Soccer
Enumeration
I found three open TCP ports. The web service didn't load on the IP but redirected to soccer.htb, so I had to add that to the /etc/hosts file.
The webpage can be seen below: no robots file, no links, nothing in the source code...
...Further enumeration with Dirbuster found the /tiny directory seen below. I didn't have any valid credentials for the login; however, with a quick Google search I found the TinyFileManager default login credentials.
Exploring the TinyFileManager dashboard, I noticed the web service files are created by root and can't be modified or deleted because of their permissions. We can, however, create a new folder and file in the tiny folder.
Knowing I can create files and that the website runs on PHP, I was able to upload the usual PHP reverse shell payload from pentestmonkey here.
Setting up a listener and running the file, I was able to get a shell as www-data.
Enumerating further, I noticed there's a user called player that we need to get access to, but there is no clear exploit and no SSH files.
After enumerating for what seemed like counting to infinity twice, I checked the /etc/hosts file and saw an entry for a subdomain of soccer.htb.
Adding the subdomain to my /etc/hosts file, I got a different version of the initial webpage; this one comes with a login and signup page.
User Flag
Played around with the subdomain, no exploit in the login. I created an account and got redirected to the /check directory below, where I get assigned a ticket; entering a random ticket number or string returns a Ticket Doesn't Exist error. Played around a bit more, nothing, so I decided to fire up Burp Suite and intercept the request. Apparently the requests are not normal HTTP requests but WebSocket messages, as seen below. Also note the WebSocket is going through port 9091, initially found during the early nmap enumeration.
Now I know there's a ticket-generating framework on the backend and hence most likely a SQL DB. However, I had never come across exploiting a possible SQLi in a WebSocket; luckily, Google exists and luckily this article exists.
I found the article very helpful in setting up automated SQL injection over a WebSocket using the provided Python script.
Using the script, all I had to change was the "ws_server" entry to the WebSocket address and the "data" entry to the parameter name, id in our case.
Running the script and then sqlmap for SQL injection.
From sqlmap's output, you can see a time-based blind SQLi vulnerability was found, together with some database entries.
The soccer_db looks promising; using the command
sqlmap -u "http://localhost:8081/?id=1" -D soccer_db --tables
I selected the DB and tried dumping the tables in it; as seen below, I got the accounts table.
To dump the content of the accounts table:
sqlmap -u "http://localhost:8081/?id=1" -D soccer_db -T accounts --dump --batch
Now I have the user player's password and can easily log in with SSH to get a stable shell and the user flag.
Privilege Escalation
Escalating my privileges was no easy feat. I uploaded linpeas.sh and found some potential CVE exploits, but none worked, so on to manual enumeration... Under Interesting Files in the linpeas output I found a binary, doas, with the SUID bit set. Interesting, huh!
But what is doas? "There are some alternatives to the sudo binary such as doas for OpenBSD, remember to check its configuration at /etc/doas.conf" according to hacktricks.
The doas.conf file shows that player can run the /usr/bin/dstat command as root using doas.
So, dstat is a binary that displays system resource usage; however, it allows the use of plugins, which are written in Python. Oh, and dstat itself is a Python executable, as seen below.
Searching the system for all files related to dstat... we can see the plugin files are all in Python.
As seen below, we run the binary as root...
...To exploit dstat, I created a rogue plugin containing a privesc payload.
I just imported the Python os module and added the SUID bit to /bin/bash, which allows me to run /bin/bash with the permissions of the file's owner; then bash -p runs bash with root's permissions.
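As an added defensive counterpart to the doas/dstat chain above (example code written for this write-up, not part of the original post or of doas/dstat): a small Python audit that parses /etc/doas.conf rules and flags a permit rule that either grants any command or hands a plugin-loading command such as dstat to a user who can write one of its plugin directories. The doas.conf sample and the writable-directory map are constructed; on a real host the map would come from stat()/access() checks, and the plugin-loader table is this script's own assumption.

```python
import shlex
# Commands that load code from plugin dirs (dstat's system search path; this audit's own table).
PLUGIN_LOADERS = {"/usr/bin/dstat": ["/usr/share/dstat", "/usr/local/share/dstat"]}

def parse_doas_rule(line):
    """Parse 'permit|deny [options] identity [as target] [cmd command]'."""
    line = line.split("#", 1)[0].strip()
    if not line:                     # blank or comment-only line
        return None
    tok = shlex.split(line)
    action = tok.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    opts = []
    while tok and tok[0] in ("nopass", "nolog", "persist", "keepenv", "setenv"):
        opts.append(tok.pop(0))
        if opts[-1] == "setenv" and "}" in tok:   # skip the { VAR ... } list
            del tok[:tok.index("}") + 1]
    identity = tok.pop(0)            # a user name or :group
    target, cmd = "root", None       # doas defaults the target user to root
    if tok[:1] == ["as"]:
        target, tok = tok[1], tok[2:]
    if tok[:1] == ["cmd"]:
        cmd = tok[1]                 # any trailing 'args ...' clause is ignored here
    return {"action": action, "opts": opts, "identity": identity,
            "target": target, "cmd": cmd}

def audit(conf_text, writable_dirs):
    """Flag permit rules for any command, or for a plugin loader whose plugin dir
    the identity can write; writable_dirs maps identity -> set of writable dirs."""
    findings = []
    for raw in conf_text.splitlines():
        rule = parse_doas_rule(raw)
        if not rule or rule["action"] != "permit":
            continue
        who, tgt, cmd = rule["identity"], rule["target"], rule["cmd"]
        if cmd is None:
            findings.append((who, f"may run any command as {tgt}"))
            continue
        for d in PLUGIN_LOADERS.get(cmd, []):
            if d in writable_dirs.get(who, set()):
                findings.append((who, f"{cmd} as {tgt} loads plugins from writable {d}"))
    return findings

# Constructed sample: the shape of the rule found on this box, plus two others.
SAMPLE_CONF = """permit nopass player as root cmd /usr/bin/dstat
permit persist keepenv :wheel
deny www-data
"""
SAMPLE_WRITABLE = {"player": {"/usr/local/share/dstat"}}   # constructed stand-in
```

Running audit(SAMPLE_CONF, SAMPLE_WRITABLE) reports the player/dstat rule because its plugin directory is writable by player, and the :wheel rule because it carries no cmd restriction at all.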