Official SneakyMailer Discussion

Official discussion thread for SneakyMailer. Please do not post any spoilers or big hints.


Comments

  • All the best everyone!

  • Good luck everyone. I hope all enjoy the machine :)

  • that's a lot of possible users :(

  • User Blood: InfoSecJack, 00 days, 03 hours, 45 mins, 53 seconds.
    Root Blood: InfoSecJack, 00 days, 03 hours, 48 mins, 41 seconds.

    How did you do it?
    Did you have BFG-9000 or Big F.. Silver Bullet?
    It's cool

  • edited July 11

    I'm confused -- machine went live less than 3 hours ago -- yet it shows bloods at 3 hours 45+ minutes from going live... huh? what am I missing? Do VIP members get early access?

    Ricm916

  • @ricm916 said:

    I'm confused -- machine went live less than 3 hours ago -- yet it shows bloods at 3 hours 45+ minutes from going live... huh? what am I missing? Do VIP members get early access?

    The bloods are always about 3 hours out. It's a glitch in the way they are calculated.

    TazWake

    Happy to help people but PLEASE explain your problem in as much detail as possible!

    Also: https://www.nohello.com/

  • Rooted it! This was an interesting box! Thanks @sulcud! Time to go to bed now....

    ArtemisFY
    OSCP

  • I only enumerated the users. Can anyone give me a nudge, please?

  • Hey guys! I'm a bit new at this...having trouble finding a foothold...any nudges? I've done some basic enum, found several open ports/a dashboard, currently reading up on the whole SMTP/POP3/Courier IMAP stuff..

  • At least people waited more than the first 3 hours to ask for nudges. Looks like progress compared to normal release day!

  • any nudges!!
    bruteforcing!!

  • edited July 12
    *post removed by user*
  • edited July 12

    I created a user and I can verify that he exists (or his mailbox). But I am not able to authenticate. Is this the right way? Or is it a rabbit hole? I tried using curl too but no luck there.

  • edited July 12

    I have got creds for user p*pi, what to do next? Can someone give a nudge... am I in a rabbit hole?

    nvm rooted the box

  • @joenibe said:

    I created a user and I can verify that he exists (or his mailbox). But I am not able to authenticate. Is this the right way? Or is it a rabbit hole? I tried using curl too but no luck there.

    Rabbit hole ;)

    'These violent delights have violent ends'

  • edited July 12

    @Caracal said:

    @joenibe said:

    I created a user and I can verify that he exists (or his mailbox). But I am not able to authenticate. Is this the right way? Or is it a rabbit hole? I tried using curl too but no luck there.

    Rabbit hole ;)

    damnnnnn I have been trying that path for 6 hours

  • root nice box

  • edited July 12

    The flag rotation system has become more and more laggy... especially with new boxes, it's kind of frustrating.
    I mean I'm still trying to submit those flags, it's been 1 hour...

    Thanks for the box @sulcud.

    uid=0(root) gid=0(root) groups=0(root)
    sneakymailer

    'These violent delights have violent ends'

  • @Caracal said:

    The flag rotation system has become more and more laggy... especially with new boxes, it's kind of frustrating.
    I mean I'm still trying to submit those flags, it's been 1 hour...

    Thanks for the box @sulcud.

    uid=0(root) gid=0(root) groups=0(root)
    sneakymailer

    You should as @TazWake says... submit a ticket about this so that HTB can fix it. If enough of us keep submitting tickets eventually they will get the point.

  • Does anyone have a nudge for the foothold? I think I've looked into all possible msf exploits and some other exploits without luck.

  • This box is interesting so far. I haven't really gotten anywhere yet, but I've learned loads about mail servers.

    kneedeep

    Reality is often disappointing.

  • @Jfly said:

    Does anyone have a nudge for the foothold? I think I've looked into all possible msf exploits and some other exploits without luck.

    Enumeration, that's all, no need for exploit.

    'These violent delights have violent ends'

  • @Caracal said:

    @Jfly said:

    Does anyone have a nudge for the foothold? I think I've looked into all possible msf exploits and some other exploits without luck.

    Enumeration, that's all, no need for exploit.

    Thank you! Changing my approach then! :)

  • edited July 12

    Finally ... a foothold turned user... alas, doesn't look like that was what I needed. Back to the drawing board!

    Edit:
    [email protected]:~# id
    uid=0(root) gid=0(root) groups=0(root)

    Still more to learn about mail, that's for sure! Good box. The first 2/3 were at times frustrating, the last third was trivial. Will think about a proper set of hints to be posted later on after people get a fair crack at the box.

  • emoji hint for foothold:

    🎣

  • Spoiler Removed


    Hack The Box
    defarbs.com | Retired Machine Writeups! - "Let me just quote the late, great Colonel Sanders, who said, 'I'm too drunk... to taste this chicken.'"

  • edited July 13

    For the user part, could someone send me a good link/article to exploit the p*** server in PM? I think it is necessary to add my own key... Thanks!

    Update: I found it!

    Fr0Ggi3sOnTour

  • Finally rooted.
    Nice machine. Learnt a bunch of things.
    My hints:

    Initial Foothold - Fishing and your local machine is the bait.
    User - Enumeration - Google FU - Packages
    Root - The user has a super power.

    Thanks @sulcud for an interesting machine.

    A Chemist doing Penetration Testing - Check the Story here: BinaryBiceps

  • finally rooted

  • Spoiler Removed
