Delivery (Easy)
Delivery is a beginner-friendly box that does not require a lot of technical skills to solve. The foothold is about chaining logic flaws between OSTicket and Mattermost. The privesc is hashcat rule-based attack, based on a hint offered when getting the foothold.
Nmap
Visit port 80. The "Contact Us" page has two links:
Contact Us
To access these two links, edit
/etc/hosts:# HackTheBox
10.129.127.121 delivery.htb
10.129.127.121 helpdesk.delivery.htb
The idea is:
- 1.Create a ticket on OSTicket and get a
@delivery.htbemail address - 2.Register an account on Mattermost using the
@delivery.htbemail address - 3.Go back to OSTicket and abuse the "Check Ticket Status" feature to get the activation link from Mattermost
Grab the activation link:
Activation link
Enter Mattermost:
Mattermost
Here we learn that the credential is
maildeliverer:Youve_G0t_Mail!. The comment on hashcat is the hint for privesc.Login as the
maildeliverer user through SSH:
maildeliverer
Search for the keyword "mattermost":
find / -name mattermost 2>/dev/null
In
/opt/mattermost/config/config.json, we find a SQL credential mmuser:Crack_The_MM_Admin_PW:
SQL credential in config.json
The password itself is also a hint. Login as
mmuser through mysql:mysql -u mmuser -p
The
Users table from the mattermost database contains usernames and passwords:
Database
Dump the password of root:
MariaDB [mattermost]> SELECT Password from Users where Username="root";
+--------------------------------------------------------------+
| Password |
+--------------------------------------------------------------+
| $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
+--------------------------------------------------------------+
1 row in set (0.001 sec)
Identify hash type:
Hash analyzer
bcrypt hashes correspond to 3200 in hashcat:
bcrypt
Remember the hint from the Mattermost comment? Here we should use
PleaseSubscribe! as wordlist and conduct the hashcat rule-based attack. hashcat documentation says:The rule-based attack is one of the most complicated of all the attack modes. The reason for this is very simple. The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.
This idea is very similar to mutation in fuzzing.
The hashcat rules are located in
/usr/share/hashcat/rules. For this box, we use best64.rule:$ echo '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' > hash.txt
$ echo 'PleaseSubscribe!' > wordlist.txt
$ hashcat -a 0 -m 3200 hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule -o password.txt
The flags in the hashcat command represents:
-a 0: set attack mode to "dictionary attack"-m 3200: set hash type tobcrypt-r /usr/share/hashcat/rules/best64.rule: usebest64.ruleto conduct rule-based attack-o password.txt: save the output topassword.txt
Once the password is cracked, switch to the root user:
root
Last modified 8mo ago