Delivery
Writeup for Delivery from Hack the Box
Recon
nmap -sV -T4 -p- 10.10.10.222
From the website, there are two links:
http://delivery.htb:8065/
http://helpdesk.delivery.htb/
Add the following to the /etc/hosts
file:
Note the information here:
We don't have a @delivery.htb
account, so we won't be able to access the MatterMost server just yet.
helpdesk.delivery.htb
When submitting a ticket, the system is vulnerable to XSS.
1st Try: Cookie Stealing
Unfortunately this doesn't work, anything with <script></script>
is removed.
2nd Try: Look Closer
Note that after creating a ticket, it says:
"If you want to add more information... just email ..."
So does this email simply forward everything it receives to the ticket?
delivery.htb:8065
This is a MatterMost server. I went ahead and created an account with 7317917@delivery.htb as the email address. This was previously not possible because
We needed a
@delivery.htb
email andWe needed email verification
The email does indeed forward everything to the ticket content:
By navigating to the link in the email, we can verify our account.
And we can log in to view some sensitive information:
Foothold
We can use the maildeliverer:Youve_G0t_Mail!
credential combination to authenticate and obtain SSH access to the server.
User Flag
Right after we authenticate in, we are greeted by the user.txt
flag.
Privesc
After a bit of exploring:
cat /opt/mattermost/config/config.json
Under the SqlSettings
, the mmuser:Crack_The_MM_Admin_PW
is used for the mysql
database credentials. We can login to the 'local' MariaDB server:
mysql -u mmuser -p
(-u USERNAME -p
, then enter the password when prompted)
MariaDB
SHOW DATABASES;
Use the mattermost
database: USE mattermost;
Dump mattermost.Users
table: SELECT * FROM Users;
I copied this into a text file.
Compile the password hashes into a users.hash
file:
Remember the message in the MatterMost channel earlier? Most of these passwords should be variations of "PleaseSubscribe!"
We were also hinted to use hashcat rules.
Result of Googling: https://www.4armed.com/blog/hashcat-rule-based-attack/
Rules file: cp /usr/share/hashcat/rules/best64.rule rules
Running hashcat on my host MacOS: hashcat -m 3200 users.hash wordlist -r rules
(since hashcat requires a GPU)
Show cracked hash: hashcat -m 3200 users.hash --show
Cross-checking with the users.hash
file, the root
password is PleaseSubscribe!21
.
Root Flag
From the maildeliverer
bash shell: su
, then use the PleaseSubscribe!21
password.
Last updated