2 :80
http://sneakycorp.htb/
sneakycorp website
| has 2 projects
| PyPi
| POP3 and SMTP
http://sneakycorp.htb/team.php
contains list of team members
# as all emails contain a new domain, adding it to /etc/hosts
10.10.10.197 sneakycorp.htb sneakymailer.htb
# copied table-list format into user.txt
# used sublime search and replace (\s){2,} => space to make the spacing uniform
# using grep extract email
$ cat users | grep -oP '\w+@\w+\.htb'
o: print only the matched parts, one per line
P: use Perl-compatible regex
\w: a single word character (letter, digit or underscore)
\w+: one or more word characters, i.e. a word (no special characters)
\.: a literal dot (an unescaped . would match any character)
\w+@\w+\.htb: <word>@<word>.htb
$ cat users | grep -oP '\w+@\w+\.htb' > email.txt
# can extract users easily using cut
$ cat email.txt| cut -d '@' -f 1 > users.txt
# can use this for smtp-user-enum
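The whole normalise / extract / split pipeline above as one small script, added here as an example (not from the original notes). It uses a constructed sample of the copied team table, portable ERE instead of grep -P, and also pulls out the unique mail domains for the /etc/hosts step; function and sample names are my own.

```shell
#!/bin/sh
# Constructed sample of a copied team table (not the real page): ragged
# whitespace, a mixed-case address and a duplicate row to exercise each step.
SAMPLE='Name          Role      Email
Alice Smith   CEO       asmith@sneakymailer.htb
Bob   Jones   Dev       bjones@sneakymailer.htb
Bob   Jones   Dev       bjones@sneakymailer.htb
Carol White   Ops       Carol.White@SneakyMailer.htb
'

# Collapse runs of whitespace (the editor (\s){2,} => space step) and
# lowercase everything so case differences do not produce duplicate users.
normalise_table() {
  sed -E 's/[[:space:]]{2,}/ /g' | tr 'A-Z' 'a-z'
}

# Extract unique .htb addresses. The dot before htb is escaped so it only
# matches a literal dot; the local part also allows dots, dashes and
# underscores, which \w+ on its own would silently cut short.
extract_emails() {
  normalise_table | grep -oE '[[:alnum:]._-]+@[[:alnum:].-]+\.htb' | sort -u
}

# Usernames are the part before @, one per line.
extract_users() {
  extract_emails | cut -d '@' -f 1
}

# Unique domains seen in the addresses, i.e. what needs a hosts entry.
extract_domains() {
  extract_emails | cut -d '@' -f 2 | sort -u
}

printf '%s' "$SAMPLE" | extract_users
printf '%s' "$SAMPLE" | extract_domains
```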
$ gobuster dir -u http://sneakycorp.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/img (Status: 301) [Size: 185] [--> http://sneakycorp.htb/img/]
/index.php (Status: 200) [Size: 13543]
/css (Status: 301) [Size: 185] [--> http://sneakycorp.htb/css/]
/team.php (Status: 200) [Size: 26518]
/js (Status: 301) [Size: 185] [--> http://sneakycorp.htb/js/]
/vendor (Status: 301) [Size: 185] [--> http://sneakycorp.htb/vendor/]
/pypi (Status: 301) [Size: 185] [--> http://sneakycorp.htb/pypi/]
http://sneakycorp.htb/vendor/ | http://sneakycorp.htb/pypi/
403 Forbidden
# trying vhosts if any?
$ gobuster vhost -u http://sneakycorp.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -t 80
===============================================================
Found: dev.sneakycorp.htb (Status: 200) [Size: 13742]
# adding that to /etc/hosts
http://dev.sneakycorp.htb/
| similar but contains register page
http://dev.sneakycorp.htb/pypi/register.php
Create an account
# tried creating an account, but nothing happened?
# checked in Burp: the POST request is sent but nothing happens?
POST /pypi/register.php HTTP/1.1
Host: dev.sneakycorp.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://dev.sneakycorp.htb
Connection: close
Referer: http://dev.sneakycorp.htb/pypi/register.php
Upgrade-Insecure-Requests: 1
firstName=kashz&lastName=kashz&email=kashz%40sneakycorp.htb&password=kashz&rpassword=kashz
$ gobuster dir -u http://dev.sneakycorp.htb/pypi/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/register.php (Status: 200) [Size: 3115]
# seems like nothing else.