IT Security
Security, challenges and boxes



HTB: Delivery

Rubytox, 21st May 2021

Hello everyone!

Today, I'm publishing a new writeup for HackTheBox's box Delivery. This machine was made by ippsec and has been rated as easy difficulty. It has been given a rating of 4.6.

This machine was really interesting: it is well suited to beginners in pentesting as it covers a lot of basic material. A significant part of the exploitation is not strictly technical, which should keep beginners from giving up too quickly.

Foothold & user

First, let's append the IP address of the machine to our /etc/hosts file so that we will be able to designate it by the domain name delivery.htb. Once this is done, let's run a classic nmap port scan:

$ nmap -sC -sV -oA nmap/delivery delivery.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-21 17:35 CEST
Nmap scan report for delivery.htb (10.10.10.222)
Host is up (0.038s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.59 seconds
The options used in this command are:

- -sC: run the default set of NSE scripts;
- -sV: detect the version of each service;
- -oA nmap/delivery: save the output in all three formats (normal, grepable and XML) under the nmap/delivery prefix.

We can see we have two open ports:

- 22/tcp: SSH (OpenSSH 7.9p1);
- 80/tcp: HTTP (nginx 1.14.2).

After a quick search, those two services do not seem to be vulnerable to any public exploit. Let's take a look at the website that is running on port 80:

Home page of the website

Clicking on the "Contact us" button opens the following text box:

Contact information

This contact box provides us with two new addresses:

After carefully reading the contact box, we can have an idea of what is expected from us: in order to access the Mattermost server, we want to get an @delivery.htb email address, and to do so we must go to the HelpDesk page. So let's do that! Browsing to the HelpDesk gives the following page:

HelpDesk home page

Let's try and open a new ticket to see what it does. We are asked for an e-mail address, a name and a description of the issue. After having filled all the fields and submitted the form, we get the following message:

We are given an @delivery.htb email address

Our ticket has been successfully created, and we have been given an @delivery.htb email address. Using it is quite simple: the purpose of this address is to let the person who opened the ticket add more information to their request. Hence sending an email to this address should append the content of the email to the ticket status page.

We are going to use this to create ourselves a Mattermost account on the machine:

Account creation with the provided address
Validation link is received

As we can see, we successfully received a validation link, and our Mattermost account has been properly created. When connecting to it, we can read the following messages in the main channel:

User root gives us information about credentials

We are given the following information:

- credentials for SSH: the user maildeliverer with the password Youve_G0t_Mail!;
- a hint about the developers' passwords: they are variations of PleaseSubscribe!, which root says could easily be cracked if someone got hold of a hash.

Let's try the first credentials on the SSH server:

$ ssh maildeliverer@delivery.htb
maildeliverer@delivery.htb's password: Youve_G0t_Mail!
maildeliverer@Delivery:~$ cat user.txt
9dfd3[-- REDACTED --]ee6cb

We owned user! :)

Root

Now on to owning root. Recall the information found on the Mattermost server: user root said that if someone were to get the password hash of one of the developers, they could easily crack it. One idea is therefore to look for a hash in Mattermost's database.

Mattermost's documentation states that database credentials are located in the file config.json, in the field SqlSettings.DataSource. We were able to find the root directory of Mattermost in the directory /opt, and we read the following in the configuration file:

Credentials for Mattermost's database
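The reason this step works is that config.json is readable by a low-privileged user while SqlSettings.DataSource carries the database password in clear. The following Python script, added here as an example and not part of the original writeup or of Mattermost, parses the DataSource DSN (Mattermost uses the Go MySQL DSN shape user:password@tcp(host:port)/db) and reports both the embedded password and loose file permissions; the config content is constructed, and the 127.0.0.1:3306 address is an assumption.

```python
import json
import os
import re
import stat
import tempfile

# Constructed sample of the SqlSettings part of a Mattermost config.json. The
# credentials are the ones the writeup found; host and port are placeholders.
SAMPLE_CONFIG = {
    "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4",
    }
}

# Go MySQL DSN shape used by Mattermost: user:password@protocol(address)/dbname?params
DSN_RE = re.compile(
    r"^(?P<user>[^:@]+)(?::(?P<password>[^@]*))?@(?P<proto>\w+)\((?P<addr>[^)]+)\)/(?P<db>[^?]*)"
)

def parse_dsn(dsn):
    """Split a DSN into its components; returns None if it does not have the expected shape."""
    m = DSN_RE.match(dsn)
    return m.groupdict() if m else None

def audit_config(path):
    """Findings for a config.json: an embedded DB password is normal for Mattermost,
    so the actionable issue is who can read the file (here: any local user)."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("config.json is readable by group or others")
    with open(path) as f:
        cfg = json.load(f)
    parsed = parse_dsn(cfg.get("SqlSettings", {}).get("DataSource", ""))
    if parsed and parsed.get("password"):
        findings.append(f"SqlSettings.DataSource embeds the password of DB user {parsed['user']}")
    return findings

def demo():
    """Write the constructed config with mode 0644 (world-readable) and audit it."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as f:
        json.dump(SAMPLE_CONFIG, f)
    os.chmod(path, 0o644)
    try:
        return audit_config(path)
    finally:
        os.unlink(path)
```

Running demo() on a real installation would mean pointing audit_config at /opt/mattermost/config/config.json; a clean result is an empty list.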

So we learn that the database user is mmuser and that its password is Crack_The_MM_Admin_PW. Let's connect with mysql, select the right database and list the usernames and password hashes of all users:

$ mysql --user="mmuser" --password="Crack_The_MM_Admin_PW"
MariaDB [(none)]> use mattermost;
MariaDB [mattermost]> select Username, Password from Users;
+----------------------------------+--------------------------------------------------------------+
| Username                         | Password                                                     |
+----------------------------------+--------------------------------------------------------------+
| surveybot                        |                                                              |
| c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK |
| 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G |
| root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
| ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq |
| channelexport                    |                                                              |
| 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm |
+----------------------------------+--------------------------------------------------------------+
7 rows in set (0.000 sec)

We got a hash for the password of the user root. We can try to crack it using John the Ripper or hashcat. I prefer John the Ripper, so I will show how it works with this tool. We first copy root's hash into a file named hash. We then need a wordlist: we write PleaseSubscribe! into a file named wordlist. Now, as root said on the Mattermost server, running John on this wordlist or on a larger one such as rockyou won't work: the correct password is not in those wordlists. However, we can instruct John to apply rules to the provided wordlist: it will then try to crack the hash with several variations of each word. Here our wordlist contains only one word, but we know the hash is a variation of it. We can use the best64 rule set, which contains the most commonly used password variations.

$ john hash --wordlist=wordlist --rules=best64
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
PleaseSubscribe!21 (?)
1g 0:00:00:00 DONE (2021-05-21 18:43) 4.347g/s 195.6p/s 195.6c/s 195.6C/s PleaseSubscribe!..PleaseSubscribe!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

So John identified the hash as a bcrypt hash. We could have used other tools such as hashid to identify the hash type as well. John cracked the hash and came up with the password PleaseSubscribe!21.

Now we have the password of Mattermost's root user. Nothing guarantees that it is the same as the password of the machine's root user, but let's try it anyway:

maildeliverer@Delivery:~$ su - root
Password: PleaseSubscribe!21
root@Delivery:~# cat /root/root.txt
37f6a[-- REDACTED --]e2006

We got root! :)

I really liked doing this machine: as I hadn't done any pentest challenge for a while, it was pretty refreshing to work on an easy-rated box that was actually easy. I think completing such a box is really appropriate for beginners in this field, as they will learn a lot about the spirit of pentesting by doing so.

So this is over for this box! If you have any comments or suggestions, feel free to open an issue on this website's GitHub page.

