Delivery: Hack The Box Walk Through

Vikas Sharma
6 min read · Feb 5, 2021


Delivery is one of the easy machines on HTB. It didn't take much time or effort to complete the checkpoints (user and root flag).

Concepts Learnt:

Web Recon

HTML Injection

MySQL

Hashcat

Port Scanning

Using nmap, we scan the IP for open ports and get details of the open ports, as shown below:

We can observe that ports 80 and 22 are open; we will use both ports later.

Web Recon

Visiting the IP address (10.10.10.22) for the hosted website, we can observe two different links, i.e. Helpdesk and Contact Us.

Moving to the helpdesk, we get a "site can't be reached" error.

We solve this by adding helpdesk.delivery.htb to the hosts file (/etc/hosts) with the machine IP.

Now visiting the helpdesk again, we successfully get access to it.

We can observe that we can create complaint tickets and sign in.

HTML Injection

Trying to create a new ticket with an HTML injection payload.

After submitting the ticket, we get the ticket number.

Now we check the status of the ticket to verify whether the text fields are vulnerable to HTML injection.

We can observe that the fields were vulnerable to HTML injection!!

Now visiting the Contact Us page for more details.

Here we can see that if we have an @delivery.htb email address, which we generated when creating the ticket, we can access the MatterMost server.

So we try to access the MatterMost server and see if we can get something useful!!

It looks like we have to add this URL to the hosts file to reach the website, so we add delivery.htb to the hosts file.

Here's what we get on the homepage of the MatterMost server.

Since it is a login page, we tried SQLi and other methods to bypass it but failed. So we have only one option left, i.e. to create a new account!!

Thus we create a new account with the @delivery.htb email address.

After creating the account, we need to verify it, which we can do by checking the status of the ticket, signing in with the @delivery email ID.

We verify the account and then log in to the MatterMost server.

After logging in, we can access private chats, which reveal some sensitive data that could be used to get access to the machine.

We can conclude that:

1. The machine uses passwords starting with PleaseSubscribe!. We can treat this as a rule, which can easily be cracked by HashCat.

2. We got the credentials for the mail server, i.e. maildeliverer:Youve_G0t_Mail!

Now we use ssh to connect to the mail server account with the credentials we have obtained:

ssh maildeliverer@10.10.10.222

This completes the first checkpoint, i.e. obtaining the user flag.

Privilege Escalation

Now moving towards gaining root access.

We tried to check for binary vulnerabilities but could not succeed due to the lack of sudo permission.

Since the machine is running the MatterMost server, we look for the MatterMost files on the system.

Checking the MatterMost directory in the hope of finding something useful!!

Yipeee, we got the config file in the config folder. Going through the config file, we found some sensitive data, i.e. SQL credentials.
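The finding above, seen from the defender's side, as an added example that is not part of the original post: a small audit that flags a MatterMost-style config.json that any local user can read and that carries an inline database password. It assumes the credentials sit in the SqlSettings.DataSource key in user:password@... form; the sample file contents and the password in them are constructed.

```python
import json, os, re, stat, tempfile

# user:password@... prefix of a Go-style MySQL DSN (assumed format)
DSN_RE = re.compile(r"^(?P<user>[^:@/]+):(?P<password>[^@]*)@")

def audit_mattermost_config(path):
    """Return a list of findings for one config file; never echoes the secret."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"config is world-readable (mode {mode:o})")
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    dsn = cfg.get("SqlSettings", {}).get("DataSource", "")
    m = DSN_RE.match(dsn)
    if m and m.group("password"):
        findings.append(
            f"inline database password for user {m.group('user')!r} "
            "in SqlSettings.DataSource"
        )
    return findings

def write_sample(dsn, mode):
    """Write a constructed config file with the given DSN and permissions."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"SqlSettings": {"DriverName": "mysql", "DataSource": dsn}}, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    # Constructed samples: a weak setup beside a tighter one.
    weak = write_sample("mmuser:example-password@tcp(127.0.0.1:3306)/mattermost", 0o644)
    tight = write_sample("mmuser@unix(/run/mysqld/mysqld.sock)/mattermost", 0o600)
    for label, path in (("weak", weak), ("tight", tight)):
        print(label, audit_mattermost_config(path))
        os.remove(path)
```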

MySQL

Now, using the SQL credentials, we log in to the database with the command:

mysql -h localhost -u mmuser -pCrack_The_MM_Admin_PW

Now, selecting the MatterMost database and extracting data from the table, we end up with the credentials of an account: its username and hash.

Since this hash starts with $2*, it indicates that it is hashed with the bcrypt algorithm.

I tried various hash decryptors for bcrypt but couldn't get any positive output.

Then, all of a sudden, I remembered that earlier on the server we got the info about cracking the hash with hashcat rules.

HashCat

We create a new file with the content to which the most common rules are to be applied, and a file with the hash!

Since we need to crack the hash with rules, we create a wordlist using the built-in best rules provided by hashcat (/usr/share/hashcat/rules/best64.rule).

Creating the wordlist with hashcat with the help of the rule file:

Command: hashcat -r /usr/share/hashcat/rules/best64.rule --stdout rule > wordlist.txt

Here -r refers to the rule file, and rule is the file holding the content to which the rules are applied; the output is stored in wordlist.txt.

Now cracking the bcrypt hash with the wordlist.

Command used: hashcat -m 3200 -a 0 hash wordlist.txt --force

Here --force is optional, hash is the file where the hash is stored, and 3200 refers to the bcrypt algorithm in hashcat.

Once it has completed, we can use the --show option to check the cracked password for root.

Command: hashcat -m 3200 -a 0 hash wordlist.txt --show
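What the rule-expansion step above does to a base word, as an added example that is not part of the original post and not hashcat's own code: a re-implementation of a few hashcat rule functions, used as a password-policy check that rejects anything derivable from a known base word. The rule list is a constructed sample in the style of a rule file, not the contents of best64.rule, and the candidate passwords are constructed.

```python
# Subset of hashcat rule functions: : l u c r d ] [ $X ^X
SIMPLE_OPS = {
    "l": str.lower,                 # lowercase all
    "u": str.upper,                 # uppercase all
    "c": str.capitalize,            # first upper, rest lower
    "r": lambda w: w[::-1],         # reverse
    "d": lambda w: w + w,           # duplicate
    "]": lambda w: w[:-1],          # delete last character
    "[": lambda w: w[1:],           # delete first character
}

# Constructed sample rules, one rule per entry (functions separated by spaces).
SAMPLE_RULES = [":", "r", "u", "l", "c", "d", "$1", "$! $1", "$1 $2 $3", "^1", "] $?"]

def apply_rule(word, rule):
    """Apply one rule line to a word and return the mangled candidate."""
    out, i = word, 0
    while i < len(rule):
        op = rule[i]
        if op in "$^":              # append / prepend the next character
            i += 1
            if i >= len(rule):
                raise ValueError(f"rule {rule!r} ends after {op!r}")
            out = out + rule[i] if op == "$" else rule[i] + out
        elif op in SIMPLE_OPS:
            out = SIMPLE_OPS[op](out)
        elif op not in ": ":        # ':' is the no-op, spaces are separators
            raise ValueError(f"unsupported rule function {op!r}")
        i += 1
    return out

def derived_candidates(base, rules):
    """Every candidate a cracking run would try for this base word."""
    return {apply_rule(base, r) for r in rules}

def is_rule_derived(password, base_words, rules=SAMPLE_RULES):
    """True if the password is a known base word after one rule line."""
    return any(password in derived_candidates(b, rules) for b in base_words)

if __name__ == "__main__":
    banned = ["PleaseSubscribe!"]   # base word disclosed in the chat above
    for pw in ("PleaseSubscribe!123", "PLEASESUBSCRIBE!", "correct-horse-battery"):
        print(pw, "->", "reject" if is_rule_derived(pw, banned) else "ok")
```

A bcrypt hash only slows down each guess; when the base word is known, the candidate set is small enough that the cost factor does not help.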

Since we now have the root credentials, we can complete our second checkpoint (root flag).

Changing user to root with the credentials obtained, and boom, we got the root shell!!

Completed both checkpoints!!

For more such blogs, stay tuned!!

Thanks!!
