SneakyMailer — HackTheBox

y4th0ts
6 min read, Nov 28, 2020

Summary

SneakyMailer is a medium-rated Linux machine created by sulcud. The initial foothold comes from a social engineering attack that gets a user to hand over his credentials for the Internet Message Access Protocol (IMAP) service. Access to the FTP server is gained after finding credentials in one of the emails in the Sent Items folder. A user shell is obtained by uploading a PHP reverse shell to the FTP server and triggering it over HTTP. Lateral movement to the user ‘low’ is performed by uploading a python package that contains malicious code, which user ‘low’ installs and thereby executes. Root privileges are gained by abusing pip3, which can be executed with sudo.

Reconnaissance

The Nmap scan shows several open ports: 22 (SSH), 25 (SMTP), 80 (HTTP), 143 (IMAP), 993 (another mail service) and another HTTP service on port 8080.

Visiting the HTTP service displays a dashboard with a user already logged in. Clicking the ‘team’ button on the panel leads to a list of possible users and their email addresses.

Using cURL and some command line-fu, I extracted the long list of email addresses to a file.

Command: curl http://sneakycorp.htb/team.php | grep .htb | cut -d'>' -f2 | cut -d'<' -f1 > email.txt

Since the logo of the box shows a person fishing, I assumed it had something to do with a social engineering attack or phishing. Knowing it is a CTF, that seemed less likely. But at the time I was working on this machine, CTF challenges involving XSS and other human interaction were appearing widely. I don't know, some AI or scheduled job or something does the job, I guess. So I tried a social engineering attack to see if it would work.

I created a python script that automates sending the emails, since doing it manually would be really time-consuming considering the number of email addresses I extracted.

The python script above sends an email to every address I found, containing a link to port 80 on my machine, and I set up a listener there hoping that someone would send me something useful.

After running the script and waiting a little bit, I received a POST request containing a first name, last name, email address, and password.

I URL-decoded the submitted form data to find out what the password is.

Email: paulbyrd@sneakymailer.htb & Password: ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

Accessing IMAP

Since I now had credentials, I tried them against the services that require authentication. I leaned towards the mail protocols and managed to authenticate to IMAP on port 143. With some google searches, I found a cheat sheet for working with the protocol. After playing around with some commands, I found a couple of emails in the Sent Items folder about a password reset; they contain another set of credentials as well as a task for the ‘low’ user to install and test python modules from the PyPI service.

Username: developer & Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C

Spawning a Shell

I was able to log in to the FTP server with the new credentials.

I found a dev directory that contains some web server files. I uploaded a PHP reverse shell there and added dev.sneakycorp.htb to my hosts file. I also ran gobuster to brute-force vhosts, and dev.sneakycorp.htb was discovered that way as well.

Browsing to ‘dev.sneakycorp.htb/shell.php’ spawned a shell on my netcat listener.

Since I already knew developer's password and had confirmed that the user exists, I switched to the user ‘developer’ and upgraded to a tty shell.

The user flag is in low's home directory, so I had to compromise his account in order to grab it.

Enumerating further, I found another vhost in the /var/www directory: ‘pypi.sneakycorp.htb’.

It contains an ‘.htpasswd’ file, which holds the password hash for the pypi user.

I cracked the hash with John the Ripper.

pypi : soufianeelhaoui
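The reason this hash fell to an offline guess is the hash type: apart from bcrypt, every format htpasswd writes verifies quickly and therefore cracks quickly. The audit below is an added example (not the author's code and not from the box): it classifies each entry of an .htpasswd file by its prefix and flags the fast formats. The sample file is constructed; the page does not state which format the pypi hash used.

```python
# Added example: audit an .htpasswd file for fast-to-crack hash formats.
# Prefixes follow the formats Apache's htpasswd tool writes:
#   $2y$/$2a$/$2b$  bcrypt (htpasswd -B, the only slow, work-factor hash)
#   $apr1$          Apache-flavoured iterated MD5 (historic default)
#   {SHA}           unsalted base64 SHA-1 (htpasswd -s)
#   13 characters   traditional DES crypt(3) (htpasswd -d)

FAST_FORMATS = {"apr1-md5", "sha1", "crypt", "unknown"}


def classify_htpasswd_hash(digest):
    """Return a short name for the hash format of one .htpasswd digest."""
    if digest.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if digest.startswith("$apr1$"):
        return "apr1-md5"
    if digest.startswith("{SHA}"):
        return "sha1"
    if len(digest) == 13:
        return "crypt"
    return "unknown"


def audit_htpasswd(text):
    """Return [(user, format, is_fast_to_crack)] for every entry in the file."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        kind = classify_htpasswd_hash(digest.strip())
        findings.append((user, kind, kind in FAST_FORMATS))
    return findings


# Constructed sample file; the digests are placeholders, not real hashes.
SAMPLE_HTPASSWD = """\
# constructed sample .htpasswd
pypi:$apr1$CoNsTrUc$tEdPlAcEhOlDeRvAlUe00
admin:{SHA}Q29uc3RydWN0ZWRQbGFjZWhvbGRlcg==
ops:$2y$10$ConstructedBcryptSaltXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"""

if __name__ == "__main__":
    for user, kind, fast in audit_htpasswd(SAMPLE_HTPASSWD):
        status = "FAST - rehash with bcrypt (htpasswd -B)" if fast else "ok"
        print(f"{user:8} {kind:9} {status}")
```

Run it against a real .htpasswd and every line marked FAST is a credential that an attacker with read access to the file can recover offline at GPU speed; bcrypt does not make the leak harmless, but it buys the time needed to rotate the password.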

Since the other email I found earlier says something about low testing and installing python modules, I concluded that I would have to upload a malicious python package that low installs, and leverage that to get a shell with his privileges.

Lateral Movement to Low

In order to compromise user ‘low’, I created two files: .pypirc and setup.py.
The setup.py file contains the malicious code; in my case, I put a reverse shell in it. The ‘.pypirc’ file contains the information that authenticates me to the package index as the ‘pypi’ user.

https://pypi.org/project/pypiserver/#upload-with-setuptools

The only important part of the ‘setup.py’ file is the malicious code. The other information at the bottom can be anything; I left it as is, which is the same as the example from the python packaging documentation.

I downloaded the files to the target machine and uploaded the package to the local index. After executing the upload command and waiting a couple of moments, I got a shell on my netcat listener and was able to grab the user flag.

python3 setup.py sdist register -r local upload -r local
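The mechanism exploited here is that setup.py is a Python program that runs when an sdist is built or installed, so anything at module level executes with the installing user's privileges. The scanner below is an added example (not the author's code and not part of the box): it parses a setup.py with the ast module and reports calls that launch commands or arbitrary code, plus any setup(cmdclass=...) override, which is the setuptools hook for replacing the install step with custom code. The watch-list of call names and the two sample files are assumptions constructed for this example; the suspicious sample only runs an echo.

```python
# Added example: static scan of a setup.py for install-time code execution.
import ast

# Assumed watch-list of callees that execute commands or code; extend as needed.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "os.execv", "os.execvp",
    "subprocess.call", "subprocess.run", "subprocess.Popen",
    "subprocess.check_output", "subprocess.check_call",
    "eval", "exec", "socket.socket",
}


def _callee_name(call):
    """Dotted name of a Call node's callee (e.g. 'os.system'), or None."""
    node = call.func
    if isinstance(node, ast.Name):
        return node.id
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def find_install_time_exec(source):
    """Return sorted [(line, description)] for risky constructs in a setup.py."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name in SUSPICIOUS_CALLS:
            findings.append((node.lineno, name))
        # cmdclass lets a package replace the install/build commands with
        # its own classes, which run during 'pip install' as well.
        if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
            findings.append((node.lineno, "setup(cmdclass=...)"))
    return sorted(findings)


# Constructed samples; neither is the package the writeup uploaded.
BENIGN_SETUP = """\
from setuptools import setup
setup(name="example", version="0.1", packages=["example"])
"""

SUSPICIOUS_SETUP = """\
import os
from setuptools import setup
os.system("echo constructed-sample")   # runs the moment setup.py executes
setup(name="example", version="0.1", packages=["example"], cmdclass={})
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        hits = find_install_time_exec(src)
        print(f"{label}: {hits or 'no findings'}")
```

A scan like this belongs in front of any private index that a privileged account installs from blindly; it will not catch obfuscated payloads, but it does catch the straightforward pattern used on this box, where the payload sits in plain sight at module level.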

Privilege Escalation

The usual privilege escalation enumeration revealed that pip3 can be executed with sudo without supplying a password.

pip has an entry in GTFOBins describing how it can be used to escalate privileges. I wrote a bash script to automate the process.

I uploaded the script to the target machine and executed it to gain root privileges, then finished by grabbing the root flag.
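The root cause is a sudoers rule that lets a user run an interpreter-driven tool (here pip3) as root with NOPASSWD; any such tool that can execute code on its own behalf is equivalent to a passwordless root shell. The audit below is an added example (not the author's script): it parses sudoers rule lines, follows the NOPASSWD/PASSWD tag semantics across a command list, and flags passwordless rules whose command is ALL or a binary from a watch-list. The watch-list beyond pip/pip3 and the sample sudoers fragment are assumptions constructed for this example; the page does not show the actual rule on the box.

```python
# Added example: find NOPASSWD sudo rules that hand out code execution.
import os
import re

# pip/pip3 is the case on this box; the rest are assumed additions to the list.
CODE_EXEC_BINARIES = {"pip", "pip3", "python", "python3", "perl", "vim", "less"}

# user  host=(runas) [TAG:] cmd, cmd ...   (runas part is optional)
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


def parse_sudoers(text):
    """Yield (user, host, runas, [(nopasswd, command), ...]) per rule line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
            continue
        match = RULE_RE.match(line)
        if not match:
            continue
        user, host, runas, spec = match.groups()
        commands, nopasswd = [], False
        for item in spec.split(","):
            words = item.strip().split()
            # A tag applies to every following command until another tag changes it.
            while words and words[0].endswith(":"):
                tag = words.pop(0)[:-1].upper()
                if tag == "NOPASSWD":
                    nopasswd = True
                elif tag == "PASSWD":
                    nopasswd = False
            if words:
                commands.append((nopasswd, " ".join(words)))
        yield user, host, runas or "root", commands


def find_passwordless_code_exec(text):
    """Return [(user, runas, command)] for NOPASSWD rules granting code execution."""
    risky = []
    for user, _host, runas, commands in parse_sudoers(text):
        for nopasswd, command in commands:
            if not nopasswd:
                continue
            binary = os.path.basename(command.split()[0])
            if command == "ALL" or binary in CODE_EXEC_BINARIES:
                risky.append((user, runas, command))
    return risky


# Constructed sample; not the sudoers file from the box.
SAMPLE_SUDOERS = """\
# constructed sample sudoers fragment
Defaults env_reset
Cmnd_Alias SERVICES = /usr/bin/systemctl
root ALL=(ALL:ALL) ALL
low ALL=(root) NOPASSWD: /usr/bin/pip3
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/pip3 install -r /srv/app/req.txt
"""

if __name__ == "__main__":
    for user, runas, command in find_passwordless_code_exec(SAMPLE_SUDOERS):
        print(f"{user} may run '{command}' as {runas} without a password")
```

Note that the second deploy command is still flagged even though it looks pinned to a requirements file: pip install runs setup.py from whatever that file resolves to, which is exactly the install-time execution used earlier in the writeup, so restricting the arguments does not remove the risk.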

Thank you for reading. Stay safe all!
