Yet another box :)
Prerequisite
Just to make life easier I usually add an entry in my hosts file for easier access of the target machine.
echo "10.10.10.222 delivery.htb" >> /etc/hosts echo "10.10.10.222 helpdesk.delivery.htb" >> /etc/hosts
Okay now onto the hacking!
Reconnaissance
As always, I started off with an NMAP scan against the machine.
nmap -Pn -sC -sV -A -p- -oN initial delivery.htb
From the scan, I was able to identify that ports 80 and 22 are open for HTTP and SSH respectively.
I also noticed that there's a MatterMost server running on port 8065. I went to inspect this further.
Scanning & Enumeration
Upon further enumeration, I realized that that there's a helpdesk which users can reach out to, to get their account registered/activated.
Exploitation
Upon successful ticket creation, I was given an email address that I can send mails to, to update my ticket.
At the same time, when creating an account on MatterMost, there was an option to send email confirmation to the email that was used to register.
Putting 2 and 2 together, I decided to use the email I got from the opening the ticket to create an account with MatterMost. This eventually gave me access to Delivery's internal messaging system and ultimately user level access into their server.
Ticket creation on helpdesk.delivery.htb
Successful ticket creation on helpdesk.delivery.htb
Now that I got MatterMost to send the verification email to the helpdesk's inbox, all that was left to do to gain access to the internal chat was to head on into the helpdesk portal and see the "reply" which I had mailed to 1411746@delivery.htb
Once I was in, I had access to their maildeliverer user on the server as the credentials were posted in chat. Furthermore, there were also some other hints which I kept in view for future use.
Gaining Access
Since I discovered that SSH was running on the server, I tried to SSH into the server with newly found credentials....and it worked!
Privilege Escalation
After poking around in the box for a bit, I realized that the MySQL database credentials were lying around in one of the MatterMost config files. The file path is as follows:
maildeliverer@Delivery:~$ cat /opt/mattermost/config/config.json
"SqlSettings": { "DriverName": "mysql", "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:..\u0026readTimeout=30s\u0026writeTimeout=30s", "DataSourceReplicas": [], "DataSourceSearchReplicas": [], "MaxIdleConns": 20, "ConnMaxLifetimeMilliseconds": 3600000, "MaxOpenConns": 300, "Trace": false, "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez", "QueryTimeout": 30, "DisableDatabaseSearch": false }
Using the credentials, I logged into the MySQL database and retrieved the root account's password hash.
Now, It was time to crack the hash to retrieve the root password.
I recalled a text snippet that was posted in the internal chat which I uncovered earlier.
From this, I could conclude that the password was some iteration of PleaseSubscribe!. Thus, I decided to use the rules built into hashcat.
[ Basic Examples ] -
Attack- | Hash- | Mode | Type | Example command ==================+=======+================================================================== Wordlist + Rules | MD5 | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
┌──(nee㉿kali)-[~/boxes/htb/machines/delivery] └─$ hashcat -a 0 -m 3200 hash dict -r /usr/share/hashcat/rules/best64.rule
And that was it! I was able to get the root credentials. Another great box by IppSec!