HackTheBox - Socket

00:00 - Introduction 01:00 - Start of nmap 01:45 - Taking a look at QReader.htb 04:40 - Opening the QReader application to discover it requires GLIBC_2.35, going back to nmap to see what flavor of linux was used 06:25 - Switching to Ubuntu Jammy and running Wireshark with the app running to see it makes a request to WS.QREADER.HTB 09:30 - Using BurpSuite to intercept this thick client by setting it up as a transparent proxy 12:00 - Playing with the websocket and discovering SQL Injection 14:40 - Using WebSocat and watch to build a quick client to test the SQL Injection over websockets and playing with Union to see how many columns are needed 16:00 - Identifying what database is used, using SQLITE_VERSION() and seeing it is SQLITE. Then dumping the schema of SQLITE 20:30 - Dumping the Users table 24:10 - Dumping the other tables, getting the name of the admin in the answers table 28:20 - Using username-anarchy to generate a bunch of potential usernames, then using CrackMapExec to spray ssh 29:30 - Logging into the webserver, looking at the webserver code and not really finding anything 32:00 - Looking at sudo rules to see I can run build-installer.sh, which is a wrapper around pyinstaller 34:50 - Looking at the PyInstaller spec file, to show we can include files in the executable that gets created by pyinstaller 35:30 - Including files owned by root such as ssh key, shadow and flag in the specfile for pyinstaller 39:30 - Using Pyinstxtractor to extract the pysinstaller exe and downloading our files 40:47 - Beyond Root: Decompiling the QReader Application with pycdc (Decompyle++)