Delivery (Easy)

Delivery Hackthebox Walkthrough

Enumeration

Nmap

nmap -sC -sV -oA nmap/delivery 10.10.10.222
# Nmap 7.91 scan initiated Tue May 18 11:26:53 2021 as: nmap -sC -sV -oA nmap/delivery 10.10.10.222
Nmap scan report for 10.10.10.222
Host is up (0.14s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 18 11:27:26 2021 -- 1 IP address (1 host up) scanned in 33.21 seconds

We can see that port 80 is open. Let's navigate to it.

After some exploration, I found that CONTACT US and HELPDESK each lead to another link.

CONTACT US leads to a service called Mattermost.

Notice that we can't access this link yet because it redirects to a domain name, so we need to add the IP and the domain to the /etc/hosts file.

After that, we will get a completely new webpage.

After poking around, we find that we can create a new ticket by clicking Open New Ticket.

After submitting, a ticket will be created.

From the message above, we can see that to add more information to the ticket, we just email the address provided in the message body.

When we explore account creation for the Mattermost service and register with our own Gmail address, we never seem to receive the verification email (or should I say, we must register with an email address on the domain).

Linking this with the email address provided above, we can use that address to register.

Then we can use Check Ticket Status by entering the email and ticket ID that were provided just now.

Wow, we got the verification. We proceed to verify the account and log in.

There are some messages posted by root, and a set of credentials is given.

maildeliverer:Youve_G0t_Mail!

Remember that port 22 is open? Let's SSH into it.

Finally got a foothold.

Privilege Escalation

After poking around for some time, we found that MySQL is running, and we found a config.json inside the /opt/Mattermost/config directory.

    "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false
    },

The DataSource value above contains the database credentials, which are

mmuser:Crack_The_MM_Admin_PW
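
From the defender's side, this exposure is easy to audit for. The Python check below is an added example, not part of the original walkthrough or of Mattermost itself; it flags a world-readable config.json and a DataSource DSN that embeds a password, without echoing the secret. The names audit_config and demo are hypothetical, and the sample config is constructed with placeholder secrets.

```python
import json
import os
import re
import stat
import tempfile

# go-sql-driver style DSN: user:password@protocol(address)/dbname?params
DSN_RE = re.compile(r"^(?P<user>[^:@/]+):(?P<password>.*)@(?P<proto>\w+)\((?P<addr>[^)]*)\)/")

# Constructed sample modelled on the SqlSettings excerpt; secrets are placeholders.
SAMPLE = {"SqlSettings": {
    "DriverName": "mysql",
    "DataSource": "mmuser:EXAMPLE_ONLY@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4",
    "AtRestEncryptKey": "EXAMPLE_KEY_PLACEHOLDER",
}}

def audit_config(path):
    """Return findings for a Mattermost-style config.json without echoing secrets."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"{path} is world-readable (mode {mode:o})")
    with open(path, encoding="utf-8") as fh:
        sql = json.load(fh).get("SqlSettings", {})
    m = DSN_RE.match(sql.get("DataSource", ""))
    if m and m.group("password"):
        findings.append("DataSource embeds a plaintext password for DB user "
                        f"'{m.group('user')}' at {m.group('addr')}")
    if sql.get("AtRestEncryptKey"):
        findings.append("AtRestEncryptKey is stored in the same file")
    return findings

def demo():
    """Audit the constructed sample at mode 0644, then again at 0600."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(SAMPLE, fh)
        os.chmod(path, 0o644)
        loose = audit_config(path)
        os.chmod(path, 0o600)
        tight = audit_config(path)
    return loose, tight

if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, *result, sep="\n  ")
```

Tightening the file mode removes only the first finding; the embedded password and key remain readable to any account that can open the file.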

We log in to the MySQL server and output the data records of the Users table.

Note: I selected only the username and password columns because the full output is too messy.

Notice that we got the hash of the root password.

Recalling root's messages in the Mattermost service, they hint at using hashcat rules to crack the password.

Hashcat

We first need to create a wordlist for cracking the password. For this round we just need to put PleaseSubscribe! in it.

Then we need to specify the attack type, the hash type (bcrypt), and the rules to apply.

We are going to use the rules from /usr/share/hashcat/rules/best64.rule

hashcat -a 0 -m 3200 hash wordlist -r /usr/share/hashcat/rules/best64.rule -o cracked.txt -w 3 -O

After running the command above, we finally crack the hash; the password is PleaseSubscribe!21

Finally we can su to root!

Congrats!
