Delivery (Easy)

Summary

Delivery is a beginner-friendly box that does not require a lot of technical skills to solve. The foothold is about chaining logic flaws between OSTicket and Mattermost. The privesc is hashcat rule-based attack, based on a hint offered when getting the foothold.

Nmap

Nmap

Enumeration

Visit port 80. The "Contact Us" page has two links:
Contact Us
To access these two links, edit /etc/hosts:
# HackTheBox
10.129.127.121 delivery.htb
10.129.127.121 helpdesk.delivery.htb

User Shell: Chaining Logic Flaws

The idea is:
  1. 1.
    Create a ticket on OSTicket and get a @delivery.htb email address
  2. 2.
    Register an account on Mattermost using the @delivery.htb email address
  3. 3.
    Go back to OSTicket and abuse the "Check Ticket Status" feature to get the activation link from Mattermost
Grab the activation link:
Activation link
Enter Mattermost:
Mattermost
Here we learn that the credential is maildeliverer:Youve_G0t_Mail!. The comment on hashcat is the hint for privesc.
Login as the maildeliverer user through SSH:
maildeliverer

Privilege Escalation: hashcat Rule-based Attack

Search for the keyword "mattermost":
find / -name mattermost 2>/dev/null
In /opt/mattermost/config/config.json, we find a SQL credential mmuser:Crack_The_MM_Admin_PW:
SQL credential in config.json
The password itself is also a hint. Login as mmuser through mysql:
mysql -u mmuser -p
The Users table from the mattermost database contains usernames and passwords:
Database
Dump the password of root:
MariaDB [mattermost]> SELECT Password from Users where Username="root";
+--------------------------------------------------------------+
| Password |
+--------------------------------------------------------------+
| $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
+--------------------------------------------------------------+
1 row in set (0.001 sec)
Identify hash type:
Hash analyzer
bcrypt hashes correspond to 3200 in hashcat:
bcrypt
Remember the hint from the Mattermost comment? Here we should use PleaseSubscribe! as wordlist and conduct the hashcat rule-based attack. hashcat documentation says:
The rule-based attack is one of the most complicated of all the attack modes. The reason for this is very simple. The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.
This idea is very similar to mutation in fuzzing.
The hashcat rules are located in /usr/share/hashcat/rules. For this box, we use best64.rule:
$ echo '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' > hash.txt
$ echo 'PleaseSubscribe!' > wordlist.txt
$ hashcat -a 0 -m 3200 hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule -o password.txt
The flags in the hashcat command represents:
  • -a 0: set attack mode to "dictionary attack"
  • -m 3200: set hash type to bcrypt
  • -r /usr/share/hashcat/rules/best64.rule: use best64.rule to conduct rule-based attack
  • -o password.txt: save the output to password.txt
Once the password is cracked, switch to the root user:
root