This is my writeup for HackTheBox's machine called Delivery. The machine was created by the legend himself, ippsec. It is rated easy and has a really interesting way to get a foothold. The machine runs OSTicket on helpdesk.delivery.htb and Mattermost on delivery.htb on port 8065. A conversation on the Mattermost server indicates that the password can probably be cracked with careful use of rules. Anyway, let's begin.
Reconnaissance
I use a tool called nmapAutomator, which I can recommend; alternatively you can also use AutoRecon.
# Nmap 7.91 scan initiated Tue May 11 19:52:45 2021 as: nmap -sCV -p8065 -oN nmap/Full_Extra_delivery.htb.nmap --dns-server=1.1.1.1 --stats-every 2s delivery.htb
Nmap scan report for delivery.htb (10.10.10.222)
Host is up (0.082s latency).
rDNS record for 10.10.10.222: delivery

PORT     STATE SERVICE VERSION
8065/tcp open  unknown
| fingerprint-strings:
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     400 Bad Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Tue, 11 May 2021 13:55:47 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: tf83qex7hig9ub9m8d6pqjw7ry
|     X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
|     Date: Tue, 11 May 2021 14:22:52 GMT
|     <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
|   HTTPOptions:
|     HTTP/1.0 405 Method Not Allowed
|     Date: Tue, 11 May 2021 14:22:52 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 11 19:54:17 2021 -- 1 IP address (1 host up) scanned in 92.08 seconds
Enumeration
HTTP / 80
So I began my enumeration with port 80, which runs an HTTP server. Visiting the webpage, I was greeted with a landing page like the one below.
I began by brute-forcing directories and inspecting the page source. I then clicked on the Contact Us page, which gave an interesting message.
CONTACT US
For unregistered users, please use our HelpDesk to get in touch with our team. Once you have an @delivery.htb email address, you'll be able to have access to our MatterMost server.
That is an interesting hint; we will keep it in mind. The message also points us to helpdesk.delivery.htb, so we add that to our /etc/hosts and poke at it.
Visiting helpdesk.delivery.htb, we see that it's running OSTicket.
After some poking around I submitted an issue on the panel.
Once the request was submitted, I saw that an email address had been created for us, tied exactly to our ticket id.
The part where OSTicket says "If you want to add more information to your ticket, just email: <email>" is interesting. It looks like we can receive mail on this temporarily generated address and read it. So it's time to pay Mattermost on port 8065 a visit.
MatterMost / 8065
Visiting Mattermost, I failed a few attempts to register my account correctly, but my second try succeeded. I registered an account with that temporary email and received an activation link for it. I could then log in to my newly created account.
After logging in to Mattermost, I saw some messages from a user named root. He has provided credentials in clear text and is warning about their hash being cracked.
Exploitation
Using the clear-text credentials found on Mattermost, we can now log in via SSH as the user maildeliverer.
Privilege Escalation
After some preliminary checks I visited Mattermost's install directory in /opt/mattermost. Inside its config folder is an interesting file called config.json, in which the password to Mattermost's database is written in plain text.
This shows the database user to be mmuser with the password Crack_The_MM_Admin_PW.
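The weak link here is that a low-privilege shell user could read the database DSN out of config.json. The script below is an added example, not part of the writeup or of Mattermost: it audits a config.json for an embedded database password and for a file mode that lets other local accounts read it. The sample config is constructed (using the credentials quoted above), and MM_SQLSETTINGS_DATASOURCE is Mattermost's documented environment-variable override for that setting.

```python
import json
import os
import re
import stat
import tempfile

# Constructed sample of the SqlSettings block of a Mattermost config.json. The DSN
# shape (user:pass@tcp(host:port)/db?params) is the Go MySQL driver's.
SAMPLE_CONFIG = {
    "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost"
                      "?charset=utf8mb4,utf8&readTimeout=30s&writeTimeout=30s",
    },
}
DSN_RE = re.compile(r"^(?P<user>[^:@]+):(?P<password>[^@]*)@(?P<rest>.+)$")

def parse_dsn(dsn):
    """Return (user, password, rest) if the DSN embeds a password, else None."""
    m = DSN_RE.match(dsn)
    if not m or not m.group("password"):
        return None
    return m.group("user"), m.group("password"), m.group("rest")

def audit_config(path):
    """List the ways a Mattermost config.json exposes its database password."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        # Any local account (here: maildeliverer) can read the file.
        findings.append(f"{path} is group/world readable (mode {mode:04o})")
    with open(path) as fh:
        cfg = json.load(fh)
    creds = parse_dsn(cfg.get("SqlSettings", {}).get("DataSource", ""))
    if creds:
        user, _, rest = creds
        host = rest.split("/", 1)[0]
        # Remedy: pass the DSN via MM_SQLSETTINGS_DATASOURCE and make the file 0600.
        findings.append(f"SqlSettings.DataSource embeds a password for {user}@{host}")
    return findings

def write_sample(mode=0o644):
    """Write SAMPLE_CONFIG to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(SAMPLE_CONFIG, fh, indent=2)
    os.chmod(path, mode)
    return path
```

Running `audit_config(write_sample())` reports both problems; with mode 0600 only the embedded password remains.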
Logging in to mysql as mmuser, I got this:
Now I wrote PleaseSubscribe! to a file as the wordlist, extracted the hashes from this table, and started cracking them with the best64 rule. Within the next minute the password cracked to PleaseSubscribe!21.