Soccer writeup
Box name: Soccer
Difficulty: Easy
OS: Linux
Overview: Soccer is an easy difficulty Linux machine that features a foothold based on default credentials, forfeiting access to a vulnerable version of the Tiny File Manager, which in turn leads to a reverse shell on the target system (CVE-2021-45010). Enumerating the target reveals a subdomain which is vulnerable to a blind SQL injection through websockets. Leveraging the SQLi leads to dumped SSH credentials for the player user, who can run dstat using doas, an alternative to sudo. By creating a custom Python plugin for doas, a shell as root is then spawned through the SUID bit of the doas binary, leading to fully escalated privileges.
Link: https://app.hackthebox.com/machines/519?sort_by=created_at&sort_type=desc
Machine IP: 10.129.34.94
Ran rustscan against the machine.
rustscan -a 10.129.34.94 --ulimit 5000 -b 2000 -- -A -Pn

An interesting port, 9091, is open that I have not seen before. I'll check out the webserver first anyway. Added soccer.htb to /etc/hosts.

Ran ffuf and feroxbuster.
ffuf -u http://soccer.htb -H "Host: FUZZ.soccer.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -c -fc 302,301
feroxbuster -u http://soccer.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,html,txt,bak,zip,json,xml,py,sh,config --force-recursion -t 50 -d 4 --filter-status 404,400
Ffuf found nothing. Feroxbuster found something called Tiny File Manager.

Looked up default creds and I was able to get in with admin:admin@123.

Version bottom right, Tiny File Manager 2.4.3. Searched exploits, looks like it's vulnerable to CVE-2021-45010. Found a github exploit https://github.com/febinrev/tinyfilemanager-2.4.3-exploit. I played with this script but it didn't work. Instead I will try taking advantage of the vulnerability manually. Created a PHP rev shell from https://www.revshells.com/. I was only able to upload in the /tiny/uploads directory.

Triggered it and we get a shell.

Stabilized my shell. At /home there is a player account, so we cannot get user.txt just yet. Poking around, I read out tinyfilemanager.php and found the creds we used and possible creds for player.

Neither worked. Moved linpeas over to the device. The only thing I could find that was interesting was that the doas SUID bit is set, but that's for player.

Couldn't find anything to get creds for player just yet. I saw some mentions of soc-player.soccer.htb from linpeas though. Added that to /etc/hosts (interesting, as ffuf didn't find anything earlier). It looks almost identical to the original site but has a login and signup button.

Created a test account kami@kami.com:kami and it brought me to this page when logging in.

In the source code this is connected to that port 9091 we saw earlier. I got stuck here so I referred to the writeup. It turns out that using Burp Suite's repeater we can find out that it is vulnerable to SQL injection. We can dump the database, then the accounts in the database. I will need to brush up on sqlmap.

player:PlayerOftheMatch2022
Then we can ssh into his account and get user.txt.

We saw doas/dstat earlier from linpeas. Check GTFObins https://gtfobins.org/gtfobins/dstat/#inherit. It can inherit from python. Created a python script to create a bash shell.
echo 'import os; os.system("/bin/bash")' > /usr/local/share/dstat/dstat_pwn.py
Made sure dstat sees it.
doas /usr/bin/dstat --list
Ran it.
doas /usr/bin/dstat --pwn
We got root and read root.txt.


GG
Attack Chain
1 – Reconnaissance Ran RustScan and identified ports 22 (SSH), 80 (HTTP), and 9091 (unknown). Added soccer.htb to /etc/hosts. Browsed to the web server and ran feroxbuster and ffuf for directory and VHOST enumeration. Feroxbuster discovered a Tiny File Manager installation. ffuf found no additional subdomains at this stage.
rustscan -a 10.129.34.94 --ulimit 5000 -b 2000 -- -A -Pn
feroxbuster -u http://soccer.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -x php,html,txt,bak,zip,json,xml,py,sh,config --force-recursion
ffuf -u http://soccer.htb -H "Host: FUZZ.soccer.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -c -fc 302,301
2 – Tiny File Manager default credentials and PHP webshell upload – CVE-2021-45010 Found Tiny File Manager 2.4.3 accessible on the web server. Tried default credentials and gained access. Researched CVE-2021-45010 and attempted the public exploit but it did not work. Manually exploited the vulnerability by uploading a PHP reverse shell to the /tiny/uploads directory. Triggered the shell and obtained a foothold as www-data.
Credentials: admin:admin@123
3 – Subdomain discovery and blind WebSocket SQL injection Stabilized the shell and ran LinPEAS. Found a reference to soc-player.soccer.htb and noted dstat had the SUID bit set but was only useful for the player user. Added soc-player.soccer.htb to /etc/hosts. The subdomain had a login and signup page. Created a test account and found the ticket checking feature connected to port 9091 via WebSockets. Used Burp Suite repeater to test for SQL injection and confirmed the ticket ID parameter was vulnerable to blind SQLi over the WebSocket connection. Used sqlmap to dump the database and extract credentials for the player account.
Credentials recovered: player:PlayerOftheMatch2022
4 – SSH access and user flag SSH'd in as player and retrieved user.txt.
5 – Privilege Escalation – doas dstat plugin injection Confirmed player could run dstat via doas. Checked GTFOBins and found dstat loads Python plugins from /usr/local/share/dstat. Created a malicious dstat plugin that spawned a bash shell, verified dstat recognized it, and executed it via doas to obtain a root shell. Retrieved root.txt.
echo 'import os; os.system("/bin/bash")' > /usr/local/share/dstat/dstat_pwn.py
doas /usr/bin/dstat --pwn
Key Takeaways
- Default credentials on Tiny File Manager – CVE-2021-45010 (CVSS 8.8 High) – Tiny File Manager 2.4.3 was accessible with the well-known default credentials admin:admin@123, providing immediate authenticated access. Default credentials must be changed before any application is deployed and file manager applications must require strong unique authentication.
- Tiny File Manager allowing PHP file upload to web root – The file manager permitted uploading arbitrary PHP files to a web-accessible directory, enabling direct webshell deployment. File managers must restrict uploadable file types via a strict allowlist and must not allow execution of uploaded files. Upload directories must be outside the web root or configured to deny script execution.
- Blind SQL injection over WebSocket – CWE-89 – The ticket checking feature passed user-supplied input directly to a SQL query over a WebSocket connection without sanitization. WebSocket endpoints are frequently overlooked in security testing but must be subject to the same input validation requirements as HTTP endpoints. All database queries must use parameterized statements.
- Weak password on player account – The player account password was a descriptive phrase that was recoverable from the dumped database hash. All user account passwords must meet complexity requirements that resist offline cracking and dictionary attacks.
- doas dstat rule allowing plugin code execution as root – Player could run dstat via doas and the plugin directory was writable, allowing arbitrary Python code to be loaded and executed as root. Sudo and doas rules granting access to tools that load code from user-writable directories are equivalent to unrestricted root access and must never be granted.
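The WebSocket SQLi takeaway above says the ticket lookup spliced user input into a query and that the fix is parameterized statements. As an added example (not code from the box or from this writeup), here is the vulnerable lookup beside a hardened handler in Python, using an in-memory SQLite table of constructed sample tickets. The JSON message shape `{"id": ...}` is an assumption about how a ticket-check WebSocket message might look, not the application's real protocol.

```python
import json
import re
import sqlite3

# Constructed sample rows standing in for the ticket table; not the machine's real schema or data.
SAMPLE_TICKETS = [(1, "Alice", 42), (2, "Bob", 43), (3, "Carol", 44)]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the constructed sample tickets."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, holder TEXT, seat INTEGER)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", SAMPLE_TICKETS)
    conn.commit()
    return conn


def lookup_ticket_unsafe(conn: sqlite3.Connection, ticket_id: str) -> list:
    """The pattern the writeup describes: the client value is spliced straight into SQL."""
    query = f"SELECT id, holder, seat FROM tickets WHERE id = {ticket_id}"
    return conn.execute(query).fetchall()


def lookup_ticket_safe(conn: sqlite3.Connection, ticket_id) -> list:
    """Hardened form: enforce the expected type, then bind the value as a query parameter."""
    if isinstance(ticket_id, bool):
        raise ValueError("ticket id must be an integer")
    if isinstance(ticket_id, str):
        # Only plain decimal digits are accepted; anything else never reaches the database.
        if not re.fullmatch(r"[0-9]+", ticket_id):
            raise ValueError("ticket id must be an integer")
        ticket_id = int(ticket_id)
    elif not isinstance(ticket_id, int):
        raise ValueError("ticket id must be an integer")
    # The driver sends the value separately from the SQL text, so it can never alter the query.
    return conn.execute(
        "SELECT id, holder, seat FROM tickets WHERE id = ?", (ticket_id,)
    ).fetchall()


def handle_message(conn: sqlite3.Connection, raw: str) -> dict:
    """Process one WebSocket text frame (assumed shape: JSON object with an "id" field)."""
    try:
        payload = json.loads(raw)
        if not isinstance(payload, dict):
            raise ValueError("message must be a JSON object")
        rows = lookup_ticket_safe(conn, payload.get("id"))
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        # A generic error: do not echo the input or the database error back to the client.
        return {"status": "error", "message": "invalid ticket id"}
    if not rows:
        return {"status": "not_found"}
    ticket_id, holder, seat = rows[0]
    return {"status": "ok", "ticket": {"id": ticket_id, "holder": holder, "seat": seat}}


if __name__ == "__main__":
    db = make_db()
    # A tautology appended to the id returns every row through the unsafe path ...
    print("unsafe:", lookup_ticket_unsafe(db, "1 OR 1=1"))
    # ... and is rejected before any SQL runs on the hardened path.
    print("safe:  ", handle_message(db, '{"id": "1 OR 1=1"}'))
    print("safe:  ", handle_message(db, '{"id": 2}'))
```

The type check and the parameter binding are independent layers: even if the validation were relaxed, the bound parameter alone keeps the value out of the query text, which is the property the remediation section asks for.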
Remediation
[Immediate] Change default credentials and patch Tiny File Manager – CVE-2021-45010 (CVSS 8.8 High) Update Tiny File Manager to the latest patched version immediately and change the default admin credentials. Restrict access to the file manager to authorized administrators only via IP allowlist or VPN. If Tiny File Manager is not operationally required, remove it entirely.
[Immediate] Restrict file upload to non-executable file types Configure the file manager to deny uploads of PHP, PHTML, and all other executable script file types via a strict allowlist. Set the upload directory to deny script execution via web server configuration. Move the upload directory outside the web root where possible.
[Immediate] Remediate the WebSocket SQL injection vulnerability Rewrite all WebSocket message handlers to use parameterized queries or prepared statements for all database interactions. Conduct a full code review of all WebSocket endpoints for injection vulnerabilities. Deploy a WAF with SQL injection detection rules covering both HTTP and WebSocket traffic.
[Immediate] Restrict the dstat plugin directory permissions Set /usr/local/share/dstat to be owned and writable only by root. Remove write access for the player user and all other non-root accounts. Audit all directories from which privileged scripts or tools load code for non-root write access.
[Immediate] Remove or restrict the doas dstat rule Remove the doas rule allowing player to run dstat as root. If dstat access is operationally required, restrict it to specific arguments that do not load plugins and verify no user-writable plugin directory is in the search path. Test all doas and sudo rules against GTFOBins before deployment.
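The two remediation items above ask for an audit of directories that privileged tools load code from and a review of doas rules that expose such tools. As an added example (not a script from the box or from this writeup), here is a small Python audit that does both: it walks a plugin directory and reports every path a non-root account could modify, and it parses doas.conf `permit` rules to flag any that grant a plugin-loading tool as root without an `args` restriction. The plugin path /usr/local/share/dstat comes from the writeup; /usr/share/dstat, the sample doas.conf contents and the sample directory layout are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Tools known to load code from a directory at run time. dstat is the one on the page;
# extend this set for your own environment.
CODE_LOADING_TOOLS = {"dstat"}

# dstat plugin locations: the first is from the writeup, the second is an assumption.
DSTAT_PLUGIN_DIRS = ["/usr/local/share/dstat", "/usr/share/dstat"]


def write_risks(mode: int, uid: int, gid: int) -> list:
    """Return the reasons a path with these stat fields could be modified by a non-root account."""
    reasons = []
    if uid != 0:
        reasons.append(f"owned by uid {uid}")
    if mode & stat.S_IWGRP and gid != 0:
        reasons.append(f"group-writable (gid {gid})")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_code_dir(code_dir: str) -> dict:
    """Map every path under code_dir that a non-root account could modify to its reasons."""
    findings = {}
    if not os.path.isdir(code_dir):
        return findings
    paths = [code_dir]  # the directory itself matters: write access there allows adding plugins
    for root, dirs, files in os.walk(code_dir):
        paths.extend(os.path.join(root, name) for name in dirs + files)
    for path in paths:
        st = os.lstat(path)
        reasons = write_risks(st.st_mode, st.st_uid, st.st_gid)
        if reasons:
            findings[path] = reasons
    return findings


def audit_doas_rules(conf_text: str) -> list:
    """Flag permit rules that hand out root with no cmd at all or via a code-loading tool
    whose arguments are unrestricted. Returns (line number, rule, reason) tuples."""
    flagged = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        tokens = line.split()
        if not tokens or tokens[0] != "permit":
            continue
        # doas targets root unless "as <user>" says otherwise.
        target = tokens[tokens.index("as") + 1] if "as" in tokens[:-1] else "root"
        if target != "root":
            continue
        if "cmd" not in tokens[:-1]:
            flagged.append((lineno, line, "no cmd restriction: unrestricted root, review intent"))
            continue
        cmd = os.path.basename(tokens[tokens.index("cmd") + 1])
        if cmd in CODE_LOADING_TOOLS and "args" not in tokens:
            flagged.append((lineno, line, f"{cmd} loads plugins and its args are unrestricted"))
    return flagged


def build_sample_dir() -> tuple:
    """Create a constructed plugin directory: one world-writable file, one 0644 file."""
    base = tempfile.mkdtemp(prefix="dstat-audit-")
    loose = os.path.join(base, "dstat_loose.py")
    tight = os.path.join(base, "dstat_tight.py")
    for path, mode in ((loose, 0o666), (tight, 0o644)):
        with open(path, "w") as fh:
            fh.write("# constructed placeholder plugin\n")
        os.chmod(path, mode)
    return base, loose, tight


if __name__ == "__main__":
    # Constructed doas.conf reflecting the kind of rule the writeup implies (exact rule assumed).
    sample_conf = (
        "permit nopass player as root cmd /usr/bin/dstat\n"
        "permit nopass player as root cmd /usr/bin/dstat args --cpu\n"
        "permit persist :wheel\n"
    )
    for lineno, rule, why in audit_doas_rules(sample_conf):
        print(f"doas.conf:{lineno}: {rule!r}: {why}")
    sample_dir, _, _ = build_sample_dir()
    for directory in DSTAT_PLUGIN_DIRS + [sample_dir]:
        for path, reasons in audit_code_dir(directory).items():
            print(f"{path}: {', '.join(reasons)}")
```

Run it as root on the host so the ownership checks are meaningful; when run as an ordinary user the constructed directory will also be reported as owned by that user, which is the same finding the audit exists to surface.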
[Short-term] Enforce strong passwords for all application and OS accounts The player password was recovered from a database dump. Enforce a minimum password length of 14 characters with complexity for all accounts. Audit existing account passwords against common wordlists and force resets where weak passwords are identified.
[Long-term] Implement WebSocket security testing as part of the application security program WebSocket endpoints are commonly missed in security assessments. Ensure all penetration tests explicitly cover WebSocket connections for injection, authentication bypass, and authorization flaws. Include WebSocket input validation in the secure development lifecycle and code review checklist.