Possibly Related Threads…

blurghadurgh · January 23, 2021 at 11:02 PM

Starting a thread to discuss tentacle (no progress yet). It has a squid proxy, a kerberos service running and a BIND server. Trying to use the squid proxy gives us a username '[email protected]'.

DNS enumeration reveals ns.realcorp.htb (internal address), but we can't access it.

Using the squid proxy fails without a valid username/password. Maybe brute forcing kerberos is the starting point?

Kali76 · January 24, 2021 at 07:20 PM

Ok

(January 23, 2021 at 11:02 PM)blurghadurgh Wrote: Starting a thread to discuss tentacle (no progress yet). It has a squid proxy, a kerberos service running and a BIND server. Trying to use the squid proxy gives us a username '[email protected]'.

DNS enumeration reveals ns.realcorp.htb (internal address), but we can't access it.

Using the squid proxy fails without a valid username/password. Maybe brute forcing kerberos is the starting point?

Kerberoasting thinks

lingling40hrs · January 24, 2021 at 08:20 PM

wfuzz -t32 -z range,1-65535 -p '10.10.10.224:3128' --hc 503 http://localhost:FUZZ/

********************************************************

* Wfuzz 3.1.0 - The Web Fuzzer                         *

********************************************************

Target: http://localhost:FUZZ/

Total requests: 65535

=====================================================================

ID           Response   Lines    Word       Chars       Payload

=====================================================================

000000022:   200        2 L      5 W        57 Ch       "22"

000000088:   200        0 L      5 W        99 Ch       "88"

000000464:   200        0 L      4 W        96 Ch       "464"

000000953:   502        144 L    400 W      3676 Ch     "953"

000003128:   400        150 L    416 W      3546 Ch     "3128"

000000053:   502        142 L    387 W      3553 Ch     "53"

Total time: 0

Processed Requests: 13003

Filtered Requests: 12997

Requests/sec.: 0

This is when I use the squid as proxy in wfuzz to fuzz. Also, the vuln of request smuggling is here:
https://i.blackhat.com/USA-20/Wednesday/...lenges.pdf

plus, we can see that there is a user j.nakazawa which has no preauth.

GetNPUsers.py -dc-ip REALCORP.HTB REALCORP.HTB/j.nakazawa -no-pass -format hashcat

gave me an uncrackable hash

0xvijay · January 25, 2021 at 03:26 AM

(January 24, 2021 at 08:20 PM)lingling40hrs Wrote:
wfuzz -t32 -z range,1-65535 -p '10.10.10.224:3128' --hc 503 http://localhost:FUZZ/ ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ******************************************************** Target: http://localhost:FUZZ/ Total requests: 65535 ===================================================================== ID Response Lines Word Chars Payload ===================================================================== 000000022: 200 2 L 5 W 57 Ch "22" 000000088: 200 0 L 5 W 99 Ch "88" 000000464: 200 0 L 4 W 96 Ch "464" 000000953: 502 144 L 400 W 3676 Ch "953" 000003128: 400 150 L 416 W 3546 Ch "3128" 000000053: 502 142 L 387 W 3553 Ch "53" Total time: 0 Processed Requests: 13003 Filtered Requests: 12997 Requests/sec.: 0

This is when I use the squid as proxy in wfuzz to fuzz. Also, the vuln of request smuggling is here:
https://i.blackhat.com/USA-20/Wednesday/...lenges.pdf

plus, we can see that there is a user j.nakazawa which has no preauth.

GetNPUsers.py -dc-ip REALCORP.HTB REALCORP.HTB/j.nakazawa -no-pass -format hashcat
gave me an uncrackable hash

The hash is a rabbithole

Buttmuncher · January 25, 2021 at 11:14 AM

Still only six users/roots on this box! It feels like we never see leaks/walkthroughs here until it hits about 100....

Buttmuncher · January 25, 2021 at 07:55 PM

I see there is a spike in people hitting user but not root so it looks like something is being shared . . .

JustMeAndYou · January 25, 2021 at 08:29 PM

(January 25, 2021 at 07:55 PM)Buttmuncher Wrote: I see there is a spike in people hitting user but not root so it looks like something is being shared . . .

chain3 proxies together from what I heard. Working on it now.

thegrey1981 · January 25, 2021 at 09:57 PM

Also struggling with the proxies... If I make progress I will share it.

osmanardanan

edit
edit
edit
edit
edit
edit
edit
post removed

0xvijay · January 26, 2021 at 05:26 PM

(January 26, 2021 at 04:57 PM)osmanardanan Wrote: edit
edit
edit
edit
edit
edit
edit
post removed

any updates

post it here

Bumpppppppppppppppppppppppppppppppppppppppppp

Hum12sa · January 26, 2021 at 06:22 PM

FUZZ FUZZ FUZZ Gentlemen , Find The Sub :D

JustMeAndYou · January 27, 2021 at 11:47 AM

(January 26, 2021 at 06:22 PM)Hum12sa Wrote: FUZZ FUZZ FUZZ Gentlemen , Find The Sub :D

found it and more internal addresses just not quite sure as to what to do with them. Enumerate more it seems. I can help with the proxy chaining. When I get this part sorted.

Possibly Related Threads…
Thread	Author	Replies	Views	Last Post
TUTORIAL ATTENDED [DISCUSSION]	0xvijay	55	14,131	10 hours ago Last Post: sami92
TUTORIAL Weather App [Discussion]	n3m3n91	18	2,496	March 04, 2021 at 09:25 PM Last Post: loverboiz2403
TUTORIAL PWN Restaurant DISCUSSION	n3m3n91	1	417	March 04, 2021 at 02:56 AM Last Post: diceter