Soccer — HackTheBox

Abdul Wassay (HotPlugin)
6 min read · Jun 11, 2023

Soccer is an easy machine from HackTheBox. It involves exploiting a file upload CVE in an old version of Tiny File Manager, finding another running application and exploiting SQLi in its vulnerable WebSocket to get a foothold. Finally, creating and running a custom plugin for the dstat utility through the doas command leads to privilege escalation to root.

NMAP

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
|   256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)
|_  256 5797565def793c2fcbdb35fff17c615c (ED25519)
80/tcp   open  http            nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
9091/tcp open  xmltec-xmlmail?
| fingerprint-strings:
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix:
|     HTTP/1.1 400 Bad Request
|     Connection: close

PORT 80 (HTTP)

Add the domain soccer.htb to the /etc/hosts file and navigate to the website. It is a static page for a football club.

Directory busting with ffuf reveals a valid path.

ffuf -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -u http://soccer.htb/FUZZ -fw 4

Navigating to the /tiny page, we see the login page of Tiny File Manager.

Looking at the source, we find that it is version 2.4.3.

CVE-2021-45010

Doing a Google search, we find that it is vulnerable to CVE-2021-45010.

A path traversal vulnerability in the file upload functionality in tinyfilemanager.php in Tiny File Manager before 2.4.7 allows remote attackers (with valid user accounts) to upload malicious PHP files to the webroot, leading to code execution.

But to exploit this we need to be authenticated. We can try default credentials to see if they work; a Google search turns them up.

Luckily, both credential pairs work and we can authenticate as admin or user.

The CVE details say that the file upload is vulnerable, so we can try to exploit it. Opening the upload page, it shows the destination where the file will be uploaded.

But when we upload a file, it says it has no permission to upload to this directory.

However, if we go back to the home page, where all the files are listed, we can see a directory named tiny. Inside it there is an upload directory. Going there and clicking on upload, the destination path changes and we can upload files there.

Now we can just upload a PHP reverse shell to get a foothold on the box.

Opening the PHP reverse shell file, we get a shell on the box.
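The server-side check that closes the CVE-2021-45010 bug class exploited above, as an added example (not Tiny File Manager's own code): both the requested directory and the file name come from the client, so the server must canonicalise the destination, confirm it stays inside the upload root, and allowlist the extension. The upload root and the extension allowlist are assumptions.

```python
import os

# Assumed allowlist of upload extensions; server-side script types such as
# .php must never be accepted, whatever directory the upload lands in.
ALLOWED_EXT = {".txt", ".png", ".jpg", ".pdf"}


def resolve_upload_target(upload_root, requested_dir, filename):
    """Return the canonical destination path for an upload, or raise ValueError.

    Both arguments after upload_root are client-controlled, so the file name
    is confined to a bare name, the type is allowlisted, and the directory is
    canonicalised (symlinks resolved) before the containment check.
    """
    root = os.path.realpath(upload_root)
    # A bare file name: no separators, no NUL, not '.' or '..'.
    if (filename in ("", ".", "..") or "/" in filename
            or "\\" in filename or "\x00" in filename):
        raise ValueError("bad file name")
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXT:
        raise ValueError("file type not allowed")
    # Resolve the requested directory under root, then compare path
    # components rather than a string prefix (so /uploads2 is not /uploads).
    target_dir = os.path.realpath(os.path.join(root, requested_dir.lstrip("/")))
    if os.path.commonpath([root, target_dir]) != root:
        raise ValueError("destination escapes upload root")
    return os.path.join(target_dir, filename)


def upload_allowed(upload_root, requested_dir, filename):
    """Boolean form of the same check, convenient for logging rejected uploads."""
    try:
        resolve_upload_target(upload_root, requested_dir, filename)
        return True
    except ValueError:
        return False
```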

Looking at the /etc/passwd file, there is a player user.

While enumerating for privesc, we find an entry for another domain in the /etc/hosts file. This suggests that another application may be running.

Looking at the nginx configuration, we can confirm that another application is running on port 3000.

Let's add the newly found domain to our /etc/hosts file and navigate to the website.

We can try registering for an account; after signing up, we can log in.

After logging in, it asks for a ticket. Entering a random number, it says the ticket doesn't exist.

Entering the given ticket ID, it says it exists.

Viewing the source, it can be seen that the page interacts with the server via a WebSocket.

Also, in the Burp proxy, it can be seen sending the ticket ID to the WebSocket.

Websocket Blind SQLi

Doing a Google search, I found the following article, which explains that WebSockets can be vulnerable to blind SQL injection. It also explains the steps to exploit it.

So, using sqlmap, we can automate the exploitation of this blind SQL injection and dump the database. The credentials of the player user are found in soccer_db.

sqlmap -u "ws://soc-player.soccer.htb:9091/" --method=POST --data '{"id":"60497"}' --batch --dump
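Why the ticket check is a blind oracle and how it is fixed, as an added example that is not the Soccer application's code: two versions of the handler that answers the `{"id": ...}` WebSocket message, run over a constructed in-memory SQLite table (table and column names are assumptions, not taken from soccer_db).

```python
import json
import re
import sqlite3


def make_db():
    """Constructed stand-in for the table behind the ticket check."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT)")
    db.execute("INSERT INTO accounts VALUES (60497, 'player')")
    return db


def ticket_exists_vulnerable(db, message):
    """The bug class behind the WebSocket: the JSON 'id' is spliced into SQL.

    The reply is only exists / does not exist, so any injected condition
    turns into a true/false oracle, which is exactly what sqlmap drives
    when it dumps the database blind.
    """
    ticket_id = json.loads(message)["id"]
    query = f"SELECT id FROM accounts WHERE id = {ticket_id}"
    return db.execute(query).fetchone() is not None


def ticket_exists_safe(db, message):
    """Fixed handler: validate the shape of the input, then bind it.

    A ticket id is a decimal number; anything else is rejected before it
    reaches the database, and the value is passed as a bound parameter so
    it can never be interpreted as SQL.
    """
    raw = json.loads(message).get("id")
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,10}", raw):
        return False
    query = "SELECT id FROM accounts WHERE id = ?"
    return db.execute(query, (int(raw),)).fetchone() is not None


def compare(message):
    """Run both handlers on one WebSocket message and return both answers."""
    db = make_db()
    return ticket_exists_vulnerable(db, message), ticket_exists_safe(db, message)
```

The vulnerable handler answers differently to an injected true and false condition, which is the signal a blind injection relies on; the fixed one answers false to both.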

Using the credentials, we can login via SSH.

Privilege Escalation

Now, while enumerating for privesc, we find the doas SUID binary. It is a program to execute commands as another user.

From the research, we learn that the permitted commands can be found in the doas config file.

https://book.hacktricks.xyz/linux-hardening/privilege-escalation#doas

Looking at the config file, we can see that the player user is permitted to run the dstat command as root.

dstat is a tool for generating system resource statistics.

Looking at the manual page of dstat, we can see that the tool allows creating custom plugins.

https://linux.die.net/man/1/dstat

The custom plugins need to be placed in the following paths with the mentioned naming conventions.

https://linux.die.net/man/1/dstat

Looking at the dstat directory, the player user has write access to it. This means we can write our malicious plugin.

We write a plugin named shell following the required naming convention. It just executes the id command so we can see that it runs as root.

Now we replace the id command with bash, run the command with doas, and get a shell as root.
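A defender-side audit for this misconfiguration, as an added example that is not part of the box or of doas: it parses the `permit|deny [options] identity [as target] [cmd command [args ...]]` rule grammar of doas.conf(5) and flags any rule that grants dstat as root while a dstat plugin directory is writable by the permitted identity. The plugin search paths are the system-wide ones from the dstat man page linked above; the caller resolves the identity to a uid and group set (with pwd/grp) and passes them in.

```python
import os
import stat
from dataclasses import dataclass
from typing import Optional

# System-wide plugin search paths from dstat(1); ~/.dstat/ is per-user.
DSTAT_PLUGIN_DIRS = ["/usr/share/dstat", "/usr/local/share/dstat"]
DOAS_OPTIONS = ("nopass", "nolog", "persist", "keepenv", "setenv")


@dataclass
class Rule:
    action: str             # "permit" or "deny"
    identity: str           # user name, or ":group"
    target: Optional[str]   # "as" user; None means any target user
    cmd: Optional[str]      # "cmd" path; None means any command


def parse_doas_conf(text):
    """Parse doas.conf rules; arguments after the command are ignored here."""
    rules = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if not tokens:
            continue
        action, i = tokens[0], 1
        while i < len(tokens) and tokens[i] in DOAS_OPTIONS:
            # "setenv { VAR=value ... }" is consumed up to its closing brace.
            i = tokens.index("}", i) + 1 if tokens[i] == "setenv" else i + 1
        identity, rest = tokens[i], tokens[i + 1:]
        target = cmd = None
        if rest[:1] == ["as"]:
            target, rest = rest[1], rest[2:]
        if rest[:1] == ["cmd"]:
            cmd = rest[1]
        rules.append(Rule(action, identity, target, cmd))
    return rules


def writable_by(path, uid, gids):
    """Whether this uid with this group set can write to path (mode bits only)."""
    st = os.stat(path)
    return bool((st.st_uid == uid and st.st_mode & stat.S_IWUSR)
                or (st.st_gid in gids and st.st_mode & stat.S_IWGRP)
                or st.st_mode & stat.S_IWOTH)


def dstat_plugin_findings(rules, uid, gids, plugin_dirs=DSTAT_PLUGIN_DIRS):
    """(identity, directory) pairs where dstat-as-root meets a writable plugin dir.
    A permit rule with no cmd already grants any command and is out of scope."""
    findings = []
    for r in rules:
        if r.action != "permit" or r.target not in (None, "root"):
            continue
        if r.cmd is None or os.path.basename(r.cmd) != "dstat":
            continue
        for d in plugin_dirs:
            if os.path.isdir(d) and writable_by(d, uid, gids):
                findings.append((r.identity, d))
    return findings
```

The fix on the host side is the same in either direction: remove write access from the plugin directories, or do not grant dstat through doas at all.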
