HackTheBox-Delivery

Hello everyone ,in this post I’ll be sharing my walkthrough for HTB delivery machine which was an “easy” linux machine where we would need to first open a ticket on osticket ,then having a ticket open we can register with email @delivery.htb and register on “Mattermost” , viewing the chat we were given a hint about cracking a hash and were given credentials which gave us the intial access and after that we found the password for mysql dumped the hash and cracked using the hint , so let’s jump in

NMAP

PORT     STATE SERVICE VERSION                                            
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
| 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_ 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open unknown
| fingerprint-strings:
| GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Cache-Control: no-cache, max-age=31556926, public
| Content-Length: 3108
| Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
| Content-Type: text/html; charset=utf-8
| Last-Modified: Tue, 02 Mar 2021 21:12:13 GMT
| X-Frame-Options: SAMEORIGIN
| X-Request-Id: dd9rh44dg3bsjmikyoawb6qabe
| X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
| Date: Tue, 02 Mar 2021 21:49:09 GMT
| <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,u
ser-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mob
ile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Date: Tue, 02 Mar 2021 21:49:09 GMT
|_ Content-Length: 0

PORT 80 (HTTP)

It looks like we need to add delivery.htb to /etc/hosts

We can also see that Helpdesk would lead us to a sub domain help.delivery.htb so we should add this to /etc/hosts

PORT 8065 (HTTP)

On adding the domain in /etc/hosts

help.delievery.htb

On selecting Open a new ticket

After creating a ticket we will get a token number and a mail which we will use to register on Mattermost which is on delivery.htb

On logging in with the registered email

delievery.htb

Visit this domain and register with the token_number@delivery.htb which will then send you the email verification link

We will get these credentials maildeliverer:Youve_G0t_Mail!

Also this message

Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"PleaseSubscribe! may not be in RockYou but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases.

Login here with the credentials

But there was not nothing on ostickets so I tried these credentials by logging in with ssh

Going into /opt directory I found a folder named mattermost.

Again we see an interesting folder named config

And we can see credentials for the mysql database

Mysql is running on port 3306 which is the defualt one so let’s try logging in with the credentials we found

At the end we see a table named Users

We will get the information for root user including the password hash

Visiting Name That Hash website we can see that this is bcrypt hash

Save the hash in a text file

Now remeber the message that we saw from Mattermost chat that we need to use hashcat rules for the variation of PleaseSubscribe!

For creating hashcat rules I visited this page

https://hackingvision.com/2020/03/27/hashcat-rule-based-attack/

Here it talks about Hob0Rules

So let’s run hashcat with the bcrypt hash against the password and the rule

It took a lot of time to crack the hash as I don’t have a good GPU

The hash has been cracked so let’s try logging in with root user and see if this is password for root user on the box

BS CS undergraduate | CTF Player