Oh boy… I got sick reading the doggy docs.
Nice machine, thank you @polarbearer
Got root! Learned a lot about Kerberos)
Type your comment> @PencilNeck said:
Oh boy… I got sick reading the doggy docs.
Nice machine, thank you @polarbearer
rooted. really fun box that taught me a lot about the app it is named after, the main tool needed to exploit it, and finally the k dog. thanks @itsdafafo for a steer near the end.
great box @polarbearer!
pm if you need a nudge.
Type your comment> @camk said:
rooted. really fun box that taught me a lot about the app it is named after, the main tool needed to exploit it, and finally the k dog. thanks @itsdafafo for a steer near the end.
great box @polarbearer!
pm if you need a nudge.
this is a mad box… glad you rooted it! nice. ?
Rooted, i learned a lot. Pm me for hints.
Would someone help me understand why I can’t run gobuster through p*********s ? nmap works perfectly well (I found and nmap’ed w—.r-------.—) but gobuster keeps timing out. I tried writing my own script but it’s far from being as effective as gobuster (1h30 in and not even 20k requests sent ><).
@dragonista said:
Would someone help me understand why I can’t run gobuster through p*********s ? nmap works perfectly well (I found and nmap’ed w—.r-------.—) but gobuster keeps timing out. I tried writing my own script but it’s far from being as effective as gobuster (1h30 in and not even 20k requests sent ><).
No need for gobuster, here. Just try to imagine what might be served by that server 
Type your comment> @HomeSen said:
@dragonista said:
Would someone help me understand why I can’t run gobuster through p*********s ? nmap works perfectly well (I found and nmap’ed w—.r-------.—) but gobuster keeps timing out. I tried writing my own script but it’s far from being as effective as gobuster (1h30 in and not even 20k requests sent ><).
No need for gobuster, here. Just try to imagine what might be served by that server
Mmmh, okay, found it ! Well… I’d like to make gobuster run still, but at least I can move on 
Thanks !
I’m a bit stuck as well. I slapped some hashes for a while but no luck there. However, poking at names got me an internal IP, but I’m really not sure how I could route myself into that subnet. Any tips?
@thecog said:
I’m a bit stuck as well. I slapped some hashes for a while but no luck there. However, poking at names got me an internal IP, but I’m really not sure how I could route myself into that subnet. Any tips?
Use the services the system provides to you.
Phheeew… great box so far, but really confusing ^^
I’m a**** now, retrieved some hashes from k****b but I’m a bit lost for the next steps. Most of the docs I find talk about Windows.
If anyone has either an idea or a good article to send in my direction, that’d be awesome 
Edit : Rooted. I really enjoyed the beginning, I was new to this type of things. The privesc part had me crying 
Oh my lord, my first hard box !
Dude, never messed with almost any of this things but bit by bit i was able to progress (not fast, but progress at least). Took me a WHOLE week, but i assume that when familiar with the technologies is not something out of this world !
But, without any doubt, an awesome box to learn new stuff and it was fun!!
Foothold: Oh boy, the hardest is to reach there (might need to hop like a rabbit)
User: well, if you look carefully when landing you can see that only you are missing the trio party ! use what you found in clear
Root: Quite straightforward if you know how to move in the 3headK world
If you need help, just reach out to me and i’ll try to help you out in the best of my capabilities
I am adding the root p******** into the k***** but it gets removed after a short time which does not give me enough time to a**h
Got it. Seemed to be an issue of convolution.
Great box. Learned lots, thanks.
Before I do anything crazy like instrument and compile the exact version of s**** to figure out how todo c**** p***** or req**** sm*******. I would like to talk about my current thoughts. Just like what has already been discussed in this thread I also can hit all i******* s******* but nothing seems to talk h*** so an s*** seems unlikely. Who knows maybe my enum is bad and I missed something. So I guess PM me if your willing to provide a nudge.
well, I recently rooted this box. My enum is bad and I really should feel bad. Additionally, You have to be really specific with your interactions with this really picky underworld’s authentication gatekeeper.
I’m stuck at priv esc. I know I have to get a***n first but not getting anywhere. I already tried to crack the hashes. I also tried fiddling with that unusual s***pt which belongs to a***n. SOS!
Type your comment> @psychohamster said:
I’m stuck at priv esc. I know I have to get a***n first but not getting anywhere. I already tried to crack the hashes. I also tried fiddling with that unusual s***pt which belongs to a***n. SOS!
Send a PM if still looking for a privesc nudge
Tentactle and Crossfit are without a doubt my top 2 favorite HTB boxes, out of the 40 or so I have completed.
While Crossfit will always hold a special place in my heart because it took me about 5 days to cross the massive chasm between the user and the root flag, I still had a lot more fun doing Tentacle because the path through the machine felt realistic. Even the exploitable vulnerability at the end of that rainbow made sense; there are plenty of sad, forgotten machines out there that no one maintains and no one knows for sure if they still fulfil some type of niche function, yet can still be used as the keys to the kingdom.
Some additional notes that I hope wont be seen as spoilers:
- I distinctively recall encountering an issue caused by the default configuration of a specific well-known tool. If you feel you are on the right track, but for some reason cannot get the outcome you are expecting, I highly suggest you double check the corresponding config files. (The solution was not that easy to find. The relationship between the lines in the config and the executed command is not intuitive as it references only the current standard and not the particular implementation)
- The privesc has two steps. I wont say anything about the first portion, but the latter one involves a fundamental methodology that everyone on HTB is already familiar with, but just not in this way. i.e. if you have had no previous exposure to what’s at the center of this box, it may be difficult to quickly determine what is valuable and what’s not.
After a long time I was able to look at this again. Getting user was as hard as I remember it but working through the typical attack steps gets you there in the end:
Find things, look into the things, exploit the things.
Getting root was actually easier IMHO - by the time I’d got user, I’d read so much about the thing I was attacking, the attack made sense relatively quickly.