Official SneakyMailer Discussion

I enjoyed that box a lot. Slightly CTF-y but in a good way and to sort of make a natural situation acceptable in the HTB setup. The user flag was a bit tricky as I was trying to guess the intention of the creator and didn’t really get it… I thought the stuff we are supposed to create would be used/called/imported in a different way to what it actually is…

Hi all,
So HTB is about learning. It took me 2 days to get a script to work to receive credentials. With the script to receive credentials on my listener, what exactly happened? How did it get to send from that port to my listening port? I assume this is only a CTF thing and it’s running a script to do this. In the real world, for a pen tester, would this happen?

@Parker said:

Hi all,
So HTB is about learning. It took me 2 days to get a script to work to receive credentials. With the script to receive credentials on my listener, what exactly happened? How did it get to send from that port to my listening port? I assume this is only a CTF thing and it’s running a script to do this. In the real world, for a pen tester, would this happen?

The short answer is “possibly”, but this is, as you said, a CTF.

In a pentest (or an attack) you would be recreating these steps, you’d just have to do it in a different way.

@Parker said:

Hi all,
So HTB is about learning. It took me 2 days to get a script to work to receive credentials. With the script to receive credentials on my listener, what exactly happened? How did it get to send from that port to my listening port? I assume this is only a CTF thing and it’s running a script to do this. In the real world, for a pen tester, would this happen?

This particular scenario cannot happen. But my approach to this was initially to load an and see if I would get an answer. If yes, let’s see what I can do with it (cookies?). It turns out you get served credentials on a platter; yes, that’s unrealistic, but the original idea is not.

Yeah - I think the idea is sound and very relevant, it just needed to be modified for the CTF environment.

Although, I have seen similar approaches used by an internally positioned pentester with responder.

@lebutter said:

This particular scenario cannot happen. But my approach to this was initially to load an and see if I would get an answer. If yes, let’s see what I can do with it (cookies?). It turns out you get served credentials on a platter; yes, that’s unrealistic, but the original idea is not.

Yeah, I rationalized it in my head by saying, “Well, maybe that user was attempting to authenticate to an unencrypted web-mail server link that I sent, except that’s not what I sent, but I could have.” :smiley:

Can someone send me a DM with any hints on how to upload my snake package? I found 2 sets of creds, and I believe one of them should allow me to upload it so that some intern does their job but all I get are 403s. Any help would be appreciated.

@run4w4ym0nk3y said:

Can someone send me a DM with any hints on how to upload my snake package? I found 2 sets of creds, and I believe one of them should allow me to upload it so that some intern does their job but all I get are 403s. Any help would be appreciated.

If you have the right creds you can log in and then use the application to upload things.

If you can’t log in, you might not have the right creds.

Interesting box - anyone got this error using a potential initial path with the proverbial “rod” method?
ERROR => TLS setup failed: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

@c140 said:

Interesting box - anyone got this error using a potential initial path with the proverbial “rod” method?
ERROR => TLS setup failed: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Have you tried connecting to a non-TLS port? Chances are this is a self-signed cert.

@TazWake : hey Thanks! But yes actually I did specify the classic non-TLS port for mail protocol (script allows server:port syntax) but same err msg was returned - perhaps I’m simply using the wrong script ¯_(ツ)_/¯ — it kind of felt like the one I need, but sometimes first impressions can be deceiving…anyway, thanks for that: will keep searching for more options…

@c140 said:

@TazWake : hey Thanks! But yes actually I did specify the classic non-TLS port for mail protocol (script allows server:port syntax) but same err msg was returned - perhaps I’m simply using the wrong script ¯_(ツ)_/¯ — it kind of felt like the one I need, but sometimes first impressions can be deceiving…anyway, thanks for that: will keep searching for more options…

Depending on what you are trying to do, and which stage you are at, you might be better writing your own.

I’ve managed to log in successfully to FTP but I am getting a ‘425 failed to establish connection’ error. I’ve reset the box a couple of times but I still get the same error. Very weird because 1-2 days ago I logged into FTP with the same creds and it would respond to my commands. Any ideas on how to troubleshoot this?

@0xR3tr0z said:

I’ve managed to log in successfully to FTP but I am getting a ‘425 failed to establish connection’ error. I’ve reset the box a couple of times but I still get the same error. Very weird because 1-2 days ago I logged into FTP with the same creds and it would respond to my commands. Any ideas on how to troubleshoot this?

Often that means a firewall is in the way or something similar. Do you get a 200 immediately before it?

This sw**s step has me incredibly, incredibly, confused.

How tf does this work? Good thing we like realism here…

@LMAY75 said:

This sw**s step has me incredibly, incredibly, confused.

How tf does this work? Good thing we like realism here…

Well, there are many tools that could be used here.

The reality is that recreating this step in a CTF is nearly impossible and adding the extra steps between A and B here would make the box tedious.

The reality is that you can achieve the end state via the path on the box, it just normally needs a lot more stages. Would it help to jump through the extra hoops?

There are even ways (UNC) that can be as simple as this.

I need a nudge

@TazWake said:

@LMAY75 said:

This sw**s step has me incredibly, incredibly, confused.

How tf does this work? Good thing we like realism here…

Well, there are many tools that could be used here.

The reality is that recreating this step in a CTF is nearly impossible and adding the extra steps between A and B here would make the box tedious.

The reality is that you can achieve the end state via the path on the box, it just normally needs a lot more stages. Would it help to jump through the extra hoops?

There are even ways (UNC) that can be as simple as this.

Oh no, I knew what to do, I just thought it was kinda stupid. Saying ‘hello’ and getting full creds back is a little weird.

I understand it’s the only way you could do it for a box tho.

Very stuck on the package step, any help would be greatly appreciated.

Especially links to documentation on the “exploit”. I mostly just don’t understand the concept and I can’t find anything about it.

@ToxicBiohazard said:

I need a nudge

Look for open ports and exploit them.