Official Unbalanced Discussion

Interesting box because of the networking aspect to it. It can be confusing and it definitely adds a level of difficulty to figure out what’s going on, who talks to who, etc…
First time for me I had to use that special type of injection, and this caused me some trouble too.

So, I know it's not the ahem, regular type of attack that kinda works.

But what is a good way to test for/observe the different types?

I’d like to add some generic stuff to my regular testing routine but I don’t even know some sort of basic truth test that would be true in e.g. various flavors.

Just rooted. Awesome and very enjoyable box. Thanks @polarbearer and @GibParadox for this experience!

For the comments, I think there is more than one path to root. The one I took was very straightforward, just a little more enumeration after having gotten a shell for the second user.

The path to first user was the most difficult as others already said, but in the end I ended up with a nice script that I will definitely keep for the future.

@Salts said:
So, I know it's not the ahem, regular type of attack that kinda works.

But what is a good way to test for/observe the different types?

I’d like to add some generic stuff to my regular testing routine but I don’t even know some sort of basic truth test that would be true in e.g. various flavors.

Look for a kind of attack that is very similar to the one I think you are talking about. Google can return a few articles with examples that you can use and improve upon.

WOOO! I did it. The lag was so bad but it was worth it.

Hit a wall.

I got to the client, viewed all the things. Found some internal listings but no idea what to do next. Can someone point me in the right direction?

@BINtendo said:

Hit a wall.

I got to the client, viewed all the things. Found some internal listings but no idea what to do next. Can someone point me in the right direction?

Look at the internal listings. Does it look like something might be missing? If so, look at it directly to see if it is really missing.

Look at the internal listings. Does it look like something might be missing? If so, look at it directly to see if it is really missing.

@TazWake

Either I’m not looking in the right spot, or I don’t know enough about networking to realize what’s missing. I don’t see it. The subnet I’m seeing is outside of what I can talk to as far as I know.

@BINtendo said:

Either I’m not looking in the right spot, or I don’t know enough about networking to realize what’s missing. I don’t see it. The subnet I’m seeing is outside of what I can talk to as far as I know.

This is very difficult to explain further without spoilers so if you are really stuck drop me a message.

At a very high level, the tool you are using returns some information. If you read through it and focus on some of it, it might look like something is missing. This is important to note.

Next, it isn’t outside what you can talk to because the thing you got the information from will act as a gateway for you. Life is a lot easier if you use a browser.

So I found what I assume is the talkative page (the missing one) and can get it to give me 3 different answers, but can’t get it to tell me anything else. I’ve tried the usual thing, the other thing which isn’t just that thing, putting in the stuff that could be how the back end DB works and a circus act (it was a long shot), but I can’t get any love. Can someone DM me some good references for the real technique?
P.S. I suspect it is actually the second one of the things I tried and I’m probably getting the syntax just slightly wrong, but I can’t find a way to test that either.

Fun and challenging box. New skillz learned. Thanks to @m00ncake for a nudge.

This was an enjoyable box. Learned a new technique, developed a handy script for future use dumping similar data. Thanks @LMAY75 for the nudge along the correct path.

root@unbalanced:~# hostname
unbalanced
root@unbalanced:~# id
uid=0(root) gid=0(root) groups=0(root)
root@unbalanced:~# ip addr | awk '/10.10.10/ {print $2}'
10.10.10.200/24

Hi, I found a vulnerability for the version of sq*** that is running on the target. It is a vulnerability based on a buffer overflow present in the function H***Hea***::g**Au**() of the cache manager. I was wondering if anyone successfully exploited such a vulnerability, since it is known, but no public exploit is available. Is it a rabbit hole?

Thanks!

@AlPasta said:

Hi, I found a vulnerability for the version of sq*** that is running on the target. It is a vulnerability based on a buffer overflow present in the function H***Hea***::g**Au**() of the cache manager.

Good find, but the fact a vulnerability exists in the same version of the software doesn’t mean a vulnerability exists in this software. It might seem trivial but it is an important distinction.

I was wondering if anyone successfully exploited such a vulnerability, since it is known, but no public exploit is available. Is it a rabbit hole?

The lack of a public exploit makes it very unlikely this is the correct path.

@TazWake Thank you for your answer, I also thought it was very unlikely to be the intended path, but wanted to know if it would have been theoretically possible to exploit such a vulnerability. Seems like I will just continue to look for other clues! :smile:

Got root! User is nice. Root is easy.

Rooted.
Really nice box making you move from one thing to another with a lot of enumeration in the beginning and more custom exploitation in the end.
Learned a lot.
Thx @polarbearer, @GibParadox for the box and @TazWake for the hints!

If you need some nudge do not hesitate.

My first post here - this really was an awesome box, thanks to @polarbearer and @GibParadox! It totally felt like a small network and was so much fun!

Thanks to all the small nudges here that pushed me in the right direction whenever I left the right path or got stuck.

Finally rooted! This was a great box! I was flowing through it pretty easily until I hit the “talkative” page. Thanks @TazWake for the hint!

Finally got it!
Learnt a lot doing user. I wasn’t used to interacting with these services, so I acquired a lot of new knowledge and tools.
Last user step was a bit surprising, took me a long time to realize how to talk with that page… The forum put me on the right path at this time.

I found root to be less interesting, but I think the creator’s goal was to make it quick for us after having to deal with so many steps for user.

Great box overall!