SneakyMailer
There is a public list of company emails on the port 80 webserver
Aside from this there is not much going on; I scanned all the other ports and didn't find anything worth digging into. Given that the box is called "SneakyMailer" and we now have a list of emails, phishing looked like the way forward.
I sent an email to everyone on the list found earlier, with the contents "Checkout our new webserver http://10.10.14.29", and spun up an nc listener to see if we picked up any responses.
Decoding this string yields -
Username: paulbyrd@sneakymailer.htb
Password: ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
These are Paul's email creds. I set up an email client with his details, and we are able to see the following two emails in the Sent folder.
We got the dev user credentials
Username: developer
Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
These creds worked on FTP. There is a /dev/ directory that appears to be the same directory served on "dev.sneakycorp.htb". In theory we should be able to drop a reverse shell in /dev/ and request that page in the browser to trigger the reverse connection back to our machine.
We got a shell as www-data. We still can't access user.txt though; we will need to pivot to user "low" in order to read it. One of the standard Linux privesc scripts picks up a readable .htpasswd file.
We can crack this with hashcat:
username: pypi
password: soufianeelhaoui
This is for the port 8080 application, pypi.sneakycorp.htb.
Remembering back to the email we previously discovered -
Every package in this pypi repository is executed!!
We can set up a malicious pypi package which should execute our code with user-level permissions. According to the pypi documentation, this involves setting up two files:
- .pypirc (config)
- setup.py (build script)
I set up the two files like so
and uploaded them to the pypi repository.
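The step above works because setup.py is ordinary Python that runs whenever the index installs the package. As an added example, not part of the original writeup, here is how the operator of such a private pypi index could statically screen an uploaded sdist for risky calls before letting pip run it (the sample sdists are built in memory; function and constant names are my own):

```python
import ast
import io
import tarfile

# Constructed sample setup.py files: one that shells out at build time, one that does not.
SUSPICIOUS_SETUP = b"""
import os
from setuptools import setup
os.system("id > /tmp/out")
setup(name="pkg", version="0.1")
"""

BENIGN_SETUP = b"""
from setuptools import setup
setup(name="pkg", version="0.1", packages=["pkg"])
"""

# Calls that let setup.py execute arbitrary code on the host that installs the package.
RISKY_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
               "subprocess.call", "subprocess.check_output", "exec", "eval",
               "socket.socket"}

def build_sdist(setup_py, name="pkg-0.1"):
    """Build an in-memory .tar.gz sdist containing only setup.py (test fixture)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(f"{name}/setup.py")
        info.size = len(setup_py)
        tar.addfile(info, io.BytesIO(setup_py))
    return buf.getvalue()

def _call_name(node):
    """Render a call target as 'name' or 'module.attr'; empty string otherwise."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return ""

def audit_sdist(sdist):
    """Parse (never execute) every setup.py in the sdist and list risky calls found."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(sdist), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.name.split("/")[-1] != "setup.py":
                continue
            src = tar.extractfile(member).read().decode()
            for node in ast.walk(ast.parse(src)):
                if isinstance(node, ast.Call) and _call_name(node) in RISKY_CALLS:
                    findings.append(f"{member.name}:{node.lineno} {_call_name(node)}")
    return findings
```

A static check like this only catches the obvious cases; obfuscated setup.py code will slip past it, so the real control is installing uploads only in a throwaway sandbox rather than on the index host itself.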
We got a shell back as user low.
User low has sudo permissions on pip3; this can be exploited using GTFOBins to obtain root-level access.