✅Delivery (Easy)
Summary
Delivery is a beginner-friendly box that does not require a lot of technical skills to solve. The foothold is about chaining logic flaws between OSTicket and Mattermost. The privesc is hashcat rule-based attack, based on a hint offered when getting the foothold.
Nmap

Enumeration
Visit port 80. The "Contact Us" page has two links:

To access these two links, edit /etc/hosts
:
# HackTheBox
10.129.127.121 delivery.htb
10.129.127.121 helpdesk.delivery.htb
User Shell: Chaining Logic Flaws
The idea is:
Create a ticket on OSTicket and get a
@delivery.htb
email addressRegister an account on Mattermost using the
@delivery.htb
email addressGo back to OSTicket and abuse the "Check Ticket Status" feature to get the activation link from Mattermost
Grab the activation link:

Enter Mattermost:

Here we learn that the credential is maildeliverer:Youve_G0t_Mail!
. The comment on hashcat is the hint for privesc.
Login as the maildeliverer
user through SSH:

Privilege Escalation: hashcat Rule-based Attack
Search for the keyword "mattermost":
find / -name mattermost 2>/dev/null
In /opt/mattermost/config/config.json
, we find a SQL credential mmuser:Crack_The_MM_Admin_PW
:

The password itself is also a hint. Login as mmuser
through mysql
:
mysql -u mmuser -p
The Users
table from the mattermost
database contains usernames and passwords:

Dump the password of root:
MariaDB [mattermost]> SELECT Password from Users where Username="root";
+--------------------------------------------------------------+
| Password |
+--------------------------------------------------------------+
| $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
+--------------------------------------------------------------+
1 row in set (0.001 sec)
Identify hash type:

bcrypt
hashes correspond to 3200
in hashcat:

Remember the hint from the Mattermost comment? Here we should use PleaseSubscribe!
as wordlist and conduct the hashcat rule-based attack. hashcat documentation says:
The rule-based attack is one of the most complicated of all the attack modes. The reason for this is very simple. The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.
This idea is very similar to mutation in fuzzing.
The hashcat rules are located in /usr/share/hashcat/rules
. For this box, we use best64.rule
:
$ echo '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' > hash.txt
$ echo 'PleaseSubscribe!' > wordlist.txt
$ hashcat -a 0 -m 3200 hash.txt wordlist.txt -r /usr/share/hashcat/rules/best64.rule -o password.txt
The flags in the hashcat command represents:
-a 0
: set attack mode to "dictionary attack"-m 3200
: set hash type tobcrypt
-r /usr/share/hashcat/rules/best64.rule
: usebest64.rule
to conduct rule-based attack-o password.txt
: save the output topassword.txt
Once the password is cracked, switch to the root user:

Last updated