nmap
Add the domain name to the hosts file.
Also, port 9091 is open; it is worth checking.
Enumeration
When I accessed the web page, the home page looked like the image below.
There’s nothing to see on the main page.
I ran dirbuster to find directories.
There’s one hit.
User flag
And I logged in with the default credentials admin/admin@123.
It seems to be written in PHP, and there is an upload button.
My first thought was to upload a reverse shell.
I uploaded the reverse shell to /var/www/html/tiny/uploads and executed it.
I managed to get a shell! However, I didn’t have permission to read the user flag.
While enumerating directories, I found the version of Tiny File Manager.
There is an exploit for this version.
I typed ss -lntp to see the listening ports and their process information.
I also found the following subdomain in the nginx directory.
So it needs to be added to the hosts file as well.
Then we can see another login page.
After signing up and logging in, we can see the check page.
I noticed it is vulnerable to SQL injection.
I captured the request using Burp.
It looks like it is using a WebSocket.
I used sqlmap with the captured request to enumerate databases.
sqlmap -u 'ws://soc-player.soccer.htb:9091/' --data '{"id":"*"}' --dbs --threads 10 --level 5 --risk 3 --batch
After waiting about 30 minutes, I got the following result.
The db soccer_db looks interesting.
We can target the database and get information with the following command.
sqlmap -u "ws://soc-player.soccer.htb:9091" --data '{"id": "*"}' --threads 10 -D soccer_db --dump --batch
Then, finally, we can get the user credentials.
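The check page takes a JSON message over the WebSocket, and the sqlmap payload above (the `*` inside `{"id":"*"}`) marks the id value as the injection point. The following is an added example, not code from the writeup or from the soc-player server: a minimal Python handler backed by an in-memory SQLite table that shows the injectable pattern next to a hardened version. The assumption that the server looks the id up directly in SQL is mine, and the table name, columns and rows are constructed.

```python
"""Added example (not code from the writeup or from the soc-player server):
a minimal handler for a WebSocket "check" message shaped like the sqlmap
payload in the writeup, {"id": ...}. The assumption that the server looks
the id up in SQL is mine; the table, columns and rows below are constructed."""
import json
import sqlite3

# Constructed sample rows standing in for soccer_db; not the real schema.
SAMPLE_ROWS = [
    (1, "alice", "paid"),
    (2, "bob", "unpaid"),
    (3, "carol", "paid"),
]


def make_db():
    """In-memory SQLite table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER, owner TEXT, status TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def handle_vulnerable(conn, message):
    """The pattern that makes a WebSocket endpoint injectable: the JSON value
    is pasted into the SQL text, so whoever sends the message writes the
    WHERE clause. sqlmap's '*' marker in --data targets exactly this spot."""
    payload = json.loads(message)
    query = "SELECT owner, status FROM tickets WHERE id = %s" % payload["id"]
    return {"rows": conn.execute(query).fetchall()}


def is_valid_id(raw):
    """Accept a non-negative integer, either as a JSON number or as a string
    of ASCII digits; reject booleans, floats and anything with other text."""
    if isinstance(raw, bool):
        return False
    if isinstance(raw, int):
        return raw >= 0
    return isinstance(raw, str) and raw.isascii() and raw.isdigit()


def handle_safe(conn, message):
    """Hardened form: validate the id first, then bind it as a parameter so
    the driver never interprets it as SQL. Bad input gets an error reply
    instead of reaching the database."""
    payload = json.loads(message)
    raw = payload.get("id")
    if not is_valid_id(raw):
        return {"error": "id must be an integer"}
    query = "SELECT owner, status FROM tickets WHERE id = ?"
    return {"rows": conn.execute(query, (int(raw),)).fetchall()}


if __name__ == "__main__":
    db = make_db()
    for msg in ('{"id": 2}', '{"id": "0 OR 1=1"}'):
        print(msg, "->", handle_vulnerable(db, msg), "|", handle_safe(db, msg))
```

Because the WebSocket frame is just text, the same rule applies as for an HTTP parameter: the message body is untrusted, so the fix is validation plus parameter binding, not a different transport.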
Root flag
After getting the user flag, I checked sudo permission for the user player.
Sorry, user player may not run sudo on localhost.
Ok, then how about SUID?
find / -type f -perm -4000 2>/dev/null
* 4000 is the set-UID bit and 2000 the set-GID bit.
The doas binary executes a program as another user.
According to the Debian wiki it provides "95% of the features of sudo with a fraction of the codebase". Interesting.
Usually, the config file is located at /etc/doas.conf, but on this machine it was at /usr/local/etc/doas.conf.
Hmm.. it says player can run dstat as root!
I read the manual page of dstat and found something interesting.
Does it mean we can execute Python code as root?
Let’s give it a try.
This directory has write permission.
* The ls -d option lists the directory itself, not its contents.
Now create a file that spawns a shell and put it in the dstat plugin directory.
echo 'import os; os.system("/bin/bash")' > /usr/local/share/dstat/dstat_shell.py
Then let’s check if it is created in the target directory.
Good!
Let’s execute the shell!
doas /usr/bin/dstat --shell
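The root step rests on three conditions that are all visible from the filesystem: setuid/setgid binaries (the find command above), a doas.conf that is root-owned and writable only by root, and a plugin directory that a root-run dstat loads Python from not being writable by other users. As an added example that is not part of the writeup, here is a small Python audit that checks those conditions from the defender's side. The dstat plugin directory list is an assumption for this example, the doas.conf placeholder contents are constructed, and the demo tree the script builds in a temporary directory is constructed sample input so it can run without touching the real system.

```python
"""Added example (not part of the original writeup): a filesystem audit for
the three conditions the root step depends on. Plugin directories and the
placeholder doas.conf line are assumptions; the demo tree is constructed."""
import os
import stat
import tempfile

# dstat loads dstat_*.py plugins from directories like these (the writeup
# shows /usr/local/share/dstat); the exact list is an assumption here.
DSTAT_PLUGIN_DIRS = ["/usr/share/dstat", "/usr/local/share/dstat"]
DOAS_CONF_PATHS = ["/etc/doas.conf", "/usr/local/etc/doas.conf"]


def find_setid_files(root):
    """Python equivalent of `find ROOT -type f -perm -4000` plus the SGID
    bit (2000): returns (path, mode) for each regular file with either set."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat so symlinks are not followed
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def writable_by_others(path):
    """True if the group or world write bit is set; this is the condition
    that let dstat_shell.py be dropped into the plugin directory."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_doas_target(plugin_dirs, conf_path):
    """Findings for a program that doas runs as root and that loads plugins
    from PLUGIN_DIRS, plus the doas.conf that grants the rule."""
    findings = []
    for d in plugin_dirs:
        if os.path.isdir(d) and writable_by_others(d):
            findings.append("plugin dir %s is group/world writable" % d)
    if os.path.exists(conf_path):
        if writable_by_others(conf_path):
            findings.append("doas.conf %s is group/world writable" % conf_path)
        if os.stat(conf_path).st_uid != 0:
            findings.append("doas.conf %s is not owned by root" % conf_path)
    return findings


def make_demo_tree():
    """Constructed sample layout in a temp dir: one setuid file, one
    world-writable plugin directory and one world-writable doas.conf."""
    base = tempfile.mkdtemp(prefix="audit_demo_")
    bin_dir = os.path.join(base, "bin")
    os.makedirs(bin_dir)
    suid = os.path.join(bin_dir, "setuid_tool")
    with open(suid, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(suid, 0o4755)
    plugin_dir = os.path.join(base, "share", "dstat")
    os.makedirs(plugin_dir)
    os.chmod(plugin_dir, 0o777)
    conf = os.path.join(base, "doas.conf")
    with open(conf, "w") as fh:
        fh.write("# constructed placeholder doas.conf for the demo\n")
    os.chmod(conf, 0o666)
    return {"base": base, "suid": suid, "plugin_dir": plugin_dir, "conf": conf}


if __name__ == "__main__":
    demo = make_demo_tree()
    for path, mode in find_setid_files(demo["base"]):
        print(mode, path)
    for finding in audit_doas_target([demo["plugin_dir"]], demo["conf"]):
        print("FINDING:", finding)
    # On a real host: find_setid_files("/") and
    # audit_doas_target(DSTAT_PLUGIN_DIRS, conf) for each conf in DOAS_CONF_PATHS.
```

The general rule the audit encodes: any program that doas or sudo runs as root must not load code or configuration from a location the invoking user can write to, and the rule file itself must be root-owned and root-only writable.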
Lesson learned
- doas acts almost like sudo, but it needs some research.
- Find SUID files with perm 4000 and SGID files with perm 2000.
- sqlmap is very convenient for an SQL injection attack.
- If there is something using a WebSocket, consider an SQL injection attack.
- It is good to check the nginx directory. Maybe there is information about a subdomain.