8 box enum developer

developer@sneakymailer:/var/www$ ls -la
total 24
drwxr-xr-x  6 root root 4096 May 14  2020 .
drwxr-xr-x 12 root root 4096 May 14  2020 ..
drwxr-xr-x  3 root root 4096 Jun 23  2020 dev.sneakycorp.htb
drwxr-xr-x  2 root root 4096 May 14  2020 html
drwxr-xr-x  4 root root 4096 May 15  2020 pypi.sneakycorp.htb
drwxr-xr-x  8 root root 4096 Jun 23  2020 sneakycorp.htb

developer@sneakymailer:/var/www/pypi.sneakycorp.htb$ ls -la
total 20
drwxr-xr-x 4 root root     4096 May 15  2020 .
drwxr-xr-x 6 root root     4096 May 14  2020 ..
-rw-r--r-- 1 root root       43 May 15  2020 .htpasswd
drwxrwx--- 2 root pypi-pkg 4096 Jun 30  2020 packages
drwxr-xr-x 6 root pypi     4096 May 14  2020 venv
developer@sneakymailer:/var/www/pypi.sneakycorp.htb$ cat .
./         ../        .htpasswd
developer@sneakymailer:/var/www/pypi.sneakycorp.htb$ cat .htpasswd
pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/

$ hashcat -m 1600 hash /usr/share/wordlists/rockyou.txt --show
$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/:soufianeelhaoui

developer@sneakymailer:/home/low$ cat /etc/passwd | grep pypi
pypi:x:998:998::/var/www/pypi.sneakycorp.htb:/usr/sbin/nologin
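# can't su to pypi; password fails. The .htpasswd file (world-readable, mode 644 in the listing above) holds HTTP basic-auth credentials, which are separate from the system account's password; the pypi account also has /usr/sbin/nologin as its shell.
# added the domain to hosts; nothing special in the UI.
# checking the nginx config files to confirm how pypi.sneakycorp.htb is served: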

developer@sneakymailer:/tmp$ cat /etc/nginx/nginx.conf
[truncated]
## Virtual Host Configs
##
	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;

# following the path to sites-enabled;
developer@sneakymailer:/tmp$ ls -la /etc/nginx/sites-enabled/
total 8
drwxr-xr-x 2 root root 4096 May 26  2020 .
drwxr-xr-x 8 root root 4096 May 14  2020 ..
lrwxrwxrwx 1 root root   46 May 14  2020 pypi.sneakycorp.htb -> /etc/nginx/sites-available/pypi.sneakycorp.htb
lrwxrwxrwx 1 root root   41 May 14  2020 sneakycorp.htb -> /etc/nginx/sites-available/sneakycorp.htb

developer@sneakymailer:/etc/nginx/sites-available$ cat pypi.sneakycorp.htb
# Catch-all virtual host for port 8080 (IPv4 and IPv6). It is marked
# default_server and defines no location or proxy_pass of its own.
server {
        listen 0.0.0.0:8080 default_server;
        listen [::]:8080 default_server;
        server_name _;
}


# Virtual host selected when the request names pypi.sneakycorp.htb.
server {
        listen 0.0.0.0:8080;
        listen [::]:8080;

        server_name pypi.sneakycorp.htb;

        # Every path is forwarded to the service on loopback port 5000; the
        # original Host header and the client address are passed along.
        location / {
                proxy_pass http://127.0.0.1:5000;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
        }
}
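# nginx listens on port 8080; requests to 8080 for pypi.sneakycorp.htb are proxied to localhost:5000. The default_server block has no proxy_pass, so the Host header has to match (hence the hosts entry).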
http://pypi.sneakycorp.htb:8080/
welcome to pypi server

developer@sneakymailer:/home$ ls -la
total 16
drwxr-xr-x  4 root  root  4096 May 14  2020 .
drwxr-xr-x 18 root  root  4096 May 14  2020 ..
drwxr-xr-x  8 low   low   4096 Jun  8  2020 low
drwx------  5 vmail vmail 4096 May 19  2020 vmail

PEAS

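# running processes: pypi-server (user pypi) listens on 127.0.0.1:5000 and checks the .htpasswd above for the update, download and list actions; install-modules.py runs as low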
pypi       683  0.0  0.6  36800 25888 ?        Ss   20:52   0:04 /var/www/pypi.sneakycorp.htb/venv/bin/python3 /var/www/pypi.sneakycorp.htb/venv/bin/pypi-server -i 127.0.0.1 -p 5000 -a update,download,list -P /var/www/pypi.sneakycorp.htb/.htpasswd --disable-fallback -o /var/www/pypi.sneakycorp.htb/packages
low       1086  0.0  0.5  29952 20796 ?        Ss   20:52   0:03 /home/low/venv/bin/python /opt/scripts/low/install-modules.py

╣ Binary processes permissions
lrwxrwxrwx 1 low  low        7 May 16  2020 /home/low/venv/bin/python -> python3
lrwxrwxrwx 1 root pypi      16 May 14  2020 /var/www/pypi.sneakycorp.htb/venv/bin/python3 -> /usr/bin/python3

╣ Active Ports
tcp        0      0 127.0.0.1:5000          0.0.0.0:*               LISTEN      -

╣ Users with console
root:x:0:0:root:/root:/bin/bash
developer:x:1001:1001:,,,:/var/www/dev.sneakycorp.htb:/bin/bash
low:x:1000:1000:,,,:/home/low:/bin/bash
uid=1000(low) gid=1000(low) groups=1000(low),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),119(pypi-pkg)

╣ Analyzing Htpasswd Files (limit 70)
-rw-r--r-- 1 root root 43 May 15  2020 /var/www/pypi.sneakycorp.htb/.htpasswd
pypi:$apr1$RV5c5YVs$U9.OTqF5n8K4mxWpSSR/p/

╣ Readable files belonging to root and readable by me but not world readable
-rwxr-x--- 1 root developer 405 May 26  2020 /opt/scripts/developer/clean-ftp.py

Enumerating /opt

developer@sneakymailer:/opt/scripts$ ls -la
total 20
drwxr-xr-x 5 root root      4096 May 26  2020 .
drwxr-xr-x 3 root root      4096 May 15  2020 ..
drwxr-x--- 2 root developer 4096 May 26  2020 developer
drwxr-x--- 2 root low       4096 Jun 23  2020 low
drwxr-x--- 2 root vmail     4096 Jun 23  2020 vmail

developer@sneakymailer:/opt/scripts$ find . -type f -ls
find: ‘./vmail’: Permission denied
find: ‘./low’: Permission denied
   146330      4 -rwxr-x---   1 root     developer      405 May 26  2020 ./developer/clean-ftp.py
   
developer@sneakymailer:/opt/scripts$ cat developer/clean-ftp.py
import os
import shutil
def main():
        """Delete everything under /var/www/dev.sneakycorp.htb.

        Walks the tree with os.walk and removes every directory (recursively)
        and every file it yields. PermissionError is the only exception
        handled here; anything else propagates to the caller.
        """
        # NOTE(review): how this script is scheduled, and as which user it
        # runs, is not visible in this listing -- confirm before relying on it.
        for root, directories, files in os.walk("/var/www/dev.sneakycorp.htb"):
                for directory in directories:
                        try:
                                # Recursive delete of the whole subdirectory.
                                shutil.rmtree(os.path.join(root, directory))
                        except PermissionError:
                                # Directories that cannot be removed are skipped silently.
                                pass
                for file in files:
                        try:
                                os.remove(os.path.join(root, file))
                        except PermissionError:
                                # Files that cannot be removed are reported on stdout by path.
                                print(os.path.join(root, file))


# Run the cleanup only when the file is executed directly, not on import.
if __name__ == "__main__":
        main()
