HackTheBox - Tentacle

00:00 - Intro 01:05 - Running nmap and giving it capabilities so we don't need to use sudo 07:50 - Discovering an email on the SQUID Page 09:15 - Running GetNPUsers since Kerberos is running, end up getting a hash we can't crack 11:50 - Attempting to enumerate DNS, coming up with nothing 12:45 - Using GoBuster to bruteforce DNS Names 11:50 - Using Curl to send requests through Squid to the new Domains 18:15 - Mistake here, swapped the IP Addresses :( 18:50 - Using ProxyChains to create a proxy through Squid 20:20 - Nmaping through our ProxyChains, need to use the -sT flag 23:30 - Enabling Quiet Mode of ProxyChains to make it less verbose 24:40 - Comparing nmap banners/version to see if these ports go to anything new 27:30 - Adding the third Squid Proxy and checking if we get anywhere else 29:00 - Downloading the wpad file to discover some new domains 30:50 - Using DNSRecon to perform a reverse lookup of a range of domains 38:00 - Running nmap against the new host to discover SMTP 41:40 - Running the Python OpenSMTPD Exploit Script CVE-2020-7247 48:15 - Troubleshooting payloads with the exploit 51:00 - Giving python the capability to listen on privilege ports, so we don't need sudo with http.server 52:40 - Now my proxychains isn't working... Turns out capabilities breaks proxychains? 56:44 - Shell on the box! Lets run LinPEAS 1:02:15 - Finding the msmtprc file which contains a password 1:04:30 - Configuring our parrot box's kerberos to connect to Tentacle's KDC 1:08:20 - Running NTPQ / NTPDate to sync our time with the server 1:09:30 - Running kinit to generate a kerberos ticket that lets us into SSH 1:14:45 - SSH into the box as j.nakazawa then discovering a Cron that lets us write into ~admin 1:17:00 - After failing to put an SSH Key, putting a .k5login file which behaves similiarly 1:21:50 - Running find to show files owned by the user/group of admin and discovering the KeyTab File 1:25:45 - Using the KeyTab file to become users in it, taking an admin cred to cre