Unbalanced writeup | HackTheBox | by Darkrider88

Enumeration:

Nmap scan:

[image: nmap scan]


There is an interesting port, 873, running rsync.

Rsync enumeration:



Rsync is a commonly used command for copying and synchronizing files and directories, both locally and remotely, on Linux/Unix systems.

First I will try to list the files and folders inside it and dump all of them.

rsync -av rsync://unbalanced.htb/conf_backups ./rsync

[image: enumerate rsync and dump all the files]


There is a .encfs6.xml file in this folder, which tells us that the EncFS utility was used to encrypt all the files and folders.

Let us decrypt all the files.

John:
There is a script shipped with John the Ripper that extracts a crackable hash from .encfs6.xml.

Cracking the .encfs6.xml file:

$ locate encfs2john
$ sudo /usr/share/john/encfs2john.py ./rsync/ > encfs_hash
$ sudo john --wordlist=/usr/share/wordlists/rockyou.txt encfs_hash

Decrypt the rsync files and copy to other folder:

$ encfs ~/hackthebox/unbalanced/rsync/ ~/hackthebox/unbalanced/rsync_decrypted/


NOTE: rsync contains the encrypted files and rsync_decrypted is an empty folder that EncFS mounts the decrypted view onto.
And now we have a list of files.



I checked all the files, but the real juice was in squid.conf, and that was quite obvious. There I found a password, a new domain intranet.unbalanced.htb and some keywords like cache_mgr. Searching for all of this led me to a tool called squidclient, which can be used to query the proxy server and its cache manager.

Squidclient:

$ squidclient -h intranet.unbalanced.htb -w 'Thah$Sh1' mgr:menu

Output (general form: squidclient -h hostname -w password mgr:menu):

[image: squidclient mgr:menu output]

So I got the list of indices and started to enumerate them one by one: just replace mgr:menu with mgr:<index>, and the rest of the command stays the same. The one index that stood out was fqdncache.
On enumerating it I got:

[image: enumeration of squid proxy with squidclient]

Now we are at least getting something.
I tried to access these domains, but of course they were not reachable directly because they resolve to IPs on a different network. Squid is a proxy, though, so we need to access these domains through it.
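Both things the writeup relies on here, a cache manager that answers to anyone holding the shared password and a proxy that relays an outside client into the intranet, come down to a few lines of squid.conf. The fragment below is an added example written for this post, not the box's actual configuration: it shows the weak shape of those settings next to a hardened version. The client range 172.31.179.0/24 is assumed from the intranet hosts mentioned above, and the placeholder stands in for whatever password ended up in the backup.

```conf
# --- Weak (the shape of what the writeup finds in squid.conf) ---------------
# One shared password unlocks every cache manager action, and the proxy
# relays to any destination for any client that can reach port 3128.
cachemgr_passwd <shared-password-that-ends-up-in-a-backup> all
http_access allow all

# --- Hardened ---------------------------------------------------------------
# Cache manager only from the proxy host itself; nobody else gets mgr: URLs,
# so a leaked password no longer exposes fqdncache, config and the rest.
http_access allow localhost manager
http_access deny manager
# Switch the most sensitive actions off outright: config prints the running
# configuration (passwords included), shutdown stops the proxy.
cachemgr_passwd disable config shutdown
# Only the intended internal client range may use the proxy (range assumed
# from the 172.31.179.x hosts in the writeup); everything else is refused.
acl localnet src 172.31.179.0/24
http_access allow localnet
http_access deny all
```

http_access rules are evaluated top down with first match winning, so the manager lines must come before the general allow. The manager ACL is predefined in Squid 3.2 and later; on older releases it has to be declared with a url_regex ACL first, so check the version on the host before copying this in.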

Enumerating subdomains:

Now add unbalanced.htb:3128 to FoxyProxy; you can also set it manually in the browser's proxy settings.
Then I tried to access these domains. Remember to try all of them and to enter only their IP address; on all 3 IPs I got the same page.



Only one of them was valid for me: 172.31.179.1.
Enter something in the form and you will be presented with the message "Invalid Credentials".
After testing a bit and asking for hints I learned that there is an XPath injection in the form.

[image: XPath injection testing]

Reference: https://book.hacktricks.xyz/pentesting-web/xpath-injection
In the username field enter (with quotes): ' or true() or '
This will output all the usernames in the system, and we will do the same to extract the passwords.
I have made a script for this.


Run the above script after getting all the usernames (change the usernames in the script accordingly).
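Why the ' or true() or ' probe works, and what the fix looks like on the server side, is easier to see in code than in the form. The Python below is an added example written for this post, not the writeup's script and not the intranet application's code. It assumes the login looks users up in an XML store with an XPath 1.0 expression of the shape shown (the Employee/Username/Password element names and the "login user=" log line format are constructed for the demo, and the probe regex is a heuristic, not a complete signature).

```python
import re

# Added example, not part of the writeup: a login lookup that splices form
# input into an XPath expression, the same lookup built safely, and a small
# triage check for the probe pattern in constructed log lines.


def build_login_query_unsafe(username, password):
    """Vulnerable pattern: input is concatenated into the expression, so a
    username such as ' or true() or ' rewrites the predicate logic."""
    return ("//Employee[Username/text()='" + username
            + "' and Password/text()='" + password + "']")


def xpath_string_literal(value):
    """Render `value` as an XPath 1.0 string literal.

    XPath 1.0 has no escape sequence inside a literal, so a value holding
    both quote kinds is emitted as concat() of single- and double-quoted
    pieces. Whatever the value contains, it can only ever compare as data."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    parts = []
    for piece in value.split("'"):
        if piece:
            parts.append("'" + piece + "'")
        parts.append("\"'\"")          # the single quote itself, double-quoted
    parts.pop()                        # drop the separator after the last piece
    return "concat(" + ", ".join(parts) + ")"


def build_login_query_safe(username, password):
    """Same lookup with both inputs emitted as literals."""
    return ("//Employee[Username/text()=" + xpath_string_literal(username)
            + " and Password/text()=" + xpath_string_literal(password) + "]")


# Heuristic (constructed for this example): a quote followed by a boolean
# operator, or an XPath function call such as true( or count(. Expect the
# odd false positive on names like d'or; tune before alerting on it.
_PROBE = re.compile(r"""['"]\s*(or|and)\b|\b(true|false|count|string-length)\(""",
                    re.IGNORECASE)


def looks_like_xpath_injection(value):
    """True when the submitted value matches the probe heuristic."""
    return bool(_PROBE.search(value))


def triage_login_attempts(lines):
    """Return the usernames from constructed 'login user=<...>' log lines that
    match the probe pattern; the kind of check that feeds a WAF rule or alert."""
    flagged = []
    for line in lines:
        m = re.search(r"user=(.*)$", line)
        if m and looks_like_xpath_injection(m.group(1)):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    probe = "' or true() or '"       # the input the writeup types into the form
    print("unsafe:", build_login_query_unsafe(probe, "x"))
    print("safe:  ", build_login_query_safe(probe, "x"))
    print(triage_login_attempts(["login user=bryan", "login user=" + probe]))
```

In the unsafe query the probe closes the literal and appends or true(), so the predicate matches every Employee node and the page leaks them all. In the safe query the same text becomes a double-quoted literal and only ever compares against the stored username. Where the XPath engine supports variable binding (lxml's xpath() does), binding the values is preferable to quoting them by hand.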

User Flag:

So 'bryan' is our potential user; log in with SSH, grab the user flag and read the TODO file.


The Pi-hole service is running on port 8080, and I used SSH to forward this port to my local machine.

$ ssh -L 8080:localhost:8080 bryan@unbalanced

I opened it in a browser, tried the most basic password 'admin', and I was in. Then I checked its version and found public exploits, quite a lot of them. I used this one: https://github.com/team0se7en/CVE-2020-8816

I downloaded the binary and ran the exploit.


I got a reverse shell as www-data in the Docker container, and after a little more enumeration there was a cleartext password in /root.
There is not much more to it.
- by DarkRider88
