Same here. Any luck?
Requirements for medium boxes: straightforward exploitation, path clear from context / hints, no rabbit holes. Can someone tell me what enumeration I should do to test the app workflow?
For example: why is there a database, what is its role, and what can the information from enumeration tell me about it? Default 2-rated box.
Never mind, I found it. Just look at what you have and think a little bit "real life" …
Hi, I am able to display the different versions, but when dumping the data it does not show databases. Any idea with this?
The only time I've seen any websocket being used in HTB machines was with the crossfit2 machine… but, at that time, the WS was loaded by the main page and thus we were able to locate it and map the entry points and what were the needed data (after that it was also a sql injection through the requests).
But, on this site, I'm not able to see anything calling the WS and thus I don't know how to enumerate it… by calling it "without parameters" it will not return anything. By inserting some random data, it'll just close the connection…
Am I missing something here or maybe firefox is somehow blocking the WS calling from the main site? Any help to enumerate WS entry points and required data? Please PM if possible
Thanks a lot.
Same issue here, I've spent at least two or three hours poking at it from all sides that I could find. I've found a POST request that can be transformed into json, which doesn't appear to be injectable, and of course I've found a port that advertises itself as receiving a websocket connection. But no documentation and no hints.
Am I missing something obvious?
I think so, but I cannot get it to execute my query. Any idea what injection we should use?
I'm using this extension for Chrome which supports JSON by default: Browser WebSocket Client - Chrome Web Store
Try writing your own python script using the websocket library (the doc is very helpful), like someone said (not websockets).
In case someone else goes crazy looking for it, that would be the "websocket-client" package (which comes preinstalled on pwnbox).
How did you find it? Thought about enumerating other tables, but the column name won't match.
Can anyone help me out? Till now I've enumerated and written a python script to interact with the websocket server, but now I don't really know how to go forward.
Just ran sqlmap using a middleware python server (look for blog sqlmap websockets rayhan0x01)
It says it might be "MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)", idk.
Can't get it to work, any help??
this can be useful in gaining initial foothold
Indeed, that blog saved me on another machine that also required websocket SQLi exploitation.
the script contains this variable:
data = '{"employeeID":"%s"}' % message
What do I have to replace the employeeID with? Currently I used the only id from the source code of the site, which is inputGroupFile01, but that is not working.
That's what I'm using, but you mean to run sqlmap? It can't seem to find the injection payload. Or should I craft the payload myself?
Edit: Should SQLMAP get the job done?
As someone mentioned, it's all about the double quote, try to read the blog again. He handles the quotes in another way. Make sure you can reproduce the injection by yourself before running sqlmap.
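Why the double quote matters: the value has to survive the JSON wrapper before it ever reaches the SQL layer. The following is an added example, not code from the thread, the box, or the referenced blog: a hypothetical websocket message handler written two ways over a constructed in-memory SQLite table, next to the quoted script's `%`-format wrapper and a `json.dumps` version of it. The schema, table contents and handler names are assumptions.

```python
import json
import sqlite3

# Constructed in-memory table standing in for the box's employee data;
# the real schema is unknown from the thread, so this is an assumption.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE employees (employeeID TEXT, name TEXT)")
_conn.executemany("INSERT INTO employees VALUES (?, ?)",
                  [("1001", "alice"), ("1002", "bob")])


def naive_wrap(value: str) -> str:
    """Build the message the way the quoted script does: plain %-formatting.
    A value containing a double quote produces invalid JSON."""
    return '{"employeeID":"%s"}' % value


def safe_wrap(value: str) -> str:
    """Same message built with json.dumps, which escapes embedded quotes."""
    return json.dumps({"employeeID": value})


def is_valid_json(message: str) -> bool:
    """True if the server's JSON layer would accept the message at all."""
    try:
        json.loads(message)
        return True
    except ValueError:
        return False


def handle_vulnerable(message: str) -> list:
    """Hypothetical server-side handler that splices the decoded value into
    the SQL text. JSON is decoded first, so whatever survives JSON parsing
    reaches the database verbatim (single quotes included)."""
    employee_id = json.loads(message)["employeeID"]
    query = "SELECT name FROM employees WHERE employeeID = '%s'" % employee_id
    return [row[0] for row in _conn.execute(query + " ORDER BY name")]


def handle_hardened(message: str) -> list:
    """Same lookup with a bound parameter: quotes in the value cannot change
    the statement, so the tautology that works above returns nothing here."""
    employee_id = json.loads(message)["employeeID"]
    query = "SELECT name FROM employees WHERE employeeID = ? ORDER BY name"
    return [row[0] for row in _conn.execute(query, (employee_id,))]
```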
Used the same value you use when making manual requests: "version" and versionnumber.
yes, just increase risk level
Ahh… I already miss those good times when breached was alive