Official Tentacle Discussion

rooted. really fun box that taught me a lot about the app it is named after, the main tool needed to exploit it, and finally the k dog. thanks @itsdafafo for a steer near the end.

great box @polarbearer!

pm if you need a nudge.

@camk said:

rooted. really fun box that taught me a lot about the app it is named after, the main tool needed to exploit it, and finally the k dog. thanks @itsdafafo for a steer near the end.

great box @polarbearer!

pm if you need a nudge.

this is a mad box… glad you rooted it! nice.

Rooted, I learned a lot. PM me for hints.

Would someone help me understand why I can’t run gobuster through p*********s ? nmap works perfectly well (I found and nmap’ed w—.r-------.—) but gobuster keeps timing out. I tried writing my own script but it’s far from being as effective as gobuster (1h30 in and not even 20k requests sent ><).

@dragonista said:

Would someone help me understand why I can’t run gobuster through p*********s ? nmap works perfectly well (I found and nmap’ed w—.r-------.—) but gobuster keeps timing out. I tried writing my own script but it’s far from being as effective as gobuster (1h30 in and not even 20k requests sent ><).

No need for gobuster, here. Just try to imagine what might be served by that server :wink:

@HomeSen said:

@dragonista said:

Would someone help me understand why I can’t run gobuster through p*********s ? nmap works perfectly well (I found and nmap’ed w—.r-------.—) but gobuster keeps timing out. I tried writing my own script but it’s far from being as effective as gobuster (1h30 in and not even 20k requests sent ><).

No need for gobuster, here. Just try to imagine what might be served by that server :wink:

Mmmh, okay, found it ! Well… I’d like to make gobuster run still, but at least I can move on :open_mouth: Thanks !

I’m a bit stuck as well. I slapped some hashes for a while but no luck there. However, poking at names got me an internal IP, but I’m really not sure how I could route myself into that subnet. Any tips?

@thecog said:

I’m a bit stuck as well. I slapped some hashes for a while but no luck there. However, poking at names got me an internal IP, but I’m really not sure how I could route myself into that subnet. Any tips?

Use the services the system provides to you.

Phheeew… great box so far, but really confusing ^^
I’m a**** now, retrieved some hashes from k****b but I’m a bit lost for the next steps. Most of the docs I find talk about Windows.
If anyone has either an idea or a good article to send in my direction, that’d be awesome :slight_smile:

Edit: Rooted. I really enjoyed the beginning, I was new to this type of thing. The privesc part had me crying :smiley:

Oh my lord, my first hard box !

Dude, never messed with almost any of these things but bit by bit I was able to progress (not fast, but progress at least). Took me a WHOLE week, but I assume that when you are familiar with the technologies it is not something out of this world!

But, without any doubt, an awesome box to learn new stuff and it was fun!!

Foothold: Oh boy, the hardest is to reach there (might need to hop like a rabbit)
User: well, if you look carefully when landing you can see that only you are missing the trio party ! use what you found in clear
Root: Quite straightforward if you know how to move in the 3headK world

If you need help, just reach out to me and I’ll try to help you out to the best of my capabilities :slight_smile:

I am adding the root p******** into the k***** but it gets removed after a short time which does not give me enough time to a**h

Got it. Seemed to be an issue of convolution.
Great box. Learned lots, thanks.

Before I do anything crazy like instrument and compile the exact version of s**** to figure out how to do c**** p***** or req**** sm*******, I would like to talk about my current thoughts. Just like what has already been discussed in this thread, I also can hit all i******* s******* but nothing seems to talk h*** so an s*** seems unlikely. Who knows, maybe my enum is bad and I missed something. So I guess PM me if you’re willing to provide a nudge.

Well, I recently rooted this box. My enum is bad and I really should feel bad. Additionally, you have to be really specific with your interactions with this really picky underworld’s authentication gatekeeper.

I’m stuck at priv esc. I know I have to get a***n first but not getting anywhere. I already tried to crack the hashes. I also tried fiddling with that unusual s***pt which belongs to a***n. SOS!

@psychohamster said:

I’m stuck at priv esc. I know I have to get a***n first but not getting anywhere. I already tried to crack the hashes. I also tried fiddling with that unusual s***pt which belongs to a***n. SOS!


Send a PM if still looking for a privesc nudge


Tentacle and Crossfit are without a doubt my top 2 favorite HTB boxes, out of the 40 or so I have completed.
While Crossfit will always hold a special place in my heart because it took me about 5 days to cross the massive chasm between the user and the root flag, I still had a lot more fun doing Tentacle because the path through the machine felt realistic. Even the exploitable vulnerability at the end of that rainbow made sense; there are plenty of sad, forgotten machines out there that no one maintains and no one knows for sure if they still fulfil some type of niche function, yet can still be used as the keys to the kingdom.
Some additional notes that I hope won’t be seen as spoilers:
  1. I distinctly recall encountering an issue caused by the default configuration of a specific well-known tool. If you feel you are on the right track, but for some reason cannot get the outcome you are expecting, I highly suggest you double check the corresponding config files. (The solution was not that easy to find. The relationship between the lines in the config and the executed command is not intuitive as it references only the current standard and not the particular implementation.)

  2. The privesc has two steps. I won’t say anything about the first portion, but the latter one involves a fundamental methodology that everyone on HTB is already familiar with, but just not in this way. I.e. if you have had no previous exposure to what’s at the center of this box, it may be difficult to quickly determine what is valuable and what’s not.

After a long time I was able to look at this again. Getting user was as hard as I remember it but working through the typical attack steps gets you there in the end:
Find things, look into the things, exploit the things.

Getting root was actually easier IMHO - by the time I’d got user, I’d read so much about the thing I was attacking, the attack made sense relatively quickly.

Finally rooted. This honestly felt like an insane box to me.

Foothold: Look out for the rabbit holes. Keep enumerating and climb the chain.
User: If you really want to attend the show you must have the ticket!
Root: At this point you should have understood the main theme of the box. One lateral step and then point straight to the finish line (enumeration tool should point you into the right path). Don’t panic if you’re not really into mythology, Google will help you!

Thanks for the box!

Could someone give a hand on the foothold part? I’m stuck with w***.r*******.***. Don’t know how to get the needed file. IP is unreachable.

Guys, I have 2 questions. Can anyone please help me understand? I know the box is retired but I’m just curious.

Here is ippsec’s video link: HackTheBox - Tentacle - YouTube

At 1:32:45, we are already entering the password for that user while creating a principal name. So, it is extraneous to obtain the hash, right? Since we already know the password.
I know you are demonstrating whether we can crack the hash.

2nd question is “can we add any user without a password? For privesc! In peculiar situations”.
Example: Let’s say instead of “admin” we add “root” without a password. So can we obtain the hash for “root” using GetNPUsers.py, like we did for “admin”, or is it obligatory to enter a password for a user when adding to the database?