Official SneakyMailer Discussion

is it try to send something?
I get mail list but nothing can do next

Yesterday I completed this machine. My feelings about this one is a bit mixed. Altogether the machine is above medium or medium based machines are getting harder then earlier, because of the complexity. The first path of the user was quickly solvable and I like these interactive machines but when you have at least 3 passwords, things are getting complex. You need to think out of the box a bit, and that’s why I liked this machine (even though I hit my head on the wall when realized it).

If you know the specific script language internals you are good to go and this machine will be easy especially the root path. But if you’re not that type of person, you will have some hard time like I had. That part was frustrating and also the language has some annoying restricts/features (e.g. ’ vs ").

My hints (if there is a spoiler, pls remove it):

User: check your notes and try to find some relationship between the open services and the @-s on the site. You need some fishing rods and some cats to catch that fish :slight_smile:
After that do some basic enumeration in the service (also check your notes and use google). The brainfuck part is coming; some hosts contains more h***s in it. You can guess or brute it, it’s up to you. Once you find it, you will understand how to get in. Just do what you wanted to do first on FT, but you couldn’t trigger it.

ShellZ: you don’t need to stick with the service user, just change to the other one you got earlier. Then you need to understand how things are going. Check the running processes, and you will get a clue, how should you get that user. Once you found out, you need a little GoogleFu how trick this internal service to get what you want. I think this is the hardest part. Yes, you need to upload something but it’s not the uploaded package what gives you the shell, so do not overcomplicate this.

Root: strongly related to the previous service. Basic privilege enumeration and GTFOBins will bring you the joy.

Thanks @sulcud for this machine, I learned a brand new thing what I didn’t find in other machines earlier.

This box is offline every 5 minutes?

@zeroes said:

This box is offline every 5 minutes?

Not that I’ve noticed.

Well, that was quite a road to user.txt. Liked part with s****.** a lot! Getting root itself was a matter of a few seconds

And done! A few good learning points from this one. The path to user takes several long steps. Root was a breeze compared to it! If things arent working remember to check your package :slight_smile:

I thought that was one of the best boxes I’ve done on here. It was super engaging, used things I hadn’t really done in other boxes, and seemed like something that would be ultra realistic. Root was a bit disappointing because it was so trivial, but given the setup that’s probably pretty realistic, heh.

Thanks to @j88001 for the nudge on how to go spear fishing

Thanks to @sulcud , this machine was for some steps amazing :slight_smile:

The foothold was amazing but i need to search some nudge because, i have never do that before, i have never seen something before in this enviroment, so great machine! Try to user diffrent easy list, don’t complicate

For the user part, it was confusing, thanks to @rulzgz to make me more clearly about steps. For the user, i can say, sometimes, if you write keeping a sequence , maybe you can try to invert that sequence. Googling, most common sequence didnt work for me.

THe root part was easy, it takes 5 minutes.

this machine was really hard for me took me ages to get the initial foothold but finally got root learned a lot of new things with this machine, thanks @schizo , @joenibe , @zaero and @CurioCT you all helped me rooting this box. really, appreciated your help!!

This was a really fun box! Big thanks to @rulzgz for the nudges in the right direction!

Am I meant to make a new gmail account just for this? Wouldn’t google be, you know, not cool with that?

@user29 said:

Am I meant to make a new gmail account just for this? Wouldn’t google be, you know, not cool with that?

You don’t need to make any gmail account.

@user29 said:

Am I meant to make a new gmail account just for this? Wouldn’t google be, you know, not cool with that?

No. Boxes on HTB are pretty much self contained.

Anyone have problem accessing website on port 80? I added record to hosts file and can ping it by a hostname but when accessing by browser I got 504 gateway timeout, but ping/traceroute works

@SovietBeast said:

Anyone have problem accessing website on port 80? I added record to hosts file and can ping it by a hostname but when accessing by browser I got 504 gateway timeout, but ping/traceroute works

It depends on how you are trying to access it. There are subtle but important differences between how ping (which sends an ICMP echo request) and a HTTP GET request work.

However, the first thing I’d check is that you aren’t trying to proxy your requests through Burp or something similar. A HTTP504 error normally means a proxy has failed and there shouldn’t be one between you and the box here, unless you’ve put it there.

@TazWake I didnt try proxy it, but I left it for ~15 mins and it is working now. Nothing changed in my end in meantime so idk what happend. But thanks for reply.

@SovietBeast said:

@TazWake I didnt try proxy it, but I left it for ~15 mins and it is working now. Nothing changed in my end in meantime so idk what happend. But thanks for reply.

Ok - maybe it was just some weirdness on the box.

Finally, I own this one.

The user part it’s the most difficult part. The root part is really easy.

These are my hints for those that are hanged on the initial foothold and the user part.

##Foothold

Don’t focus on enumeration. After a basic enum doesn’t waste your time.
As others said, the key it’s on the mail server
Test all of those email accounts. I ended up making my own script to do it.
You will need to listen for incoming things to your local machine

##User

The most interesting part by far
Check if some passwords that you got allow you to access to another user account. In the end, this part isn’t really needed. You can use the initial shell to go further.
Check the vhosts
Try to understand how the service is working and how to deploy new packages
Also, it’s a must to listen to what’s happening when you upload a new package.

##Root

The easiest part. Classical privesc.

Cheers!

Rooted.

100% agree with the comment above from @n3b0r. It feels like this box is in reverse - the foothold and user are the toughest parts. Enjoyable box.

Happy to hint if needed.

did anyone ever try smtp-user-enum.pl ? I had looked at it during the beginning, but out of curiosity I tried it. It isn’t giving me results I expected.