Introduction

Name: Delivery
Release date: 09 Jan 2021
IP: 10.10.10.222
OS: Linux
Creator: ippsec
Points: 20
Difficulty: Easy
Retired date: 22 May 2021

Delivery is an easy machine from HackTheBox. It starts with three open ports: SSH on 22, HTTP on 80 and an unknown service on 8065 that later turns out to be Mattermost. Mattermost requires a @delivery.htb e-mail address, which we obtain from the other service, an osTicket help desk system. Combining the two gives us SSH credentials for a user; from there we obtain MySQL credentials, dump the root hash and crack it using Hashcat rules and a hint found in Mattermost.

Before starting I should mention that the IP address of Delivery looks different in this article because I have VIP+, which gives me a dedicated instance of the target machines.

Recon

Nmap

An nmap full TCP scan shows three open ports: 22, 80 and 8065.

  • -p- scans all 65535 ports
  • --min-rate sets the minimum number of packets sent per second

sudo nmap -p- --min-rate 5000 -oA recon/full-tcp 10.129.148.97
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-20 18:37 UTC
Nmap scan report for 10.129.148.97
Host is up (0.012s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8065/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds

nmap targeted scan with:

  • -sV to get the versions of the services
  • -sC to run the default scripts

The scan found three services running:

  • 22: SSH, the default SSH port, normally not useful at the beginning.
  • 80: HTTP, our first enumeration point.
  • 8065: according to nmap the service is unknown, but the fingerprint looks like HTTP.

sudo nmap -p22,80,8065 -sC -sV -oA recon/targeted 10.129.148.97
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-20 18:52 UTC
Nmap scan report for 10.129.148.97
Host is up (0.0099s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp   open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open  unknown
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Thu, 20 May 2021 18:35:09 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: fasw7gawcpy8tfkcrpb8f4zype
|     X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
|     Date: Thu, 20 May 2021 18:52:39 GMT
|     <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Date: Thu, 20 May 2021 18:52:39 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 91.35 seconds

HTTP port 80

Starting with port 80, which serves a fancy-looking web page.

[screenshot: port 80]

The contact section has two interesting links whose hostnames should be added to /etc/hosts:

[screenshot: contact us]

Edit /etc/hosts

Adding delivery.htb and helpdesk.delivery.htb to /etc/hosts.

# add to /etc/hosts
10.129.148.97  delivery.htb helpdesk.delivery.htb

Now we can visit the two links and see the content.

[screenshot: edit /etc/hosts]

Mattermost

By visiting http://delivery.htb:8065/ we see Mattermost, which according to Wikipedia is:

Mattermost is an open-source, self-hostable online chat service with file sharing, search, and integrations. It is designed as an internal chat for organisations and companies, and mostly markets itself as an open-source alternative to Slack and Microsoft Teams.

Searching ExploitDB yielded no results. We can log in or register a new account.

[screenshot: mattermost]

Creating account in Mattermost

Time to register a new account to explore the channels on the system.

[screenshot: registering account]

Oh no! Looks like we need to verify our e-mail address, but we can't, since HTB does not allow internet access to vulnerable machines. That means there is nothing more we can do here for now.

[screenshot: e-mail verification request]

Help Desk

Time to move on to http://helpdesk.delivery.htb/, which is a help desk system.

osTicket is an open source help desk management solution that offers ticket management and IT asset management within a suite. The system can only be deployed in the cloud and is suited for small and midsize enterprise customers.

[screenshot: osTicket system]

Let's open a new ticket.

[screenshot: opening new ticket]

Look at that: we obtained a @delivery.htb e-mail address which we can use to create an account in Mattermost. There was a hint about this on the contact us page at the beginning.

[screenshot: obtaining @delivery.htb]

Let's circle back to Mattermost at http://delivery.htb:8065/ and create an account using the new @delivery.htb e-mail address obtained from the osTicket help desk system.

[screenshot: creating account]

Let's log in to osTicket by clicking on Check Ticket Status to verify the e-mail address for the account created in Mattermost.

[screenshot: check ticket status]

We got the e-mail confirmation request; now we copy the link and paste it in the browser to verify our e-mail address.

[screenshot: registration successful]

Login to Mattermost

We have access to Mattermost and see that one team exists: internal.

[screenshot: joining internal team]

Nicely done, we can see the internal team messages: there are SSH credentials and what looks like a hint for the root password.

# SSH credentials
maildeliverer:Youve_G0t_Mail!

[screenshot: juicy info]

SSH Access

We use the previously obtained credentials to SSH to the server and retrieve the user.txt flag.

[screenshot: SSH access]

Privilege Escalation

Finding config.json

After gaining access to the server as the user and looking around for any way to escalate privileges, we found a juicy file in /opt/mattermost/config.

[screenshot: /opt/mattermost/config]

Looking at the content of config.json we get the MySQL credentials, stored in clear text, together with the database name mattermost.

[screenshot: config.json]

"SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false
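As an added example (not Mattermost's code or part of the original writeup), the helper below parses the Go MySQL DSN found in SqlSettings.DataSource and reports what a reader of config.json learns from it, without echoing the password; it is the kind of check an administrator can run to spot cleartext database secrets in a Mattermost config. The password and key values in the sample config are constructed placeholders, and the `\u0026` escapes mirror how the real file encodes `&`.

```python
"""Audit helper for SqlSettings in a Mattermost config.json (added example,
not Mattermost's own code). It parses the Go-MySQL-Driver DSN stored in
DataSource and lists the cleartext secrets the file exposes, without
printing the password itself."""
import json
import re

# Go-MySQL-Driver DSN layout: [user[:password]@][net[(addr)]]/dbname[?k=v&...]
_DSN_RE = re.compile(
    r"^(?:(?P<user>[^:@]*)(?::(?P<password>[^@]*))?@)?"
    r"(?:(?P<net>\w+)(?:\((?P<addr>[^)]*)\))?)?"
    r"/(?P<db>[^?]*)(?:\?(?P<params>.*))?$"
)


def parse_mysql_dsn(dsn):
    """Split a Go MySQL DSN into its parts; raises ValueError if it does not parse."""
    m = _DSN_RE.match(dsn)
    if not m:
        raise ValueError("not a Go MySQL DSN")
    parts = m.groupdict()
    parts["params"] = dict(p.split("=", 1) for p in (parts["params"] or "").split("&") if "=" in p)
    return parts


def audit_sql_settings(config_text):
    """Return findings (strings) for secrets exposed by SqlSettings in config.json."""
    sql = json.loads(config_text).get("SqlSettings", {})   # json.loads decodes \u0026 to &
    findings = []
    dsn = parse_mysql_dsn(sql.get("DataSource", ""))
    if dsn["password"]:
        findings.append(f"DataSource embeds a cleartext password for user {dsn['user']!r} "
                        f"on {dsn['net']}({dsn['addr']}) database {dsn['db']!r}")
    if sql.get("AtRestEncryptKey"):
        findings.append("AtRestEncryptKey is stored in cleartext in config.json")
    return findings


# Constructed config fragment in the page's shape; password and key are placeholders.
SAMPLE_CONFIG = r'''{"SqlSettings": {"DriverName": "mysql",
 "DataSource": "mmuser:EXAMPLE_PASSWORD@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
 "AtRestEncryptKey": "EXAMPLE_KEY", "Trace": false}}'''

if __name__ == "__main__":
    for finding in audit_sql_settings(SAMPLE_CONFIG):
        print(finding)
```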

Getting root hash

Accessing the database with the credentials and getting the root hash:

mysql -u mmuser -p'Crack_The_MM_Admin_PW' mattermost
# there is a table called Users from which we extract the root hash
select Password from Users where Username = 'root';

[screenshot: extracting root hash]

Cracking root hash

Getting the hash was the easy part; now it is time to crack it. A comment in the Mattermost channel gave a hint for cracking the root hash, so we need to build a custom wordlist of variations of PleaseSubscribe! using hashcat rules. Instead of writing those rules by hand we looked online for pre-made rules and found the Hob0Rules repo.

# cloning the hashcat rules repo
git clone https://github.com/praetorian-inc/Hob0Rules.git
cd Hob0Rules
# creating a wordlist from the base word with the hashcat rules
echo "PleaseSubscribe!" | hashcat -r d3adhob0.rule --stdout > wordlist.txt

[screenshot: creating custom wordlist]
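To make clear what `hashcat -r <rules> --stdout` is doing to the base word, here is a small interpreter for a subset of the hashcat rule syntax, written for this writeup as an added example (it is not code from the original post or from the Hob0Rules project). It covers the most common functions (case changes, reversal, duplication, append, prepend and character substitution) and fails loudly on anything else; SAMPLE_RULES is a constructed mini rule set, not d3adhob0.rule.

```python
"""Minimal interpreter for a subset of hashcat rule syntax (added example, not
hashcat or Hob0Rules code). Unsupported rule functions raise ValueError."""

# Single-character functions that take no argument.
_SIMPLE = {
    ":": lambda w: w,                              # pass the word through unchanged
    "l": str.lower,                                # lowercase all
    "u": str.upper,                                # uppercase all
    "c": lambda w: w[:1].upper() + w[1:].lower(),  # capitalise first, lower the rest
    "t": str.swapcase,                             # toggle the case of every char
    "r": lambda w: w[::-1],                        # reverse
    "d": lambda w: w * 2,                          # duplicate the whole word
}


def apply_rule(word, rule):
    """Apply one rule line (whitespace-separated functions) to a word."""
    out, i = word, 0
    while i < len(rule):
        fn = rule[i]
        if fn.isspace():                           # separator between functions
            pass
        elif fn in _SIMPLE:
            out = _SIMPLE[fn](out)
        elif fn in "$^":                           # $X appends X, ^X prepends X
            i += 1
            out = out + rule[i] if fn == "$" else rule[i] + out
        elif fn == "s":                            # sXY replaces every X with Y
            out = out.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule function {fn!r} in {rule!r}")
        i += 1
    return out


def generate_wordlist(base_words, rules):
    """Unique candidates for every (word, rule) pair, in the order produced."""
    rules = [r.strip() for r in rules if r.strip() and not r.lstrip().startswith("#")]
    cands = [apply_rule(w, r) for w in base_words for r in rules]
    return list(dict.fromkeys(cands))              # drop duplicates, keep first occurrence


# Constructed mini rule set in hashcat syntax; d3adhob0.rule is far larger.
SAMPLE_RULES = [":", "l", "u", "c", "$1 $2 $3", "sa@ so0 se3", "t", "^! $!", "# comment"]

if __name__ == "__main__":
    print("\n".join(generate_wordlist(["PleaseSubscribe!"], SAMPLE_RULES)))
```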
Now we use john to crack the password (using john was just a personal choice).

# cracking hash.txt with john
sudo john -w=wordlist.txt hash.txt

[screenshot: cracking hash with john]

Su root

Using the password to su as root and get root.txt flag.

[screenshot: su root]

Beyond Root

Hash cracking is an important subject for any serious penetration tester, and it can be tricky, as in this challenge: we had to generate variations of a given password and build a custom wordlist (custom wordlists are, in my opinion, the right way to do password cracking without wasting much time). So here is a very nice tutorial from TryHackMe to learn the basics of hash cracking.

TryHackMe is an online platform that teaches cyber security through short, gamified real-world labs. We have content for both complete beginners and seasoned hackers, incorporating guides and challenges to cater for different learning styles.