2 :80

http://sneakycorp.htb/
sneakycorp website
| has 2 projects 
	| PyPi
	| POP3 and SMTP
	
http://sneakycorp.htb/team.php
contains list of team members

# as all emails contain a new domain, adding it
10.10.10.197 sneakycorp.htb sneakymailer.htb

# copied table-list format into user.txt
# used sublime search and replace (\s){2,} => space to make it uniform
# using grep to extract emails
$ cat users| grep -oP '\w+@\w+\.htb'
	-o: print only matched items
	-P: perl regex
	\w: single word character (letter, digit or underscore)
	\w+: represents a word (does not include special characters)
	\.: literal dot (an unescaped . matches any character)
	\w+@\w+\.htb: <word>@<word>.htb

$ cat users| grep -oP '\w+@\w+\.htb' > email.txt

# can extract users easily using cut
$ cat email.txt| cut -d '@' -f 1  > users.txt
# can use this for smtp-user-enum

$ gobuster dir -u http://sneakycorp.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/img                  (Status: 301) [Size: 185] [--> http://sneakycorp.htb/img/]
/index.php            (Status: 200) [Size: 13543]
/css                  (Status: 301) [Size: 185] [--> http://sneakycorp.htb/css/]
/team.php             (Status: 200) [Size: 26518]
/js                   (Status: 301) [Size: 185] [--> http://sneakycorp.htb/js/]
/vendor               (Status: 301) [Size: 185] [--> http://sneakycorp.htb/vendor/]
/pypi                 (Status: 301) [Size: 185] [--> http://sneakycorp.htb/pypi/]

http://sneakycorp.htb/vendor/ | http://sneakycorp.htb/pypi/
403 Forbidden

# trying vhosts if any?
$ gobuster vhost -u http://sneakycorp.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -t 80
===============================================================
Found: dev.sneakycorp.htb (Status: 200) [Size: 13742]
# adding that to /etc/hosts

http://dev.sneakycorp.htb/
| similar but contains register page

http://dev.sneakycorp.htb/pypi/register.php
Create an account

# tried creating, but nothing?
# checked Burp, POST request is sent but nothing happens?
POST /pypi/register.php HTTP/1.1
Host: dev.sneakycorp.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 90
Origin: http://dev.sneakycorp.htb
Connection: close
Referer: http://dev.sneakycorp.htb/pypi/register.php
Upgrade-Insecure-Requests: 1

firstName=kashz&lastName=kashz&email=kashz%40sneakycorp.htb&password=kashz&rpassword=kashz

$ gobuster dir -u http://dev.sneakycorp.htb/pypi/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/register.php         (Status: 200) [Size: 3115]


# seems like nothing else.
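
From the server side, the gobuster dir and vhost runs above show up in the access log as one client requesting many missing paths and many different Host values. An added example, not part of the original notes, that flags this pattern; the log layout (Host header followed by combined-log fields), the 404 status for misses, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed layout (not from the notes): Host header, then combined-log fields.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: 192.0.2.10 probes paths and host names, 198.51.100.7 browses.
SAMPLE_LOG = """\
sneakycorp.htb 192.0.2.10 - - [01/Jan/2021:10:00:01 +0000] "GET /admin HTTP/1.1" 404 169
sneakycorp.htb 192.0.2.10 - - [01/Jan/2021:10:00:01 +0000] "GET /admin.php HTTP/1.1" 404 169
sneakycorp.htb 192.0.2.10 - - [01/Jan/2021:10:00:01 +0000] "GET /backup.txt HTTP/1.1" 404 169
sneakycorp.htb 192.0.2.10 - - [01/Jan/2021:10:00:01 +0000] "GET /team.php HTTP/1.1" 200 26518
www.sneakycorp.htb 192.0.2.10 - - [01/Jan/2021:10:00:02 +0000] "GET / HTTP/1.1" 301 185
mail.sneakycorp.htb 192.0.2.10 - - [01/Jan/2021:10:00:02 +0000] "GET / HTTP/1.1" 301 185
dev.sneakycorp.htb 192.0.2.10 - - [01/Jan/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 13742
sneakycorp.htb 198.51.100.7 - - [01/Jan/2021:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 13543
sneakycorp.htb 198.51.100.7 - - [01/Jan/2021:10:05:01 +0000] "GET /favicon.ico HTTP/1.1" 404 169
"""


def summarize(log_text):
    """Per client IP: distinct paths answered with 404 and distinct Host values."""
    missing, hosts = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the assumed layout
        hosts[m["ip"]].add(m["host"].lower())
        if m["status"] == "404":
            missing[m["ip"]].add(m["path"].split("?", 1)[0])
    return missing, hosts


def flag_scanners(log_text, max_404_paths=2, max_hosts=2):
    """Thresholds are demo values sized for the sample; tune them to real traffic."""
    missing, hosts = summarize(log_text)
    findings = {}
    for ip in hosts:
        reasons = []
        if len(missing[ip]) > max_404_paths:
            reasons.append("path-bruteforce")
        if len(hosts[ip]) > max_hosts:
            reasons.append("vhost-bruteforce")
        if reasons:
            findings[ip] = reasons
    return findings
```

Counting distinct paths and hosts rather than raw request volume keeps a busy legitimate client from being flagged just for reloading the same page.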