Soccer (HackTheBox) — Write-up
In this blog we will walk through the HackTheBox machine Soccer. Like all machines, we begin by enumerating open ports with an nmap scan:
nmap -sC -sV 10.10.11.194
Seeing as port 80 is hosting a web server, let's check it. Because direct access is restricted, we must first add soccer.htb to our hosts file; you can do that with this command (the redirection has to run as root too, so the line is piped through sudo tee rather than written with sudo echo):
echo "10.10.11.194 soccer.htb" | sudo tee -a /etc/hosts
And now let's check the website soccer.htb
It looks like the page has no information available, even in the source code. Let's enumerate the directories! For a short web content enumeration, I'll use the wordlist below:
gobuster dir -u http://soccer.htb/ -w /usr/share/wordlists/dirb/big.txt
Here's something interesting: /tiny. Let's add it to our host and see what happens.
It's by CCP Programmers, and this is something we should look at. After gathering some information, something useful is discovered: we found the default login credentials while reading the manual.
After using these credentials we get an admin login.
Here we have an upload button, so we can now upload a PHP reverse shell, get a shell, and move a step closer to victory! Here's the reverse shell we can use; make sure to change the IP address and name the file with a .php extension:
https://github.com/tanishq396/phpreverseshell/blob/main/reverseshell.php
Now let's upload it:
Before running the reverse shell, start the listener using the command below (the port set in the rev_shell must be used here to receive the reverse connection).
Boom, we got a shell, but we still don't have user access.
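The two things this foothold leaves behind in the web server's access log are a directory brute force (a burst of 404s from one client in a short window) followed by a write to the file manager. The detection below is an added example, not part of the write-up or of any project it mentions: the nginx "combined" log format is real, but every log entry is constructed, and the assumption that the file manager lives under /tiny/ comes from the path found above.

```python
"""Flag a path brute force followed by a file-manager write in an nginx access log.
Added example with constructed log lines; the combined log format itself is real."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def _line(ip, second, method, path, status, ua):
    # Builds one constructed log entry; all entries share the same minute.
    ts = f"01/Jan/2023:10:00:{second:02d} +0000"
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 153 "-" "{ua}"'


# Constructed sample: one client sweeps 30 guessed paths in a few seconds and then
# posts to the file manager; a second client browses normally and hits one 404.
SAMPLE_LOG = "\n".join(
    [_line("10.10.14.5", i // 10, "GET", f"/guess{i}", 404, "gobuster/3.5") for i in range(30)]
    + [
        _line("10.10.14.5", 5, "GET", "/tiny/", 200, "Mozilla/5.0"),
        _line("10.10.14.5", 9, "POST", "/tiny/", 200, "Mozilla/5.0"),
        _line("10.10.14.9", 3, "GET", "/", 200, "Mozilla/5.0"),
        _line("10.10.14.9", 7, "GET", "/missing.png", 404, "Mozilla/5.0"),
    ]
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines in another format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def find_bruteforce(entries, threshold=20, window=timedelta(seconds=60)):
    """Return the set of IPs that produced at least `threshold` 404s inside any `window`."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def find_manager_writes(entries, prefix="/tiny/"):
    """POSTs to the file-manager path: uploads, edits and renames all arrive as POST."""
    return [e for e in entries if e["method"] == "POST" and e["path"].startswith(prefix)]


def triage(entries):
    """Correlate the two signals: a client that brute-forced paths, then wrote to the manager."""
    noisy = find_bruteforce(entries)
    return sorted({e["ip"] for e in find_manager_writes(entries) if e["ip"] in noisy})


if __name__ == "__main__":
    for ip in triage(parse_log(SAMPLE_LOG)):
        print(f"review client {ip}: path brute force followed by file-manager write")
```

The threshold and window are deliberately loose defaults; tune them against your own baseline, and note that the POST line alone cannot tell you what was uploaded, which is why it is only acted on when it follows the brute-force signal from the same client.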
But there must be something that will lead us to our next move. After some digging, I discovered a subdomain in /etc/nginx/sites-enabled. Now let's add this to our hosts file and see what shows up.
There are some options available, like Match, Login and Signup. After signing in we got a ticket.
Viewing the source code reveals that this field is linked to a WebSocket. We can use the Python code below to forward the requests from sqlmap through our localhost:
https://github.com/tanishq396/sql.py/blob/main/https:/github.com/tanishq396/sql.py.git
Run the Python script first, followed by the sqlmap command:
sqlmap -u "http://localhost:8081/?id=1" -p "id"
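To show what sqlmap is actually finding in that id field, here is an added example (not the target application's code and not from the write-up) of the defect beside its fix: a ticket lookup that splices the socket message into the SQL text, next to one that validates the type, binds the value as a parameter and, going one step beyond the page, also scopes the lookup to the logged-in user. The in-memory table, its rows and the session-user parameter are constructed for illustration.

```python
"""Vulnerable ticket lookup next to its hardened form.
Added example with a constructed in-memory table; not the target's code."""
import sqlite3


def make_db():
    # Constructed sample data; the real application's schema is not known.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?)",
                     [(1001, "alice"), (1002, "bob"), (1003, "carol")])
    return conn


def lookup_vulnerable(conn, ticket_id):
    # The defect sqlmap finds: the value from the socket message is spliced into
    # the SQL text, so a non-numeric value changes the query instead of the match.
    sql = f"SELECT id, owner FROM tickets WHERE id = {ticket_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, ticket_id, session_user):
    # 1. Enforce the type the field is meant to carry before touching the database.
    if not str(ticket_id).isdigit():
        return []
    # 2. Bind values as parameters; the driver never interprets them as SQL.
    # 3. Scope the lookup to the logged-in user so knowing an id alone is not enough.
    return conn.execute(
        "SELECT id, owner FROM tickets WHERE id = ? AND owner = ?",
        (int(ticket_id), session_user),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "1001 OR 1=1"             # the shape of input a scanner sends
    print("vulnerable:", lookup_vulnerable(db, probe))   # every row comes back
    print("safe:      ", lookup_safe(db, probe, "alice"))  # rejected before the query
```

The type check is what lets the vulnerable-versus-safe difference show up without a database error, and the owner column in the WHERE clause is the part that a parameterised query alone does not give you.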
Here are some credentials; with them we got user access.
Now using these we can SSH in as the user.
Now let's grind for root.
I checked sudo permissions first, but none were available, and the user was not a member of any other groups. I ran linpeas and discovered a couple of mentions of 'doas', which isn't a package installed by default, so I looked into its default '/etc/doas.conf' location. No luck with the default location, but you can use locate to search for it.
The possibility of developing our own plugins for its use is mentioned in the man page's 'PLUGINS' section, and near the bottom, as shown in the image above, are several places where our custom plugins can be stored. In addition, the naming convention is 'dstat_<name>.py'.
Now we can create the file 'dstat_<name>.py' in /usr/share/dstat using this: https://github.com/tanishq396/dstat.py/blob/main/dstat (do change your IP and PORT) and start a listener.
doas -u root /usr/bin/dstat --<name>
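As the hardening counterpart to this escalation, here is an added example (not from the write-up and not part of doas or dstat) that parses a doas.conf and flags the kind of grant abused here: a passwordless rule that runs a plugin-loading tool as root. The config text, the account name and the plugin-loader list are constructed; dstat is seeded into that list only because the write-up shows it picking up custom plugins from /usr/share/dstat.

```python
"""Audit doas.conf for grants that deserve a second look.
Added example; the config below is constructed, not the machine's real /etc/doas.conf."""

# Commands known to load plugins from directories the caller may be able to write.
# Seeded with dstat because of the plugin directories described above; extending
# this tuple for your own estate is an assumption you make, not a doas feature.
PLUGIN_LOADERS = ("/usr/bin/dstat",)

SAMPLE_DOAS_CONF = """\
# members of wheel may run anything as root, but must type their password
permit persist :wheel
# a service account may run one tool as root with no password at all
permit nopass player as root cmd /usr/bin/dstat
deny guest
"""

OPTIONS = ("nopass", "nolog", "persist", "keepenv", "setenv")


def parse_doas_conf(text):
    """Parse doas.conf into dicts with action, options, identity, target, cmd and args."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        action = tokens.pop(0)
        if action not in ("permit", "deny"):
            continue                                # unknown line: skip rather than guess
        rule = {"action": action, "options": set(), "target": "root",
                "cmd": None, "args": None}
        while tokens and tokens[0] in OPTIONS:
            opt = tokens.pop(0)
            rule["options"].add(opt)
            if opt == "setenv":                     # skip the { VAR=value ... } block
                while tokens and not tokens.pop(0).endswith("}"):
                    pass
        if not tokens:
            continue
        rule["identity"] = tokens.pop(0)            # a user name or :group
        if tokens[:1] == ["as"]:
            tokens.pop(0)
            rule["target"] = tokens.pop(0)          # when "as" is absent the target is root
        if tokens[:1] == ["cmd"]:
            tokens.pop(0)
            rule["cmd"] = tokens.pop(0)
        if tokens[:1] == ["args"]:
            tokens.pop(0)
            rule["args"] = tokens[:]                # an empty list means "no arguments allowed"
        rules.append(rule)
    return rules


def risky_rules(rules, plugin_loaders=PLUGIN_LOADERS):
    """Return (rule, reasons) pairs for permit rules worth reviewing."""
    findings = []
    for rule in rules:
        if rule["action"] != "permit":
            continue
        reasons = []
        if "nopass" in rule["options"]:
            reasons.append("no password required")
        if rule["target"] == "root" and rule["cmd"] is None and "nopass" in rule["options"]:
            reasons.append("passwordless arbitrary command as root")
        if rule["cmd"] in plugin_loaders and rule["target"] == "root":
            reasons.append(f"{rule['cmd']} loads plugins; confirm its plugin directories "
                           f"are not writable by {rule['identity']}")
        if reasons:
            findings.append((rule, reasons))
    return findings


if __name__ == "__main__":
    for rule, reasons in risky_rules(parse_doas_conf(SAMPLE_DOAS_CONF)):
        print(f"{rule['identity']} -> {rule['target']} cmd={rule['cmd']}: {'; '.join(reasons)}")
```

The wheel rule is left alone on purpose: it still asks for a password, which is the normal sudo-style setup. What gets flagged is the combination that mattered on this box, nopass plus a target of root plus a command that executes code from a directory outside the rule's control.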
And boom, here you get root access!