Web
Nmap discovered a web server running on the target port 80
The service running is nginx 1.14.2
The webroot redirects users to the domain sneakycorp.htb. The domain has been appended to the /etc/hosts file on Kali for local DNS resolution.
Webroot
It appears to be a communication platform for the development team. A user is already logged in and appears to be working on making PyPI available locally as well as on the mailing services.
/team.php
Clicking the Team tab leads to the team.php page, which lists a number of users along with their e-mail addresses. There are also some messages sent to the currently logged-in user by other users.
Username Extraction
I will copy the entire table and save it to a file (data)
┌──(kali㉿kali)-[~/archive/htb/labs/sneakymailer]
└─$ grep @ data | cut -f4 | cut -d '@' -f1 > users
┌──(kali㉿kali)-[~/archive/htb/labs/sneakymailer]
└─$ cat users
airisatou
angelicaramos
ashtoncox
bradleygreer
[...REDACTED...]
The pipeline above keeps only the lines containing an @ sign, takes the fourth tab-separated field (the e-mail address) and drops everything from the @ onward, leaving just the usernames.
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/sneakymailer]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://sneakycorp.htb/FUZZ -ic -e .php,.txt,.html
________________________________________________
:: Method : GET
:: URL : http://sneakycorp.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .php .txt .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
index.php [Status: 200, Size: 13543, Words: 3948, Lines: 335, Duration: 33ms]
img [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 32ms]
css [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 29ms]
team.php [Status: 200, Size: 26518, Words: 11161, Lines: 660, Duration: 30ms]
js [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 28ms]
vendor [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 31ms]
pypi [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 30ms]
:: Progress: [882188/882188] :: Job [1/1] :: 1398 req/sec :: Duration: [0:10:56] :: Errors: 0 ::
ffuf found a directory, /pypi/. It must be related to the PyPI service the team is working on.
/pypi/
Requesting the /pypi/ directory returns a 403 Forbidden.
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/sneakymailer]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://sneakycorp.htb/pypi/FUZZ -ic -e .php,.txt,.html
________________________________________________
:: Method : GET
:: URL : http://sneakycorp.htb/pypi/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .php .txt .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
register.php [Status: 200, Size: 3115, Words: 730, Lines: 82, Duration: 32ms]
:: Progress: [882188/882188] :: Job [1/1] :: 1352 req/sec :: Duration: [0:10:59] :: Errors: 0 ::
Fuzzing the /pypi/ directory reveals a single PHP file, register.php
/pypi/register.php
There is a sign-up form. Attempting to create a test account leads nowhere; nothing happens afterwards.
Sub-Domain / Virtual Host Enumeration
┌──(kali㉿kali)-[~/archive/htb/labs/sneakymailer]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.sneakycorp.htb' -fc 301
________________________________________________
:: Method : GET
:: URL : http://10.10.10.197/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.sneakycorp.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response status: 301
________________________________________________
dev [Status: 200, Size: 13742, Words: 4007, Lines: 341, Duration: 33ms]
:: Progress: [114441/114441] :: Job [1/1] :: 1384 req/sec :: Duration: [0:01:25] :: Errors: 0 ::
Found a single sub-domain / virtual host, dev. It has been appended to the /etc/hosts file on Kali.
dev.sneakycorp.htb
While dev.sneakycorp.htb appears to be much the same as the other site, this one contains the Register tab.
dev.sneakycorp.htb/pypi/register.php
It has the sign-up form
FTP
It was suspected that a directory found on the FTP server might be serving the web root of dev.sneakycorp.htb. Therefore, I placed a test file there and requested it over HTTP for confirmation.
┌──(kali㉿kali)-[~/archive/htb/labs/sneakymailer]
└─$ curl -s 'http://dev.sneakycorp.htb/test.txt'
testing
Theory confirmed: the directory present on the FTP server is serving the web root of dev.sneakycorp.htb.
Moving on to the Exploitation phase