Delivery Writeup / Walkthrough HackTheBox

TL;DR

This is a walkthrough writeup on Delivery which is a Linux box categorized as easy on HackTheBox, created by our messiah Ippsec. This box has Mattermost and osTicket running on it. The initial foothold was gained by impersonating email to read the Mattermost server chat which revealed the SSH credentials. Privilige Escalation required us to enumerate the box to find the root password hash & use a hashcat rule-based attack to crack the hash.

Delivery Writeup: Scanning Network

Running the usual Nmap port scan :

Command used : nmap -sC -sV -A -v -n -Pn -oN nmap.initial 10.10.10.222
Nmap scan report for 10.10.10.222
Host is up (0.17s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)

80/tcp   open  http    nginx 1.14.2
|_http-title: Welcome
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2

8065/tcp open  unknown
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Thu, 09 Dec 2021 06:47:37 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: p1pj5pjd4if63xr8umufmyhxse
|     X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
|     Date: Thu, 09 Dec 2021 07:09:06 GMT
|     <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Date: Thu, 09 Dec 2021 07:09:07 GMT
|_    Content-Length: 0

We got 3 ports to deal with :

port 22 : SSH
port 80 : web-server
port 8065 : unknown

Website Enumeration

Port 80

We went ahead and visited port 80 in our browser :

Delivery Writeup
website homepage on port 80
Delivery Writeup
contact us card on home page of port 80

Okay, so from this message it seems like that a mattermost server is running on the box, and only a user with @delivery.htb email address has access to Delivery’s mattermost server.

We also found an external link going to helpdesk.delivery.htb

Delivery Writeup

So, I edited the /etc/hosts file and added the following entry, to ensure DNS resolution by our local machine for this domain :

10.10.10.222    helpdesk.delivery.htb

We have a service called as osTicket running on helpdesk.delivery.htb .

What is osTicket ?

osTicket is a widely used and trusted open source support ticketing system which easily scales and streamline your customer service and drastically improve your customer's experience. It seamlessly integrates inquiries created via email, phone and web-based forms into a simple easy-to-use multi-user web interface.
You can read more about it here.
Delivery Writeup
osTicket homepage

We will come back to this later.

Port 8065

We have a Mattermost server running on this port.

What is Mattermost ?

Mattermost is an open-source, self-hostable online chat service with file sharing, search, and integrations. It is designed as an internal chat for organisations and companies, and mostly markets itself as an open-source alternative to Slack and Microsoft Teams.
You can read more about it here.
Delivery Writeup
Mattermost server on port 8065

We can create a new account here, but it will send a email verification link, and we can’t use third party email clients like gmail, because the machine is in HTB’s internal network and it wont be able to send anything outside the internal network.

Delivery Writeup

Also, deducing from the message that we got earlier (in the “contact us” panel), about being able to access the Mattermost server for Delivery only if a user has a @delivery.htb email address.

We might need to somehow get access to a @delivery.htb email address.


Enumerating the osTicket Service

I filled up the details & opened a new ticket.

Delivery Writeup
Opening a new ticket on osTicket

We are given a confirmation about a new ticket being opened.

Along with which, it also tell us that if we want to add more information to our ticket we can email it to <ticket_number>@delivery.htb

Delivery Writeup
Ticket confirmation

Obviously we can sense something potential here 😈

Checking the Ticket Status

On checking the ticket status we can see the information that we provided in the ticket.

Checking Ticket Status
Ticket Status page

Initial Foothold (email impersonation)

According to the message given earlier, we can add information to our ticket by sending a email to the following email address <ticket_num>@delivery.htb . So, we can use this email <ticket_num>@delivery.htb in the mattermost signup process, and the verification email link will be sent to it & added to the ticket information which we can view it here in the ticket status section.

Signing up on Mattermost with the above email :

Mattermost signup

Viewing the “email verification link” added in the ticket information :

email verification link

After completing the email verification process by visiting the the verification link, we can access the “Internal” channel on the Mattermost server.

Mattermost Internal server

There’s a lot of juicy information in the chat here :

Internal server chat
Credentials to the server ->  
user : maildeliverer
pass : Youve_G0t_Mail!

Delivery Writeup: User Flag β›³

SSH into the box using the obtained credentials :

β”Œβ”€[[email protected]]─[/opt/jd-gui]
└──╼ ssh [email protected]

[email protected]'s password: 


Last login: Thu Nov 24 08:12:11 2021 from 10.10.14.4


[email protected]:~$ whoami
maildeliverer

[email protected]:~$ cat user.txt
4twqf****************************

Delivery Writeup: Privilege Escalation

During system enumeration, we found this config file for mattermost :

[email protected]:/$ cat /opt/mattermost//config/config.json

It revealed the MySQL databse credentials :

SqlSettings": {                                                                          
        "DriverName": "mysql",                                                                
        "DataSource": "mmuser:[email protected](127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],                                                             
        "DataSourceSearchReplicas": [],                                                       
        "MaxIdleConns": 20,               
        "ConnMaxLifetimeMilliseconds": 3600000,                                               
        "MaxOpenConns": 300,                                                                  
        "Trace": false,                     
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",                               
        "QueryTimeout": 30,                                                                   
        "DisableDatabaseSearch": false                                                        
},

MySQL credentials

Database : mysql
user : mmuser
pass : Crack_The_MM_Admin_PW

We can see the obvious hint here that is been given off by the passsword. We need to find the password hash for the root user in the database and crack it πŸ™‚

So, I went ahead and tried to connect to the MySQL database:

[email protected]:/opt/mattermost/config$ mysql -u mmuser -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 91
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mattermost         |
+--------------------+
2 rows in set (0.001 sec)

MariaDB [(none)]> use mattermost;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mattermost]> show tables;
+------------------------+                                                                                                                                                           [8/439]
| Tables_in_mattermost   |
+------------------------+
| Audits                 |
| Bots                   |
| ChannelMemberHistory   |
| ChannelMembers         |
| Channels               |
| ClusterDiscovery       |
| CommandWebhooks        |
| Commands               |
| Compliances            |
| Emoji                  |
| FileInfo               |
| GroupChannels          |
| GroupMembers           |
| GroupTeams             |
| IncomingWebhooks       |
| Jobs                   |
| Licenses               |
| LinkMetadata           |
| OAuthAccessData        |
| OAuthApps              |
| OAuthAuthData          |
| OutgoingWebhooks       |
| PluginKeyValueStore    |
| Posts                  |
| Preferences            |
| ProductNoticeViewState |
| PublicChannels         |
| Reactions              |
| Roles                  |
| Schemes                |
| Sessions               |
| SidebarCategories      |
| SidebarChannels        |
| Status                 |
| Systems                |
| TeamMembers            |
| Teams                  |
| TermsOfService         |
| ThreadMemberships      |
| Threads                |
| Tokens                 |
| UploadSessions         |
| UserAccessTokens       |
| UserGroups             |
| UserTermsOfService     |
| Users                  |
+------------------------+
46 rows in set (0.001 sec)

MariaDB [mattermost]> select * from Users;

-----------SNIP-------------------

0 | root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO | NULL     |      
       | [email protected]       |             1 |          |                    |          |          | system_admin system_user |              1 | {}    | {"channel":"true","comments":"n
ever","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} |      1609157893370 |                 0 |    

-----------SNIP-------------------


----- Writing a query to get a readable output  -----


MariaDB [mattermost]> select username,password,email,roles from Users where username='root';
+----------+--------------------------------------------------------------+-------------------+--------------------------+
| username | password                                                     | email             | roles                    |
+----------+--------------------------------------------------------------+-------------------+--------------------------+
| root     | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO | [email protected] | system_admin system_user |
+----------+--------------------------------------------------------------+-------------------+--------------------------+
1 row in set (0.001 sec)

We found root’s password hash:

root hash
root : $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO

Instead of straightaway rushing to hashcat or johnTheRipper, let’s look back & recall the message that we got in the mattermost server chat about cracking the hashes of passwords like PleaseSubscribe! by using hashcat rules.

Internal server chat

We can generate a wordlist containing different variations of the word PleaseSubscribe! using hashcat rules. It will generate a very small wordlist.

What is hashcat rule-based attack ?

The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.
You can read more about it here.

You can check all available hashcat rules in /usr/share/hashcat/rules/. We will be using the best64 rule in our case to generate the wordlist.

β”Œβ”€β”€(rootπŸ’€kali)-[~/Desktop/Boxes/HTB/Delivery]                                                
└─ echo PleaseSubscribe! | hashcat -r /usr/share/hashcat/rules/best64.rule --stdout > wordlist.txt

β”Œβ”€β”€(rootπŸ’€kali)-[~/Desktop/Boxes/HTB/Delivery]
└─ wc -l wordlist.txt 
77 wordlist.txt

Now, using JohnTheRipper to crack the hash with help of the wordlist that we just created.

β”Œβ”€β”€(rootπŸ’€kali)-[~/Desktop/Boxes/HTB/Delivery]
└─# john hash.txt --wordlist=wordlist.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
PleaseSubscribe!21 (?)
1g 0:00:00:00 DONE (2021-12-09 05:40) 2.702g/s 97.29p/s 97.29c/s 97.29C/s PleaseSubscribe!..PleaseSubscrio
Use the "--show" option to display all of the cracked passwords reliably
Session completed

We have successfully cracked the password hash for root.

user : root
pass : PleaseSubscribe!21

All we need to do now is change the user to root using the su root command.


Delivery Writeup: Root Flag β›³

[email protected]:/opt/mattermost/config$ su root
Password: 

[email protected]:/opt/mattermost/config# id
uid=0(root) gid=0(root) groups=0(root)

[email protected]:/opt/mattermost/config# cat /root/root.txt
2dbd****************************

Kudos for successfully rooting Delivery.

Until next time, do checkout other informative writeups and blogs here.

Posts created 7

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

Begin typing your search term above and press enter to search. Press ESC to cancel.

Back To Top