Soccer HTB

  • First of all, I scanned the IP.

  • Here we find the SSH and HTTP ports open, and we don’t have credentials to log into the SSH server.

  • Then I fuzz the URL to see which pages we can reach.

  • Then I add /tiny to the URL.

  • Then we find a login page, but we don’t have credentials, so let’s try to find the default credentials for that site.

    • Then I find that their GitHub repo has a default password.

  • After logging in as admin, I find that I can upload files, so let’s try to upload a PHP reverse shell.

    • It succeeds. Let’s set up a listener and request the reverse shell from its URL.

  • Here we succeed and get onto the machine, then stabilize the shell with: python -c 'import pty;pty.spawn("/bin/bash")'

  • Let’s enumerate the machine with linpeas.

  • I found that there is another subdomain; let’s add it to /etc/hosts to reach it in the browser.

  • Here we get in; this site provides services such as creating tickets for a match.

  • Then I try for SQLi and search for a script to get the request in my terminal.

  • Then I try multiple arguments with the sqlmap tool.

  • After we get credentials, try to log in to the SSH server with them.

    • After that I can read the user.txt file and get the flag.

  • Then I run linpeas on the machine for enumeration and find that I can write to the dstat directory, so let’s look at it.

  • You can learn more about dstat here: https://linux.die.net/man/1/dstat

  • After searching, I find a script that leads to privilege escalation and a way to exploit it. I put it in its path and execute it with doas.

  • **doas executes commands as other users according to the rules in the doas.conf configuration file. You can read about it at:** https://man.openbsd.org/doas.conf.5

    • Here I finished and got the root flag.
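
For the defensive side of the last step, this added example (not part of the original write-up) audits a doas.conf for a rule that runs a plugin-loading tool such as dstat while one of its plugin directories can be modified by unprivileged users. The user alice, the rule and the temporary paths are constructed samples; on a real host, pass the actual doas.conf and the plugin directories listed in the dstat man page.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit a doas rule for a
# plugin-loading tool whose plugin directory unprivileged users can modify.
TRUSTED_UID=${TRUSTED_UID:-0}   # assumption: only this uid should own plugin dirs

# Print "identity target command" for every permit rule in a doas.conf file.
doas_permit_rules() {
    awk '$1 == "permit" {
        id = ""; tgt = "(any)"; cmd = "(any)"
        for (i = 2; i <= NF; i++) {
            if ($i == "as") tgt = $(++i)
            else if ($i == "cmd") { cmd = $(++i); break }
            else if ($i == "setenv") { while (i < NF && $i !~ /[}]$/) i++ }
            else if ($i ~ /^(nopass|nolog|persist|keepenv)$/) continue
            else if (id == "") id = $i
        }
        print id, tgt, cmd
    }' "$1"
}

# Print each existing directory in "$@" that a user other than TRUSTED_UID can
# modify: wrong owner, or group- or world-writable.
unsafe_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -prune \( ! -user "$TRUSTED_UID" -o -perm -0020 -o -perm -0002 \) -print
    done
}

# Usage: audit_rule TOOL DOAS_CONF PLUGIN_DIR...
# Reports permit rules whose command basename is TOOL when a plugin directory
# is unsafe; returns 1 on a finding, 0 otherwise.
audit_rule() {
    tool=$1; conf=$2; shift 2
    bad=$(unsafe_dirs "$@" | tr '\n' ' ')
    [ -n "$bad" ] || return 0
    doas_permit_rules "$conf" | awk -v t="$tool" -v bad="$bad" '
        { n = split($3, p, "/") }
        p[n] == t { printf "FINDING: %s may run %s as %s; unsafe: %s\n", $1, $3, $2, bad; f = 1 }
        END { exit f + 0 }'
}

# Constructed sample: hypothetical user alice and a world-writable directory.
demo=$(mktemp -d)
mkdir "$demo/plugins" && chmod 0777 "$demo/plugins"
echo 'permit nopass alice as root cmd /usr/bin/dstat' > "$demo/doas.conf"
audit_rule dstat "$demo/doas.conf" "$demo/plugins" || echo "audit: tighten the directory or the rule"
rm -rf "$demo"
```

A finding is cleared either by making the plugin directory root-owned and not group- or world-writable, or by removing the doas rule.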
