Official Unbalanced Discussion

Stuck on the login page, tried all the password combinations I had, looked for exploits, but couldn’t find anything. Any hints?

@OrkaThaHacker said:

Stuck on the login page, tried all the password combinations I had, looked for exploits, but couldn’t find anything. Any hints?

Possibly the wrong page. If you’ve found a vulnerable page, there is a way to do this. You almost certainly don’t have the right credentials or usernames unless you’ve found a way to make the page tell you this.

Then you need to use it somewhere else.

@TazWake said:

@OrkaThaHacker said:

Stuck on the login page, tried all the password combinations I had, looked for exploits, but couldn’t find anything. Any hints?

Possibly the wrong page. If you’ve found a vulnerable page, there is a way to do this. You almost certainly don’t have the right credentials or usernames unless you’ve found a way to make the page tell you this.

Then you need to use it somewhere else.

Hmm ok I’ll make something out of that, thanks!

@OrkaThaHacker said:

Hmm ok I’ll make something out of that, thanks!

If you’ve found the odd one out, it is definitely exploitable. You just need to experiment on possible exploits; when you find it, it is the path to progress this box.

Just now rooted. The user part was harder than the root. Learned some good stuff. Thanks for the box creator.

Scripting saves more time than firing Burp. My hints:

For User - If you see any unknown words or strings, Google it. The user is all about googling.
For System - See what services are running in the machine and it is straightforward.

I got the encrypted files, tried decrypting using en**s and it prompts for a password. I don’t know the password and am unable to find it. Can anyone provide a hint? Thanks!!

@gs4l said:

I got the encrypted files, tried decrypting using en**s and it prompts for a password. I don’t know the password and am unable to find it. Can anyone provide a hint? Thanks!!

Google is your friend here.

@gs4l said:

I got the encrypted files, tried decrypting using en**s and it prompts for a password. I don’t know the password and am unable to find it. Can anyone provide a hint? Thanks!!

One hint! What will you do if you have an SSH key encrypted with an unknown passphrase?

Awesome machine.

I learned some tricks about some vulnerabilities that I haven’t ever touched.

My hints:

User: Try to download everything and read the comments on the initial part previous to download. After that do some research about the other service. There is a file telling you some functions. After that enumerate other IPs and try all basic tests. There is a vulnerability that looks like a classic injection but is another kind of injection (very similar). Apply your scripting abilities or use Burp if you can and extract the info.

Root: Classic enumeration scripts will tell you something. Focus on interfaces very close (I got stuck here because I didn’t pay enough attention). Enumerate and search for an exploit. When you are in, just read files and that’s it.

I’ve crafted my own squidclient, the functionality of which is sufficient to go through the c****mgr enum stage. Someone may find it useful: GitHub - limitedeternity/squidclient: SquidClient. HTB Unbalanced edition.

I could use a slight nudge towards user. I’ve identified other IPs, and everyone keeps saying one is different, but they all look the same to me, right down to the php file they return. 2 and 3 are obviously different class Bs than 1 but I can’t find any material difference between any of them. I even tried looking at the 127s.

I did find a vulnerability on the internet but can’t seem to find an exploit for it.
I could use a small push forward, before I waste time trying to write a buffer overflow.

I don’t think you found the “other” IP. Think about the name of the box and what role the IPs are playing. Watch the traffic when you hit each IP.

@cyberpathogen said:

I could use a slight nudge towards user. I’ve identified other IPs, and everyone keeps saying one is different,

If you can’t find the odd one out, then you need to look more closely.

but they all look the same to me, right down to the php file they return. 2 and 3 are obviously different class Bs than 1

This makes me suspect you haven’t found the one you need.

but I can’t find any material difference between any of them. I even tried looking at the 127s.

If you look at what happens when you make a request, you will see that one is different than the others. This is the one to concentrate on.

I did find a vulnerability on the internet but can’t seem to find an exploit for it.
I could use a small push forward, before I waste time trying to write a buffer overflow.

I strongly suspect this is a rabbit hole. You haven’t found the IP you need to hit, so the exploitation path you are looking for may be at the wrong stage.

Thanks to the creators! Cool box!
Also thanks to BlindHero and Nimli for redirecting me onto the right learning path for user. This was totally new for me.

The thread has a lot of good hints already. So if you are stuck, feel free to send a PM; I’ll do my best to point you onto the right path.

@polarbearer & @GibParadox thanks so much for such a cool box. I think that this is the best box I’ve done so far.

I actually haven’t even gotten user yet but I’ve already had so much fun doing it!

The box is designed so well that it totally blows my mind. It almost feels like trying to own a small network. I wish all the boxes were done in such a way.

It is also very straightforward, not much stuff where to get lost.

Rooted the box. Was very nice.
There are plenty of hints here. Take it step by step and choose one IP to test your possible credentials (it returns different results, thus strange :smile: )

I do have a list of possible users, I also found a login page that I think is the right one. Not sure how to proceed from here, hints are welcome :slight_smile:
Really great box so far! Already learned a lot!

@yaagn said:

I do have a list of possible users, I also found a login page that I think is the right one. Not sure how to proceed from here, hints are welcome :slight_smile:
Really great box so far! Already learned a lot!

One address gives the correct login page to attack. If you have the users, you probably have the right one.

Normally you need at least two things to log into a system - a user name and something else. You need to get the something else. It’s a similar approach to getting usernames.

Edit to add - when you get a full set of things you need to login, think about where you want to use them.

Finally rooted, for me both the user and root were annoying. Learnt a lot from this box.
Thanks @limeternity for the heap of nudges.
This box is full of turns.
For User, get the files, get the password, read the file, 8 arms has all the answers. Look at how he is made and then you can get to the place you need to be at. There you just need to ask if something is true or not.
For root, go for the manual exploit or the script, whichever works for you.

PM if you need help.

I’m having trouble accessing the site. Anyone who can help? Already asked the htb for it but still no reply!