Introduction
Unbalanced is a (really) Hard CTF style box from HTB. It features a squid web proxy, some EncFS encrypted data, and a privilege escalation through Pi-Hole. This box definitely pushed me to my limit on my SQL Injection and python script knowledge. I begin every scan using AutoRecon:
After finishing the scans I notice that the typical ports 80/8080 are not open. Looking through my results I see that 3128 ‘Squid HTTP Proxy’ is open and so is 873, showing rsync. Carlos Polop, creator of some of the best enumeration scripts, also has an awesome resource for finding out information on ports HERE, called HackTricks. I use the list-only flag for rsync to see a conf_backups folder available. I pull conf_backups into my local directory.
I see a .encfs6.xml file in the directory. I read through HERE and HERE, which explain the decryption process, and use john to crack the hash.

EncFS decryption ‘encode’ and ‘decode’.

Using encfs2john to get the hash.

Password for the hash is bubblegum.
After cracking the password I read that you needed to (unfortunately) install encfs to decrypt (which I guess makes sense). I follow the guides HERE and HERE to do the install.
After decrypting all the data I use some command-line-fu to look through the files. This command removes the # lines (un-needed or not-enabled configuration items in most cases) and the white-space to give something to go through:

Intranet subdomain is discovered.

cachemgr_passwd
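The same kind of filtering, as an added example rather than the post's own one-liner: a POSIX shell script that strips comment and blank lines from a config backup and then flags directives carrying clear-text credentials (cachemgr_passwd being the one found here). The squid.conf fragment and its password value are constructed placeholders, not data from the box.

```shell
#!/bin/sh
# Constructed sample squid.conf fragment (not from the box): comment lines,
# blank lines and indented directives mixed the way a real backup looks.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
# Recommended minimum configuration:
#
acl localnet src 10.0.0.0/8

http_port 3128
   # indented comment line
cachemgr_passwd EXAMPLE_PLACEHOLDER all
# http_access deny all
EOF

# Print only the lines that actually take effect: trim leading/trailing
# whitespace, then drop lines that are empty or start with '#'.
active_config_lines() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v -e '^#' -e '^$'
}

# Among the active lines, pick out directives that carry credentials in
# clear text, so they are reviewed before a backup is ever shared or synced.
find_credential_directives() {
    active_config_lines "$1" \
        | grep -i -e '^cachemgr_passwd' -e '_passwd' -e 'password'
}

# Number of effective (non-comment, non-blank) lines in a config file.
count_active_lines() {
    active_config_lines "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: show what is live, then what needs attention.
active_config_lines "$SAMPLE_CONF"
echo "--- credential-bearing directives ---"
find_credential_directives "$SAMPLE_CONF"
```

Run it against every file under the pulled conf_backups directory with a `for f in ...` loop to get the same quick overview without reading the comments.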
Using the previously discovered open port 3128 ‘Squid HTTP Proxy’, I start up the squid service and put the IP into my FoxyProxy. I have run into the Squid web proxy service during my OSCP. For people new to it, I recommend reading THIS and THIS.

FoxyProxy Setup.

Employee Area
I visit the website through the squid proxy, which shows me an Employee Area page. I kick off a dirbuster and focus towards the cache manager password. I had squidclient previously installed but for those needing it, refer to the links above. Running the fqdncache command (Fully Qualified Domain Name Cache) shows me some additional hosts.
Visiting each host provides no additional results. Eventually I realize that the domains provided start at intranet-host2/intranet-host3. I try 172.31.179.1 and success: “Host temporarily taken out of load balancing for security maintenance.” This basically tells me, ‘this host has the form bypass or injection you’ve tried on every other site’.
I bypass the login with a standard bypass – ' or '1'='1. I take the users to begin doing a deeper dive. After failing to use Burp/SQLMap within squid I went the manual route. Using the add-on HTTP Header Live I eventually found the route to exfiltrate the needed passwords.


Whenever Bryan's name appears the letter of his password is correct.
Next was a super manual process and a little bit like playing Wheel of Fortune as a kid. Eventually I got the password for Bryan and logged in via SSH. I capped the user flag and noticed a TODO in the same directory.

Capping the user flag.
After reading the TODO list I became extremely happy for two reasons:
- I love Pi-Hole and suggest EVERYONE use it. Find out more HERE.
- I use and have used Pi-Hole for a long time and read up on it… a lot.

TODO List mentioning Pi-Hole.
After running LinPEAS and checking sudo -l I noticed an interface I had not previously seen on a different range, 172.31.11.3. Navigating to the page showed me the Pi-Hole UI. I tried the default password for Administrator (admin) and logged in.

Pi-Hole in all its glory!
Next, a quick search of Google helped me find this exploit HERE. Running it without issues required me to forward the Pi-Hole UI from local to my attack machine, as running the script locally kept failing.

Running the Pi-Hole exploit.
Again, as I am extremely familiar with Pi-Hole, I navigated to pihole_config.sh looking to see if an Admin Password had been set. Sure enough, it had.

The Root Password.
I used my open SSH session to su to root and cap the flag.

Root Flag