Snoopy – HackTheBox Writeup

Machine Name: Snoopy
IP: 10.10.11.212
Difficulty: Hard

Summary

Snoopy is a hard machine that starts with discovering subdomains through DNS zone transfer, and exploiting an LFI to obtain site configuration files that revealed mailserver secret key. The key was used to update the mail server’s DNS records to receive mails on my local SMTP server. The mattermost subdomain discovered had an “email password reset link” page. The password was received on the SMTP server for user cbrown. Authenticated session of mattermost provided an option to interact with the server through SSH which was intercepted to perform a man-in-the-middle attack to fetch the SSH credentials of cbrown. The user cbrown could run “git apply” command as user sbrown which was exploited by using a known vulnerability that uses symbolic links to access files of the user running Git. This was used to write the SSH public key into sbrown and gain a SSH shell. Privilege escalation involved exploiting ClamAV’s XXE vulnerability to fetch the private key of root.

Read More