Socket

Enumeration

Nmap discovered just three open ports. two standard ports with known services and one unknown service on a non-standard port.

looking at the webpage, we there's a fully functional QR code reader app that displays information in a QR code and can also embed data in QR code format. 

After further enumeration I couldn't find any other foothold on the webapp, no sub-directory, no subdomain.

I decided to check the other open TCP port 5789 but it's running on a websocket and won't run on a web Browser

For a Websocket client I used the Python3 Websocket module, I used empty ison curly bracket and got a hint from the server to try a different path (update and version).  With version path there was an SQLi injection in the version

On the  version path and after toying around with the input, I observerd there was an SQLi injection.

To automate the SQLi I used Rayhan0x01's "Automating Blind SQL injection over WebSocket" python script called Middleware Server and edited the relevant part.

Ran the server and headed to sqlmap.

I used the below sqlmap command to dump found database.

And below are the dumps...

User

Now I have a md5 password and used Crackstation to crack the password

I tried all known  relevant usernames with the cracked password and no luck. I decided to clone the username-anarchy tool to generate possible usernames, since I know the admin name as Thomas Keller, I can generate possible usernames from it.

After generating names, I simply used Hydra to brute force names on SSH.

Logged in and accessed user.txt flag as user tkeller

Privilege Escalation

checking our privilege and what commands we can run as sudo, I found that I can run a script named /usr/local/sbin/build-installer.sh

Script content...

From the script, we can see we can run three actions on the bash script, cleanup, make and build. build needs to run on a .spec file, spec file is actually executable Python code. PyInstaller builds the app by executing the contents of the spec file. make does similar thing but run against a .py python file.

To see how the script is run and peep on relevant processes, I uses pspy32, from, I see  .spec files are being periodically removed from Keller's home directory.

To exploit build-installer.sh and overcome the periodic deletion, I created the below bash script to set SUID on /bin/bash and named it revshell.sh. As seen below there are two files created, a .spec file that build was run on and a .py file that make was run on.

To overcome file deletion, I copied content of /opt/shared to keller's home directory once the script finishes.

#!/bin/bash

echo "import os

os.system ('chmod +s /bin/bash')" > priv1.spec

echo "import os

os.system('chmod +s /bin/bash')" > prive2.py

sudo /usr/local/sbin/build-installer.sh build priv1.spec

sudo /usr/local/sbin/build-installer.sh make prive2.py

cp /opt/shared ./ -r