8 box enum developer
developer@sneakymailer:/var/www$ ls -la
total 24
drwxr-xr-x 6 root root 4096 May 14 2020 .
drwxr-xr-x 12 root root 4096 May 14 2020 ..
drwxr-xr-x 3 root root 4096 Jun 23 2020 dev.sneakycorp.htb
drwxr-xr-x 2 root root 4096 May 14 2020 html
drwxr-xr-x 4 root root 4096 May 15 2020 pypi.sneakycorp.htb
drwxr-xr-x 8 root root 4096 Jun 23 2020 sneakycorp.htb
developer@sneakymailer:/var/www/pypi.sneakycorp.htb$ ls -la
total 20
drwxr-xr-x 4 root root 4096 May 15 2020 .
drwxr-xr-x 6 root root 4096 May 14 2020 ..
-rw-r--r-- 1 root root 43 May 15 2020 .htpasswd
drwxrwx--- 2 root pypi-pkg 4096 Jun 30 2020 packages
drwxr-xr-x 6 root pypi 4096 May 14 2020 venv
developer@sneakymailer:/var/www/pypi.sneakycorp.htb$ cat .
./ ../ .htpasswd
developer@sneakymailer:/var/www/pypi.sneakycorp.htb$ cat .htpasswd
pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
$ hashcat -m 1600 hash /usr/share/wordlists/rockyou.txt --show
$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/:soufianeelhaoui
developer@sneakymailer:/home/low$ cat /etc/passwd | grep pypi
pypi:x:998:998::/var/www/pypi.sneakycorp.htb:/usr/sbin/nologin
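# Can't su to pypi; the password fails. (The passwd entry above also gives pypi the shell /usr/sbin/nologin, so su would not yield an interactive shell.)
# Added the domain to the hosts file; nothing special in the UI.
# Checking the nginx config files to confirm how the site is served: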
developer@sneakymailer:/tmp$ cat /etc/nginx/nginx.conf
[truncated]
## Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
# following the path to sites-enabled;
developer@sneakymailer:/tmp$ ls -la /etc/nginx/sites-enabled/
total 8
drwxr-xr-x 2 root root 4096 May 26 2020 .
drwxr-xr-x 8 root root 4096 May 14 2020 ..
lrwxrwxrwx 1 root root 46 May 14 2020 pypi.sneakycorp.htb -> /etc/nginx/sites-available/pypi.sneakycorp.htb
lrwxrwxrwx 1 root root 41 May 14 2020 sneakycorp.htb -> /etc/nginx/sites-available/sneakycorp.htb
developer@sneakymailer:/etc/nginx/sites-available$ cat pypi.sneakycorp.htb
# Catch-all for port 8080: default_server with server_name _ receives any
# request whose Host header matches no other server block. No location or
# proxy_pass is defined in this block.
server {
    listen 0.0.0.0:8080 default_server;
    listen [::]:8080 default_server;
    server_name _;
}

# Name-based virtual host: only requests whose Host is pypi.sneakycorp.htb
# are proxied to the backend on loopback port 5000, so the backend itself is
# reachable from outside only through this vhost.
server {
    listen 0.0.0.0:8080;
    listen [::]:8080;
    server_name pypi.sneakycorp.htb;
    location / {
        proxy_pass http://127.0.0.1:5000;
        # Forward the original Host header and the client address to the backend.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
# It's running on port 8080, and requests to port 8080 are proxied through to localhost:5000.
http://pypi.sneakycorp.htb:8080/
welcome to pypi server
developer@sneakymailer:/home$ ls -la
total 16
drwxr-xr-x 4 root root 4096 May 14 2020 .
drwxr-xr-x 18 root root 4096 May 14 2020 ..
drwxr-xr-x 8 low low 4096 Jun 8 2020 low
drwx------ 5 vmail vmail 4096 May 19 2020 vmail
PEAS
# running process
pypi 683 0.0 0.6 36800 25888 ? Ss 20:52 0:04 /var/www/pypi.sneakycorp.htb/venv/bin/python3 /var/www/pypi.sneakycorp.htb/venv/bin/pypi-server -i 127.0.0.1 -p 5000 -a update,download,list -P /var/www/pypi.sneakycorp.htb/.htpasswd --disable-fallback -o /var/www/pypi.sneakycorp.htb/packages
low 1086 0.0 0.5 29952 20796 ? Ss 20:52 0:03 /home/low/venv/bin/python /opt/scripts/low/install-modules.py
╣ Binary processes permissions
lrwxrwxrwx 1 low low 7 May 16 2020 /home/low/venv/bin/python -> python3
lrwxrwxrwx 1 root pypi 16 May 14 2020 /var/www/pypi.sneakycorp.htb/venv/bin/python3 -> /usr/bin/python3
╣ Active Ports
tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN -
╣ Users with console
root:x:0:0:root:/root:/bin/bash
developer:x:1001:1001:,,,:/var/www/dev.sneakycorp.htb:/bin/bash
low:x:1000:1000:,,,:/home/low:/bin/bash
uid=1000(low) gid=1000(low) groups=1000(low),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),119(pypi-pkg)
╣ Analyzing Htpasswd Files (limit 70)
-rw-r--r-- 1 root root 43 May 15 2020 /var/www/pypi.sneakycorp.htb/.htpasswd
pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/
╣ Readable files belonging to root and readable by me but not world readable
-rwxr-x--- 1 root developer 405 May 26 2020 /opt/scripts/developer/clean-ftp.py
Enumerating /opt
developer@sneakymailer:/opt/scripts$ ls -la
total 20
drwxr-xr-x 5 root root 4096 May 26 2020 .
drwxr-xr-x 3 root root 4096 May 15 2020 ..
drwxr-x--- 2 root developer 4096 May 26 2020 developer
drwxr-x--- 2 root low 4096 Jun 23 2020 low
drwxr-x--- 2 root vmail 4096 Jun 23 2020 vmail
developer@sneakymailer:/opt/scripts$ find . -type f -ls
find: ‘./vmail’: Permission denied
find: ‘./low’: Permission denied
146330 4 -rwxr-x--- 1 root developer 405 May 26 2020 ./developer/clean-ftp.py
developer@sneakymailer:/opt/scripts$ cat developer/clean-ftp.py
import os
import shutil
def main():
    """Delete everything under /var/www/dev.sneakycorp.htb.

    Walks the tree with os.walk and removes each directory and file it
    lists. Takes no arguments and returns nothing.
    """
    # NOTE(review): the transcript lists this file as root:developer, mode
    # 0750 (readable but not writable by developer); which account runs it
    # is not shown here.
    # os.walk is top-down by default, so the subdirectories removed below are
    # already gone by the time the walk would descend into them.
    for root, directories, files in os.walk("/var/www/dev.sneakycorp.htb"):
        for directory in directories:
            try:
                shutil.rmtree(os.path.join(root, directory))
            except PermissionError:
                # Directories that cannot be removed are skipped silently.
                pass
        for file in files:
            try:
                os.remove(os.path.join(root, file))
            except PermissionError:
                # Files that cannot be removed are only reported on stdout.
                # NOTE(review): only PermissionError is handled; any other
                # OSError raised by the removal calls propagates.
                print(os.path.join(root, file))
# Run the cleanup only when the file is executed as a script, not on import.
if __name__ == "__main__":
    main()