┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.222
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
| 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_ 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: Welcome
|_http-server-header: nginx/1.14.2
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/24%OT=22%CT=1%CU=32936%PV=Y%DS=2%DC=I%G=Y%TM=65B0
OS:DE4A%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)
OS:SEQ(SP=108%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53AST11NW7%O2=M53AS
OS:T11NW7%O3=M53ANNT11NW7%O4=M53AST11NW7%O5=M53AST11NW7%O6=M53AST11)WIN(W1=
OS:FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=
OS:M53ANNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)
OS:T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S
OS:+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=
OS:Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G
OS:%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.222
631/udp open|filtered ipp
5353/udp open|filtered zeroconf
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1038.41 seconds
Based on the OpenSSH version, the host is likely running Debian Buster (10). The HTTP scripts for TCP 8065 show the string “Mattermost”, so it could be an instance of that open source Slack alternative.
Enumeration: HTTP Port 80/tcp
The site is not really for anything, but does mention checking out the helpdesk for email related support:
The link goes to helpdesk.delivery.htb. I’ll add both that subdomain and the base domain (delivery.htb) to my local /etc/hosts file.
The HelpDesk link is the as the one above. The MatterMost server link is to helpdesk.htb:8065, which explains the other port. There’s also some hint here as to the path. I need to get a @delivery.htb email to get access to the MatterMost server.
As a guest user, I can create a ticket:
And it will give me a page saying it’s been accepted:
The email to add to the ticket is interesting. I’ll note that.
exodus,
You may check the status of your ticket, by navigating to the Check Status page using ticket id: 4264890.
If you want to add more information to your ticket, just email 4264890@delivery.htb.
Thanks,
Support Team
The Sign In link has a form, as well as a registration link: On clicking “Create an account” and filling out the form, it gives me a page that says a link has been sent to the email to activate it. On HTB, that’s basically a deadend. If I try to log in, it returns this error: If I click the Check Ticket Status link, it asks for an email or ticket number. Because no validation was done of my email when submitting a ticket as a Guest User, I can enter that email and ticket number: This page gives the current ticket, with the option to update it:
The create account link leads to another form:
Submitting also leads to an email confirmation step:
Without an email address, not much I can do here.
Shell as maildeliverer
Access to MatterMost:
The note above suggested that I needed a @delivery.htb email address to get an account. It looks like it will work without one, but practically, I can’t receive emails at an outside account because HTB labs are not connected to the internet.
I did note that when I created a ticket, it offered the ability to update the ticket over email. I can use that to get the verification email.
I’ll create a ticket and get the email address for it. Then sign up for a MatterMost account:
4264890@delivery.htb
exodus
Password123$$
http://helpdesk.delivery.htb/tickets.php
---- Registration Successful ----
Please activate your email by going to:
http://delivery.htb:8065/do_verify_email?token=49zi8zjpe1sabof8xy7ygj5um7hqxex5gmg9ajdancddfspujrdo9siwhfj9kxc8&email=4264890%40delivery.htb
Mattermost lets you share messages and files from your PC or phone, with instant search and archiving. For the best experience, download the apps for PC, Mac, iOS and Android from:
Visiting the link in the ticket verifies the account:
One logging in, there’s a chance to join a team:
On joining that team, there’s a single channel, with some chat from root:
root
9:29 AM
@developers Please update theme to the OSTicket before we go live. Credentials to the server are
maildeliverer:Youve_G0t_Mail!
Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"
I’ll note creds for the account maildeliverer, as well as a hint that a lot of the passwords on the box are variants of “PleaseSubscribe!”, and a note about how Hashcat rules will find the variants.
The database password is there, along with a hint as to where to go next.
SQL:
I’ll connect to the DB with the creds in the config above:
}maildeliverer@Delivery:/opt/mattermost/config$ mysql -u mmuser -pCrack_The_MM_Admin_PW mattermotMariaDB [mattermost]>
There’s only the default DB and mattermost:
MariaDB [mattermost]> show databases;+--------------------+| Database |+--------------------+| information_schema || mattermost |+--------------------+
I can see from the prompt that I’m already using the mattermost db, but if I needed to switch, use mattermost would do that. The mattermost database has a lot of tables:
Now I can run with a rule file to get different variations on the passwords in the file (just one in this case). There are many in /usr/share/hashcat/rules, but why not start with the one called “best”:
