Saturday, October 5, 2024
Latest:
DNS Server linuxLinux serverNETWORK ADMINISTRATIONS

HackTheBox – Tentacle

00:00 – Intro
01:05 – Running nmap and giving it capabilities so we don’t need to use sudo
07:50 – Discovering an email on the SQUID Page
09:15 – Running GetNPUsers since Kerberos is running, end up getting a hash we can’t crack
11:50 – Attempting to enumerate DNS, coming up with nothing
12:45 – Using GoBuster to bruteforce DNS Names
11:50 – Using Curl to send requests through Squid to the new Domains
18:15 – Mistake here, swapped the IP Addresses 🙁
18:50 – Using ProxyChains to create a proxy through Squid
20:20 – Nmaping through our ProxyChains, need to use the -sT flag
23:30 – Enabling Quiet Mode of ProxyChains to make it less verbose
24:40 – Comparing nmap banners/version to see if these ports go to anything new
27:30 – Adding the third Squid Proxy and checking if we get anywhere else
29:00 – Downloading the wpad file to discover some new domains
30:50 – Using DNSRecon to perform a reverse lookup of a range of domains
38:00 – Running nmap against the new host to discover SMTP
41:40 – Running the Python OpenSMTPD Exploit Script CVE-2020-7247
48:15 – Troubleshooting payloads with the exploit
51:00 – Giving python the capability to listen on privilege ports, so we don’t need sudo with http.server
52:40 – Now my proxychains isn’t working… Turns out capabilities breaks proxychains?
56:44 – Shell on the box! Lets run LinPEAS
1:02:15 – Finding the msmtprc file which contains a password
1:04:30 – Configuring our parrot box’s kerberos to connect to Tentacle’s KDC
1:08:20 – Running NTPQ / NTPDate to sync our time with the server
1:09:30 – Running kinit to generate a kerberos ticket that lets us into SSH
1:14:45 – SSH into the box as j.nakazawa then discovering a Cron that lets us write into ~admin
1:17:00 – After failing to put an SSH Key, putting a .k5login file which behaves similiarly
1:21:50 – Running find to show files owned by the user/group of admin and discovering the KeyTab File
1:25:45 – Using the KeyTab file to become users in it, taking an admin cred to create a new root principal
1:27:25 – Box done, let’s explain whats going on and what the “.local” binaries let you do if you root a KDC
1:30:00 – Creating a new Kerberos user, kerberoasting again to see if John The Ripper can crack it
1:33:55 – Showing what is in the KeyTab File and doing a bad job parsing it by hand
1:47:20 – Finding scripts to dump hashes out of KeyTab

source

by IppSec

linux dns server

You May Also Like

Windows server 2019 Active Directory Tutorial for Beginners

Alice AUSTIN

Easily Manage Your Game Servers | Pterodactyl Installation Guide

Lynis – Open Source Security Auditing & Pentesting Tool In CentOS 7

Leave a Reply

Your email address will not be published. Required fields are marked *