# Nmap 7.92 scan initiated Sun Dec1819:35:402022as: nmap -vvv -sC -sV -oN nmap/soccer soccer.htb Nmap scan report for soccer.htb (10.129.88.250) Host is up, received reset ttl 63 (0.29s latency). Scanned at2022-12-1819:35:41 IST for73s Not shown: 997 closed tcp ports (reset) PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: |3072 ad:0d:84:a3:fd:cc:98:a4:78:fe:f9:49:15:da:e1:6d (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQChXu/2AxokRA9pcTIQx6HKyiO0odku5KmUpklDRNG+9sa6olMd4dSBq1d0rGtsO2rNJRLQUczml6+N5DcCasAZUShDrMnitsRvG54x8GrJyW4nIx4HOfXRTsNqImBadIJtvIww1L7H1DPzMZYJZj/oOwQHXvp85a2hMqMmoqsljtS/jO3tk7NUKA/8D5KuekSmw8m1pPEGybAZxlAYGu3KbasN66jmhf0ReHg3Vjx9e8FbHr3ksc/MimSMfRq0lIo5fJ7QAnbttM5ktuQqzvVjJmZ0+aL7ZeVewTXLmtkOxX9E5ldihtUFj8C6cQroX69LaaN/AXoEZWl/v1LWE5Qo1DEPrv7A6mIVZvWIM8/AqLpP8JWgAQevOtby5mpmhSxYXUgyii5xRAnvDWwkbwxhKcBIzVy4x5TXinVR7FrrwvKmNAG2t4lpDgmryBZ0YSgxgSAcHIBOglugehGZRHJC9C273hs44EToGCrHBY8n2flJe7OgbjEL8Il3SpfUEF0= |256 df:d6:a3:9f:68:26:9d:fc:7c:6a:0c:29:e9:61:f0:0c (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIy3gWUPD+EqFcmc0ngWeRLfCr68+uiuM59j9zrtLNRcLJSTJmlHUdcq25/esgeZkyQ0mr2RZ5gozpBd5yzpdzk= |25657:97:56:5d:ef:79:3c:2f:cb:db:35:ff:f1:7c:61:5c (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2Pj1mZ0q8u/E8K49Gezm3jguM3d8VyAYsX0QyaN6H/ 80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu) |_http-title: Soccer - Index | http-methods: |_ Supported Methods: GET HEAD |_http-server-header: nginx/1.18.0 (Ubuntu) 9091/tcp open xmltec-xmlmail? syn-ack ttl 63 | fingerprint-strings: | DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, RPCCheck, SSLSessionReq, drda, informix: | HTTP/1.1400 Bad Request | Connection: close | GetRequest: | HTTP/1.1404Not Found | Content-Security-Policy: default-src 'none' | X-Content-Type-Options: nosniff | Content-Type: text/html; charset=utf-8 | Content-Length: 139 |Date: Sun, 18Dec202214:06:23 GMT | Connection: close |<!DOCTYPE html> |<html lang="en"> |<head> |<meta charset="utf-8"> |<title>Error</title> |</head> |<body> |<pre>Cannot GET/</pre> |</body> |</html> | HTTPOptions: | HTTP/1.1404Not Found | Content-Security-Policy: default-src 'none' | X-Content-Type-Options: nosniff | Content-Type: text/html; charset=utf-8 | Content-Length: 143 |Date: Sun, 18Dec202214:06:23 GMT | Connection: close |<!DOCTYPE html> |<html lang="en"> |<head> |<meta charset="utf-8"> |<title>Error</title> |</head> |<body> |<pre>Cannot OPTIONS /</pre> |</body> |</html> | RTSPRequest: | HTTP/1.1404Not Found | Content-Security-Policy: default-src 'none' | X-Content-Type-Options: nosniff | Content-Type: text/html; charset=utf-8 | Content-Length: 143 |Date: Sun, 18Dec202214:06:24 GMT | Connection: close |<!DOCTYPE html> |<html lang="en"> |<head> |<meta charset="utf-8"> |<title>Error</title> |</head> |<body> |<pre>Cannot OPTIONS /</pre> |</body> |_ </html> 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port9091-TCP:V=7.92%I=7%D=12/18%Time=639F1E5D%P=x86_64-pc-linux-gnu%r(i SF:nformix,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\ SF:r\n\r\n")%r(drda,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\ SF:x20close\r\n\r\n")%r(GetRequest,168,"HTTP/1\.1\x20404\x20Not\x20Found\r SF:\nContent-Security-Policy:\x20default-src\x20'none'\r\nX-Content-Type-O SF:ptions:\x20nosniff\r\nContent-Type:\x20text/html;\x20charset=utf-8\r\nC SF:ontent-Length:\x20139\r\nDate:\x20Sun,\x2018\x20Dec\x202022\x2014:06:23 SF:\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lan SF:g=\"en\">\n<head>\n<meta\x20charset=\"utf-8\">\n<title>Error</title>\n< SF:/head>\n<body>\n<pre>Cannot\x20GET\x20/</pre>\n</body>\n</html>\n")%r(H SF:TTPOptions,16C,"HTTP/1\.1\x20404\x20Not\x20Found\r\nContent-Security-Po SF:licy:\x20default-src\x20'none'\r\nX-Content-Type-Options:\x20nosniff\r\ SF:nContent-Type:\x20text/html;\x20charset=utf-8\r\nContent-Length:\x20143 SF:\r\nDate:\x20Sun,\x2018\x20Dec\x202022\x2014:06:23\x20GMT\r\nConnection SF::\x20close\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n<m SF:eta\x20charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre> SF:Cannot\x20OPTIONS\x20/</pre>\n</body>\n</html>\n")%r(RTSPRequest,16C,"H SF:TTP/1\.1\x20404\x20Not\x20Found\r\nContent-Security-Policy:\x20default- SF:src\x20'none'\r\nX-Content-Type-Options:\x20nosniff\r\nContent-Type:\x2 SF:0text/html;\x20charset=utf-8\r\nContent-Length:\x20143\r\nDate:\x20Sun, SF:\x2018\x20Dec\x202022\x2014:06:24\x20GMT\r\nConnection:\x20close\r\n\r\ SF:n<!DOCTYPE\x20html>\n<html\x20lang=\"en\">\n<head>\n<meta\x20charset=\" SF:utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot\x20OPTIONS SF:\x20/</pre>\n</body>\n</html>\n")%r(RPCCheck,2F,"HTTP/1\.1\x20400\x20Ba SF:d\x20Request\r\nConnection:\x20close\r\n\r\n")%r(DNSVersionBindReqTCP,2 SF:F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n") SF:%r(DNSStatusRequestTCP,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConnec SF:tion:\x20close\r\n\r\n")%r(Help,2F,"HTTP/1\.1\x20400\x20Bad\x20Request\ SF:r\nConnection:\x20close\r\n\r\n")%r(SSLSessionReq,2F,"HTTP/1\.1\x20400\ SF:x20Bad\x20Request\r\nConnection:\x20close\r\n\r\n"); Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun Dec1819:36:542022-- 1 IP address (1 host up) scanned in 73.44 seconds
Web Enumeration
Running feroxbuster revil a directory tiny
Lets see what is tiny
Checking for default credential we find it to be admin:admin@123
lets try on the app and see what happens and that let us in.
Seeing the upload facility and tiny file manager being a php app lets upload a php shell and see what happen.
Lets execute it by opeing the endpoint
and we get a shell back
www-data -> player
Checking nginx config we find a subdomain as soc-player.soccer.htb
