Delivery (Easy)

Summary

Delivery is a beginner-friendly box that does not require a lot of technical skills to solve. The foothold is about chaining logic flaws between OSTicket and Mattermost. The privesc is hashcat rule-based attack, based on a hint offered when getting the foothold.

Nmap

Enumeration

Visit port 80. The "Contact Us" page has two links:

To access these two links, edit /etc/hosts:

# HackTheBox
10.129.127.121 delivery.htb
10.129.127.121 helpdesk.delivery.htb

User Shell: Chaining Logic Flaws

The idea is:

  1. Create a ticket on OSTicket and get a @delivery.htb email address

  2. Register an account on Mattermost using the @delivery.htb email address

  3. Go back to OSTicket and abuse the "Check Ticket Status" feature to get the activation link from Mattermost

Grab the activation link:

Enter Mattermost:

Here we learn that the credential is maildeliverer:Youve_G0t_Mail!. The comment on hashcat is the hint for privesc.

Login as the maildeliverer user through SSH:

Privilege Escalation: hashcat Rule-based Attack

Search for the keyword "mattermost":

find / -name mattermost 2>/dev/null

In /opt/mattermost/config/config.json, we find a SQL credential mmuser:Crack_The_MM_Admin_PW:

The password itself is also a hint. Login as mmuser through mysql:

mysql -u mmuser -p

The Users table from the mattermost database contains usernames and passwords:

Dump the password of root:

MariaDB [mattermost]> SELECT Password from Users where Username="root";
+--------------------------------------------------------------+
| Password                                                     |
+--------------------------------------------------------------+
| $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
+--------------------------------------------------------------+
1 row in set (0.001 sec)

Identify hash type:

bcrypt hashes correspond to 3200 in hashcat:

Remember the hint from the Mattermost comment? Here we should use PleaseSubscribe! as wordlist and conduct the hashcat rule-based attack. hashcat documentation says:

The rule-based attack is one of the most complicated of all the attack modes. The reason for this is very simple. The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.

This idea is very similar to mutation in fuzzing.

The hashcat rules are located in /usr/share/hashcat/rules. For this box, we use best64.rule:

$ echo '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' > hash.txt
$ echo 'PleaseSubscribe!' > wordlist.txt
$ hashcat -a 0 -m 3200 hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule -o password.txt

The flags in the hashcat command represents:

  • -a 0: set attack mode to "dictionary attack"

  • -m 3200: set hash type to bcrypt

  • -r /usr/share/hashcat/rules/best64.rule: use best64.rule to conduct rule-based attack

  • -o password.txt: save the output to password.txt

Once the password is cracked, switch to the root user:

PreviousSafe (Easy)NextTheNotebook (Medium)

Last updated