Official Unbalanced Discussion

‘J’en ai chié’ with this one!
Congrats to the creators and thanks @TazWake for your help.
As usual, there are plenty of comments but tbh I found most to be quite cryptic so I’m throwing in my 2 cents.
User: Use the service that is essentially a directory share to get some files. One of those is all you need to figure out the target. Once you get there, an injection vulnerability will give you both usernames and passwords (but not at the same time tho), and you have user.
Root: The easy part. The file on the user’s home literally tells you what to do. msf if you’re lazy.

Really fun box! I have learnt a few new things!!
Congrats @GibParadox and @polarbearer !!

A really enjoyable box with great learning opportunities, thank you @polarbearer and @GibParadox for helping me move forward.

Many thanks to @TakWake for seemingly everlasting patience. Very much appreciated.

My only tips on this box would be to not rush, see what you see, read more and type less. If I had spent more time reading and researching about what I saw I’d have found exploitation quicker and easier. Enumerate, enumerate, enumerate…

Really confused… I know I’m supposed to do some sort of injection exploit on the login page, but am not getting any responses whatsoever no matter what I type in. Is this an issue with the box or me? Or am I just going down a rabbit hole?

@Aydeen said:

Really confused… I know I’m supposed to do some sort of injection exploit on the login page, but am not getting any responses whatsoever no matter what I type in. Is this an issue with the box or me? Or am I just going down a rabbit hole?

You might be hitting the wrong login page.

This box was great. I learnt a lot
thanks again to @TazWake (i think he should be seriously going for beatification for his kindness) and to @trab3nd0 for the sanity checks.
foothold: enumerate…enumerate…enumerate. mind the gap: " is not ’
user: very funny…if you’re lucky like i am, you’ve already done something similar in the past, so you can simply adapt and reuse the code: it’s always a joy to see the string grow…
root: well, this is a simple yet original path…the hint is in there. just read and sploit it.

Stuck on finding the CIDRs, any tips will be appreciated :slight_smile:

@abogaida said:

Stuck on finding the CIDRs, any tips will be appreciated :slight_smile:

There is a client for the thing you need to query. You may have to install it though.

Once you install it, you can use the loot you find in the files to access the thing you need to query and get information such as this.

Finally:

root@unbalanced:~# id
uid=0(root) gid=0(root) groups=0(root)
root@unbalanced:~#

Thanks to @m1r3x for the bit of help! Thanks to the creators for such a good box, I got the opportunity to learn so much! Also the tips from this thread were pretty helpful for keeping my sanity :smiley:
Even if I spent some time on this machine, it was definitely worth it!
If anybody is looking for a little help, feel free to dm me!

Can someone help me, I can’t find the file which contains the info to foothold. I had downloaded all the files from the rsync, the day this box was released. Went through each of them for the 5th time now but can’t find anything useful. Maybe I don’t have the knowledge of something required to move forward and overlooking important things. I don’t know.

@gs4l said:

Can someone help me, I can’t find the file which contains the info to foothold. I had downloaded all the files from the rsync, the day this box was released. Went through each of them for the 5th time now but can’t find anything useful. Maybe I don’t have the knowledge of something required to move forward and overlooking important things. I don’t know.

You might be overlooking the important bit. Remember the things you are looking for can be spelt in a few different ways depending on how people shorten the word.

Do I have to bruteforce to decrypt hash files?

Edit: never mind, I got it

I have the sq***.conf, now what? any nudge?

root@unbalanced:/# id&&date
uid=0(root) gid=0(root) groups=0(root)
Tue 15 Sep 2020 12:49:50 PM EDT

Thanks @polarbearer and @GibParadox

very well designed and fun box!

@0xstain said:

I have the sq***.conf, now what? any nudge?

Use the information it contains. It will allow you to use a client for that server which gets very useful data.

Ah the bottomless sq***.conf file :joy:

well… I can’t do anything more. What do I do after getting the e**fs encrypted files? I need to break it? how?

@tBaD said:

well… I can’t do anything more. What do I do after getting the e**fs encrypted files? I need to break it? how?

Google it

How am I supposed to inject the command I need without Burp? I can’t feed it through both proxies.

Nvm… I swear every time I ask something I figure it out right after