# Laboratory ~ Hack The Box

### Prerequisite

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985129510/152e3d64-68ae-4a02-a8ce-33fdba98da6b.jpeg)

Just to make life easier I usually add an entry in my hosts file for easier access of the target machine.

    echo "10.10.10.222	delivery.htb" >> /etc/hosts
    echo "10.10.10.222	helpdesk.delivery.htb" >> /etc/hosts

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985131165/eaf426c8-41f5-415e-b5f3-648807469a69.png)

Okay now onto the hacking!

* * *

### Reconnaissance

As always, I started off with an NMAP scan against the machine.

     nmap -Pn -sC -sV -A -p- -oN initial delivery.htb

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985133012/aff66419-74d7-463b-a6b0-497f55fd36de.png)

From the scan, I was able to identify that ports 80 and 22 are open for `HTTP` and `SSH` respectively.

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985135033/bc93f63b-1bbd-4649-9e07-a84630ccae2b.png)

I also noticed that there's a MatterMost server running on port `8065`. I went to inspect this further.

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985136604/55262b86-16ee-49d7-b883-2926e5fb602d.png)

### Scanning & Enumeration

Upon further enumeration, I realized that that there's a helpdesk which users can reach out to, to get their account registered/activated.

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985138807/d0bffe17-4eb0-4a01-9dae-85522489dbb9.png)

[http://helpdesk.delivery.htb/](http://helpdesk.delivery.htb/)

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985140242/72efe096-0545-43c6-b739-53a4b0f3ade3.png)

### Exploitation

Upon successful ticket creation, I was given an email address that I can send mails to, to update my ticket.

At the same time, when creating an account on MatterMost, there was an option to send email confirmation to the email that was used to register.

Putting 2 and 2 together, I decided to use the email I got from the opening the ticket to create an account with MatterMost. This eventually gave me access to Delivery's internal messaging system and ultimately user level access into their server.

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985141337/d2c82d39-0954-46e4-93f0-4ab5c08f63f6.png)

Ticket creation on helpdesk.delivery.htb

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985142508/e5815b47-cfd6-4603-bb08-d78a91f086c1.png)

Successful ticket creation on helpdesk.delivery.htb

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985143622/00144ea8-664f-434d-980b-d366b188604c.png)

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985144963/72b40ad1-a362-4ba9-9258-a202a1c8a160.png)

Now that I got MatterMost to send the verification email to the helpdesk's inbox, all that was left to do to gain access to the internal chat was head on to the helpdesk portal and see the "reply" which I mailed to `1411746@delivery.htb`

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985146245/f6ef4a4e-6151-4f29-b265-559c83efceef.png)

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985147335/c99128b5-bbe7-4e42-8483-a323ffdd1a0f.png)

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985149023/e624bab0-e256-4404-994d-a3202d5c35a7.png)

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985150357/dd8008c3-bf82-4ab1-8fd0-4ecb736456f8.png)

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985151395/bb2d7128-f9ea-4da7-b0f8-aacf5da65d53.png)

Once I was in, I had access to their `maildeliverer` user on the server as the credentials were posted in chat. Furthermore, there were also some other hints which I kept in view for future use.

### Gaining Access

Since I discovered that SSH was running on the server, I tried to SSH into the server with newly found credentials....and it worked!

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985152744/ab6c6e82-a31e-459c-8c99-ca2add14be90.png)

### Privilege Escalation

After poking around in the box for a bit, I realized that the MySQL database credentials were lying around in one of the MatterMost config files. The file path is as follows:

    maildeliverer@Delivery:~$ cat /opt/mattermost/config/config.json 
    

    "SqlSettings": {
            "DriverName": "mysql",
            "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
            "DataSourceReplicas": [],
            "DataSourceSearchReplicas": [],
            "MaxIdleConns": 20,
            "ConnMaxLifetimeMilliseconds": 3600000,
            "MaxOpenConns": 300,
            "Trace": false,
            "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
            "QueryTimeout": 30,
            "DisableDatabaseSearch": false
        }

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985154487/bc30afa8-f16c-4ab7-a261-20f0c7b153de.png)

Using the credentials, I logged into the MySQL database and retrieved the root account's password hash.

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985156175/67edcf76-8f25-4def-8d3b-ad9b51d444ac.png)

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985157860/8c4c6858-6aca-45fb-ae80-39b8e3965e32.png)

Now, It was time to crack the hash to retrieve the root password.

I recalled a text snippet that was posted in the internal chat which I uncovered earlier.

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985159458/3e64e144-fa4e-468d-8669-fa11c4310699.png)

From this, I could conclude that the password was some iteration of `PleaseSubscribe!`. This I decided to use the rules built into hashcat.

    - [ Basic Examples ] -
    
      Attack-          | Hash- |
      Mode             | Type  | Example command
     ==================+=======+==================================================================
      Wordlist + Rules | MD5   | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
    

    ┌──(nee㉿kali)-[~/boxes/htb/machines/delivery]
    └─$ hashcat -a 0 -m 3200 hash dict -r /usr/share/hashcat/rules/best64.rule

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985160588/6d80d78e-4aff-440d-992f-4b8a3ec64bc9.png)

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985162417/31d62b75-364f-4adf-907e-6a8ea1c838f6.png)

And that was it! I was able to get the root credentials.

![Laboratory ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985163538/951f1943-aa4a-4577-82e5-6e5c375b411e.png)
