Unbalanced writeup | HackTheBox | by Darkrider88

 Enumeration:

Nmap scan:

nmap scan


There is an interesting port 873 running rsync.

Rsync enumeration:



Rsync is a most commonly used command for copying and synchronizing files and directories remotely as well as locally in Linux/Unix systems.

First I will try to list the files or folders inside it and dump all the files.

rsync -av rsync://unbalanced.htb/conf_bakcups ./rsync

enumerate rsync and dump all the files


There is an .encfs6.xml file in this folder which tells that encfs utility is used to encrypt all the files and folders.

Let us decrypt all the files

John:
There is script in john to extract the hash from .encfs6.xml.

Cracking the .encfs6.xml file 

$ locate ecnfs2john
$ sudo /usr/share/john/encfs2john.py ./rsync/ > encfs_hash
$ sudo john -wordlist=/usr/share/wordlists/rockyou.txt encfs_hash

Decrypt the rsync files and copy to other folder:

$ encfs ~/hackthebox/unbalanced/rsync/ ~/hackthebox/unbalanced/rsync_decrypted/


NOTE: rsync has encrypted file and rsync_decrypted is the empty folder.
And now we have a list of files.



I checked all the files but the real juice was in the squid.conf and that was quite obvious. So there I found a password and a new domain intranet.unbalanced.htb and some keywords like cache_mgr. So I searched for all of this and found a tool called Squidclient which could be used to access the proxy server or cache.

Squidclient:

$ squidclient  -h intranet.unbalanced.htb  -w 'Thah$Sh1' mgr:menu
output: 

squidclient -h hostname -w password mgr:menu

So I got the list of indices and I started to enumerate them one by one. just replace mgr:index 
and remaining command will be the same. The one index which stood out was fqdncache. 
On enumerating it I got

enumeration of squid proxy with squidclient

Now we are atleast getting something. 
I tried to access these domains but ofcourse they were not accessible because they are running on different IPs, but as we know Squid is a proxy and we need to access these domains with our proxy.

Enumerating sub domains:

Now add unbalanced.htb:3128 to foxy proxy, you can also add manually in the browser.
Then I tried to access these domain, remember to access all of these and enter their IP only.. and on all 3 IPs I got the same page.



Only one of them was valid for me it was 172.31.179.1
Enter something in the form and you will be presented with the message Invalid Credentials.
After testing a bit and asking for hints I got to know that there is a XPATH Injection in the form.

XPATH Injection testing

Reference: https://book.hacktricks.xyz/pentesting-web/xpath-injection
In the username field enter(with quotes): ' or true() or '
This will output all the usernames in systems. And we will do the same for extracting passwords.
I have made a script for this


Run the above script after getting all the usernames(change the usernames accordingly in the script)

User Flag:

So 'bryan' is our potential user and login with SSH. Grab the user flag and read TODO file.


The pi-hole service is running on port 8080 and I used ssh to forward this port on my local machine.

$ ssh -L 8080:localhost:8080 bryan@unbalanced

Opened it from a browser and tried most basic password 'admin' and I was in. Now I checked its version and found out public exploits. And there were quite a lot. I used this one https://github.com/team0se7en/CVE-2020-8816

I downloaded the binary and ran the exploit.


I got the reverse shell as www-data of docker container and after that little bit of enumeration and there was cleart text password in /root.
There is nothing much now.
                                                        - by DarkRider88

Comments

Post a Comment

Popular posts from this blog

THM: Blog Room Writeup

Image
Here is the link of this great room:  Blog by Nameless0ne . L et's start guys.. Enumeration First I ran the nmap scan: 1.First lets check out the Blog itself running on the port 80. From little enumeration we can say that this is a simple blog running on the Wordpress. 2. The blog contains a single post by a user named Karen Wheeler for Billy joel. 3. To enumerate the users on the blog I will be using WPscan.           wpscan --url blog.thm -e u This command will list all the users on the Blog, bjoel & kwheel. 4. Let's try to find out the password of these users using the same tool again.          wpscan -U username --password <pass file> -t 30 --password-attack wp-login --url blog.thm 5. Try to run your own command. It won't take long before the password pops. (hint: try Mom name) 6. After login into the wordpress I saw the user had very limited capabilities so there must be some other way to the shell or some k...
Read more

LOOKING GLASS Write-up | TryHackMe | by Valerie23

Image
LOOKING  GLASS: https://tryhackme.com /room/lookingglass   NMAP Starting with a simple nmap scan to see which ports are open and what services are running on these ports. Nmap scan results in a long list of open ports ranging from 9000 to 13783. And the ssh service is running on all these ports so lets try connecting to one of the Dropbear ports (for username - you can use any random name). When we try connecting to port 9000 it tells us to go " lower " which we cannot do since 9000 is the lowermost open port (apart from 22). And when we try connecting to the uppermost open port 13783 , it tell us to go higher which is again impossible. So now we visit tryhackme again and take the hint given in user flag which says "A looking glass is a mirror" . So the output messages are mirrored. When it prints "LOWER" we actually need to go higher and vice-versa. So lets try to find the real port while shrinking the range  ssh toii@10.10.128.154 -o StrictHostKeyCheckin...
Read more

GamingServer | TryHackMe | by Valerie23

Image
LINK TO THE ROOM:  GamingServer NMAP SCAN Let’s do nmap first and see what do we get. nmap -Pn -sV 10.10.159.106 The results come back showing : Port 22 & 80. Since we don't have any credentials lets enumerate port 80 first. GOBUSTER  Lets fireup a gobuster scan for finding hidden directories. gobuster dir -u http://10.10.159.106/ -w /usr/share/wordlists/dirb/common.txt -t 50 WEB ANALYSIS Visiting port 80. And checking its source code gives us a username. Lets visit some of the interesting directories that we found earlier from gobuster scan. /uploads It has a dictionary list that looks like a list of passwords. So we will just copy and paste the content into a new file. And now we are going to visit another directory /secret to find the secrets. Looks like a ssh key but encrypted. In order to decrypt the ssh key we first need to copy and paste it into a file then find its password. Used commands: locate ssh2john /usr/share/john/ssh2john.py sshkey > key_hash Now the fil...
Read more