Hack the Box is one of the cybersecurity upskilling platforms I use for professional development. Roughly once a week, Hack the Box releases a new vulnerable box for users to hack. Additionally, one active box is retired every week. Below is a walkthrough on compromising the recently retired box, “Soccer.” The goal is to obtain the user.txt flag in the user home directory and the root.txt flag in the /root directory.
Soccer is hosting a website that exposes a website admin login page still configured with default credentials. Once I log in, I am able to upload a PHP file, granting me RCE (Remote Code Execution) on the box. While enumerating the box, I come across a new subdomain of the website. Upon exploring the subdomain, I discover a blind, boolean-based SQL injection vulnerability, which I exploit to obtain the user’s credentials. Logged in as a user, I find that doas is configured to allow me to run dstat. This configuration enables me to obtain a root shell.
Below is a step-by-step guide of how I completed the box “soccer.” This guide will expand on the details of the above summary and focus on the tools and techniques I used to complete this challenge.
nmap found TCP ports 22, 80 and 9091 open.
Enumerating port 80
I navigated to http://10.10.11.194 and I was redirected to soccer.htb. I added soccer.htb to /etc/hosts and reload the page. I found the “HTB FootBall Club” website.
I didn’t find anything interesting looking around the website.
I used gobuster and the word list directory-list-2.3-small.txt to discover the directory tiny.
I visited http://soccer.htb/tiny/ in my browser and I encountered a login screen.
I googled “Tiny File Manager default credentials” and found admin:admin@123. I was able to login with the default credentials!
Looking around I discovered I could upload a php file to the uploads directory. This allowed me to obtain a foothold on the box.
I used re_shell.php to obtain a reverse shell.
To establish the reverse shell, first I created a nc listener on port 9595. Then I logged in with the default credentials. I selected the directory tiny, then the directory uploads. I uploaded re_shell.php and opened re-shell.php to initiate my reverse shell. The animated gif below shows these steps.
Discovering New Subdomain
From here I ran linpeas. Looking through the output of linpease I noticed the subdomain soc-player in /etc/hosts
Adding soc-player.soccer.htb to /etc/hosts and navigating to the subdomain in my browser, I found a page similar to “HTB FootBall Club,” but with a “sign up” page.
I registered an account.
I logged in with the account I created, and I was able to check the validity of (soccer?) tickets.
The image above shows that ticket 78807 is a valid ticket while ticket 1 is not valid.
Looking at the ticket traffic in burp, I saw that this feature is being accomplished using a websocket. Alternatively, you can obtain this information by looking at the source code of this page by right clicking and selecting “view page source” or you could use your browser’s developer tools to view network traffic. This must be why the box is called soccer and not football!
With a little help from python's websocket library I was able to discover a boolean based blind SQL injection in the websocket.
Running the above code I see that I am able to inject sql logic.
Looking at this example, if the database begins with the letter a. Then the result would be “Ticket Exists”.
Running the above code we see “Ticket Doesn’t Exists.” This tells us that our above statement is false and therefore the database does not start with the letter a.
However, If we check if the database starts with the letter s, we receive “Ticket Exists.”
Now that I know that the first letter of the database is s, I can loop through the alphabet to find the second letter. If I did this I would find the second letter is “o.”
Rather than doing this manually, I wrote a python script to automate this enumeration.
First I got the name of the database I was working in.
Then I used my script to look for tables in soccer_db.
I found only one table accounts. Then I found the columns in that table.
I was then able to extract data out of the username and password columns.
I have discovered the credentials player:PlayerOftheMatch2022. I was able to ssh in as player and obtain the user.txt flag.
Looking at which applications have the SUID bit set I discovered an unusual one, doas.
Looking at the man pages for doas I saw the application allows me to execute commands as another user and I should check /usr/local/etc/doas.conf for current configuration.
Looking at doas.conf I saw I was able to run dstat as root.
Looking up dstat on gtfo bins I found a suitable privilege escalation. I just needed to replace sudo with the doas command.
“Soccer” is an example of one of the many intriguing challenges available on Hack the Box. I intend to publish walkthroughs of future retired boxes as I continue using the platform to broaden my knowledge.