HackTheBox Writeup — Unbalanced

Hello Guys , I am Faisal Husaini. My username on HTB is “feodore” . Also join me on discord.

The IP of this box is 10.10.10.200

Port Scan

We see 3 Open Ports , Port 22 for SSH , Port 873 for Rsync and Port 3128 for Squid

Way To User

We have a folder conf_backups and we try to see the contents of that folder

We downloaded the files to our local machine and see that the files are encypted but we dont know currently what encryption is being used

Checking the .encfs6.xml file shows us that the encryption being used here is EncFS 1.9.5

Since this encryption is password based, we need to crack the password in order to decrypt the file, there is a python script which converts the encryption to the format crackable with John and cracked the password , i.e, bubblegum

Now we decrypt the files and see that there are alot of config files, and the one interesting here is the squid.conf file since we have Squid installed on the machine

Checking the enabled configurations on this file, we see that we have a domain intranet.unbalanced.htb which we put on our hosts file and also we see cachemgr_passwd being used where we have the password as well as the cache object being used

Checking the domain through the Squid proxy settings on the web, we see a nice web page but nothing much here

Getting some more details from the Squid leads us to 2 more extra domains along with its IP

Checking both of the domains through the IP, it is same as the first domain which we got before where we couldn’t do anything as nothing was dynamic here

The intranet-host2.unbalanced.htb being the same as well

We didnt get anything interesting , but looking at the domains and the IP , we can conclude that there might be a intranet-host1.unbalanced.htb with the IP 172.31.179.1 and checking that we see it has been taken out due to security issues

Since every domain were redirecting to the intranet.php page, we can assume that this domain should be having the same page and indeed it had the same page but here the Employee login functionality was working and we tried multiple injections

After trying XPATH Injection , we got some results

We found some users, but we don’t have the password so we try to get the password but before that we need to be sure about the password length of each user which we do here by doing a word count on the request and the correct one gives the unique answer

So we automate the stuff using python scripting after knowing the password length to get the password

Connecting through the SSH with the leaked credentials, we get in as user bryan which has the user flag

Way To Root

There was a recently CVE for Pi-Hole whose exploit we download on our local machine and then run and get shell as www-data on docker container of Pi-Hole

The /root directory is readable to all and we see the pihole_config.sh file here on which we have a password

Using that password on root lets us in and we get root on the main machine and then can get the root flag

References

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover