# Soccer

## Gaining Access

Nmap scan:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-a96da31a4485ab51980cf676c85a23b77f367426%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

We need to add `soccer.htb` to our `/etc/hosts` file to browse the site on port 80.

### Port 80

The website is an average soccer-related page.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-9b816d1e0fc4cee94768d58b2d210a591f28ad83%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Doing a directory enumeration with feroxbuster reveals a few extra directories:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-330eedd083599b0aefb9b97af62432637b63fea9%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

We can head to the `/tiny` endpoint to find another application running.

### Tiny File Manager

In this directory, H3K Tiny File Manager is running and requires credentials to log in:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-d52b409ed7f7c9889824afa2ba62d39e7e6a1425%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

When googling for exploits, I found quite a few that lead to RCE using the default admin credentials `admin:admin@123`, which worked when trying to log in.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-8bd6e2479d123514a7ef94245fb3324c3e5f912e%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Here, we can confirm the version of the software on the help page.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-a911ac5cfbd17a33631ccc24a6aa0bb5167ada51%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

There is one exploit for this on GitHub with a script:

{% embed url="https://github.com/febinrev/tinyfilemanager-2.4.3-exploit" %}

To exploit this manually, we just need to upload a PHP web shell to the machine. However, we need to redirect our file to another folder, since the `/var/www/html` folder is not writable.

I uploaded the script to the `uploads` directory instead, which worked. I uploaded it via URL by hosting the `cmd.php` file on a Python HTTP server.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-c0805749070ae91b0ce08f5d78678be08349d3c5%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

From here, we can get RCE on the machine easily.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-9c5ae327621f49d96949a6cca77057add7ed4c15%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Then, we can use this to spawn a reverse shell.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-604c2ed0ac1ea1881dfa44019a3cf5d867326944%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

We can find another user called `player`.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-6df54db4e0478665f6d0e76f8150d2a30e98f89d%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

### soc-player.soccer.htb

When checking `netstat`, we find that port 3000 has a service running on it.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-93a2cb2a83a229a27206c72f90cc09cc83f885de%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

The `/etc/hosts` file on the machine also lists another domain:

```
www-data@soccer:/dev$ cat /etc/hosts
cat /etc/hosts
127.0.0.1       localhost       soccer  soccer.htb      soc-player.soccer.htb
127.0.1.1       ubuntu-focal    ubuntu-focal
```

We can also check the nginx configuration files for this website:

```
www-data@soccer:/$ cat /etc/nginx/sites-available/soc-player.htb 
server {
        listen 80;
        listen [::]:80;

        server_name soc-player.soccer.htb;

        root /root/app/views;

        location / {
                proxy_pass http://localhost:3000;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
        }
}
```

The configuration file only tells us that this is some type of reverse proxy to port 3000 on localhost. Given the `proxy_set_header Upgrade $http_upgrade` and `proxy_set_header Connection 'upgrade'` directives, which are the standard nginx settings for forwarding the HTTP upgrade handshake, this service is definitely some type of WebSocket server running on the machine.
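The reasoning above (upgrade headers on a `proxy_pass` location mean a WebSocket backend) can be turned into a quick inventory check. The following is an added example, not code from the original writeup: a small Python parser that walks an nginx vhost file, lists each `server_name` with its `proxy_pass` upstream, and flags blocks that forward the WebSocket upgrade handshake. The config sample is constructed inline from the `soc-player.soccer.htb` block shown above, with a minimal static `soccer.htb` vhost added as an assumption so both outcomes appear.

```python
# Constructed sample: the soc-player vhost from the page plus a minimal static
# vhost (an assumption, not from the box) so both outcomes appear in the report.
SAMPLE_CONF = """
server {
    server_name soccer.htb;
}
server {
    server_name soc-player.soccer.htb;
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
"""

def parse_vhosts(conf: str) -> list[dict]:
    # One record per server {} block; blocks nested inside http {} are handled too.
    records, current, depth = [], None, 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if current is None:                          # outside any server block
            if line.split()[0] == "server" and line.endswith("{"):
                current, depth = {"server_name": [], "proxy_pass": [], "headers": {}}, 1
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0:                               # server block just closed
            h = current["headers"]
            current["websocket"] = (h.get("Upgrade") == "$http_upgrade"
                                    and h.get("Connection", "").lower() == "upgrade")
            records.append(current)
            current = None
            continue
        parts = line.rstrip(";").split()             # '{' / '}' lines match nothing below
        if parts[0] == "server_name":
            current["server_name"] += parts[1:]
        elif parts[0] == "proxy_pass":
            current["proxy_pass"].append(parts[1])
        elif parts[0] == "proxy_set_header" and len(parts) >= 3:
            current["headers"][parts[1]] = parts[2].strip("'\"")
    return records

if __name__ == "__main__":
    for vh in parse_vhosts(SAMPLE_CONF):
        print(vh["server_name"], "->", vh["proxy_pass"] or "local files", "websocket" if vh["websocket"] else "plain http")
```

Running it against a real `sites-enabled` directory gives a defender the same map the attacker builds by hand: which hostnames reach which internal ports, and which of them carry a WebSocket upgrade worth reviewing for authentication and input handling.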

We can proceed with enumeration of this host.
