Sneaky — HTB walkthrough

Difficulty: Medium


TCP scan
Nmap UDP scan
SNMP: Simple Network Management Protocol, port 161
Output for the uninteresting ports is not included; UDP port 161 (SNMP) is the one that matters here.
Visiting the website's home page
/dev directory found. Confirmed the same using WFUZZ
Login option
Capturing the request in Burp and watching the response. Tried a little fuzzing of the user/pass fields
Reference strings
tried name=admin pass=' or 1=1#
Information before we start SNMP enumeration and exploitation
We get a successful login for Public, so the Public community string is present there
onesixtyone, a tool for enumerating port 161, detects the public and private community strings
sysName value for sneaky
This IPv6 value is shown in decimal and we need it in hex.
cat snmp-v6 and locate the hex address
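The decimal-to-hex step above, as an added example that is not part of the original post: a small Python parser for rows of IP-MIB::ipAddressIfIndex as printed by snmpwalk without MIBs loaded, which turns the decimal octet index into normal IPv4/IPv6 notation and separates routable IPv6 addresses from link-local ones. The walk output is constructed, and the function names are my own.

```python
import ipaddress
import re

# IP-MIB::ipAddressIfIndex (1.3.6.1.2.1.4.34.1.3). Walked without MIBs, each row
# index prints as <InetAddressType>.<length>.<octet>... in decimal, which is why
# the IPv6 address on Sneaky shows up as 16 decimal numbers rather than hex.
IP_ADDRESS_IF_INDEX = "1.3.6.1.2.1.4.34.1.3"
INET_TYPES = {1: (4, ipaddress.IPv4Address), 2: (16, ipaddress.IPv6Address)}
ROW_RE = re.compile(r"^\.?" + re.escape(IP_ADDRESS_IF_INDEX)
                    + r"\.(\d+)\.(\d+)\.([\d.]+)\s*=\s*INTEGER:\s*(\d+)\s*$")

# Constructed `snmpwalk -On` sample; not the box's real addresses.
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.34.1.3.1.4.10.10.10.20 = INTEGER: 2
.1.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.185.1.2 = INTEGER: 2
.1.3.6.1.2.1.4.34.1.3.2.16.222.173.190.239.0.0.0.0.2.80.86.255.254.185.1.2 = INTEGER: 2
.1.3.6.1.2.1.4.34.1.3.4.20.254.128.0.0.0.0.0.0.2.80.86.255.254.185.1.2.0.0.0.2 = INTEGER: 2
"""

def decode_index(addr_type, addr_len, octets):
    """Decode one decimal index into an ipaddress object; None for types we
    do not handle (e.g. ipv6z, type 4, carries a zone suffix) or bad lengths."""
    if addr_type not in INET_TYPES:
        return None
    expected_len, cls = INET_TYPES[addr_type]
    if addr_len != expected_len or len(octets) != expected_len:
        return None
    if any(not 0 <= o <= 255 for o in octets):
        return None
    return cls(bytes(octets))

def parse_ip_address_if_index(walk_text):
    """Return [(address, ifIndex)] for every decodable row of the walk."""
    rows = []
    for line in walk_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        octets = [int(o) for o in m.group(3).split(".")]
        addr = decode_index(int(m.group(1)), int(m.group(2)), octets)
        if addr is not None:
            rows.append((addr, int(m.group(4))))
    return rows

def global_v6(walk_text):
    """Routable (non link-local) IPv6 addresses the host has told us about:
    these are what needs to appear in your firewall rules and asset inventory."""
    return [str(a) for a, _ in parse_ip_address_if_index(walk_text)
            if a.version == 6 and not a.is_link_local]
```

Running `global_v6(SAMPLE_WALK)` on the constructed sample returns the single routable address; a read-only community string that anyone can guess hands out exactly this inventory, which is the real finding on this box.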


Note the way the hex IPv6 address is passed as the parameter.
Getting the user.txt flag


/usr/local/bin/chal is an executable file with the SUID bit set.
It uses strcpy, which performs no bounds check and is therefore exploitable.
Trying A's: first 350 of them, then 400
So, keeping length = 370, we create a pattern using the Metasploit Framework
Sending this as input to chal in GDB, we get a segmentation fault at 0x316d4130
EIP holds the same value as where we got the segmentation fault, so this is where our pattern landed in EIP
Exact match found at offset 362.
EIP overwritten with B's
Calculating the exact address of the 0x42424242 value on the stack: 0xff8b8fdc
Ignore further errors; just check whether the breakpoint hits
Make shellcode using msfvenom
Format:
The A's land at address 0xbffff56c
Modifying our EIP to 0xbffff56c; running this again
First occurrence of the 0x90s (NOPs) in EIP
Here we see the 0x90s resume after a gap in ESP. Those gaps are probably caused by bad chars
In GDB, choosing EIP: 0xbffff7a0
On our machine we see a reverse shell spawned
After getting this EIP, I came out of GDB and ran chal from Thrasivoulos's home directory
Dhanishtha Awasthi