# 8 box enum developer ``` developer@sneakymailer:/var/www$ ls -la total 24 drwxr-xr-x 6 root root 4096 May 14 2020 . drwxr-xr-x 12 root root 4096 May 14 2020 .. drwxr-xr-x 3 root root 4096 Jun 23 2020 dev.sneakycorp.htb drwxr-xr-x 2 root root 4096 May 14 2020 html drwxr-xr-x 4 root root 4096 May 15 2020 pypi.sneakycorp.htb drwxr-xr-x 8 root root 4096 Jun 23 2020 sneakycorp.htb developer@sneakymailer:/var/www/pypi.sneakycorp.htb$ ls -la total 20 drwxr-xr-x 4 root root 4096 May 15 2020 . drwxr-xr-x 6 root root 4096 May 14 2020 .. -rw-r--r-- 1 root root 43 May 15 2020 .htpasswd drwxrwx--- 2 root pypi-pkg 4096 Jun 30 2020 packages drwxr-xr-x 6 root pypi 4096 May 14 2020 venv developer@sneakymailer:/var/www/pypi.sneakycorp.htb$ cat . ./ ../ .htpasswd developer@sneakymailer:/var/www/pypi.sneakycorp.htb$ cat .htpasswd pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/ $ hashcat -m 1600 hash /usr/share/wordlists/rockyou.txt --show $apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/:soufianeelhaoui developer@sneakymailer:/home/low$ cat /etc/passwd | grep pypi pypi:x:998:998::/var/www/pypi.sneakycorp.htb:/usr/sbin/nologin # can't su to pypi; password fails # added domain to hosts, nothing special in UI. # checking for nginx config files to confirm, developer@sneakymailer:/tmp$ cat /etc/nginx/nginx.conf [truncated] ## Virtual Host Configs ## include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; # following the path to sites-enabled; developer@sneakymailer:/tmp$ ls -la /etc/nginx/sites-enabled/ total 8 drwxr-xr-x 2 root root 4096 May 26 2020 . drwxr-xr-x 8 root root 4096 May 14 2020 .. lrwxrwxrwx 1 root root 46 May 14 2020 pypi.sneakycorp.htb -> /etc/nginx/sites-available/pypi.sneakycorp.htb lrwxrwxrwx 1 root root 41 May 14 2020 sneakycorp.htb -> /etc/nginx/sites-available/sneakycorp.htb developer@sneakymailer:/etc/nginx/sites-available$ cat pypi.sneakycorp.htb server { listen 0.0.0.0:8080 default_server; listen [::]:8080 default_server; server_name _; } server { listen 0.0.0.0:8080; listen [::]:8080; server_name pypi.sneakycorp.htb; location / { proxy_pass http://127.0.0.1:5000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; } } # its running on port 8080 but and going to 8080 witll proxy throuh localhost:5000 http://pypi.sneakycorp.htb:8080/ welcome to pypi server developer@sneakymailer:/home$ ls -la total 16 drwxr-xr-x 4 root root 4096 May 14 2020 . drwxr-xr-x 18 root root 4096 May 14 2020 .. drwxr-xr-x 8 low low 4096 Jun 8 2020 low drwx------ 5 vmail vmail 4096 May 19 2020 vmail ``` ## PEAS ``` # running process pypi 683 0.0 0.6 36800 25888 ? Ss 20:52 0:04 /var/www/pypi.sneakycorp.htb/venv/bin/python3 /var/www/pypi.sneakycorp.htb/venv/bin/pypi-server -i 127.0.0.1 -p 5000 -a update,download,list -P /var/www/pypi.sneakycorp.htb/.htpasswd --disable-fallback -o /var/www/pypi.sneakycorp.htb/packages low 1086 0.0 0.5 29952 20796 ? Ss 20:52 0:03 /home/low/venv/bin/python /opt/scripts/low/install-modules.py ╣ Binary processes permissions lrwxrwxrwx 1 low low 7 May 16 2020 /home/low/venv/bin/python -> python3 lrwxrwxrwx 1 root pypi 16 May 14 2020 /var/www/pypi.sneakycorp.htb/venv/bin/python3 -> /usr/bin/python3 ╣ Active Ports tcp 0 0 127.0.0.1:5000 0.0.0.0:* LISTEN - ╣ Users with console root:x:0:0:root:/root:/bin/bash developer:x:1001:1001:,,,:/var/www/dev.sneakycorp.htb:/bin/bash low:x:1000:1000:,,,:/home/low:/bin/bash uid=1000(low) gid=1000(low) groups=1000(low),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),119(pypi-pkg) ╣ Analyzing Htpasswd Files (limit 70) -rw-r--r-- 1 root root 43 May 15 2020 /var/www/pypi.sneakycorp.htb/.htpasswd pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/ ╣ Readable files belonging to root and readable by me but not world readable -rwxr-x--- 1 root developer 405 May 26 2020 /opt/scripts/developer/clean-ftp.py ``` ## Enumerating /opt ``` developer@sneakymailer:/opt/scripts$ ls -la total 20 drwxr-xr-x 5 root root 4096 May 26 2020 . drwxr-xr-x 3 root root 4096 May 15 2020 .. drwxr-x--- 2 root developer 4096 May 26 2020 developer drwxr-x--- 2 root low 4096 Jun 23 2020 low drwxr-x--- 2 root vmail 4096 Jun 23 2020 vmail developer@sneakymailer:/opt/scripts$ find . -type f -ls find: ‘./vmail’: Permission denied find: ‘./low’: Permission denied 146330 4 -rwxr-x--- 1 root developer 405 May 26 2020 ./developer/clean-ftp.py developer@sneakymailer:/opt/scripts$ cat developer/clean-ftp.py import os import shutil def main(): for root, directories, files in os.walk("/var/www/dev.sneakycorp.htb"): for directory in directories: try: shutil.rmtree(os.path.join(root, directory)) except PermissionError: pass for file in files: try: os.remove(os.path.join(root, file)) except PermissionError: print(os.path.join(root, file)) if __name__ == "__main__": main() ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kashz.gitbook.io/hackthebox-writeups/htb-boxes/sneakymailer/8-box-enum-developer.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.