HackTheBox - Socket

00:00 - Introduction
01:00 - Start of nmap
01:45 - Taking a look at QReader.htb
04:40 - Opening the QReader application to discover it requires GLIBC_2.35, going back to nmap to see what flavor of linux was used
06:25 - Switching to Ubuntu Jammy and running Wireshark with the app running to see it makes a request to WS.QREADER.HTB
09:30 - Using BurpSuite to intercept this thick client by setting it up as a transparent proxy
12:00 - Playing with the websocket and discovering SQL Injection
14:40 - Using WebSocat and watch to build a quick client to test the SQL Injection over websockets and playing with Union to see how many columns are needed
16:00 - Identifying what database is used, using SQLITE_VERSION() and seeing it is SQLITE. Then dumping the schema of SQLITE
20:30 - Dumping the Users table
24:10 - Dumping the other tables, getting the name of the admin in the answers table
28:20 - Using username-anarchy to generate a bunch of potential usernames, then using CrackMapExec to spray ssh
29:30 - Logging into the webserver, looking at the webserver code and not really finding anything
32:00 - Looking at sudo rules to see I can run build-installer.sh, which is a wrapper around pyinstaller
34:50 - Looking at the PyInstaller spec file, to show we can include files in the executable that gets created by pyinstaller
35:30 - Including files owned by root such as ssh key, shadow and flag in the specfile for pyinstaller
39:30 - Using Pyinstxtractor to extract the pysinstaller exe and downloading our files
40:47 - Beyond Root: Decompiling the QReader Application with pycdc (Decompyle++)