HackTheBox - Tentacle

Name: HackTheBox - Tentacle
Uploaded: 2021-06-19T15:00:32Z
Channel: IppSec
Description: 00:00 - Intro 01:05 - Running nmap and giving it capabilities so we don't need to use sudo 07:50 - Discovering an email on the SQUID Page 09:15 - Runnin...

IppSec · Beginner ·🔐 Cybersecurity ·4y ago

00:00 - Intro 01:05 - Running nmap and giving it capabilities so we don't need to use sudo 07:50 - Discovering an email on the SQUID Page 09:15 - Running GetNPUsers since Kerberos is running, end up getting a hash we can't crack 11:50 - Attempting to enumerate DNS, coming up with nothing 12:45 - Using GoBuster to bruteforce DNS Names 11:50 - Using Curl to send requests through Squid to the new Domains 18:15 - Mistake here, swapped the IP Addresses :( 18:50 - Using ProxyChains to create a proxy through Squid 20:20 - Nmaping through our ProxyChains, need to use the -sT flag 23:30 - Enabling Quie…

Watch on YouTube ↗ (saves to browser)

Chapters (29)

Intro

1:05 Running nmap and giving it capabilities so we don't need to use sudo

7:50 Discovering an email on the SQUID Page

9:15 Running GetNPUsers since Kerberos is running, end up getting a hash we can't c

11:50 Attempting to enumerate DNS, coming up with nothing

12:45 Using GoBuster to bruteforce DNS Names

11:50 Using Curl to send requests through Squid to the new Domains

18:15 Mistake here, swapped the IP Addresses :(

18:50 Using ProxyChains to create a proxy through Squid

20:20 Nmaping through our ProxyChains, need to use the -sT flag

23:30 Enabling Quiet Mode of ProxyChains to make it less verbose

24:40 Comparing nmap banners/version to see if these ports go to anything new

27:30 Adding the third Squid Proxy and checking if we get anywhere else

29:00 Downloading the wpad file to discover some new domains

30:50 Using DNSRecon to perform a reverse lookup of a range of domains

38:00 Running nmap against the new host to discover SMTP

41:40 Running the Python OpenSMTPD Exploit Script CVE-2020-7247

48:15 Troubleshooting payloads with the exploit

51:00 Giving python the capability to listen on privilege ports, so we don't need su

52:40 Now my proxychains isn't working... Turns out capabilities breaks proxychains?

56:44 Shell on the box! Lets run LinPEAS

1:02:15 Finding the msmtprc file which contains a password

1:04:30 Configuring our parrot box's kerberos to connect to Tentacle's KDC

1:08:20 Running NTPQ / NTPDate to sync our time with the server

1:09:30 Running kinit to generate a kerberos ticket that lets us into SSH

1:14:45 SSH into the box as j.nakazawa then discovering a Cron that lets us write into

1:17:00 After failing to put an SSH Key, putting a .k5login file which behaves similia

1:21:50 Running find to show files owned by the user/group of admin and discovering th

1:25:45 Using the KeyTab file to become users in it, taking an admin cred to cre

Playlist

Uploads from IppSec · IppSec · 0 of 60

← Previous Next →