<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Doas on appl3b0y</title>
    <link>https://appl3b0y.com/tags/doas/</link>
    <description>Recent content in Doas on appl3b0y</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Mon, 08 Jun 2026 00:00:00 +0000</lastBuildDate>
    <atom:link href="https://appl3b0y.com/tags/doas/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Soccer</title>
      <link>https://appl3b0y.com/writeups/soccer/</link>
      <pubDate>Mon, 08 Jun 2026 00:00:00 +0000</pubDate>
      <guid>https://appl3b0y.com/writeups/soccer/</guid>
      <description>&lt;h2 id=&#34;introduction&#34;&gt;Introduction&lt;/h2&gt;&#xA;&lt;p&gt;&lt;strong&gt;Soccer&lt;/strong&gt; is an easy Linux box that moves through three distinct users, and each hop teaches something different: a default-credentials web RCE, a SQL injection delivered over a &lt;strong&gt;WebSocket&lt;/strong&gt; (the part that makes this box memorable), and a &lt;code&gt;doas&lt;/code&gt;/&lt;code&gt;dstat&lt;/code&gt; plugin hijack for root.&lt;/p&gt;&#xA;&lt;p&gt;We start by finding a &lt;strong&gt;Tiny File Manager&lt;/strong&gt; install with the vendor&amp;rsquo;s default admin login, which gives an authenticated file upload and therefore a shell as &lt;code&gt;www-data&lt;/code&gt;. On the host, the nginx config points us to a second virtual host whose signup flow talks to a &lt;strong&gt;WebSocket on port 9091&lt;/strong&gt; (the odd port nmap could not fingerprint). That WebSocket takes a JSON &lt;code&gt;id&lt;/code&gt; straight into a query, so a blind SQL injection dumps the &lt;code&gt;player&lt;/code&gt; account&amp;rsquo;s password, which is reused for SSH. Finally, &lt;code&gt;player&lt;/code&gt; can run &lt;strong&gt;&lt;code&gt;dstat&lt;/code&gt; as root via &lt;code&gt;doas&lt;/code&gt;&lt;/strong&gt;, and &lt;code&gt;dstat&lt;/code&gt; loads Python plugins from a world-writable directory, so we drop a malicious plugin and it runs as root.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
