Soccer
Easy Linux machine
In this article I'm going to be tackling Soccer, an easy difficulty Linux machine on hackthebox.com.
Soccer runs Tiny File Manager with default credentials, giving access to a vulnerable version of Tiny File Manager whose weak upload functionality leads to a reverse shell on the target system. Enumerating the machine (the nginx config files) reveals a hidden subdomain that is vulnerable to a Boolean-based SQLi, which we will exploit using sqlmap to dump SSH credentials for the user player. This user can run dstat with root privileges through doas, an alternative to sudo; by leveraging a dstat Python plugin we can execute code on the machine as root and escalate our privileges.
The Nmap scan is run as nmap -sC -sV -oA nmap/soccer 10.10.11.194, where:
-sC: an Nmap option that runs the default script set against the discovered services.
-sV: an Nmap option that enables version detection against open ports.
-oA nmap/soccer: an Nmap option that sets the output basename. It saves the output in three formats (normal, XML and grepable) as "soccer.nmap", "soccer.xml" and "soccer.gnmap" in the "nmap" directory.
10.10.11.194: the IP address of the target host to scan.
Let's visit the website on port 80. When we type http://10.10.11.194:80 in the address bar, every request is forwarded to http://soccer.htb, and since soccer.htb is not a known name we get a "server not found" error. What we need is to map the IP address 10.10.11.194 to the name soccer.htb in the /etc/hosts file.
Based on the response to the "GetRequest" probe sent to port 9091/tcp, it appears that this port is also running a web server, and if we search for the HTML returned with the error, <pre>Cannot GET</pre>, we find that this web server is Node.js.
https://exploit-notes.hdks.org/exploit/web/tiny-file-manager-pentesting/
Let's log in using the default admin credentials admin : admin@123, and we are logged in.
At the bottom right we can see that the Tiny File Manager version is 2.4.3.
Now let's look for an upload functionality so we can upload a reverse shell: go to tiny, then uploads, then Upload.
Download the reverse shell script from https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
Copy the content of the reverse shell script into a file called shell.php, then update the values of "$ip" and "$port" in that script to our local IP and the port our listener will be started on. Then upload the script to any folder in the Tiny File Manager dashboard.
Now upload the reverse shell script. The shell.php file is uploaded into /var/www/html/tiny/uploads, so to execute it we have to browse to http://soccer.htb/tiny/uploads/shell.php.
But before that we have to set up a listener to catch the reverse TCP connection made when the reverse shell script executes.
Now let's execute the script by visiting http://soccer.htb/tiny/uploads/shell.php.
And boom, we have a shell on the machine as the www-data user.
Now that we control the machine with the privileges of the www-data user, let's take a look at all the listening network sockets along with their associated processes and PIDs (process IDs) using ss -lntp.
The ps -ef --forest command displays the process listing in a tree-like format, showing the hierarchical relationship between processes, but it shows no information related to the service on port 9091.
This is because of the hidepid=2 mount option, which is used to restrict access to process information in the /proc filesystem. When hidepid=2 is set, only the process owner and privileged users (typically root) can access the process information directories under /proc. Other users will not be able to see the directories or contents of processes they do not own.
hidepid=0: no restriction; all users can access all process information.
hidepid=1: restricted access; users can access only their own process information.
hidepid=2: strong restriction; only the process owner and privileged users can access the process information, and the process directories of other users are hidden.
Now let's add this subdomain, soc-player.soccer.htb, to the /etc/hosts file so we can navigate to it.
This subdomain's page is similar to the landing page; the difference is that there is added functionality here, namely the signup and login features.
Trying to log in with default credentials or SQL injection didn't work for me, so what we'll do is create an account using the signup page.
After logging in with those credentials we are redirected to the /check endpoint, which checks whether a ticket ID exists or not.
Press CTRL + U to see the page source and you will find the JavaScript that implements the check functionality.
This script establishes a WebSocket connection with a Node.js server on port 9091 and listens for key presses; when the "Enter" key is pressed it sends a message over the WebSocket connection, receives the server's reply, and updates the HTML content on the page (ticket exists or not) with the received message.
To intercept the WebSocket message with Burp, open the Network tab of the developer tools (CTRL + SHIFT + I) and then press Enter.
Make sure that the WebSocket proxy options are enabled in Burp.
Now if we go back to Burp we will see that the WebSocket message is intercepted. Send it to Repeater.
Now let's copy the request to a file so we can use sqlmap to automate the Boolean-based SQLi.
The "ws://" URI scheme specifies the WebSocket protocol together with the WebSocket server's address and port. For example, the URI "ws://soc-player.soccer.htb:9091" indicates that a WebSocket connection is being established with the server at "soc-player.soccer.htb" on port 9091.
Testing whether soc-player.soccer.htb:9091 is a valid socket name: it is.
-u: this flag specifies the target URL, ws://soc-player.soccer.htb:9091, which is a WebSocket URL.
--data {"id":"*"}: the --data option of sqlmap specifies the data payload to send (the POST body for an HTTP target; the WebSocket message for a ws:// target), and the * marks where to inject the SQLi payloads.
--dbs: this option instructs the tool to enumerate the available databases on the target server during the SQL injection testing process.
--threads: this option specifies the number of concurrent threads used during the SQL injection testing process. Each thread represents a separate request made by sqlmap to the target server.
--risk: this option sets the risk level of the SQL injection tests. The risk level determines how aggressively sqlmap performs the tests. It accepts an integer value from 1 to 3.
--level: this option sets the level of tests to perform in terms of the techniques and payloads used by sqlmap. It accepts an integer value from 1 to 5.
--batch: this option instructs sqlmap to run in non-interactive mode: it will not prompt for user input during the testing process but will make decisions based on its default or configured options and proceed with detection and exploitation without user intervention.
--technique=B: this option specifies the technique to use for exploiting SQL injection vulnerabilities; B selects the "Boolean-based blind" technique.
Now let's dump the columns (the username and password columns) of the soccer_db database.
-D: this option specifies the target database name to select during the SQL injection testing process.
--dump: this option extracts and dumps the contents of database tables.
The database is dumped successfully, revealing the credentials player:PlayerOftheMatch2022, which we can use to SSH into the box.
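The ticket check behind the Boolean-based SQLi above, as an added example (not the box's actual source and not the author's code): a minimal Node.js handler for the {"id": ...} WebSocket message, first in the injectable string-concatenation form and then validated and parameterized. The table and column names, the reply strings, and the in-memory Set standing in for the MySQL query are assumptions.

```javascript
// Added example, not the machine's real source: a Node.js ticket-check
// handler in the shape the walkthrough describes (client sends {"id": ...}
// over a WebSocket, server replies whether the ticket exists). Table and
// column names are assumptions; an in-memory Set stands in for the MySQL
// query so the block runs offline.

const TICKETS = new Set([1234, 5678]); // constructed sample rows

// Vulnerable pattern: the JSON field is spliced into the SQL text, so the
// client controls the WHERE clause and can ask the database true/false
// questions (boolean-based blind injection, which sqlmap automates).
function buildQueryVulnerable(rawMessage) {
  const { id } = JSON.parse(rawMessage);
  return `SELECT id FROM accounts WHERE id = ${id}`;
}

// Hardened pattern: accept only a bounded positive integer and bind it as a
// parameter, so the id can never change the shape of the query.
function buildQueryHardened(rawMessage) {
  let id;
  try {
    ({ id } = JSON.parse(rawMessage));
  } catch {
    return null; // malformed JSON
  }
  if (typeof id !== 'string' && typeof id !== 'number') return null;
  if (!/^\d{1,10}$/.test(String(id))) return null; // not a plain integer
  return { sql: 'SELECT id FROM accounts WHERE id = ?', params: [Number(id)] };
}

// Stand-in for the parameterized query executor (a real server would hand
// query.sql and query.params to the database driver).
function execute(query) {
  return TICKETS.has(query.params[0]);
}

// Message handler: returns the text the server would send back over the
// socket. Rejected input gets the same reply as a missing ticket, so a
// malformed id learns nothing beyond "not found".
function handleTicketMessage(rawMessage) {
  const query = buildQueryHardened(rawMessage);
  if (query === null) return "Ticket Doesn't Exist";
  return execute(query) ? 'Ticket Exists' : "Ticket Doesn't Exist";
}
```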
To search for binaries with the SUID bit set, run this command.
The more interesting one here is the doas binary, which is an alternative to sudo.
To find the doas configuration file, run this command.
The doas.conf file is the configuration file for the doas (do as) command, an alternative to sudo. It allows users to run specific commands with the privileges of another user, typically the root user, after authentication.
Based on its content (permit nopass player as root cmd /usr/bin/dstat), this doas.conf configuration allows the user player to execute the /usr/bin/dstat command as the root user without requiring a password. This means that the user player can run dstat with root privileges by simply executing doas /usr/bin/dstat, without being prompted for a password.
dstat supports Python plugins, and since we can run it as root we can leverage this for privilege escalation by running a Python plugin that elevates our privileges.
First off, find and locate the dstat plugin directories.
We have to pick the one we have write permissions on, and /usr/local/share/dstat is the one we will work with.
Create a plugin called dstat_exploit.py under /usr/local/share/dstat/; dstat recognizes plugins placed under /usr/local/share/dstat/.
Check that the plugin above has been registered by executing the following command.
Now execute dstat with the --exploit flag (the flag name is determined by the suffix of the file name, e.g. dstat_<plugin-name>.py).
And boom, our Python plugin has been executed.
Since we set the permissions to run /usr/bin/bash in the Python plugin, let's now execute it.
Hope you found this walkthrough easy to understand and follow.
Greetings from Sayonara