Introduction

SneakyMailer is a Medium-difficulty CTF-style box from HTB. It features a phishing-lite approach against an intranet platform. Once we get credentials we use pypiserver to escalate. I begin every box by scanning it with AutoRecon.

After the scans finished I noticed port 80 was open. Visiting the website redirected me over to SneakyCorp.HTB, so I altered my hosts file to include an entry for it.

Upon visiting the website I was unable to do anything; most links and UI elements were stubbed out with a #. Noting that the redirect existed at the IP level, I began by running a subdomain search. I recently transitioned from the dirbuster wordlists to SecLists on a recommendation from IPPSec, but I decided to use dirbuster's one last time for nostalgia's sake.
GoBuster shows dev subdomain.

I would highly recommend reading THIS article regarding GoBuster and its capabilities, specifically for virtual hosts. After running GoBuster I can see that dev is another available subdomain. I edit my hosts file again and head over to the website.

Welcome to the dev sub domain

After viewing the website I attempted to register (unsuccessfully) and ran some brute-force tools to search for additional directories and domains. Eventually I moved on to the Team page, which featured plenty of emails for consumption. I broke the table up into two files: emails and names.

Emails featured on the Team page.

This is probably where my biggest caveat with this box comes from, as this next part took me a long time to figure out. It requires you to approach the box as if you are a user already working ‘internally’ at this point. I feel that if they had locked the Dashboard down with an easy breadcrumb to make me feel like I had ‘gained access’, it would have helped drive this.

This next step requires you to send a ‘phishing’ style email to get credentials. I would recommend the website HERE for more information. I found it while studying for my OSCP, and the author has a really great script specifically tailored to mass emails.
Script running through each email.

Once the script completed I waited a few moments and got a hit on my nc session. Looking at the response I could see that it was a URL-encoded message. This leads back to the caveat I spoke of: why would someone click a link (not a form) and have it hand me their credentials?

Response from a user on nc listener.

I decoded the URL and saw what appeared to be a mail account. I decided to use Thunderbird for this as I am lazy, already had it installed, and a GUI is preferable.
Paul Byrd email settings for Thunderbird.

Once I got Thunderbird configured correctly I was able to see two emails in the Sent directory:

Email with a developer password and PyPI information.

Using the credentials found in the email I logged into the FTP server. Seeing that I was in the dev website root, I uploaded a PHP web shell. Unfortunately the web shell kept dying within a minute of going live (probably a cleanup job from the box creator), so I used a standard php-reverse-shell.php with an nc session instead.

Testing the FTP and uploading a shell.

After getting a session I navigated to the tmp directory and created a folder to work from. I used wget to grab LinPEAS from my attack machine and ran it. Normally I would do some manual discovery/enumeration, but I was lazy today.
LinPEAS shows the PyPI subdomain and a .htpasswd.

I add the PyPI domain to my hosts file and switch over to my Windows environment to crack the .htpasswd. I use Hashcat because of THIS article showing the hash can be cracked this way.

Cracking the hash with hashcat.

PyPI Privilege Escalation

After cracking the hash with hashcat I navigated over to the PyPI subdomain and logged in with the credentials. I wasn't a huge fan of this next part, as I am pretty unfamiliar with PyPI. I found an article on Medium by @bertusk HERE which helped give me an idea of how to proceed.

The next process took a lot of trial and error. If you are struggling I would recommend the guide HERE provided by Linode, as it helped a lot. Next, understand the Python file writelines() method and how it works; more information on that can be found HERE. Finally, for setting up the package (as the Linode guide gave me some issues) I used the Packaging Projects tutorial by Python HERE.

.pypirc


__init__.py


setup.py


I began by building the required files as noted in the links above. I tried to get remote execution with python setup.py sdist upload -r linode working but was unable to. Instead I started a local web server and transferred the files to the box with wget. I then realized you need to prefix the command with HOME=$(pwd), as your .pypirc file will not be picked up without it.

For my first few attempts I simply wrote a file to the directory I was working from, to make sure the script was running as intended. Once I got that working I validated it against the .ssh directory of the low user.
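The box author's setup.py is not reproduced on this page, so as an added, defender-side example (not the post's own code) here is a small audit that flags the kind of file-writing code a package index like pypiserver would execute from an uploaded setup.py. Both sample files are constructed for this illustration.

```python
import ast
from typing import List

# Calls that have no business in a setup.py. A package index such as pypiserver
# runs the uploaded setup.py with its own privileges, so any of these is a red flag.
DANGEROUS_CALLS = {"open", "writelines", "write", "system", "popen", "run",
                   "call", "check_output", "exec", "eval"}
# A benign setup.py is imports, assignments and the setup(...) call, nothing else.
ALLOWED_TOPLEVEL = (ast.Import, ast.ImportFrom, ast.Assign, ast.Expr)

# Constructed sample: the shape of setup.py this box abuses, appending a key to
# the low user's authorized_keys when the index executes it (placeholder key).
SUSPICIOUS_SETUP = '''
from setuptools import setup
import os
with open(os.path.expanduser("~/.ssh/authorized_keys"), "a") as f:
    f.writelines(["ssh-ed25519 AAAA-PLACEHOLDER-KEY demo\\n"])
setup(name="demo", version="0.0.1", packages=["demo"])
'''

# Constructed sample: a setup.py that only declares package metadata.
CLEAN_SETUP = '''
from setuptools import setup
setup(name="demo", version="0.0.1", packages=["demo"])
'''


def audit_setup_py(source: str) -> List[str]:
    """Return one finding per suspicious construct; an empty list means clean."""
    findings = []
    tree = ast.parse(source)
    for node in tree.body:
        if not isinstance(node, ALLOWED_TOPLEVEL):
            findings.append(f"line {node.lineno}: unexpected top-level "
                            f"{type(node).__name__} statement")
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            func = node.func
            name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", "")
            if name in DANGEROUS_CALLS:
                findings.append(f"line {node.lineno}: call to {name}()")
    return findings


if __name__ == "__main__":
    for label, src in (("clean", CLEAN_SETUP), ("suspicious", SUSPICIOUS_SETUP)):
        print(label, audit_setup_py(src) or "no findings")
```

The same check run before `pip install` of an untrusted source tree catches the sudo pip trick later in this post, since that also relies on setup.py executing.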

My program finally working after like 100 failed attempts.

Logging into the low user with the SSH key.

User Escalation

After I SSH‘d into the box I began my enumeration. One of the first things I do on every box is sudo -l, as it was one of the first privilege escalation methods I tried when I first started getting into HTB. A coworker was surprised I started with that command as it isn’t really applicable in the “real world”. That stuck with me, and when I find myself on a Linux box, that and LinPEAS are my priority.

sudo -l shows pip escalation point.

At this point it was extremely easy, as GTFOBins has a sudo escalation entry for pip. I ran it and got root.
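As an added defender-side check that is not part of the original post: a small parser over `sudo -l` output that flags rules whose binary GTFOBins documents as a shell escape, with pip as the case that applies here. The sample output and its sudoers rule are constructed placeholders, not the box's actual entry.

```python
import re
from typing import List, Tuple

# Binaries GTFOBins documents as spawning a shell when allowed under sudo.
# pip is here because "pip install <dir>" executes that directory's setup.py.
SHELL_ESCAPE_BINS = {"pip", "pip2", "pip3", "python", "python3",
                     "vim", "less", "find", "perl", "env"}

# Constructed sample of `sudo -l` output; the rule is a placeholder, not the
# box's actual sudoers entry.
SAMPLE_SUDO_L = """\
Matching Defaults entries for low on sneakymailer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin

User low may run the following commands on sneakymailer:
    (root) NOPASSWD: /usr/bin/pip3 install *
    (root) /usr/bin/systemctl restart apache2
"""

# One rule line: "(runas) [NOPASSWD:] /path/to/binary [args]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<nopasswd>NOPASSWD:\s*)?(?P<cmd>/\S+)")


def risky_sudo_rules(sudo_l_output: str) -> List[Tuple[str, str, bool]]:
    """Return (run-as user, command path, passwordless?) for each risky rule."""
    risky = []
    for line in sudo_l_output.splitlines():
        match = RULE_RE.match(line)
        if not match:
            continue
        binary = match.group("cmd").rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPE_BINS:
            risky.append((match.group("runas"), match.group("cmd"),
                          match.group("nopasswd") is not None))
    return risky


if __name__ == "__main__":
    for runas, cmd, nopasswd in risky_sudo_rules(SAMPLE_SUDO_L):
        flag = "NOPASSWD" if nopasswd else "password required"
        print(f"risky: {cmd} as {runas} ({flag}); check GTFOBins")
```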
SneakyMailer GTFOBins pip escalation.

Rooted

Published On: January 17th, 2021 / Categories: HTB, Technology