Hack The Box Writeup - Delivery

Delivery is an easy box from Hack The Box (HTB). For those who don't know, HTB is an online practice platform for learning penetration testing.

Summary

  1. Run nmap to find open ports
  2. As port 80 is open, check it in a browser
  3. Click on the HelpDesk and Contact Us pages
  4. Open a new ticket on the HelpDesk page
  5. Click on Mattermost on the Contact Us page
  6. Sign up on Mattermost using the @delivery.htb email address generated after creating the new ticket
  7. Check the ticket status
  8. Log in to Mattermost
  9. Use the username and password to SSH
  10. Find user.txt
  11. Check the config file and find the mysql username and password
  12. Log in to mysql and check the Users table
  13. Find the username and hashed password (bcrypt)
  14. Use the hashcat tool to recover the password from the hash
  15. SSH to the box and find root.txt

Start with Nmap

nmap 10.10.10.222

Run the default Nmap scripts with the -sC option; -sV is used to enumerate service versions

nmap -sC -sV 10.10.10.222

Scan all ports with Nmap using the -p- option

nmap -p- 10.10.10.222

Run a UDP scan with Nmap using the -sU option

nmap -sU 10.10.10.222

Add the entry below to /etc/hosts

10.10.10.222 delivery.htb

Browse to http://delivery.htb in Firefox

http://delivery.htb

Click on Contact Us.

Read the message on the page carefully:

"For unregistered users, please use our HelpDesk to get in touch with our team. Once you have an @delivery.htb email address, you'll be able to have access to our MatterMost server."

As mentioned on the webpage, click on HelpDesk.

Click on Open a New Ticket

Fill in the form and create a new ticket. You receive the message below after the ticket is created successfully.

Click on MatterMost server. As you don't have an account, click on Create one now. Remember to use the @delivery.htb email address when creating the account.

After the account is created, check the ticket status again and you will see a new message.

As suggested in the message, activate the email by copying the URL and pasting it into the browser. You get the message below if you have pasted it correctly.

After a successful login, you find credentials to the server.

As the SSH port is also open, use the credentials to connect to the remote host.

ssh maildeliverer@10.10.10.222

Just run ls and you will find the user.txt flag.

Privilege escalation

For privilege escalation, check the config file. It contains a mysql username and password.

Refer to /opt/mattermost/config/config.json. Use the command below to find the mysql credentials:

cat /opt/mattermost/config/config.json | grep user

Connect to mysql

mysql -u mmuser -p

Display available databases

show databases;

Use database mattermost

use mattermost;

Use the command below to display the tables. The Users table looks interesting.

show tables;

Display the username and password columns from the Users table

select Username, Password from Users;

Save the username and password hash in a file named hash. If you refer to the messages, the last message relates to the password "PleaseSubscribe!"

Save it in a file named password.

Use hashcat with the best64 rule set to generate variations of that word and find the exact password that matches the hash.

hashcat -m 3200 hash password --user -r /usr/share/hashcat/rules/best64.rule

Finally, hashcat finds the matching password.

Now just type su - to switch to root
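
The rule-based match above succeeds because the password is a small variation of a word that was already shared in chat. A defensive counterpart, as an added example that is not part of the original writeup: a check run when a password is set that rejects candidates built on known base words. The banned list, the sample passwords and the function names are constructed for illustration.

```python
import re
from typing import List, Optional

# Undo common character substitutions; "1", "l" and "|" all collapse to "i"
# so that either reading of an ambiguous character compares equal.
_SUBST = str.maketrans("013457@$l|", "oieastasii")
MIN_BASE_LEN = 4  # ignore very short base words to limit false positives


def skeleton(word: str) -> str:
    """Reduce a password to the letters that survive typical mangling rules."""
    folded = word.lower().translate(_SUBST)   # case folding + substitutions
    return re.sub(r"[^a-z]", "", folded)      # drop digits and punctuation


def derived_from(candidate: str, banned_words: List[str]) -> Optional[str]:
    """Return the banned base word the candidate is built on, or None."""
    # Compare the candidate as typed and reversed; substring matching also
    # covers prepended/appended characters and duplicated words.
    forms = {skeleton(candidate), skeleton(candidate[::-1])}
    for base in banned_words:
        core = skeleton(base)
        if len(core) >= MIN_BASE_LEN and any(core in form for form in forms):
            return base
    return None


if __name__ == "__main__":
    # Constructed deny list: a phrase seen in team chat plus site-specific words.
    banned = ["PleaseSubscribe!", "delivery", "mattermost"]
    # Constructed sample passwords.
    samples = [
        "PleaseSubscribe!99",
        "p13as3$ubscr1be2021",
        "!ebircsbuSesaelP",
        "Delivery2021!",
        "correct horse battery staple",
    ]
    for pw in samples:
        hit = derived_from(pw, banned)
        verdict = "REJECT (based on %r)" % hit if hit else "ok"
        print("%-32s %s" % (pw, verdict))
```

A check like this complements, rather than replaces, a slow hash such as bcrypt: the hash only slows guessing, while the deny list removes the guesses an attacker would try first.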

su -


Disclaimer: This tutorial is for educational purposes only. The individual is solely responsible for any illegal act.
