Official Socket Discussion

I already solved the box with but whenever I spawn the machine it gives me the weird instance IP and I can't submit my flags… I can't even ping that instance IP, otherwise I would've logged in from that IP and submitted its flags.

Same here. Any luck?

Requirements for medium boxes: straightforward exploitation, path clear from context / hints, no rabbit holes. Can someone tell me what enumeration I should do to test the app workflow?
For example: why is there a database, what is its role, and what information from enumeration can tell me about it? Default 2-rated box.

Never mind, I found it. Just look at what you have and think a little bit “real life” …


Hi, I am able to display the different versions, but when dumping the data it does not show databases. Any idea what is going on with this?

The only time I've seen any websocket being used in HTB machines was with the crossfit2 machine… but, at that time, the WS was loaded by the main page and thus we were able to locate it and map the entry points and what the needed data was (after that it was also a SQL injection through the requests).

But, on this site, I'm not able to see anything calling the WS and thus I don't know how to enumerate it… calling it "without parameters" will not return anything. By inserting some random data, it'll just close the connection…

Am I missing something here, or maybe Firefox is somehow blocking the WS call from the main site? Any help to enumerate WS entry points and required data? Please PM if possible :slight_smile:

Thanks a lot.


Same issue here, I've spent at least two or three hours poking at it from all sides that I could find. I've found a POST request that can be transformed into JSON, which doesn't appear to be injectable, and of course I've found a port that advertises itself as receiving a websocket connection. But no documentation and no hints.

Am I missing something obvious?

I think so, but I cannot get it to execute my query. Any idea what injection we should use?

I’m using this extension for Chrome which supports JSON by default: Browser WebSocket Client - Chrome Web Store


Try writing your own Python script using the websocket library (the doc is very helpful), like someone said. (Not websockets.)

In case someone else goes crazy looking for it, that would be the "websocket-client" package (which comes preinstalled on Pwnbox).

How did you find it? Thought about enumerating another table, but the column name won't match.

Can anyone help me out? Till now I've enumerated and wrote a Python script to interact with the websocket server, but now I don't really know how to go forward.

1 Like

Just ran sqlmap using a middleware Python server (look for the blog "sqlmap websockets rayhan0x01").
It says it might be "MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)", idk.
Can't get it to work, any help??

1 Like

This can be useful in gaining an initial foothold.

1 Like

Indeed, that blog saved me on another machine that also required websocket SQLi exploitation.

The script contains this variable:
data = '{"employeeID":"%s"}' % message
What do I have to replace the employeeID with? Currently I used the only id from the source code of the site, which is inputGroupFile01, but that is not working.

That's what I'm using, but you mean to run sqlmap? It can't seem to find the injection payload. Or should I craft the payload myself?

Edit: Should SQLMAP get the job done?

As someone mentioned, it's all about the double quote; try to read the blog again. He handles the quotes in another way. Make sure you can reproduce the injection by yourself before running sqlmap.

1 Like
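The two recurring points in this thread are (a) the `'{"employeeID":"%s"}' % message` string-format trick breaks as soon as the value contains a double quote, and (b) the server side is only injectable because it splices the decoded `employeeID` straight into SQL. The following is an added example written for this discussion, not code from the box or from anyone's script above; it assumes a hypothetical SQLite-backed handler with an `employees(id, name, role)` table and constructed sample rows, and simulates the message handling offline (no real websocket connection). It puts a proper JSON encoder next to the string-format version, and the vulnerable handler next to a parameterized one, so you can see exactly which layer fails and why.

```python
import json
import sqlite3

# --- Client side: building the websocket message ---------------------------

def build_message_format(value: str) -> str:
    """The string-format approach seen in the thread. Any double quote in
    `value` lands unescaped inside the JSON and corrupts the message."""
    return '{"employeeID":"%s"}' % value


def build_message_json(value: str) -> str:
    """json.dumps escapes quotes/backslashes, so the message stays valid JSON
    whatever the value contains (this is the usual fix for a sqlmap
    middleware that has to forward arbitrary payload characters)."""
    return json.dumps({"employeeID": value})


def message_is_valid_json(raw: str) -> bool:
    try:
        json.loads(raw)
        return True
    except json.JSONDecodeError:
        return False


# --- Server side: a hypothetical handler (assumption, not the box's code) ---

def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the backend database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id TEXT, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [("E100", "alice", "admin"), ("E101", "bob", "staff")],
    )
    return conn


def handle_vulnerable(conn: sqlite3.Connection, raw: str) -> list:
    """Decodes the JSON correctly, then ruins it by formatting the value into
    the SQL string. The quote the client had to get past was the JSON one;
    once decoded, a single quote in the value closes the SQL literal."""
    msg = json.loads(raw)
    emp = msg.get("employeeID", "")
    query = "SELECT name, role FROM employees WHERE id = '%s'" % emp
    return conn.execute(query).fetchall()


def handle_hardened(conn: sqlite3.Connection, raw: str) -> list:
    """Same lookup with a bound parameter plus an allow-list on the id format.
    Malformed JSON or an unexpected value returns an empty result instead of
    closing the socket or reaching the database at all."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return []
    emp = msg.get("employeeID")
    if not isinstance(emp, str) or not emp.isalnum() or len(emp) > 16:
        return []
    return conn.execute(
        "SELECT name, role FROM employees WHERE id = ?", (emp,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    tautology = "E999' OR '1'='1"           # constructed test value
    print(handle_vulnerable(db, build_message_json(tautology)))  # every row
    print(handle_hardened(db, build_message_json(tautology)))    # []
    print(message_is_valid_json(build_message_format('a"b')))    # False
```

The detection angle follows directly from the hardened handler: a `employeeID` that fails the allow-list is a cheap thing to log on the server, and a sudden burst of such messages (or of connections that close immediately after one frame, as several posters observed) is what a websocket SQLi probe looks like from the other side.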

Use the same value you use when making manual requests: "version" and the version number.

Yes, just increase the risk level.