Soccer


Enumeration

I found three open TCP ports. The web service didn't load on the IP but redirected to soccer.htb, so I had to add that hostname to my /etc/hosts file.

[image: nmap scan result of open ports]
[image: hosts file entry]

The webpage can be seen below: no robots file, no links, nothing of interest in the source code...

...With further enumeration using DirBuster, I found the /tiny directory seen below. I didn't have any valid credentials for the login; however, with a quick Google search I was able to find the TinyFileManager default login credentials.

[image: TinyFileManager (Tiny File Manager) login]

Exploring the TinyFileManager dashboard, I noticed the web service files are created by root and can't be modified or deleted because of their permissions. We can, however, create a new folder and file inside the tiny folder.

Knowing I can create files and that the website runs on PHP, I was able to upload the usual PHP reverse shell payload from pentestmonkey, linked here.

[image: php reverse shell]

After setting up a listener and running the file, I was able to get a shell as www-data.

[image: netcat listener]

Enumerating further, I noticed there's a user called player that we need to get access to, but there was no clear exploit and no SSH files.

After enumerating for what felt like counting to infinity twice, I checked the box's /etc/hosts file and saw an entry for a subdomain of soccer.htb.

Adding the subdomain to my /etc/hosts file, I got a different version of the initial webpage; this one comes with login and signup pages.

User Flag

I played around with the subdomain; there was no exploit in the login. I created an account and got redirected to the /check directory shown below, where I get assigned a ticket. Entering a random ticket number or string returns a Ticket Doesn't Exist error. I played around a bit more and found nothing, so I decided to fire up Burp Suite and intercept the request. Apparently the requests are not normal HTTP requests but WebSocket messages, as seen below. Also note that the WebSocket goes through port 9091, which was found during the early nmap enumeration.

[image: soccer ticket page]
[image: Burp Suite captured WebSocket message]

Now I know there is a ticket-generating framework on the backend, and hence most likely a SQL database. However, I had never come across exploiting a possible SQLi in a WebSocket; luckily, Google exists, and luckily this article exists.

I found the article very helpful for setting up automated SQL injection over a WebSocket using the Python script it provides.

Using the script, all I had to change was the "ws_server" entry to the WebSocket address and the "data" entry to the parameter name, id in our case.

[image: sql injection]

Running the script and sqlmap to test for SQL injection.

From the sqlmap output, you can see a time-based blind SQLi vulnerability was found, together with some database entries.
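The root cause of a finding like this is the ticket id from the WebSocket message being pasted into the SQL string. The following is an added illustration, not code from the box or the write-up: it assumes a JSON message of the shape {"id": "..."} and a constructed in-memory ticket table, and shows the concatenating handler beside a hardened one that validates the id and binds it as a query parameter.

```python
import json
import sqlite3


def make_db():
    """Constructed stand-in for the ticket table (sample data, not the box's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ticket (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO ticket VALUES (?, ?)",
        [(31337, "a@example.com"), (42424, "b@example.com")],
    )
    return conn


def check_ticket_vulnerable(conn, message):
    """Mirrors the weakness behind a blind SQLi: the 'id' field taken from the
    WebSocket message becomes part of the SQL text, so any SQL syntax in it runs."""
    ticket_id = json.loads(message)["id"]
    row = conn.execute(f"SELECT id FROM ticket WHERE id = {ticket_id}").fetchone()
    return "Ticket Exists" if row else "Ticket Doesn't Exist"


def check_ticket_hardened(conn, message):
    """Parses the message, accepts only a plain integer ticket id (as int or
    digit string) and binds it as a parameter, so it is data and never SQL."""
    try:
        payload = json.loads(message)
    except (json.JSONDecodeError, TypeError):
        return "Malformed request"
    ticket_id = payload.get("id") if isinstance(payload, dict) else None
    if isinstance(ticket_id, str) and ticket_id.isdigit():
        ticket_id = int(ticket_id)
    if isinstance(ticket_id, bool) or not isinstance(ticket_id, int):
        return "Malformed request"
    row = conn.execute("SELECT id FROM ticket WHERE id = ?", (ticket_id,)).fetchone()
    return "Ticket Exists" if row else "Ticket Doesn't Exist"


if __name__ == "__main__":
    db = make_db()
    print(check_ticket_hardened(db, '{"id": "31337"}'))      # Ticket Exists
    print(check_ticket_hardened(db, '{"id": "1 OR 1=1"}'))   # Malformed request
    print(check_ticket_vulnerable(db, '{"id": "1 OR 1=1"}')) # Ticket Exists
```

With parameter binding, a timing payload in the id never reaches the database as SQL, which removes the time-based blind channel sqlmap relied on.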

[image: sqlmap database dump]

The soccer_db database looks promising; using the command

sqlmap -u "http://localhost:8081/?id=1" -D soccer_db --tables

I selected the database and listed its tables; as seen below, I found the accounts table.

[image: blind SQLi exploited by sqlmap]

To dump the contents of the accounts table:

sqlmap -u "http://localhost:8081/?id=1" -D soccer_db -T accounts --dump --batch

Now I had the password for the user player and could easily log in with SSH to get a stable shell and the user flag.

Privilege Escalation

Escalating my privileges was no easy feat. I uploaded linpeas.sh and found some potential CVE exploits, but none worked. Therefore, on to manual enumeration... Under Interesting Files in the LinPEAS output I found a binary, doas, with the SUID bit set. Interesting, huh!

[image: LinPEAS output showing doas, an alternative to the sudo command on Linux]

But what is doas? According to HackTricks: "There are some alternatives to the sudo binary such as doas for OpenBSD, remember to check its configuration at /etc/doas.conf".

The doas.conf file shows that player can run the /usr/bin/dstat command as root using doas.

So, dstat is a tool that displays system resource usage. It does, however, allow the use of plugins, which are written in Python; oh, and dstat itself is a Python executable, as seen below.

Searching the system for all files related to dstat, we can see the plugin files are all written in Python.

As seen below, we run the binary as root...

[image: dstat running, showing process stats]

...To exploit dstat, I created a rogue plugin containing a privesc payload.

I just imported the Python os module and added the SUID bit to /bin/bash, which allows me to run /bin/bash with the permissions of the file's owner. Then, bash -p lets me run bash with the permissions of root.

[image: root flag, pwned]