Soccer

nano /etc/hosts 

10.10.11.194     soccer.htb

PORT Scan ⤵️

sudo nmap -sC -sV -p- -T4 -oN Nmap_results.txt 10.10.11.194

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQChXu/2AxokRA9pcTIQx6HKyiO0odku5KmUpklDRNG+9sa6olMd4dSBq1d0rGtsO2rNJRLQUczml6+N5DcCasAZUShDrMnitsRvG54x8GrJyW4nIx4HOfXRTsNqImBadIJtvIww1L7H1DPzMZYJZj/oOwQHXvp85a2hMqMmoqsljtS/jO3tk7NUKA/8D5KuekSmw8m1pPEGybAZxlAYGu3KbasN66jmhf0ReHg3Vjx9e8FbHr3ksc/MimSMfRq0lIo5fJ7QAnbttM5ktuQqzvVjJmZ0+aL7ZeVewTXLmtkOxX9E5ldihtUFj8C6cQroX69LaaN/AXoEZWl/v1LWE5Qo1DEPrv7A6mIVZvWIM8/AqLpP8JWgAQevOtby5mpmhSxYXUgyii5xRAnvDWwkbwxhKcBIzVy4x5TXinVR7FrrwvKmNAG2t4lpDgmryBZ0YSgxgSAcHIBOglugehGZRHJC9C273hs44EToGCrHBY8n2flJe7OgbjEL8Il3SpfUEF0=
|   256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIy3gWUPD+EqFcmc0ngWeRLfCr68+uiuM59j9zrtLNRcLJSTJmlHUdcq25/esgeZkyQ0mr2RZ5gozpBd5yzpdzk=
|   256 5797565def793c2fcbdb35fff17c615c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2Pj1mZ0q8u/E8K49Gezm3jguM3d8VyAYsX0QyaN6H/
80/tcp   open  http            nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http:/soccer.htb/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
9091/tcp open  xmltec-xmlmail?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|   GetRequest: 
|     HTTP/1.1 404 Not Found
|     Content-Security-Policy: default-src 'none'
|     X-Content-Type-Options: nosniff
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 139
|     Date: Thu, 13 Apr 2023 15:50:21 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error</title>
|     </head>
|     <body>
|     <pre>Cannot GET /</pre>
|     </body>
|     </html>
|   HTTPOptions, RTSPRequest: 
|     HTTP/1.1 404 Not Found
|     Content-Security-Policy: default-src 'none'
|     X-Content-Type-Options: nosniff
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 143
|     Date: Thu, 13 Apr 2023 15:50:22 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error</title>
|     </head>
|     <body>
|     <pre>Cannot OPTIONS /</pre>
|     </body>
|_    </html>

Web Enumeration ➡️

From directory or files bruteforcing I got to know about directory /tiny and /tiny/uploads .

So while Recon I got the Tiny File Manager version >

And I found something on searchsploit also about Tiny File Manager ➡️

Now with default Credentials like > admin : admin@123 I got in ➡️

So lets try to upload the reverse shell Now .

Now After uploading the reverse shell file I got the shell ⤵️

I got something from tinyfilemanager.php >

Now after so much recon I found a subdomain ⤵️

Now lets set the /etc/hosts file »

Now after Signing up I got logged in and got this —>

Now After Looking into the source code >

I got to know that this site is vulnerable to SQLi and also related with websocket so lets research about it .

So From this site we are performing these steps to capture our output ⤵️

Now first run that python3 script which we got from this site >

Now I got this »

+——+——————-+———-+———————-+

id

email

username

password

+——+——————-+———-+———————-+

1324

player@player.htb

player

PlayerOftheMatch2022

+——+——————-+———-+———————-+

Credentails >
player : PlayerOftheMatch2022

Now lets login into player user .

player@soccer:~$ cat user.txt
cat user.txt
38bba6d79100041daf683a4911ffe3e9
player@soccer:~$

Looking into the SUIDS I got to know about daos so I followed this > LINK

So I created a File named as “**dstat_.py”** which contains the python reverse shell code .

Now copy this into ‘/usr/local/share/dstat’. Time to start netcat listener.

command : doas /usr/bin/dstat --<name>

Finally got Root !!

# cat root.txt
b86ac8558e5bb1aee4a830773c76d81a

If you have any questions or suggestions, please leave a comment below. Thank You !