SneakyMailer writeup | HackTheBox | by DarkRider88

 Starting with NMAP scan:

nmap -sV -Pn -A your-ip-address


Checking the website I got a lot of emails and since the box name is SneakyMailer I think that will be useful. Hence I used CEWL to scrap all the emails from the website.

$ cewl -d 5 -e --email_file emails.txt http://sneakycorp.htb/ 

After that I started to look for valid emails , we can do this by VRFY command of SMTP and also there are many tools to do it like iSMTP, metasploit module smtp_enum.
But at this point for me none of them worked so I thought may be here it is something related to phishing attack... like there must be some bot in the backend which may click on any link provided in the email but question is which email. Here I made a simple script to send mail to each them with a link to my listening socket.

First let me show you how to do this manually.. but it is time taking
getting reverse shell

Now automatic:
    
python script to automatically send emails to smtp server


And from the script we got password in response. Now I think I need to view all the emails sent or received by this user and for this I will be using Evolution email client.

Add the Paul's account and do the required settings and in the sent items folder you will two emails and one of them contains credential to the ftp account.
how to use evolution email client to access smtp server

FTP and Foothold:

connecting to ftp to enumerate it

At first I dumped all the data to find if there was something but I found nothing. But after searching I found out that there was another domain dev.sneakycorp.htb on the server and its file was hosted from this ftp server. So what we can do here is that we should upload a php reverse shell on this ftp and then access it from dev.sneakycorp.htb/shell.php to get the reverse shell.


User flag:

After some enumeration I found out there was another domain pypi.sneakycorp.htb:8080
but this domain requires authentication but it is simple as we can access /var/www/pypi.sneakycorp.htb/.htpasswd there we can find the password hash and crack it using Rockyou.txt

Also the same server is runninng on localhost:5000 
command to check running port on localhost

So I am going to create a python package and upload it on the pypi server. This python package will try to add our Public key to the authorized_keys of the Low user so that we could connect with our ssh as Low. 

To genereate the ssh key use:

$ ssh-keygen -b 2048 -t ed25519 -f key


So first create the setup.py and .pypirc files.
how to create setup.py for python package

Paste the content key.pub which you have generated in the above script

and .pypirc will include: 

[distutils]
index-servers = local

[local]
repository: http://127.0.0.1:5000/
username: pypi
password: soufianeelhaoui

Now, transfer both of these files to a folder on the victim machine and enter the following commands 
Here we are going to change HOME environment so that .pypirc could be executed from our directory and not from the Low's dir.


connecting to ssh


Privilege Escalation:

Umm.. This is the easy part.. type sudo -l and we see that the user can run pip3 as root, time for GTFObins.

exploit pip3 to gain root access

And I'm in!
                                                -by  DarkRider88

Comments

Post a Comment

Popular posts from this blog

THM: Blog Room Writeup

Image
Here is the link of this great room:  Blog by Nameless0ne . L et's start guys.. Enumeration First I ran the nmap scan: 1.First lets check out the Blog itself running on the port 80. From little enumeration we can say that this is a simple blog running on the Wordpress. 2. The blog contains a single post by a user named Karen Wheeler for Billy joel. 3. To enumerate the users on the blog I will be using WPscan.           wpscan --url blog.thm -e u This command will list all the users on the Blog, bjoel & kwheel. 4. Let's try to find out the password of these users using the same tool again.          wpscan -U username --password <pass file> -t 30 --password-attack wp-login --url blog.thm 5. Try to run your own command. It won't take long before the password pops. (hint: try Mom name) 6. After login into the wordpress I saw the user had very limited capabilities so there must be some other way to the shell or some k...
Read more

LOOKING GLASS Write-up | TryHackMe | by Valerie23

Image
LOOKING  GLASS: https://tryhackme.com /room/lookingglass   NMAP Starting with a simple nmap scan to see which ports are open and what services are running on these ports. Nmap scan results in a long list of open ports ranging from 9000 to 13783. And the ssh service is running on all these ports so lets try connecting to one of the Dropbear ports (for username - you can use any random name). When we try connecting to port 9000 it tells us to go " lower " which we cannot do since 9000 is the lowermost open port (apart from 22). And when we try connecting to the uppermost open port 13783 , it tell us to go higher which is again impossible. So now we visit tryhackme again and take the hint given in user flag which says "A looking glass is a mirror" . So the output messages are mirrored. When it prints "LOWER" we actually need to go higher and vice-versa. So lets try to find the real port while shrinking the range  ssh toii@10.10.128.154 -o StrictHostKeyCheckin...
Read more

GamingServer | TryHackMe | by Valerie23

Image
LINK TO THE ROOM:  GamingServer NMAP SCAN Let’s do nmap first and see what do we get. nmap -Pn -sV 10.10.159.106 The results come back showing : Port 22 & 80. Since we don't have any credentials lets enumerate port 80 first. GOBUSTER  Lets fireup a gobuster scan for finding hidden directories. gobuster dir -u http://10.10.159.106/ -w /usr/share/wordlists/dirb/common.txt -t 50 WEB ANALYSIS Visiting port 80. And checking its source code gives us a username. Lets visit some of the interesting directories that we found earlier from gobuster scan. /uploads It has a dictionary list that looks like a list of passwords. So we will just copy and paste the content into a new file. And now we are going to visit another directory /secret to find the secrets. Looks like a ssh key but encrypted. In order to decrypt the ssh key we first need to copy and paste it into a file then find its password. Used commands: locate ssh2john /usr/share/john/ssh2john.py sshkey > key_hash Now the fil...
Read more