SneakyMailer — HTB Walkthrough

Dhanishtha Awasthi
7 min read · Jan 16, 2021


What? Another part of the Sneaky HTB box? Maybe. But it was fun to solve: real-life phishing attack practice. The user part was definitely a level up. Let’s start.

ENUMERATION

A full nmap scan of all TCP ports reveals the following:

PORT 21 FTP Enumeration

- anonymous login failed

PORT 80 HTTP ENUMERATION

Visiting website

Add to /etc/hosts

We get three pieces of information:

- pip install can install Python modules on the server

- we have to read mails for further exploitation

- we get some usernames from the Teams and Messages sections

Viewing the page source we can see the messages.

Teams

The images above show the list of all emails and users we got from the HTTP page.

Normal enumeration like directory busting gave us nothing of importance.

Failed approaches:

1) I got nothing on HTTP with gobuster etc.

2) I tried SMTP enumeration. It would basically mean feeding in a username list and testing which users exist; that won’t be of much use, I guess, because we already have the users from the HTTP port.

3) IMAP: to read mails I need to log in as some user, and I don’t have the creds of any user so far.

4) FTP anonymous login failed :(

Now what can we do? This box asks us to think logically. What about email harvesting and a phishing attempt? We have already harvested emails through the port 80 HTTP enumeration, so we can now try to send some phishing mails. Let’s see how.

PORT 25 SMTP ENUMERATION

First of all, let’s collect a list of emails and a list of users separately.

EXPLOITATION

We will use swaks (it can be downloaded from GitHub) to send the mails. First, start a netcat listener on port 80. We will send a phishing mail to the users, asking them to click a link that points to our IP; if even a single one clicks, we may get something juicy.

and so on.

On the netcat listener on port 80 we can see that the user Paul got back to us:

URL-encoded username and password

Username : Paul && Password: ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

I used the Evolution mail client on Kali to read the mails.

Set up Evolution by signing in as paul, using his email and the password we just got, to read his mails.

Mails

Hello administrator, I want to change this password for the developer account. Username: developer && Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C ;Please notify me when you do it

Another mail is about Python and PyPI.

The developer password we got worked for FTP.

FTP Enumeration

Log in to FTP using the above username and password.

Register.php

I initially thought of registering as a user via a curl request, but we don’t have to do that. It is a rabbit hole.

Then what? Can we upload files to the server using PUT? I used the php-reverse-shell from pentestmonkey.

But where do we access it? Time for subdomain and directory busting. We have already busted directories, so we can look for subdomains.

Fuzzing subdomains with wfuzz, I got dev.sneakycorp.htb.

On browser.
On netcat

POST EXPLOITATION

Now that we are www-data, it’s time to get user.

Let’s enumerate. We already know what is in dev.sneakycorp.htb (the same content we saw over FTP); now we also see pypi.sneakycorp.htb, something new.

Username: pypi

Password hash : $apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/

This is an Apache apr1 (htpasswd MD5) hash; let’s crack it using hashcat.

pypi:soufianeelhaoui

Let’s see what is happening on port 8080, which was open.

Lots of connections on localhost:8080. Also, on visiting pypi.sneakycorp.htb:8080/, I see

When I tried to access packages, I saw that we need to authenticate as the user pypi.

Let’s use the creds we have.

It seems no package is there. Same with “simple”.

https://packaging.python.org/tutorials/packaging-projects/#generating-distribution-archives

https://www.linode.com/docs/applications/project-management/how-to-create-a-private-python-package-repository/

Let’s create a package in the tmp directory.

Nano and vi did not work, so I made these files on my system and fetched them with wget.

First create an SSH key pair so that you can SSH into low using your private key.

wget all the files under sample_package. The contents must look like this:

/README.md and /setup.cfg

/setup.py and /sample_package/__init__.py

Now that our package is ready, we need to deploy it.

1) Build a source distribution with sdist.

2) Create a .pypirc in the HOME folder.

For this, first export HOME as /tmp/sample_package: the requirement of .pypirc is that it must be in the user’s home folder. Then wget the file as with the previous ones.

We see that our key has been added to low’s home directory.

SSH into low.
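The step above works because pip runs a package’s setup.py with the privileges of whoever installs it, so anything uploaded to the internal PyPI index is code that will execute on the host that pulls it. As an added example (not code from this walkthrough), here is a small pre-install triage script a defender could run over an sdist before letting it onto an index: it unpacks the tarball in memory and walks setup.py’s AST for install-time hooks, shell calls and file writes. The two setup.py samples are constructed for the demo; the hooked one uses the standard setuptools cmdclass pattern and only writes a marker file.

```python
"""Static triage of a Python source distribution (sdist) before installing it.

pip runs setup.py with the privileges of whoever runs `pip install`, so a
package pulled from an internal index is arbitrary code. This scanner is an
added example (not part of the walkthrough): it unpacks an sdist tarball and
walks setup.py's AST for the calls an installer has no business making.
"""
import ast
import io
import tarfile
from typing import List

# Call targets that should not appear in a packaging script.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "os.spawnl", "subprocess.run", "subprocess.call",
    "subprocess.Popen", "subprocess.check_output", "eval", "exec",
    "urllib.request.urlopen", "socket.socket", "os.chmod", "shutil.copy",
}
WRITE_MODES = ("w", "a", "x")


def _dotted(node: ast.AST) -> str:
    """Render a call target such as os.system or subprocess.Popen as a string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return ""


def scan_setup_py(source: str) -> List[str]:
    """Return human-readable findings for one setup.py source text."""
    findings = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: call to {name}")
            elif name == "open":
                # open(path, "w"/"a"/"x") writes to disk during install
                mode = ""
                if len(node.args) > 1 and isinstance(node.args[1], ast.Constant):
                    mode = str(node.args[1].value)
                for kw in node.keywords:
                    if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
                        mode = str(kw.value.value)
                if mode.startswith(WRITE_MODES):
                    findings.append(f"line {node.lineno}: open() for writing")
        elif isinstance(node, ast.ClassDef):
            # Subclassing the install/develop/egg_info commands is the
            # classic place to hang code that runs at install time.
            for base in node.bases:
                if _dotted(base).endswith(("install", "develop", "egg_info")):
                    findings.append(f"line {node.lineno}: custom {_dotted(base)} command class")
    return findings


def scan_sdist(tar_bytes: bytes) -> List[str]:
    """Open an sdist (.tar.gz) from memory and scan every setup.py inside."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.split("/")[-1] == "setup.py":
                src = tar.extractfile(member).read().decode("utf-8", "replace")
                findings.extend(f"{member.name}: {f}" for f in scan_setup_py(src))
    return findings


def build_sdist(setup_py: str, name: str = "sample_package-0.1") -> bytes:
    """Construct a minimal in-memory sdist so the example runs offline."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py.encode()
        info = tarfile.TarInfo(name=f"{name}/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a benign setup.py and one with an install-time hook.
BENIGN_SETUP = """\
from setuptools import setup
setup(name="sample_package", version="0.1", packages=["sample_package"])
"""

HOOKED_SETUP = """\
import os
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        os.system("id > /tmp/installed_as")
        with open(os.path.expanduser("~/.marker"), "w") as fh:
            fh.write("installed")

setup(name="sample_package", version="0.1", cmdclass={"install": PostInstall})
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("hooked", HOOKED_SETUP)):
        print(label, scan_sdist(build_sdist(src)) or "clean")
```

The scanner is deliberately conservative: a custom install command class is reported even when its body looks harmless, because that is exactly where install-time behaviour lives. Run it against a real sdist with `scan_sdist(open("pkg.tar.gz", "rb").read())`; anything flagged should be read by a human before the package is published to the index.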

User flag captured.

PRIVILEGE ESCALATION

The easiest part of the whole machine was escalating privileges.

We can exploit sudo on pip using GTFOBins.

After thinking a lot, I saw that we can run pip3, not pip, with sudo.
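The reason this works is that `sudo pip3 install` runs the installed package’s setup.py as root, so a sudo rule for pip3 is root-equivalent. As an added example (not code from this walkthrough), here is a small audit script that parses sudoers-style rules and flags commands that execute code they are handed: interpreters, package managers and editors. The sudoers text is constructed for the demo, and the user name low is only used because it is the low-privileged user on this box.

```python
"""Audit sudoers rules for commands that execute whatever code they are given.

`sudo pip3 install <package>` runs that package's setup.py as root, so a rule
allowing pip3 under sudo is equivalent to handing the user a root shell. This
is an added example (not from the walkthrough); the sudoers text below is a
constructed sample, not the box's real configuration.
"""
import re
from typing import Dict, List

# Binaries that run attacker-chosen code when invoked via sudo (GTFOBins-style).
CODE_EXECUTING = {"pip", "pip3", "python", "python3", "perl", "ruby", "node",
                  "npm", "bash", "sh", "vim", "vi", "less", "find", "awk", "env"}

# user  host = (runas) TAG: command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text: str) -> List[Dict[str, object]]:
    """Split sudoers text into one record per (user, runas, command)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blank lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            rules.append({
                "who": m.group("who"),
                "runas": (m.group("runas") or "root").strip(),
                "nopasswd": "NOPASSWD" in m.group("tags"),
                "cmd": cmd.strip(),
            })
    return rules


def risky_rules(text: str) -> List[str]:
    """Return findings for rules that amount to full root for a non-root user."""
    findings = []
    for r in parse_sudoers(text):
        if r["who"] == "root":
            continue                                  # root is already root
        cmd = str(r["cmd"])
        if cmd == "ALL":
            findings.append(f"{r['who']}: ALL commands as {r['runas']}")
            continue
        exe = cmd.split()[0].rsplit("/", 1)[-1]       # basename of the binary
        if exe in CODE_EXECUTING:
            tag = " NOPASSWD" if r["nopasswd"] else ""
            findings.append(
                f"{r['who']}: {cmd} as {r['runas']}{tag}: {exe} executes code it is given"
            )
    return findings


# Constructed sample sudoers content for the demo.
SAMPLE_SUDOERS = """\
# constructed sample, not a real host
Defaults env_reset
root    ALL=(ALL:ALL) ALL
low     ALL=(root) NOPASSWD: /usr/bin/pip3
backup  ALL=(root) /usr/bin/rsync -a /srv/ /mnt/backup/
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/python3 /opt/app/manage.py
"""

if __name__ == "__main__":
    for finding in risky_rules(SAMPLE_SUDOERS):
        print(finding)
```

On a live host feed it the output of `sudo -l` or the contents of /etc/sudoers and /etc/sudoers.d/*. The rsync rule is not flagged because its arguments are pinned, while the python3 rule is flagged even with a fixed script path, since the script itself (and anything it imports) becomes part of the trust boundary.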

ROOTED!!!
