Laboratory ~ Hack The Box

Apr 18, 2021

Prerequisite

To make life easier, I usually add entries to my hosts file so the target machine can be reached by name.

echo "10.10.10.222	delivery.htb" >> /etc/hosts
echo "10.10.10.222	helpdesk.delivery.htb" >> /etc/hosts

Okay now onto the hacking!


Reconnaissance

As always, I started off with an NMAP scan against the machine.

nmap -Pn -sC -sV -A -p- -oN initial delivery.htb

From the scan, I was able to identify that ports 80 and 22 are open for HTTP and SSH respectively.

I also noticed that there was a Mattermost server running on port 8065, so I went to inspect it further.

Scanning & Enumeration

Upon further enumeration, I realized that there is a helpdesk which users can contact to get their account registered or activated.

http://helpdesk.delivery.htb/

Exploitation

Upon successful ticket creation, I was given an email address to which I could send mail to update my ticket.

At the same time, when creating an account on Mattermost, there was an option to send an email confirmation to the address used to register.

Putting two and two together, I decided to use the email address I got from opening the ticket to create an account on Mattermost. This eventually gave me access to Delivery's internal messaging system and ultimately user-level access to their server.

Ticket creation on helpdesk.delivery.htb
Successful ticket creation on helpdesk.delivery.htb

Now that I had got Mattermost to send the verification email to the helpdesk's inbox, all that was left to do to gain access to the internal chat was to head to the helpdesk portal and open the "reply" which I had mailed to [email protected]

Once I was in, I had credentials for the maildeliverer user on the server, as they had been posted in the chat. There were also some other hints which I noted for later use.

Gaining Access

Since I had discovered that SSH was running on the server, I tried to SSH in with the newly found credentials... and it worked!

Privilege Escalation

After poking around the box for a bit, I realized that the MySQL database credentials were lying around in one of the Mattermost config files. The file path is as follows:

[email protected]:~$ cat /opt/mattermost/config/config.json 
"SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:[email protected](127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false
    }

Using the credentials, I logged into the MySQL database and retrieved the root account's password hash.
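The database password was recoverable only because the Go-style DSN in SqlSettings.DataSource is stored in plain text. As an added example (not from the original writeup or from Mattermost itself), here is a small Python audit that parses a constructed config.json fragment shaped like the one above and flags embedded database passwords and the at-rest key; all secret values in the sample are placeholders, and the parse_mysql_dsn/audit_sql_settings/audit_file_mode names are my own.

```python
import json
import os
import re
import stat

# Mattermost stores its MySQL DSN in the Go driver format:
#   user:password@tcp(host:port)/database?param=value
# The password may itself contain '@', so it is matched greedily up to the
# last '@' that is followed by a protocol and an opening parenthesis.
DSN_RE = re.compile(
    r"^(?P<user>[^:@]+)(?::(?P<password>.*))?@(?P<proto>[a-z]+)\((?P<addr>[^)]+)\)/(?P<db>[^?]*)"
)

# Constructed sample config; the password and key are placeholders, not real values.
SAMPLE_CONFIG = r'''{
  "SqlSettings": {
    "DriverName": "mysql",
    "DataSource": "mmuser:EXAMPLE_DB_PASSWORD@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s",
    "DataSourceReplicas": [],
    "AtRestEncryptKey": "EXAMPLE_AT_REST_KEY",
    "QueryTimeout": 30
  }
}'''

def parse_mysql_dsn(dsn):
    """Split a Go-style MySQL DSN into its parts, or return None if it does not match."""
    m = DSN_RE.match(dsn)
    return m.groupdict() if m else None

def audit_sql_settings(config_text):
    """Return a list of findings about secrets sitting in plain text in SqlSettings."""
    sql = json.loads(config_text).get("SqlSettings", {})
    findings = []
    sources = [sql.get("DataSource", "")] + sql.get("DataSourceReplicas", [])
    for src in sources:
        dsn = parse_mysql_dsn(src)
        if dsn and dsn["password"]:
            # Report the account and host, never the password itself.
            findings.append(f"DataSource embeds a plaintext password for {dsn['user']}@{dsn['addr']} "
                            f"(db {dsn['db']}); supply it via the MM_SQLSETTINGS_DATASOURCE environment override instead")
    if sql.get("AtRestEncryptKey"):
        findings.append("AtRestEncryptKey is stored in config.json; anyone who can read the file can decrypt at-rest data")
    return findings

def audit_file_mode(path):
    """True if the config file is readable by group or others (a reader gets the DB password)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

if __name__ == "__main__":
    for finding in audit_sql_settings(SAMPLE_CONFIG):
        print("FINDING:", finding)
```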

Now it was time to crack the hash to retrieve the root password.

I recalled a text snippet that was posted in the internal chat which I uncovered earlier.

From this, I could conclude that the password was some variation of PleaseSubscribe!, so I decided to use the rules built into hashcat.

- [ Basic Examples ] -

  Attack-          | Hash- |
  Mode             | Type  | Example command
 ==================+=======+==================================================================
  Wordlist + Rules | MD5   | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule
$ hashcat -a 0 -m 3200 hash dict -r /usr/share/hashcat/rules/best64.rule

And that was it! I was able to get the root credentials.