TUTORIAL tentacle DISCUSSION
by blurghadurgh - January 23, 2021 at 11:02 PM
#1
Starting a thread to discuss tentacle (no progress yet). It has a squid proxy, a kerberos service running and a BIND server. Trying to use the squid proxy gives us a username '[email protected]'. 

DNS enumeration reveals ns.realcorp.htb (internal address), but we can't access it.

Using the squid proxy fails without a valid username/password. Maybe brute forcing kerberos is the starting point?
#2
Ok
(January 23, 2021 at 11:02 PM)blurghadurgh Wrote: Starting a thread to discuss tentacle (no progress yet). It has a squid proxy, a kerberos service running and a BIND server. Trying to use the squid proxy gives us a username '[email protected]'. 

DNS enumeration reveals ns.realcorp.htb (internal address), but we can't access it.

Using the squid proxy fails without a valid username/password. Maybe brute forcing kerberos is the starting point?

Kerberoasting thinks
#3
wfuzz -t32 -z range,1-65535 -p '10.10.10.224:3128' --hc 503 http://localhost:FUZZ/
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://localhost:FUZZ/
Total requests: 65535

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000022:   200        2 L      5 W        57 Ch       "22"
000000088:   200        0 L      5 W        99 Ch       "88"
000000464:   200        0 L      4 W        96 Ch       "464"
000000953:   502        144 L    400 W      3676 Ch     "953"
000003128:   400        150 L    416 W      3546 Ch     "3128"
000000053:   502        142 L    387 W      3553 Ch     "53"

Total time: 0
Processed Requests: 13003
Filtered Requests: 12997
Requests/sec.: 0

This is what I get when I use the squid as a proxy in wfuzz. Also, the request smuggling vuln is here:
https://i.blackhat.com/USA-20/Wednesday/...lenges.pdf

Plus, we can see that there is a user j.nakazawa who has no preauth.

GetNPUsers.py -dc-ip REALCORP.HTB REALCORP.HTB/j.nakazawa -no-pass -format hashcat
gave me an uncrackable hash
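A server-side detection for the proxy port sweep shown in this post, as an added example that is not part of the thread: it parses Squid's native access.log format (the sample lines are constructed) and flags a client that reaches many distinct loopback/private ports through the proxy within a short window.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native access.log: ts elapsed client result/status bytes method url user hier/peer type
LINE_RE = re.compile(r"^(\d+\.\d+)\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)")

def is_internal(host):
    """Loopback or RFC1918 destination: reachable only because the proxy sits inside."""
    if host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # public hostname
    return ip.is_loopback or ip.is_private

def parse_line(line):
    """Return (timestamp, client, dest_host, dest_port) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url = m.groups()
    parts = urlsplit(url if "://" in url else "//" + url)  # CONNECT logs bare host:port
    port = parts.port or (443 if method == "CONNECT" else 80)
    return float(ts), client, parts.hostname or "", port

def find_port_scanners(lines, window=60.0, min_ports=10):
    """Map client -> sorted distinct internal ports when >= min_ports fall inside one window."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_internal(rec[2]):
            events[rec[1]].append((rec[0], rec[3]))
    hits = {}
    for client, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # slide the window start over each event
            ports = {p for t, p in evs[i:] if t - start <= window}
            if len(ports) >= min_ports:
                hits[client] = sorted(ports)
                break
    return hits

# Constructed sample: one client sweeping localhost ports 20-31, one ordinary browsing client.
SAMPLE_LOG = [f"1611440000.{i:03d} 12 10.10.14.5 TCP_MISS/503 3546 GET http://localhost:{p}/ - HIER_NONE/- text/html"
              for i, p in enumerate(range(20, 32))]
SAMPLE_LOG += ["1611440005.000 40 10.10.14.9 TCP_MISS/200 1256 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html",
               "1611440006.000 5 10.10.14.9 TCP_TUNNEL/200 0 CONNECT localhost:22 - HIER_DIRECT/127.0.0.1 -"]
```

`find_port_scanners(SAMPLE_LOG)` reports 10.10.14.5 with ports 20 through 31, while the single CONNECT to localhost:22 from the other client stays under the threshold.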
#4
(January 24, 2021 at 08:20 PM)lingling40hrs Wrote:
wfuzz -t32 -z range,1-65535 -p '10.10.10.224:3128' --hc 503 http://localhost:FUZZ/
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                        *
********************************************************

Target: http://localhost:FUZZ/
Total requests: 65535

=====================================================================
ID          Response  Lines    Word      Chars      Payload
=====================================================================

000000022:  200        2 L      5 W        57 Ch      "22"
000000088:  200        0 L      5 W        99 Ch      "88"
000000464:  200        0 L      4 W        96 Ch      "464"
000000953:  502        144 L    400 W      3676 Ch    "953"
000003128:  400        150 L    416 W      3546 Ch    "3128"
000000053:  502        142 L    387 W      3553 Ch    "53"

Total time: 0
Processed Requests: 13003
Filtered Requests: 12997
Requests/sec.: 0

This is what I get when I use the squid as a proxy in wfuzz. Also, the request smuggling vuln is here:
https://i.blackhat.com/USA-20/Wednesday/...lenges.pdf

Plus, we can see that there is a user j.nakazawa who has no preauth.

GetNPUsers.py -dc-ip REALCORP.HTB REALCORP.HTB/j.nakazawa -no-pass -format hashcat
gave me an uncrackable hash

The hash is a rabbit hole.
#5
Still only six users/roots on this box! It feels like we never see leaks/walkthroughs here until it hits about 100....
#6
I see there is a spike in people hitting user but not root so it looks like something is being shared . . .
#7
(January 25, 2021 at 07:55 PM)Buttmuncher Wrote: I see there is a spike in people hitting user but not root so it looks like something is being shared . . .
Chain 3 proxies together from what I heard. Working on it now.
#8
Also struggling with the proxies... If I make progress I will share it.
#9
edit
edit
edit
edit
edit
edit
edit
post removed
#10
(January 26, 2021 at 04:57 PM)osmanardanan Wrote: edit
edit
edit
edit
edit
edit
edit
post removed


any updates

post it here


Bumpppppppppppppppppppppppppppppppppppppppppp
#11
FUZZ FUZZ FUZZ Gentlemen, Find The Sub :D
#12
(January 26, 2021 at 06:22 PM)Hum12sa Wrote: FUZZ FUZZ FUZZ Gentlemen, Find The Sub :D
Found it, and more internal addresses, just not quite sure what to do with them. Enumerate more, it seems. I can help with the proxy chaining when I get this part sorted.