{"id":237,"date":"2025-08-23T19:04:00","date_gmt":"2025-08-23T19:04:00","guid":{"rendered":"https:\/\/thecyberstaff.com\/?p=237"},"modified":"2025-12-28T19:12:27","modified_gmt":"2025-12-28T19:12:27","slug":"soccer-hackthebox-lab","status":"publish","type":"post","link":"https:\/\/thecyberstaff.com\/?p=237","title":{"rendered":"Soccer- Hackthebox lab"},"content":{"rendered":"\n

I began the engagement by performing a full TCP and UDP port scan with Nmap<\/strong> to identify open services running on the target. A SYN scan was used on all TCP ports for speed and stealth, while service detection and version enumeration were enabled to gather more detailed information. In parallel, a UDP scan was run against the most common ports to check for services that might not be visible over TCP.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

From the Nmap results, I identified a web service running on port 80<\/strong>. Since HackTheBox machines often rely on virtual hosts, I added the domain name soccer.htb<\/code> to my local \/etc\/hosts<\/code> file so I could properly resolve the webpage in a browser.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

With the main page loaded, I moved on to content discovery in case there were hidden paths or admin panels not linked directly on the site. I used Gobuster<\/strong> with a common wordlist (directory-list-2.3-medium.txt<\/code>) to enumerate directories. The scan revealed an interesting directory: \/tiny<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The \/tiny<\/code> directory revealed a TinyFileManager<\/strong> instance, a lightweight PHP-based file manager. Since these types of applications often ship with weak or publicly known default credentials, I checked the project\u2019s GitHub repository.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I found that the default login credentials are often: admin:admin@123<\/p>\n\n\n\n

Using these, I successfully authenticated to the file manager interface. Once inside, I explored the available directories and discovered I had permission to upload files.<\/p>\n\n\n\n

Reverse Shell Upload<\/h4>\n\n\n\n

To gain remote code execution, I generated a PHP reverse shell<\/strong> payload (using pentestmonkey\/php-reverse-shell.php<\/code> as a template) and uploaded it via the TinyFileManager interface.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

After pointing the shell\u2019s IP and port to my attacking machine, I set up a listener: nc -lvnp 4444<\/code><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Once I had a foothold on the system, I enumerated configuration files to uncover additional entry points. While reviewing the Nginx configuration<\/strong> in \/etc\/nginx\/sites-enabled\/<\/code>, I discovered a second virtual host: soc-player.soccer.htb<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

I added this new hostname to my \/etc\/hosts<\/code> file. Visiting this endpoint in the browser revealed a custom application that used WebSockets<\/strong> for client\u2013server communication.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n
\"\"<\/figure>\n\n\n\n

SQL Injection via WebSocket<\/h3>\n\n\n\n

During testing, I noticed user input was being sent through WebSocket requests to the backend. By intercepting the traffic (using Burp Suite<\/strong>), I confirmed that the WebSocket messages were not properly sanitized. Crafting malicious payloads allowed me to test for SQL Injection<\/strong>. Simple injection tests such as: \u2018 OR 1=1\u2013 revealed abnormal responses from the application, confirming that the backend database queries were injectable.<\/p>\n\n\n\n

This vulnerability provided a path to enumerate the underlying database and extract sensitive information through the WebSocket channel.<\/p>\n\n\n\n

Automating Blind SQL Injection over WebSockets<\/h3>\n\n\n\n

I came across a blog post by Rayhan0x01 that exactly addresses the challenge of exploiting blind SQL injection through WebSockets using SQLMap<\/strong>, by creating a middleware HTTP server to relay payloads. This method is ideal when traditional tools like SQLMap can\u2019t natively support the WebSocket protocol Rayhan0x01\u2019s Blog Post<\/a>.<\/p>\n\n\n\n

Reading the Approach<\/h4>\n\n\n\n
    \n
  1. Middleware Server Concept<\/strong>
    The idea is to stand up a simple HTTP server (e.g., in Python) that:\n
      \n
    • Receives SQLMap payloads via an HTTP GET parameter.<\/li>\n\n\n\n
    • Formats those payloads into the JSON expected by the WebSocket endpoint.<\/li>\n\n\n\n
    • Sends the payload over a WebSocket connection to the target application.<\/li>\n\n\n\n
    • Relays the response back to SQLMap through HTTP.
      This essentially \u201cbridges\u201d SQLMap to the WebSocket-based injection point.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n
      \"\"<\/figure>\n\n\n\n

      Database Enumeration with SQLMap<\/h3>\n\n\n\n

      With the WebSocket-to-HTTP relay server in place, I began enumerating the backend database using SQLMap<\/strong>. To keep the process fully automated, I ran with the --batch<\/code> flag.<\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      First, I enumerated the available databases:<\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      Next, I targeted the identified and dumped the database to extract its contents. SQLMap dumped several tables.<\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      Among them, a users<\/strong> table contained plaintext credentials. One set of credentials stood out, belonging to a player<\/strong> account:<\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      With the credentials for the player<\/strong> account recovered from the soccer_db<\/code> dump, I tested them against common remote access services on the target. Since Nmap had earlier confirmed that port 22 (SSH)<\/strong> was open, I attempted to authenticate over SSH.<\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      Once I had a foothold as the player<\/strong> user, I began enumerating privilege escalation paths. Alongside the usual checks (sudo -l<\/code>, kernel exploits, cron jobs, SUID binaries, etc.), I ran linpeas and found a vulnerability in the system configuration for doas<\/strong>, a minimal alternative to sudo<\/code> often used on BSD-style systems but occasionally present on Linux.<\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      Privilege Escalation \u2013 Abusing doas with dstat<\/h3>\n\n\n\n

      Unlike sudo<\/code>, doas is a simpler privilege management tool that can allow users to execute commands as other accounts. Checking its configuration revealed that the player<\/code> user could run \/usr\/bin\/dstat<\/code> as root.<\/p>\n\n\n\n

      dstat<\/code> supports loading custom Python plugins<\/strong> from \/usr\/local\/share\/dstat\/<\/code>. This presented a clear opportunity to execute arbitrary code as root by creating a malicious plugin.<\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      Crafting a Malicious dstat Plugin<\/h4>\n\n\n\n

      From the player<\/code> account, I created a Python plugin file (dstat_test2.py<\/code>) that modified permissions on \/bin\/bash<\/code> to set the SUID bit. Although the plugin threw a warning about a missing definition, it executed successfully and set the SUID bit on \/bin\/bash<\/code>. With \/bin\/bash<\/code> now running as root due to the SUID bit, I simply executed: \/bin\/bash -p<\/p>\n\n\n\n

      \"\"<\/figure>\n\n\n\n

      The command dropped me into a root shell fully compromising the box.<\/p>\n\n\n\n

      Exploitation Path<\/h4>\n\n\n\n
        \n
      • Enumeration of web service<\/li>\n\n\n\n
      • Exploiting TinyFileManager<\/li>\n\n\n\n
      • Pivot to soc-player.soccer.htb<\/code><\/li>\n\n\n\n
      • SQL injection over WebSockets \u2192 dumped soccer_db<\/code><\/li>\n\n\n\n
      • SSH access as player<\/strong><\/li>\n\n\n\n
      • Privilege escalation via malicious dstat<\/strong> plugin run with doas<\/code><\/li>\n\n\n\n
      • Root shell and full compromise<\/li>\n<\/ul>\n\n\n\n

        This machine highlights the importance of defense in depth<\/strong>: disabling or hardening default credentials, sanitizing user input (especially in WebSocket applications), and limiting file upload functionality are critical to reducing exposure. Administrators should audit privilege escalation vectors such as doas<\/code> or misconfigured applications like dstat<\/code>, restrict plugin paths, and regularly monitor for binaries with SUID permissions. Enforcing the principle of least privilege, keeping web applications updated, and applying secure coding practices would have mitigated every stage of this attack chain.<\/p>\n","protected":false},"excerpt":{"rendered":"

        I began the engagement by performing a full TCP and UDP port scan with Nmap to identify open services running on the target. A SYN scan was used on all TCP ports for speed and stealth, while service detection and version enumeration were enabled to gather more detailed information. In parallel, a […]<\/p>\n","protected":false},"author":1,"featured_media":238,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[],"class_list":["post-237","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-pentesting"],"brizy_media":[],"_links":{"self":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/237","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=237"}],"version-history":[{"count":2,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/237\/revisions"}],"predecessor-version":[{"id":385,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/posts\/237\/revisions\/385"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=\/wp\/v2\/media\/238"}],"wp:attachment":[{"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=237"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thecyberstaff.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}