Soccer Hack The Box Write-Up

Niharika Vijay, published in System Weakness, Feb 9, 2023

This CTF rewards thorough enumeration.

The initial nmap scan showed three open ports: 22/tcp (SSH), 80/tcp (HTTP), and 9091/tcp, the last of which appears to be custom.

If the website redirects you to “soccer.htb” on your first attempt to access it, update your hosts file.

The web page has no interactive elements when we navigate to it, and its source code doesn’t reveal anything either. So we enumerate further with Gobuster and the 2.3-medium wordlist, which eventually turns up the “/tiny” page.

Navigating to ‘/tiny’ shows the name ‘Tiny File Manager’. Looking this up, we can find its GitHub repository along with its default credentials.

Since the project description on GitHub indicates PHP as the language used, a PHP reverse shell will be used here. Make sure to modify the IPv4 address and port settings in it.

You will encounter a permission problem on your first attempt to upload the file to the website; you must use ‘./tiny/uploads/’ instead. Once the file has been uploaded, click on it and select “Open” from the context menu.

Enumeration-wise, I found nothing noteworthy apart from noting the “player” user’s home directory. However, because of the nmap results, I also looked for the Nginx sites, and in doing so, I made another fascinating discovery.

There is a new website now. The buttons for Match, Login, and Signup indicate that this one has more functionality. When we go to “Match,” we discover that we get a free ticket when we sign up.

After registering and logging in, you will see an input field to confirm the existence of the purchased ticket. This seems to point to SQLi.

Before testing this input for SQLi, I looked at the page’s source code and found a reference on how to enumerate the possible SQLi’s.
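
The ticket check described above, as an added example that is not part of the original write-up or the target site's code: a yes/no existence lookup built by string concatenation, beside the same lookup with input validation and a bound parameter. The `tickets` table, the function names, the sample rows and the use of SQLite are assumptions made for illustration.

```python
import re
import sqlite3

# Assumed schema and constructed sample data; the real site's database is not shown on the page.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, owner TEXT)")
    db.execute("INSERT INTO tickets VALUES (1001, 'demo-user')")
    return db

def ticket_exists_concat(db, user_input):
    """Weak form: the input is pasted into the SQL text, so it can change the query's logic."""
    query = "SELECT 1 FROM tickets WHERE id = " + user_input
    return db.execute(query).fetchone() is not None

def ticket_exists_bound(db, user_input):
    """Hardened form: reject anything that is not a short decimal id, then bind it as a parameter."""
    if not re.fullmatch(r"[0-9]{1,10}", user_input):
        return False
    row = db.execute("SELECT 1 FROM tickets WHERE id = ?", (int(user_input),)).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a valid id, an unknown id, and an unknown id with a tautology appended.
    for value in ("1001", "4242", "4242 OR 1=1"):
        print(f"{value!r:16} concat={ticket_exists_concat(db, value)} bound={ticket_exists_bound(db, value)}")
```

The concatenated version reports the unknown ticket as existing once the tautology is appended, while the bound version answers False for it.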
