
Hi there, I am malw_guy, a former penetration tester, currently pursuing a degree in Electro-Communications. I've been nourishing my hacking skills since I was just a teenager; I started back when I was 13 (I'd like to keep my current age confidential). The purpose of this blog is to be a showcase / portfolio so people can grasp a lil' bit of my knowledge in the field. It should be noted that I am inclined to withhold public disclosure of the majority of my accomplishments in this particular field, primarily due to their involvement with governmental entities. However, should you possess a compelling reason to inquire further about these achievements, I am prepared to disclose them on a case-by-case basis, depending on the nature of your inquiry.

Machine: Soccer

We'll start as always: scanning with nmap while checking the web page.
In the nmap scan we don't see anything out of the ordinary, except the service on port 9091, which nmap labels xmltec-xmlmail.
I checked the port by URL and it says "Cannot GET". I tried all the HTTP methods, but nothing; let's continue our enumeration.
We found a directory /tiny on soccer.htb, let's check it out.
Here we have a login page. I tried some injections, nothing, but when I was searching the page source I found something interesting.
Let's see if we find any exploit on Google related to that file manager.
We still need an account to exploit that vulnerability, and there is no signup page. With the help of Google we find the default credentials.
The default credentials worked, so let's try our exploit.
It didn't work; most probably we have to play around with the paths in the exploit. But I found a folder in /tiny where we can upload.
So I uploaded a basic PHP shell based on the destination folder; let's access it.
*sadness noises*
Running linpeas we see a subdomain; let's add that to our /etc/hosts and carry on.
After making an account and logging in, we can buy tickets, and we're prompted with an input field. By inspecting the source code we can see that it's based on WebSockets. Unfortunately we can't point sqlmap at a WebSocket directly, but googling a little bit about the problem I found a workaround: we make a Python script that acts as a local HTTP proxy, run sqlmap against that proxy, and the proxy forwards each query to the WebSocket. I found such a script here.
But we still need to make some changes to the script: modify the target URL and the data that's supposed to be parsed.
Now let's run our script and sqlmap.
You'll have to wait a little bit, but it'll produce some great results.
Let's try to SSH into the machine now with that password as the user "player".
Alright, we get the user; let's run linpeas to find a way to get root.
That "/usr/local/bin/doas" is a tool that allows us to run commands as different users; let's check its configuration.
So we can run "dstat" as root. I googled a lil bit about this and found something interesting.
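From the defender's side, the thing to review here is the doas.conf grant itself. As an added example (not code from the original post), the script below parses doas.conf rules and lists which identities can run which commands as root and whether a password is required, honouring doas's last-matching-rule semantics; the embedded config is a constructed sample, not the machine's actual file.

```python
import shlex
from dataclasses import dataclass

@dataclass
class Rule:
    action: str            # "permit" or "deny"
    options: list          # nopass / nolog / persist / keepenv
    identity: str          # user name, or ":group"
    target: str = "root"   # doas targets root when "as" is omitted
    cmd: str = None        # None means any command

def parse_doas_conf(text):
    """Parse doas.conf rules (setenv blocks are not handled here)."""
    rules = []
    for raw in text.splitlines():
        tok = shlex.split(raw.split("#", 1)[0])   # strip comments
        if not tok:
            continue
        if tok[0] not in ("permit", "deny"):
            raise ValueError(f"unrecognised rule: {raw!r}")
        rule = Rule(tok.pop(0), [], "")
        while tok[0] in ("nopass", "nolog", "persist", "keepenv"):
            rule.options.append(tok.pop(0))
        rule.identity = tok.pop(0)
        if tok[:1] == ["as"]:
            rule.target, tok = tok[1], tok[2:]
        if tok[:1] == ["cmd"]:
            rule.cmd = tok[1]   # any trailing "args ..." are ignored
        rules.append(rule)
    return rules

def root_grants(rules):
    """Map (identity, cmd) -> nopass for each root grant still in force;
    doas applies the last matching rule, so a later deny cancels a permit."""
    grants = {}
    for r in rules:
        if r.target != "root":
            continue
        if r.action == "permit":
            grants[(r.identity, r.cmd)] = "nopass" in r.options
        elif r.cmd is None:   # deny with no cmd covers every command
            grants = {k: v for k, v in grants.items() if k[0] != r.identity}
        else:
            grants.pop((r.identity, r.cmd), None)
    return grants

SAMPLE_CONF = """\
permit persist :wheel   # constructed sample, not the real doas.conf
permit nopass player as root cmd /usr/bin/dstat
permit nopass backup as root cmd /usr/bin/rsync
deny backup as root cmd /usr/bin/rsync   # revoked further down the file
"""
```

Running `root_grants(parse_doas_conf(SAMPLE_CONF))` on the sample reports the wheel group (password required) and the password-less player -> dstat grant, while the rsync grant is gone because the later deny cancels it; a password-less root grant for a binary that loads plugins from disk is exactly the kind of rule worth tightening.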
Now let's recreate that scenario.
And we got it.