HackTheBox - Soccer
Key Takeaways
Uses nmap and Gobuster to discover and exploit vulnerabilities on the Soccer box
Original Description
00:00 - Introduction
01:00 - Start of nmap, assuming the web app is NodeJS based upon a 404 message
04:20 - Running Gobuster and discovering Tiny File Manager
06:00 - Looking for the source code and finding a default password of admin@123
06:45 - Navigating to uploads and attempting to upload a php shell to the website
07:45 - Getting a reverse shell with our php shell
09:00 - Reverse shell returned
09:30 - Talking about hidepid=2 is set, so we can't see processes for other users
10:00 - Looking at nginx configuration to see what port 9091 is and discovering a new subdomain (soc-player.soccer.htb)
11:00 - Navigating to soc-player.soccer.htb and discovering a few more pages
12:00 - The /check endpoint looks like it is vulnerable to Boolean SQL Injection
13:00 - Intercepting the websocket in BurpSuite and showing
15:20 - Using SQLMap to dump the database, first time I've used SQLMap with websockets
23:30 - Attempting to ssh with creds found in the database and logging in as player
26:50 - Running LinPEAS
30:50 - Looks like we can run doas, which is like sudo. Looking at the command we can run and seeing dstat
33:30 - Creating a dstat plugin, then executing it with doas
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from IppSec · IppSec · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
HHC2016 - Analytics
IppSec
HackTheBox - October
IppSec
HackTheBox - Arctic
IppSec
HackTheBox - Brainfuck
IppSec
HackTheBox - Bank
IppSec
HackTheBox - Joker
IppSec
HackTheBox - Lazy
IppSec
Camp CTF 2015 - Bitterman
IppSec
HackTheBox - Devel
IppSec
Reversing Malicious Office Document (Macro) Emotet(?)
IppSec
HackTheBox - Granny and Grandpa
IppSec
HackTheBox - Pivoting Update: Granny and Grandpa
IppSec
HackTheBox - Optimum
IppSec
HackTheBox - Charon
IppSec
HackTheBox - Sneaky
IppSec
HackTheBox - Holiday
IppSec
HackTheBox - Europa
IppSec
Introduction to tmux
IppSec
HackTheBox - Blocky
IppSec
HackTheBox - Nineveh
IppSec
HackTheBox - Jail
IppSec
HackTheBox - Blue
IppSec
HackTheBox - Calamity
IppSec
HackTheBox - Shrek
IppSec
HackTheBox - Mirai
IppSec
HackTheBox - Shocker
IppSec
HackTheBox - Mantis
IppSec
HackTheBox - Node
IppSec
HackTheBox - Kotarak
IppSec
HackTheBox - Enterprise
IppSec
HackTheBox - Sense
IppSec
HackTheBox - Minion
IppSec
VulnHub - Sokar
IppSec
VulnHub - Pinkys Palace v2
IppSec
HackTheBox - Inception
IppSec
Vulnhub - Trollcave 1.2
IppSec
HackTheBox - Ariekei
IppSec
HackTheBox - Flux Capacitor
IppSec
HackTheBox - Jeeves
IppSec
HackTheBox - Tally
IppSec
HackTheBox - CrimeStoppers
IppSec
HackTheBox - Fulcrum
IppSec
HackTheBox - Chatterbox
IppSec
HackTheBox - Falafel
IppSec
How To Create Empire Modules
IppSec
HackTheBox - Nightmare
IppSec
HackTheBox - Nightmarev2 - Speed Run/Unintended Solutions
IppSec
HackTheBox - Bart
IppSec
HackTheBox - Aragog
IppSec
HackTheBox - Valentine
IppSec
HackTheBox - Silo
IppSec
HackTheBox - Rabbit
IppSec
HackTheBox - Celestial
IppSec
HackTheBox - Stratosphere
IppSec
HackTheBox - Poison
IppSec
HackTheBox - Canape
IppSec
HackTheBox - Olympus
IppSec
HackTheBox - Sunday
IppSec
HackTheBox - Fighter
IppSec
HackTheBox - Bounty
IppSec
Related Reads
📰
📰
📰
📰
Stop Getting Drained by CAPTCHAs: How to Calculate Usable Responses per GB (The Retry Multiplier Math)
Dev.to · proxyvero
5 HIPAA Violations Hiding in Your Next.js Healthcare App Right Now
Dev.to · Francosimon53
Node.js patches six permission bypasses; Zeta2 improves accuracy
Dev.to · The Dev Signal
Kali Linux In VirtualBox Installation Guide
Medium · Cybersecurity
Chapters (17)
Introduction
1:00
Start of nmap, assuming the web app is NodeJS based upon a 404 message
4:20
Running Gobuster and discovering Tiny File Manager
6:00
Looking for the source code and finding a default password of admin@123
6:45
Navigating to uploads and attempting to upload a php shell to the website
7:45
Getting a reverse shell with our php shell
9:00
Reverse shell returned
9:30
Talking about hidepid=2 is set, so we can't see processes for other users
10:00
Looking at nginx configuration to see what port 9091 is and discovering a new
11:00
Navigating to soc-player.soccer.htb and discovering a few more pages
12:00
The /check endpoint looks like it is vulnerable to Boolean SQL Injection
13:00
Intercepting the websocket in BurpSuite and showing
15:20
Using SQLMap to dump the database, first time I've used SQLMap with websockets
23:30
Attempting to ssh with creds found in the database and logging in as player
26:50
Running LinPEAS
30:50
Looks like we can run doas, which is like sudo. Looking at the command we can
33:30
Creating a dstat plugin, then executing it with doas
🎓
Tutor Explanation
DeepCamp AI