SSH
A credential for the updated version of the soccer club web app, hosted on the soc-player.soccer.htb virtual host, has been exfiltrated via blind SQL injection. Given that the player user also exists as a valid system user, I will attempt to check for password reuse.
┌──(kali㉿kali)-[~/archive/htb/labs/soccer]
└─$ sshpass -p 'PlayerOftheMatch2022' ssh player@$IP
Welcome to Ubuntu 20.04.5 LTS (GNU/Linux 5.4.0-135-generic x86_64)
* documentation: https://help.ubuntu.com
* management: https://landscape.canonical.com
* support: https://ubuntu.com/advantage
system information as of tue dec 19 00:44:31 UTC 2023
system load: 1.29
usage of /: 77.2% of 3.84GB
memory usage: 35%
swap usage: 0%
processes: 233
users logged in: 0
ipv4 address for eth0: 10.10.11.194
ipv6 address for eth0: dead:beef::250:56ff:feb9:2727
0 updates can be applied immediately.
The list of available updates is more than a week old.
to check for new updates run: sudo apt update
last login: Tue Dec 13 07:29:10 2022 from 10.10.14.19
player@soccer:~$ whoami
player
player@soccer:~$ hostname
soccer
player@soccer:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.194 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:2727 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:2727 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:27:27 txqueuelen 1000 (Ethernet)
RX packets 3345526 bytes 585622262 (585.6 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3389222 bytes 1280025526 (1.2 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 14250 bytes 4173081 (4.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 14250 bytes 4173081 (4.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Lateral movement made to the player user via SSH.
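
From the defender's side, the condition that made this step work can be audited and monitored: a web app username that is also a login-capable system account, and an SSH session for it authenticated by password. The following is an added example, not part of the original write-up; the function names, the passwd excerpt and the auth log lines are constructed for illustration.

```python
import re

# Constructed sample inputs (not taken from the target host).
APP_USERS = ["player", "admin"]  # usernames stored in the web app's database
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
player:x:1001:1001::/home/player:/bin/bash
"""
AUTH_LOG = """\
Dec 19 00:44:29 soccer sshd[2101]: Accepted password for player from 192.0.2.10 port 51234 ssh2
Dec 19 00:50:02 soccer sshd[2188]: Accepted publickey for root from 192.0.2.20 port 40022 ssh2: ED25519 SHA256:placeholder
Dec 19 00:51:10 soccer sshd[2190]: Failed password for admin from 192.0.2.10 port 51300 ssh2
"""

NOLOGIN = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def shared_accounts(app_users, passwd_text):
    """App usernames that also exist as system accounts with a login shell."""
    system = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NOLOGIN:
            system.add(fields[0])
    return sorted(system & set(app_users))

def password_logins(auth_log_text, accounts):
    """(user, source) pairs where a shared account logged in over SSH by password."""
    hits = []
    for line in auth_log_text.splitlines():
        m = ACCEPTED.search(line)
        if m and m.group(1) == "password" and m.group(2) in accounts:
            hits.append((m.group(2), m.group(3)))
    return hits

if __name__ == "__main__":
    shared = shared_accounts(APP_USERS, PASSWD)
    print("accounts shared between app and OS:", shared)
    for user, src in password_logins(AUTH_LOG, shared):
        print(f"review: password SSH login for {user} from {src}")
```

Accounts returned by shared_accounts are the ones where a leaked application password can become a shell; moving them to key-only SSH authentication removes that path.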