This box starts with a website that contains a subfolder named "/tiny", which hosts TinyFileManager version 2.4.3, vulnerable to CVE-2021-45010. Exploiting the vulnerability requires a valid user, so I proceed with a brute-force attack with the username set to admin. Once the password is found and the vulnerability exploited, I enumerate the whole system until I find the nginx vhosts, which reveal the "soc-player.soccer.htb" site. The site uses a WebSocket to communicate with the backend and is vulnerable to a blind SQL injection, which allows me to obtain player's credentials. Finally, to get root, I enumerate the system again until I find the dstat software, which allows player's group to write plugins in a specific folder. On its own, however, this does not give me root permissions; to get them, I have to enumerate the system again and find some binaries that are not usually installed, such as doas, whose configuration allows running dstat as root.