Soccer
World Cup Finals!
Gaining Access
Nmap scan:

We need to add soccer.htb to our /etc/hosts file to browse the site on port 80.
Port 80
The website is an average soccer-related page.

Doing a directory enumeration with feroxbuster reveals a few extra directories:

We can head to the /tiny endpoint to find another application running.
Tiny File Manager
On this directory, H3K Tiny File Manager is running and requires credentials to log in:

When googling online for exploits, I found quite a few that lead to RCE using default admin credentials of admin:admin@123, which worked when trying to log in.

Here, we can confirm the version of the software running on the help page.

There was one exploit for this on GitHub with a script:
To exploit this manually, we just need to upload a PHP web shell to this machine. However, it seems that we need to redirect our files to another folder since the /var/www/html folder was not writeable.
Anyways, I uploaded the script to the uploads directory and it seems to work. I uploaded via URL by hosting the cmd.php file on a Python HTTP Server.

From here, we can get RCE on the machine easily.

Then, we can use this to spawn a reverse shell.
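From the defender's side, this upload-then-execute pattern shows up in the web server's access log as requests for PHP files inside a user-writable directory. The following is an added example (not part of the original writeup) that flags such requests in nginx combined-format logs; the log lines, IP addresses, timestamps and the /tiny/uploads/ path are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed nginx "combined" log lines for illustration (not captured from a real host).
SAMPLE_LOG = """\
10.10.14.7 - - [12/Mar/2023:09:14:02 +0000] "GET /tiny/ HTTP/1.1" 200 11018 "-" "Mozilla/5.0"
10.10.14.7 - - [12/Mar/2023:09:16:05 +0000] "GET /tiny/uploads/cmd.php?cmd=id HTTP/1.1" 200 54 "-" "curl/7.88.1"
10.10.14.7 - - [12/Mar/2023:09:16:20 +0000] "GET /tiny/%75ploads/cmd.PHP/x HTTP/1.1" 200 54 "-" "curl/7.88.1"
10.10.14.9 - - [12/Mar/2023:09:16:31 +0000] "GET /tiny/uploads/old.php HTTP/1.1" 404 162 "-" "curl/7.88.1"
192.168.1.20 - - [12/Mar/2023:09:17:00 +0000] "GET /tiny/uploads/team.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
192.168.1.20 - - [12/Mar/2023:09:17:30 +0000] "GET /index.php HTTP/1.1" 200 6917 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Extensions commonly mapped to the PHP handler; "/" allows trailing path info.
SCRIPT_EXT = r"\.(?:php\d?|phtml|phar)(?:/|$)"


def find_script_hits(log_text, writable_dirs=("uploads",)):
    """Return requests for server-side scripts inside user-writable directories."""
    dirs = "|".join(re.escape(d) for d in writable_dirs)
    hit_re = re.compile(rf"/(?:{dirs})/.*{SCRIPT_EXT}", re.IGNORECASE)
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # Decode percent-escapes so /%75ploads/ cannot hide the directory name.
        path = unquote(urlsplit(m["target"]).path)
        if hit_re.search(path):
            hits.append({"ip": m["ip"], "path": path, "status": int(m["status"]),
                         # 2xx means the script was served, not merely probed
                         "executed": m["status"].startswith("2")})
    return hits


def executed_by_ip(hits):
    """Count successful script requests per client, the strongest signal."""
    return Counter(h["ip"] for h in hits if h["executed"])


if __name__ == "__main__":
    for hit in find_script_hits(SAMPLE_LOG):
        print(hit)
```

Any hit with `executed` set is worth triage, and configuring the web server so that upload directories are never passed to the PHP handler removes the condition entirely.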

Privilege Escalation
We can find another user called player.

soc-player.soccer.htb
When checking netstat, we find that port 3000 has a service running on it.

The /etc/hosts file on the machine also presents another domain:
We can also check the nginx configuration files for this website:
The configuration files only tell me that this is some type of proxy..? Seeing that there's a Connection 'upgrade' bit, this service is definitely some type of WebSocket that is running on the machine.
We can proceed with enumeration of this host.