HackTheBox – Tentacle

00:00 – Intro
01:05 – Running nmap and giving it capabilities so we don’t need to use sudo
07:50 – Discovering an email on the SQUID Page
09:15 – Running GetNPUsers since Kerberos is running, end up getting a hash we can’t crack
11:50 – Attempting to enumerate DNS, coming up with nothing
12:45 – Using GoBuster to bruteforce DNS Names
11:50 – Using Curl to send requests through Squid to the new Domains
18:15 – Mistake here, swapped the IP Addresses 🙁
18:50 – Using ProxyChains to create a proxy through Squid
20:20 – Nmapping through our ProxyChains, need to use the -sT flag
23:30 – Enabling Quiet Mode of ProxyChains to make it less verbose
24:40 – Comparing nmap banners/version to see if these ports go to anything new
27:30 – Adding the third Squid Proxy and checking if we get anywhere else
29:00 – Downloading the wpad file to discover some new domains
30:50 – Using DNSRecon to perform a reverse lookup of a range of domains
38:00 – Running nmap against the new host to discover SMTP
41:40 – Running the Python OpenSMTPD Exploit Script CVE-2020-7247
48:15 – Troubleshooting payloads with the exploit
51:00 – Giving python the capability to listen on privileged ports, so we don’t need sudo with http.server
52:40 – Now my proxychains isn’t working… Turns out capabilities break proxychains?
56:44 – Shell on the box! Let’s run LinPEAS
1:02:15 – Finding the msmtprc file which contains a password
1:04:30 – Configuring our parrot box’s kerberos to connect to Tentacle’s KDC
1:08:20 – Running NTPQ / NTPDate to sync our time with the server
1:09:30 – Running kinit to generate a kerberos ticket that lets us into SSH
1:14:45 – SSH into the box as j.nakazawa then discovering a Cron that lets us write into ~admin
1:17:00 – After failing to put an SSH Key, putting a .k5login file which behaves similarly
1:21:50 – Running find to show files owned by the user/group of admin and discovering the KeyTab File
1:25:45 – Using the KeyTab file to become users in it, taking an admin cred to create a new root principal
1:27:25 – Box done, let’s explain what’s going on and what the “.local” binaries let you do if you root a KDC
1:30:00 – Creating a new Kerberos user, kerberoasting again to see if John The Ripper can crack it
1:33:55 – Showing what is in the KeyTab File and doing a bad job parsing it by hand
1:47:20 – Finding scripts to dump hashes out of KeyTab

by IppSec
