Delivery: Hack The Box Walk Through
Delivery is one of the easy machines on HTB. It doesn't take much time or effort to complete the checkpoints (user and root flags).
Using nmap, we scan the IP for open ports and get details of the open ports, as mentioned below:
We can observe that ports 80 and 22 are open; we will use both ports later.
Visiting the IP address (10.10.10.22) for the hosted website, we can observe two different links, i.e. Helpdesk and Contact Us.
Moving to the Helpdesk link, it seems we get a "site cannot be reached" error.
We solve this issue by adding helpdesk.delivery.htb to the hosts file (/etc/hosts) with the machine IP.
Now visiting the helpdesk again, we successfully get access to it.
We can observe that we can create tickets for complaints and sign in.
Trying to create a new ticket with an HTML injection payload.
After submitting the ticket, we get the ticket number.
Now checking the status of the ticket to verify whether the text fields were vulnerable to HTML injection or not!!
We can observe that the fields were vulnerable to HTML injection!!
Now visiting the Contact Us page for more details.
Here we can see that if we have an @delivery.htb email address, which we were given after creating the ticket, we can access the MatterMost server.
So we try to access the MatterMost server and see if we can get something useful!!
Looks like we have to add this URL to the hosts file to get access to the website. Thus adding delivery.htb to the hosts file.
Here's what we get on the homepage of the MatterMost server:
Since it is a login page, I tried SQLi and other methods to bypass it but failed. So we have only one option left, i.e. to create a new account!!
Thus creating a new account with the @delivery.htb email address.
After creating the account, we need to verify it, which we can do by checking the status of the ticket, which gets the user signed in with the @delivery email ID.
Verifying the account and then logging into the MatterMost Server.
After logging in, we can access private chats, which reveal some sensitive data that could be used to get access to the machine.
We can conclude that:
1. The machine uses passwords starting with PleaseSubscribe!. We can call this a rule, which can be easily cracked by hashcat.
2. We got the credentials of the mail server, i.e. maildeliverer:Youve_G0t_Mail!
Now using ssh to connect to the mail server account with the credentials we have obtained.
Completing the first checkpoint i.e obtaining the user flag.
Now moving towards gaining root access.
Tried to check for binary vulnerabilities but could not succeed due to lack of sudo permissions.
Since it is using a MatterMost server, we look for the MatterMost files on the system.
Checking the MatterMost directory in hope to find something useful!!
Yipeee, we got the config file in the config folder. Going through the config file, we found some sensitive data, i.e. SQL credentials.
Now using SQL credentials, logging into the database using command:
mysql -h localhost -u mmuser -pCrack_The_MM_Admin_PW
Now selecting the MatterMost database and extracting data from the table, we end up with the credentials of an account: the username and the hash.
Since this hash starts with $2*, it indicates that it is hashed with the bcrypt algorithm.
Tried various hash crackers for bcrypt but couldn't get any positive output.
Then, all of a sudden, I remembered that earlier, on the server, we got the info about cracking the hash with hashcat using rules.
Creating a new file with the content to which the most common rules are to be applied, and the hash!
Since we need to crack the hash with rules, we create a wordlist with the built-in best rules provided by hashcat (/usr/share/hashcat/rules/best64.rule).
Creating a wordlist with the hashcat with the help of rule:
Command: hashcat -r /usr/share/hashcat/rules/best64.rule --stdout rule > wordlist.txt
Here -r refers to the rule file, and rule refers to the file containing the content to which the rules are applied; the output is stored in wordlist.txt.
Now cracking the bcrypt hash with the wordlist.
Command used: hashcat -m 3200 -a 0 hash wordlist.txt --force
Here --force is optional, hash is the file where the hash is stored, and 3200 refers to the bcrypt algorithm in hashcat.
Once it is completed, we can use the --show option to check the cracked password for root.
Command: hashcat -m 3200 -a 0 hash wordlist.txt --show
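The rule-based cracking above works because every password is a small mutation of one known base word. As an added example (not part of the original post), the same idea turned into a defender-side password-policy check: it expands a banned base word with a subset of hashcat's rule functions and rejects any password in the result. The function names and the rule list are constructed for this illustration; the list is not the contents of best64.rule.

```python
# Added example (not from the original post): a password-policy check that
# flags passwords derivable from a known base word via hashcat-style rules.
# Only a subset of hashcat's rule functions is implemented, and functions
# must be space-separated here (hashcat itself also accepts them unspaced).

def apply_rule(word, rule):
    """Apply one rule line, e.g. '$1 $2 $3', to word and return the result."""
    out = word
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":" and not arg:        # ':' do nothing
            pass
        elif op == "l" and not arg:      # 'l' lowercase everything
            out = out.lower()
        elif op == "u" and not arg:      # 'u' uppercase everything
            out = out.upper()
        elif op == "c" and not arg:      # 'c' capitalise first, lowercase rest
            out = out.capitalize()
        elif op == "r" and not arg:      # 'r' reverse
            out = out[::-1]
        elif op == "d" and not arg:      # 'd' duplicate the word
            out = out + out
        elif op == "]" and not arg:      # ']' drop the last character
            out = out[:-1]
        elif op == "$" and len(arg) == 1:  # '$X' append character X
            out = out + arg
        elif op == "^" and len(arg) == 1:  # '^X' prepend character X
            out = arg + out
        else:
            raise ValueError(f"unsupported rule function: {fn!r}")
    return out

# Constructed sample rule list (NOT the contents of best64.rule).
SAMPLE_RULES = [":", "l", "u", "c", "r", "d", "]", "$1", "$!", "$1 $2 $3", "^1"]
# Base word the chat says the passwords start with.
BANNED_BASES = ["PleaseSubscribe!"]

def candidates(base, rules=SAMPLE_RULES):
    """Every candidate the rule list produces from one base word."""
    return {apply_rule(base, r) for r in rules}

def is_derivable(password, bases=BANNED_BASES, rules=SAMPLE_RULES):
    """True if the password is a rule-generated variant of a banned base."""
    return any(password in candidates(b, rules) for b in bases)

if __name__ == "__main__":
    for pw in ["PleaseSubscribe!123", "tr4vel-Lamp-ocean"]:  # constructed samples
        print(pw, "->", "reject" if is_derivable(pw) else "ok")
```

A real policy check would load the full rule files used in audits rather than this short list, since an attacker's wordlist is only one `hashcat --stdout` run away.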
Since we now have the root credentials, we can complete our second checkpoint (root flag).
Changing user to root with the credentials obtained, and boom, we got the root shell!!
Completed both the checkpoints!!
For more such blogs, stay tuned!!