HackTheBox Writeup — SneakyMailer

Hello guys, I am Faisal Husaini. My username on HTB is "feodore". Also join me on Discord.

The IP of this box is 10.10.10.197

Port Scan

Running an Nmap full port scan on it, we get

We get a lot of open ports; starting off with the web part

Web

Checking the IP in the browser redirects us to a domain

Adding it to our hosts file and checking again

We land on the dashboard of Sneaky Corp; clicking on the Team section

We get a lot of email addresses. Since the box has SMTP enabled, we can try phishing all of them

We used swaks with a simple bash loop so that it tries each email address, and now we wait on our netcat listener for a hit back

We got a response, and its parameters leak the password; it is URL-encoded, so we decode it and get the password

We now log in to the mailbox using Evolution and check the Sent Items

We have 2 mails here; checking both of them

One of the mails has credentials and the other one is about installing modules in the PyPI service

Testing the credentials on FTP

We logged into FTP successfully and now move on to checking its contents

Also checking the vhosts we have on this box

We get a hit on dev.sneakycorp.htb, so we add it to our hosts file and open it

It is the same as the main domain with only a few changes; we upload a web shell through FTP and try to access it

We got a shell successfully; now we get a reverse shell and check the netcat listener

We can switch to the developer user using the password we got from the mail

Checking the webroot, we get a folder pointing to the pypi.sneakycorp.htb subdomain

Inside the folder we have a .htpasswd file which is readable by any user and contains the credentials for pypi

Using john, we crack the password successfully

Now we start creating the Python package:

1. Create a ~/.pypirc file with content:

2. Install wheel and twine:

sudo -H pip install wheel twine

3. Create dirs/files structure:

/pkg
/pkg/example_pkg
/pkg/example_pkg/__init__.py
/pkg/setup.py

4. __init__.py can contain anything, but setup.py should be an "installing script" with a reverse shell, like this:

5. Then build a package: python setup.py sdist bdist_wheel

6. Upload the package, which should be installed immediately:

 python -m twine upload --repository mypypi dist/*

7. Run a nc listener
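The package above only works because pip executes setup.py during installation, so a setup.py that hooks the install command is the thing a defender operating a private PyPI wants to catch before a package is accepted. As an added defensive example that is not part of the original writeup, this script walks a setup.py with the standard-library ast module and flags install-time hooks; it assumes nothing beyond the standard library, and both setup.py samples are constructed for the demonstration.

```python
import ast

# Call targets that let a package run arbitrary commands while pip installs it.
SUSPICIOUS_CALLS = {"os.system", "os.popen", "subprocess.Popen", "subprocess.call",
                    "subprocess.run", "subprocess.check_output", "socket.socket",
                    "eval", "exec", "pty.spawn"}
# setuptools command classes a setup.py subclasses to hook the install step.
HOOK_COMMANDS = {"install", "develop", "egg_info", "build_py"}

def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    return ".".join(reversed(parts + [node.id]))

def audit_setup_py(source):
    """Return sorted findings for a setup.py source string ([] means clean)."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.add("call:" + name)
            # setup(cmdclass=...) replaces the install/develop command class.
            if name == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
                findings.add("cmdclass-override")
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                last = (_dotted_name(base) or "").rsplit(".", 1)[-1]
                if last in HOOK_COMMANDS:
                    findings.add("subclass:" + last)
    return sorted(findings)

# Constructed samples: a clean setup.py and one with an install-time hook.
BENIGN = '''from setuptools import setup, find_packages
setup(name="example_pkg", version="0.1", packages=find_packages())
'''
SUSPICIOUS = '''import os
from setuptools import setup
from setuptools.command.install import install
class PostInstall(install):
    def run(self):
        os.system("echo constructed-marker")  # placeholder, not a payload
        install.run(self)
setup(name="example_pkg", version="0.1", cmdclass={"install": PostInstall})
'''
```

Running audit_setup_py over each file in an sdist before it is published to an internal index gives a cheap gate; a non-empty result means a human should read the setup.py.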

We got a shell as user low and can now get the user flag

Privilege Escalation

Running the sudo -l command

Now we follow the usual GTFOBins method and do the steps one by one

We got root
