Official Unbalanced Discussion

Fun and challenging box. New skillz learned. Thanks to @m00ncake for a nudge.

This was an enjoyable box. Learned a new technique, developed a handy script for future use dumping similar data. Thanks @LMAY75 for the nudge along the correct path.

root@unbalanced:~# hostname
unbalanced
root@unbalanced:~# id
uid=0(root) gid=0(root) groups=0(root)
root@unbalanced:~# ip addr | awk '/10.10.10/ {print $2}'
10.10.10.200/24

Hi, I found a vulnerability for the version of sq*** that is running on the target. It is a vulnerability based on a buffer overflow present in the function H***Hea***::g**Au**() of the cache manager. I was wondering if anyone successfully exploited such a vulnerability, since it is known, but no public exploit is available. Is it a rabbit hole ?

Thanks !

@AlPasta said:

Hi, I found a vulnerability for the version of sq*** that is running on the target. It is a vulnerability based on a buffer overflow present in the function HHea::gAu() of the cache manager.

Good find but the fact a vulnerability exists in the same version of the software, doesn’t mean a vulnerability exists in this software. It might seem trivial but it is an important distinction.

I was wondering if anyone successfully exploited such a vulnerability, since it is known, but no public exploit is available. Is it a rabbit hole ?

The lack of a public exploit makes it very unlikely this is the correct path.

@TazWake Thank you for your answer, I also thought it was very unlikely to be the intended path, but wanted to know if it would have been theoretically possible to exploit such a vulnerability. Seems like I will just continue to look for other clues ! :smile:

Got root! User is nice. Root is easy.

Rooted.
Really nice box making you move from one thing to another with lot of enumeration in the beginning and more custom exploitation in the end.
Learned a lot.
Thx @polarbearer, @GibParadox for the box and @TazWake for the hints !

If you need some nudge do not hesitate.

My first post here - this really was an awesome box, thanks to @polarbearer and @GibParadox! It totally felt like a small network and was so much fun!

Thanks to all the small nudges here that pushed me in the right direction whenever I left the right path or got stuck.

Finally rooted! This was a great box! I was flowing through it pretty easily until I hit the “talkative” page. Thanks @TazWake for the hint!

Finally got it!
Learnt a lot doing user. I wasn’t used to interacting with these services, so I acquired a lot of new knowledge and tools.
Last user step was a bit surprising, took me a long time to realize how to talk with that page… The forum put me on the right path at this time.

I found root to be less interesting, but I think the creator’s goal was to make it quick for us after having to deal with so many steps for user.

Great box overall!

Rooted. I’m in love with this box, thanks a lot to polarbearer & GibParadox !!!

I’m stuck as root…
I did the exploit to get in p***** I have a shell but I’m stuck in a c********…

I have the feeling that I’m missing something but I can’t figure out what it is…

Some hint would be appreciated

at root *

Rooted… I hate myself…

Very cool box, I’ve learnt a lot of things, the way I’ve found the *p is kinda scandalous

Spoiler Removed

got root… I don’t know, it was not THAT easy. I still had to dance around some CIDR and ports etc. The p* vulnerability, you really need to pay attention to it; it’s not a 1-shot exploit

just got the user. Wait for me, root!

and that’s awesome,
I have root but there is no root.txt

incorrect flag!
whyy?!!!

@in3vitab13 said:

incorrect flag!
whyy?!!!

This comes up on every thread about once a week (mostly Mondays). HTB uses dynamic hashes and sometimes they don’t work. The hashes should change after every reset and be different on different VPNs - this means that hashes should be used as soon as you get them, and that sometimes the process which registers the new hash in the scoring server will break.

If it is a box that is being hit with resets, it becomes imperative that the hash is used immediately as a reset will render it invalid.

Your choices are really:

  • Wait a while, repwn the box and get a working hash.
  • Report it to HTB via a jira ticket and get them to fix the problem.

This isn’t something that can be fixed by the forum or by tips from other users.