Unbalanced — HackTheBox

y4th0ts
Dec 5, 2020

Summary

Unbalanced is a hard-rated Windows machine created by polarbearer & GibParadox. The initial foothold comes from downloading encrypted configuration files from the rsync service running on port 873. After decrypting the files with EncFS, hostnames are found through the squid configuration file. Boolean-based SQL injection is then used to gather user credentials for SSH authentication after reaching the discovered hostnames through the squid proxy service. Root privileges are gained by exploiting a code-execution vulnerability in a Pi-hole service listening locally and finding root's password in the Pi-hole config script.

Reconnaissance

Nmap discovered ports 22 (SSH), 873 (rsync), and 3128 (Squid HTTP proxy 4.6) on the target.

Accessing port 3128 in the browser displays the error "Requested URL could not be retrieved." I tried fuzzing it for directories and files but had no luck finding anything.

Initial Foothold

I went and checked what the rsync service is. I learned that rsync is used to copy files locally or remotely. After researching how to enumerate the service, I found a way to list and copy files from the target. I found conf_backups and downloaded it to my machine. The files seem to be encrypted, except for .encfs6.xml.

Examining .encfs6.xml gives me some information that can be used to figure out what I need to do next. One tag shows EncFS 1.9.5, which is probably the program used for encryption.

Upon researching EncFS, I found that it is indeed used for encrypting files. I came across an article that demonstrates how to extract the password hash from the encrypted filesystem and pass it to John the Ripper for password cracking.

Using encfs2john, I was able to extract the password hash in a form that John the Ripper understands.

Using John the Ripper with the encfs format, I cracked the hash and retrieved the password 'bubblegum'.

I used encfs to decrypt the files with the password I found. The decrypted directory contains a lot of configuration files, which I can now examine for additional information.

I used grep to reduce the amount of data I had to analyze. The following command prints the contents of every file while dropping any line that contains a '#', which removes the commented lines: grep -v '#' *. I found cachemgr_passwd : Thah$Sh1 in the squid.conf file.

I looked up squid proxy cache manager authentication online and found squidclient, a Linux command-line tool that can authenticate to the cache manager. I also found an article listing cache manager commands that can be used to enumerate further.

The mgr:menu displays a list of commands/pages that can be displayed with squidclient.

I used mgr:fqdncache to enumerate the host and found some hostnames that can be useful.

The FQDN cache is a Squid component that provides hostname-to-IP translation.

I set up the target's squid proxy in the FoxyProxy plugin on my browser to try accessing the hostnames.

Visiting 172.31.179.2 brings me to /intranet.php, which displays a login page. Trying SQL injection to bypass authentication did not work here. Accessing 172.31.179.3 displays the same page, and bypassing the authentication does not work there either.

SQL Injection

I tried going to 172.31.179.1, which is not listed in the fqdncache output from earlier, and found an interesting page. It displays the message 'Host temporarily taken out of load balancing for security maintenance.'

I tried accessing /intranet.php and it displayed a login page similar to the one on the other two hostnames, except that on this one I was able to perform SQL injection.

Bypassing the authentication only displays users and their roles.

Since I'm already accessing the pages through a proxy, I used a browser plugin to manipulate the requests instead of my normal go-to, which is Burp Suite.

After numerous experiments with SQL queries, I was able to find a query that I can use to exfiltrate user passwords. Boolean-based SQL injection is abused on this page. I chose bryan as my target since his role is System Administrator.

Notice that on this POST request, entering ' or Username='bryan' and substring(Password,1,1)='a in the Password parameter returns 'invalid credentials'.

The SUBSTRING function of the SQL query takes 3 parameters: SUBSTRING(string, start, length)
String: the value being queried, in our case the Password.
Start: the starting position, 1 being the first character.
Length: the number of characters taken from the starting position; 1 means only the first character from the starting position.

' or Username='bryan' and substring(Password,1,1)='a compares the character 'a' to the first character of bryan's password. That is not true, so it returns invalid credentials.

Meanwhile, on this one, ' or Username='bryan' and substring(Password,1,1)='i in the Password parameter returns bryan's information. This means that the first character of Bryan's password is 'i'.

I incremented the length of the password query by one to figure out the next character. After a few tests, I found the second character, which is 'r'.
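To make the oracle behaviour concrete, here is an added example (not code from the original writeup or from the box) that reproduces the two probes above against a constructed in-memory SQLite table: a string-built query of the kind the vulnerable intranet.php must be using, beside the same lookup with bound parameters. The table, column names, the fake password and the function names are assumptions; SQLite spells SUBSTRING as substr.

```python
import sqlite3

# Constructed sample data for this demonstration; not the box's real database.
# Passwords are stored in plaintext, which is what lets the SUBSTRING oracle
# leak them one character at a time.
SAMPLE_USERS = [
    ("bryan", "System Administrator", "iamnotreal"),
    ("alice", "Developer", "alsofake"),
]


def make_db():
    """Build the throwaway users table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (Username TEXT, Role TEXT, Password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """WHERE clause built by string formatting (the flaw behind the oracle).

    A Password value such as  ' or Username='bryan' and substr(Password,1,1)='i
    closes the literal and appends its own condition, so a row comes back only
    when the guessed character is right: one bit of information per request.
    """
    sql = ("SELECT Username, Role FROM users "
           f"WHERE Username='{username}' AND Password='{password}'")
    return conn.execute(sql).fetchall()


def login_fixed(conn, username, password):
    """Same lookup with bound parameters: the input is compared as a plain
    string value and can never change the query's logic."""
    sql = "SELECT Username, Role FROM users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchall()


# The two probes from the writeup, with SQLite's substr in place of SUBSTRING.
WRONG_GUESS = "' or Username='bryan' and substr(Password,1,1)='a"
RIGHT_GUESS = "' or Username='bryan' and substr(Password,1,1)='i"

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, wrong guess :", login_vulnerable(conn, "x", WRONG_GUESS))
    print("vulnerable, right guess :", login_vulnerable(conn, "x", RIGHT_GUESS))
    print("fixed, right guess      :", login_fixed(conn, "x", RIGHT_GUESS))
    print("fixed, real credentials :", login_fixed(conn, "bryan", "iamnotreal"))
```

Bound parameters close the injection; storing passwords hashed rather than in plaintext is the separate fix that keeps a leak from handing over reusable credentials for SSH.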

I wrote a Python script to automate this process and extracted all of the users' passwords from the database, in case I need them later on.

After a few minutes, I got all the passwords.

I logged in over SSH with Bryan's password 'ireallyl0vebubblegum!!!', got in successfully, and grabbed the user flag.

Accessing Pi-hole Service

In Bryan's home directory there is a file called 'TODO', which contains tasks about implementing a Pi-hole service in a Docker container locally. The creation of the configuration script is still in progress, so maybe it can be abused to escalate privileges.

Since netstat is not installed on the target machine, I used netcat to enumerate open ports listening locally. The results show two additional ports, 5553 and 8080.

Running curl localhost:8080 returns an error message: 'Invalid domain!'.

After adding a Host header to the curl command (with the -H flag), the response displays a Pi-hole page.

The response also shows a hostname and IP address.
pihole.unbalanced.htb / 172.31.11.3

Pi-Hole Code Execution

Accessing the page in my browser, configured with the target's squid proxy, shows the Pi-hole page and asks whether I meant to go to the admin panel.

Clicking the link redirects me to the admin panel.

Clicking login on the left panel brings me to the Pi-hole login page. A temporary admin password was mentioned in the TODO note earlier. Trying admin as the password worked.

Scrolling down to the bottom of the page exposes the Pi-hole version, which is 4.3.2. Further research showed that it is vulnerable to remote code execution, CVE-2020-8816. I found a GitHub repository that contains a proof of concept for it.

SSH Tunnel For Exploitation

Since the service is listening locally on the target machine, I created an SSH tunnel and performed the exploitation from my machine. Now I can access the service on my localhost on port 8001.

I started a netcat listener and ran the exploit, providing the URL, the password, my IP, and the port to connect back to. After executing the exploit, I received a shell as www-data.

Privilege Escalation

I downloaded linpeas.sh to enumerate the Docker container and found a couple of bash scripts that I can read in the root directory.

The pihole_config.sh contains a password for the web admin interface.

I tried to switch to the root user with the new password and it worked. The root flag is obtained after switching to root.

That is it for Unbalanced! Thank you for reading, stay safe, and have a good day!
