Official SneakyMailer Discussion

@UrielY said:

can't find where to upload the package…

If you have a shell, you can use a variety of tools - curl, wget, nc etc.

I need a nudge on this box. I found mail addresses and I am having trouble listing which ones are valid. Doing it manually is frustrating; is there any script or tool I can use to automate this validation process via S**P? Or am I stuck in a rabbit hole? I am not very familiar with this scenario.

Thanks :slight_smile:

@parteeksingh said:

I need a nudge on this box. I found mail addresses and I am having trouble listing which ones are valid. Doing it manually is frustrating; is there any script or tool I can use to automate this validation process via S**P? Or am I stuck in a rabbit hole? I am not very familiar with this scenario.

Thanks :slight_smile:

It's not a rabbit hole, you might just need to think a bit broader. There are lots of things you can do with this information, including one of the most common initial steps of an attack.

@TazWake I tried more and used gobuster v***T and found one new subdomain. Still, I am struggling to find the valid user and what to do next. I have an idea: I need to find some mail from the user from someone, but how I can do that is what I am not getting :frowning:

@parteeksingh said:

@TazWake I tried more and used gobuster v***T and found one new subdomain. Still, I am struggling to find the valid user and what to do next. I have an idea: I need to find some mail from the user from someone, but how I can do that is what I am not getting :frowning:

Your idea isn’t quite right. You need to focus on how attacks in the real world work. You want to attack a user, so scanning with gobuster might not be the right idea.

Just started this box today. I’ve found multiple addresses and have been trying different bait to no avail. In real life you’d want to exploit a trust relationship between the sender and the targeted recipient to set the hook… Is that the case here? Or does the sender field not matter?

@japh42 said:

Just started this box today.

At a very basic level, this is a CTF so there is no human reading things. It may be possible to set up a script which demands specific syntax in the various fields but that seems unlikely and would largely make it a guessing game.

In a nutshell, the important bit is something to “click” on.

@TazWake said:

In a nutshell, the important bit is something to “click” on.

Yeah, I figured they had something scripted up to automate reading mail and clicking on things or executing attachments or something. I haven’t stumbled upon the correct payload yet to get the target to reach back to my system…

@japh42 said:

@TazWake said:

In a nutshell, the important bit is something to “click” on.

Yeah, I figured they had something scripted up to automate reading mail and clicking on things or executing attachments or something. I haven’t stumbled upon the correct payload yet to get the target to reach back to my system…

A simple one can be super effective.

@TazWake Thanks for the nudges. I found what is required and I now have a www-data shell… It took so long to figure out the correct way. Up to the shell, the box is quite tricky…

Hi guys.
I am trying to use the mail swiss army knife and have written a script to automate mail sending and to try to catch responses. This does not seem to work. I am also not sure if something similar is possible on the other mail ports.
Can someone let me know if I am on the right track?

@Parker said:

Hi guys.
I am trying to use the mail swiss army knife and have written a script to automate mail sending and to try to catch responses. This does not seem to work. I am also not sure if something similar is possible on the other mail ports.
Can someone let me know if I am on the right track?

You are on the right path and you have the right tool. The simpler the attack here the better.

@TazWake said:

@Parker said:

Hi guys.
I am trying to use the mail swiss army knife and have written a script to automate mail sending and to try to catch responses. This does not seem to work. I am also not sure if something similar is possible on the other mail ports.
Can someone let me know if I am on the right track?

You are on the right path and you have the right tool. The simpler the attack here the better.

It also only seems to work with the main port, not the other 2, so I can stick to this port then.

@Parker said:

It also only seems to work with the main port, not the other 2, so I can stick to this port then.

Yeah - you don't need to specify a port for this stage of the attack.

Holy. I just finished the machine. Very challenging, very ctf-like and full of rabbit holes.

Roller coaster of emotions throughout and learned a bunch of new techniques!

Thanks to the creator. As always, ping me if you need a nudge in the right track.

Cheers!

I enjoyed that box a lot. Slightly CTF-y but in a good way and to sort of make a natural situation acceptable in the HTB setup. The user flag was a bit tricky as I was trying to guess the intention of the creator and didn’t really get it… I thought the stuff we are supposed to create would be used/called/imported in a different way to what it actually is…

Hi all,
So HTB is about learning. It took me 2 days to get a script to work to receive credentials. With the script to receive credentials on my listener, what exactly happened? How did it get to send from that port to my listening port? I assume this is only a CTF thing and it's running a script to do this. In the real world, for a pen tester, would this happen?

@Parker said:

Hi all,
So HTB is about learning. It took me 2 days to get a script to work to receive credentials. With the script to receive credentials on my listener, what exactly happened? How did it get to send from that port to my listening port? I assume this is only a CTF thing and it's running a script to do this. In the real world, for a pen tester, would this happen?

The short answer is “possibly”, but this is, as you said, a CTF.

In a pentest (or an attack) you would be recreating these steps, you’d just have to do it in a different way.

@Parker said:

Hi all,
So HTB is about learning. It took me 2 days to get a script to work to receive credentials. With the script to receive credentials on my listener, what exactly happened? How did it get to send from that port to my listening port? I assume this is only a CTF thing and it's running a script to do this. In the real world, for a pen tester, would this happen?

This particular scenario cannot happen. But my approach to this was initially to load an and see if I would get an answer. If yes, let’s see what I can do with it (cookies?). It turns out you get served credentials on a platter. Yes, that’s unrealistic, but the original idea is not.

Yeah - I think the idea is sound and very relevant, it just needed to be modified for the CTF environment.

Although, I have seen similar approaches used by an internally positioned pentester with responder.