HackTheBox - Delivery

Brief

This is my writeup for HackTheBox's machine called Delivery. This machine is created by the legend himself, ippsec. This machine is an easy machine which has a really interesting way to get a foothold. The machine is running OSTicket on helpdesk.delivery.htb and Mattermost on delivery.htb on port 8065. A conversation on the Mattermost server indicates that the password can possibly be cracked with the careful use of rules. Anyway, let's begin.

Reconnaissance

I use a tool called nmapAutomator, which I can recommend; alternatively, you can also use AutoRecon.

Nmap Scan

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
| 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_ 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
8065/tcp open unknown
| fingerprint-strings:
| GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Cache-Control: no-cache, max-age=31556926, public
| Content-Length: 3108
| Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
| Content-Type: text/html; charset=utf-8
| Last-Modified: Tue, 11 May 2021 13:55:47 GMT
| X-Frame-Options: SAMEORIGIN
| X-Request-Id: tf83qex7hig9ub9m8d6pqjw7ry
| X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
| Date: Tue, 11 May 2021 14:22:52 GMT

Nmap Higher Port Scan

# Nmap 7.91 scan initiated Tue May 11 19:52:45 2021 as: nmap -sCV -p8065 -oN nmap/Full_Extra_delivery.htb.nmap --dns-server=1.1.1.1 --stats-every 2s delivery.htb
Nmap scan report for delivery.htb (10.10.10.222)
Host is up (0.082s latency).
rDNS record for 10.10.10.222: delivery

PORT STATE SERVICE VERSION
8065/tcp open unknown
| fingerprint-strings:
| GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Cache-Control: no-cache, max-age=31556926, public
| Content-Length: 3108
| Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
| Content-Type: text/html; charset=utf-8
| Last-Modified: Tue, 11 May 2021 13:55:47 GMT
| X-Frame-Options: SAMEORIGIN
| X-Request-Id: tf83qex7hig9ub9m8d6pqjw7ry
| X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
| Date: Tue, 11 May 2021 14:22:52 GMT
| <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Date: Tue, 11 May 2021 14:22:52 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 11 19:54:17 2021 -- 1 IP address (1 host up) scanned in 92.08 seconds

Enumeration

HTTP / 80

So I began my enumeration with port 80, which is running an HTTP server. After I visited the webpage I was greeted with a landing page like the one below.

Landing Page.

I began my investigation by brute-forcing directories and inspecting the page source. After doing so, I clicked on the Contact Us page, which gave an interesting message.

Interesting message

CONTACT US
For unregistered users, please use our HelpDesk to get in touch with our team. Once you have an @delivery.htb email address, you'll be able to have access to our MatterMost server.

That is an interesting hint. We will keep that in mind. Continuing, we see it pointing us to helpdesk.delivery.htb; we will add it to our /etc/hosts and poke at it.

Visiting helpdesk.delivery.htb, we see that it's running OSTicket.

Helpdesk OSTicket Landing Page

After some poking around I submitted an issue on the panel.

Submitting an issue

Once the request was submitted, I saw that an email address was registered for us, matching our ticket ID.

The part where OSTicket says "If you want to add more information to your ticket, just email: <email>" is interesting. It looks like we can receive emails at this temporarily generated address and read them. So it looks like it's time to pay MatterMost on port 8065 a visit.

MatterMost / 8065

Visiting MatterMost, I failed some attempts to register my account correctly, but on my second try I succeeded. I registered an account with that temporary email and I received an activation link for it. I could then log in to my newly created account.

Logging In

Logged In

After logging in to MatterMost, I saw some messages from a user named root. He has provided credentials in clear text and is warning that their hash could be cracked.

Conversation on Mattermost

Exploitation

Using the clear-text credentials found on MatterMost, we can now log in via SSH as the user maildeliverer.

SSH logged in

Privilege Escalation

After some preliminary checks I visited the config directory of MatterMost in /opt/mattermost. An interesting file is found inside the config folder of the MatterMost directory, called config.json. In it, the password to MatterMost's database is written in plain text.

"DataSource":"mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s"

This indicates the user is mmuser and the password is Crack_The_MM_Admin_PW.
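The DataSource line above is the Go MySQL DSN that Mattermost reads from SqlSettings in config.json; the finding on this box is that the database password sits in it in plaintext, in a file that a low-privileged shell could read. As an added example (my code, not the post's and not Mattermost's own), here is a small audit that parses that DSN, reports a redacted form, and flags a file mode that lets non-owner accounts read the config. The config fragment is constructed from the quoted line; the parser does not handle passwords that contain "@" or ":".

```python
import json
import re
import stat

# Shape of the Go MySQL DSN that Mattermost keeps in SqlSettings.DataSource:
#   user:password@tcp(host:port)/database?params
# (a password containing '@' or ':' would need escaping this simple parser does not handle)
DSN_RE = re.compile(
    r"^(?P<user>[^:@]+)(?::(?P<password>[^@]*))?@"
    r"(?P<proto>\w+)\((?P<addr>[^)]+)\)/(?P<db>[^?]*)(?:\?(?P<params>.*))?$"
)

# Constructed config fragment modelled on the DataSource line quoted above; not the real config.json
SAMPLE_CONFIG = json.dumps({
    "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost"
                      "?charset=utf8mb4,utf8&readTimeout=30s&writeTimeout=30s",
    }
})


def parse_dsn(dsn):
    """Split a DSN into its parts; raises ValueError on anything that does not match."""
    m = DSN_RE.match(dsn)
    if not m:
        raise ValueError("unrecognised DSN format")
    return m.groupdict()


def redact_dsn(dsn):
    """The form of the DSN that is safe to put in a finding or a log line."""
    p = parse_dsn(dsn)
    tail = f"?{p['params']}" if p["params"] else ""
    return f"{p['user']}:***@{p['proto']}({p['addr']})/{p['db']}{tail}"


def readable_by_others(mode):
    """True if the file mode grants read access to group or world (0o640, 0o644, ...)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_config(text, mode=0o600):
    """Return findings for a config.json body and the mode of the file it was read from."""
    findings = []
    dsn = json.loads(text).get("SqlSettings", {}).get("DataSource", "")
    if not dsn:
        return findings
    if parse_dsn(dsn)["password"]:
        findings.append(f"plaintext database password in DataSource: {redact_dsn(dsn)}")
    if readable_by_others(mode):
        findings.append(f"config file mode {oct(mode)} lets non-owner accounts read it")
    return findings
```

Mattermost can also take this setting from the MM_SQLSETTINGS_DATASOURCE environment variable, which keeps the secret out of a file that other local users may be able to read.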

Logging in to MySQL as mmuser, I got this:

MySQL login

All hashes of registered users in MatterMost

Now, I wrote PleaseSubscribe! to a file, extracted the hashes from this table and started cracking them with the best64 rule; within the next minute I had cracked the password: PleaseSubscribe!21

hashcat -m 3200 ../../dump/hash wordlist -r best64.rule
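The crack above works because root's real password is one best64-style rule away from a word he had already named in the chat. As an added example (my code, not hashcat's and not from the original post), here is a small rule engine covering a subset of hashcat's rule functions, used the way a password-policy hook would use it: reject a candidate that is a rule-mangling of a word already known (from a chat, a breach list, or the user's previous password). The rule list is a constructed subset in the style of best64.rule, not the real file.

```python
# Subset of hashcat's rule language: a rule is a whitespace-separated list of functions
# applied left to right (":" no-op, "l" lower, "u" upper, "c" capitalise, "r" reverse,
# "d" duplicate, "$X" append X, "^X" prepend X). Not hashcat's own code.
def apply_rule(word, rule):
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "r":
            word = word[::-1]
        elif op == "d":
            word = word + word
        elif op == "$":
            word = word + arg
        elif op == "^":
            word = arg + word
        elif op != ":":
            raise ValueError(f"unsupported rule function {fn!r}")
    return word

# Constructed rule list in the style of best64.rule (its case and digit-append rules are what
# turn "PleaseSubscribe!" into "PleaseSubscribe!21"); the real file has 64 rules.
RULES = [":", "l", "u", "c", "r", "d", "$1", "$2", "$1 $2", "$2 $1", "$1 $2 $3",
         "$2 $0 $2 $1", "$!", "^1", "c $1", "u $1"]

def candidates(words, rules):
    """Yield (candidate, base word, rule) for every distinct mangling of the known words."""
    seen = set()
    for base in words:
        for rule in rules:
            cand = apply_rule(base, rule)
            if cand not in seen:
                seen.add(cand)
                yield cand, base, rule

def derived_from_known_word(password, words, rules=RULES):
    """Policy check: (base word, rule) if password is a rule-mangled known word, else None."""
    for cand, base, rule in candidates(words, rules):
        if cand == password:
            return base, rule
    return None

if __name__ == "__main__":
    # The chat on the box named "PleaseSubscribe!"; the cracked password is one rule away.
    print(derived_from_known_word("PleaseSubscribe!21", ["PleaseSubscribe!"]))
```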

Proof

echo && echo -n "Hostname : " && hostname && echo && echo "IP Address : " && ifconfig 2>/dev/null || ip addr && echo && echo -n "root.txt : " && cat /root/root.txt && echo && echo -n "user.txt : " && cat /home/maildeliverer/user.txt && echo && echo -n "whoami : " && whoami && echo

Proof