Delivery

Linux · Easy

10.10.10.222

Reconnaissance: NMAP

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.222

22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)

80/tcp open  http    nginx 1.14.2
|_http-title: Welcome
|_http-server-header: nginx/1.14.2

No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/24%OT=22%CT=1%CU=32936%PV=Y%DS=2%DC=I%G=Y%TM=65B0
OS:DE4A%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)
OS:SEQ(SP=108%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53AST11NW7%O2=M53AS
OS:T11NW7%O3=M53ANNT11NW7%O4=M53AST11NW7%O5=M53AST11NW7%O6=M53AST11)WIN(W1=
OS:FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=
OS:M53ANNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)
OS:T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S
OS:+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=
OS:Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G
OS:%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Enumeration: SSH Port 22/tcp

OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

Based on the OpenSSH version, the host is likely running Debian Buster (10). The HTTP scripts for TCP 8065 show the string “Mattermost”, so it could be an instance of that open source Slack alternative.

Enumeration: HTTP Port 80/tcp

The site is not really for anything, but does mention checking out the helpdesk for email related support:

view-source:http://10.10.10.222/#

http://10.10.10.222/#contact-us @delivery.htb

http://helpdesk.delivery.htb/ http://delivery.htb:8065/ http://delivery.htb:8065/login

The link goes to helpdesk.delivery.htb. I’ll add both that subdomain and the base domain (delivery.htb) to my local /etc/hosts file.

The HelpDesk link is the as the one above. The MatterMost server link is to helpdesk.htb:8065, which explains the other port. There’s also some hint here as to the path. I need to get a @delivery.htb email to get access to the MatterMost server.

helpdesk.htb:8065 @delivery.htb

helpdesk.delivery.htb - TCP 80

This is an instance of osTicket:

http://helpdesk.delivery.htb/

As a guest user, I can create a ticket: And it will give me a page saying it’s been accepted: The email to add to the ticket is interesting. I’ll note that.

The Sign In link has a form, as well as a registration link: On clicking “Create an account” and filling out the form, it gives me a page that says a link has been sent to the email to activate it. On HTB, that’s basically a deadend. If I try to log in, it returns this error: If I click the Check Ticket Status link, it asks for an email or ticket number. Because no validation was done of my email when submitting a ticket as a Guest User, I can enter that email and ticket number: This page gives the current ticket, with the option to update it:

delivery.htb - TCP 8065

The main page here is a login form:

http://delivery.htb/ http://delivery.htb:8065/login

The create account link leads to another form: Submitting also leads to an email confirmation step: Without an email address, not much I can do here.

Shell as maildeliverer

Access to MatterMost: The note above suggested that I needed a @delivery.htb email address to get an account. It looks like it will work without one, but practically, I can’t receive emails at an outside account because HTB labs are not connected to the internet.

I did note that when I created a ticket, it offered the ability to update the ticket over email. I can use that to get the verification email.

I’ll create a ticket and get the email address for it. Then sign up for a MatterMost account:

Mattermost lets you share messages and files from your PC or phone, with instant search and archiving. For the best experience, download the apps for PC, Mac, iOS and Android from:

LogoHost Mattermost on Your Own InfrastructureMattermost.com

Visiting the link in the ticket verifies the account: One logging in, there’s a chance to join a team: On joining that team, there’s a single channel, with some chat from root:

I’ll note creds for the account maildeliverer, as well as a hint that a lot of the passwords on the box are variants of “PleaseSubscribe!”, and a note about how Hashcat rules will find the variants.

SSH: Those creds do work to SSH to the box:

Shell as root

Enumeration: MM Config Mattermost stores it’s configuration in /opt/mattermost/config/config.json. The database connection information is in here:

The database password is there, along with a hint as to where to go next.

SQL: I’ll connect to the DB with the creds in the config above:

There’s only the default DB and mattermost:

I can see from the prompt that I’m already using the mattermost db, but if I needed to switch, use mattermost would do that. The mattermost database has a lot of tables:

I’ll start with the users table:

A lot of those look like other users or me. I’ll focus on the root user.

Crack Password: I’ll drop the hash into a file:

Based on the comments from Mattermost, I’ll create a file with the password:

Now I can run with a rule file to get different variations on the passwords in the file (just one in this case). There are many in /usr/share/hashcat/rules, but why not start with the one called “best”:

It cracks pretty quickly.

su: That password works for the root account on Delivery:

PreviousMagicNextPaper

Last updated