running Nmap first confirmed this was a web target on port 80. Without that step you're guessing. Enumeration tells you what attack surface exists before you start probing it.
Simple payloads often work. This box required just four characters — admin'# — to fully bypass authentication. Real-world SQLi is often just as simple on poorly secured targets. Always try the basics before reaching for complex tools.