Solved by manual enumeration. No sqlmap needed here, just a waste of time trying to get it to work.
I wouldn’t be able to sleep at night out of shame
I am able to enumerate only column names, nothing further. Every other command or query doesn’t work at all. Also trying sqlmap with the Python websocket-client, but that doesn’t show any success either. Any hints for going further? If the manual thing works then please let me know. Need to learn new things from this.
Edit: Never mind, got it working.
Gosh, I’m starting to feel stupid.
Whatever I do with quotes, I can’t find a way to send double quotes that doesn’t break everything. Can anyone point me to a good resource that would lead me in the right direction?
I’m trying to find a way to actually understand what I’m doing wrong, not just a quick fix to get the points.
Try to escape your quotes in the JSON
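Why an unescaped double quote breaks the frame, as an added example that is not part of the original thread: a hand-concatenated JSON message stops parsing as soon as the value contains `"`, while a serializer escapes it, and a server that binds the decoded value as a query parameter treats the quotes as plain data. The `item` key, the `items` table and all sample values are hypothetical and constructed for illustration.

```python
import json
import sqlite3

def frame_by_concat(value):
    # Hand-built JSON: a double quote inside value ends the string early.
    return '{"item": "' + value + '"}'

def frame_by_serializer(value):
    # json.dumps emits " as \" and \ as \\, so any string stays one JSON value.
    return json.dumps({"item": value})

def parse_frame(frame):
    # Server side: accept only {"item": "<string>"}; everything else is rejected.
    try:
        msg = json.loads(frame)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict) or set(msg) != {"item"}:
        return None
    return msg["item"] if isinstance(msg["item"], str) else None

def make_db():
    # Constructed sample data; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (name TEXT, note TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [("alpha", "public"), ('say "hi"', "public"),
                    ("beta", "internal")])
    return db

def lookup(db, frame):
    # The decoded value is bound as a parameter, never pasted into the SQL
    # text, so quotes in it are data and cannot close a string literal.
    value = parse_frame(frame)
    if value is None:
        return "bad frame"
    rows = db.execute("SELECT name FROM items WHERE name = ?", (value,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = make_db()
    quoted = 'say "hi"'
    print(frame_by_concat(quoted), "->", lookup(db, frame_by_concat(quoted)))
    print(frame_by_serializer(quoted), "->",
          lookup(db, frame_by_serializer(quoted)))
    # Constructed input whose quotes would end a literal in a concatenated query.
    print(lookup(db, frame_by_serializer('alpha" OR "1"="1')))
```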
RIP, but that means less free flags for skidz.
Stuck on finding the username. Give me a hint, thanks
PM’ed
Can I PM you?
Hello, I am trying to reply to everyone, it may take some time, but I am sending some hints that may answer everyone’s questions
User
- Focus on the websocket, this is the machine’s name after all
- For tools, I recommend wscat, it works just fine to establish a connection, and sending a blank JSON `{}` in the main URL will show you the websocket endpoints
- The most correct way to get the payload parameters would be to debug the app and intercept its calls, but you can just guess by using the same name as the endpoint for it, much less time-consuming
- After you understand the intended queries, you can try to exploit them by closing quotes and making other requests. At first I recommend you try manually until you get something, and then you can use Rayhan’s middleware to map everything using SQLmap. You will need to change the unquote line so that, instead of changing double quotes to single quotes, it replaces single quotes with escaped double quotes (`\\\"`)
- Yes, you only got a password, because the user wouldn’t put his computer name as “admin”. You need to find his real name and maybe change it a little so it becomes a username rather than a user’s name
Root
And for root you only need to know one thing: run pspy. No function looks vulnerable, right? But what if you could override them with executables, which made them much more dangerous? You surely can: run `sudo -l` and exploit the function.
For anything else, just send me a message, R is always here
■■■ thank u bro I was not escaping quotes correctly
UR THE BEST <3
Pwned this box, this one was rather easy imo. If anyone who got root is willing to discuss the solution I’ll be happy, as I’m not sure if I’ve done it the intended way.
Some hints for user:
- download the app & try to get the sources
- play around with parameters and get some useful info. you may need something like `username-anarchy` to get the shell
Some hints for the root (not sure if my solution was the intended one though):
- check your privs, read about the tool
- maybe you can create a spec that includes some nice file that would let you become root?
Overall it was a nice box, closer to the easy kind of boxes on the difficulty scale. If you need any help feel free to PM me
Ok, starting to feel big dumb here. I found the ws easily and can elicit the response that gives basic information like `{"/paths":{"path1":"",etc.}}` but I can’t figure out what to send to actually get a proper response to the actions from it, no matter what I send I always get that same response. I’m still trying but I’ve done like 100 varied payloads just trying to get the proper format and still just the same.
Just think if you had to code an endpoint that gives out info about a given version, what input parameter would you use and what name would it have?
On the other hand I’m sure you can find a value of interest for this parameter (version number) somewhere else…
`{"v******":"0.***"}`
I have got the same problem.
For everyone that has problems knowing where to inject, please observe the traffic between the app and the server. That will tell you all you need to know about how to interact with those endpoints.
You mentioned “basic information”. This info gives you endpoints. Try to communicate with those by changing the websocket URL.
Try basic variables or debug the app for variables.
DM me if you need help.
The app never worked for me. It did for you?
Yes, and there’s a reason why it’s not working. Look closer at all the traffic it’s sending and you’ll see why it’s failing.