Delivery was an easy-rated Linux box by ippsec. Despite being an easy box, it had a clever path to user that relies on hacking business processes, rather than software to get to user, and tries to teach something about hashcat to escalate to root.
Initial Enumeration
An initial nmap showed ports 22, 80 and 8065 open
root@kali-e:/home/jmpalk/htb/delivery# nmap -v -n -Pn 10.10.10.222 -p1-65535
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-12 15:25 EDT
Initiating SYN Stealth Scan at 15:25
Scanning 10.10.10.222 [65535 ports]
Discovered open port 80/tcp on 10.10.10.222
Discovered open port 22/tcp on 10.10.10.222
Discovered open port 8065/tcp on 10.10.10.222
Completed SYN Stealth Scan at 15:25, 13.52s elapsed (65535 total ports)
Nmap scan report for 10.10.10.222
Host is up (0.023s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8065/tcp open unknown
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.65 seconds
Raw packets sent: 65591 (2.886MB) | Rcvd: 65535 (2.621MB)
root@kali-e:/home/jmpalk/htb/delivery#
Port 80 is the splash page for the delivery service. There’s not a lot there beyond the contact us blurb, which points toward the Help Desk, located at helpdesk.delivery.htb and the Mattermost server, which is the service running on port 8065.
Going to the helpdesk page, you can submit tickets via the osticket ticketing system, even without having an account.
The MatterMost server requires you to have a @delivery.htb address in order to be able to register
Initial foothold
The Contact Us dialog on the landing page gives the key to getting into the box. I need a ‘@delivery.htb’ address to access MatterMost. But how to get that email address? The Help Desk will give me one.
I started by creating a ticket. The content of the ticket doesn’t matter.
The key bit is what happens once I submit the ticket.
Osticket creates an email address – 5213117@delivery.htb – that I can send updates to. Taking that address over to Mattermost, I can use it to create an account.
Once I create the account, Mattermost informs me I need to visit an account validation link it sent to my email address. Osticket helpfully receives the email and displays it to me when I check the status on my ticket.
I copy the link into my browser, hit enter, and my Mattermost account is validated and ready to go.
Logging into Mattermost and joining the System team immediately provides some interesting information.
The credentials for the box get me right in, and user.txt is right there.
jmpalk@kali-e:~/htb/delivery$ ssh maildeliverer@delivery.htb
The authenticity of host 'delivery.htb (10.10.10.222)' can't be established.
ECDSA key fingerprint is SHA256:LKngIDlEjP2k8M7IAUkAoFgY/MbVVbMqvrFA6CUrHoM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'delivery.htb,10.10.10.222' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/jmpalk/.ssh/id_rsa':
maildeliverer@delivery.htb's password:
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan 5 06:09:50 2021 from 10.10.14.5
maildeliverer@Delivery:~$ Root
From the Mattermost comment, I have a good idea of what the password is going to look like, and that I’m going to need a hash to crack. This cuts my enumeration down substantially. I’m looking for notes, scripts and config files that might have passwords. Looking around the filesystem, I find the Mattermost config file at /opt/mattermost/config/config.json. It’s got a pretty big hint right in it.
"SqlSettings": {
"DriverName": "mysql",
"DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
"DataSourceReplicas": [],
"DataSourceSearchReplicas": [],
"MaxIdleConns": 20,
"ConnMaxLifetimeMilliseconds": 3600000,
"MaxOpenConns": 300,
"Trace": false,
"AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
"QueryTimeout": 30,
"DisableDatabaseSearch": false
},Using the provided username and password to log into MySQL, I query the user table.
There’s a root hash in there. Feeding it into HashID, it comes back as blowfish, which is type 3200 in hashcat. The Mattermost note was warning people against using passwords vulnerable to hashcat rules. Hashcat rules allow one to programatically modify passwords being guessed, doing things like giving all the ‘leetspeak variations of words in a dictionary. You can come up with your own rules, but in this case, I used ‘best64’, one of the pre-written rules hashcat ships with.
PS C:\Program Files (x86)\hashcat-6.0.0> .\hashcat.exe -m 3200 .\delivery_hash.txt .\delivery-wl.txt -r .\rules\best64.rule
hashcat (v6.0.0) starting...
OpenCL API (OpenCL 2.1 AMD-APP (3075.13)) - Platform #1 [Advanced Micro Devices, Inc.]
======================================================================================
* Device #1: Ellesmere, 8128/8192 MB (6745 MB allocatable), 36MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77
Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt
Watchdog: Temperature abort trigger set to 90c
$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21
Session..........: hashcat
Status...........: Cracked
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v...JwgjjO
Time.Started.....: Thu May 13 11:24:48 2021 (35 secs)
Time.Estimated...: Thu May 13 11:25:23 2021 (0 secs)
Guess.Base.......: File (.\delivery-wl.txt)
Guess.Mod........: Rules (.\rules\best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1 H/s (6.41ms) @ Accel:1 Loops:4 Thr:8 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 21/77 (27.27%)
Rejected.........: 0/21 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:20-21 Iteration:1020-1024
Candidates.#1....: PleaseSubscribe!21 -> PleaseSubscribe!21
Hardware.Mon.#1..: Util: 5% Core:1347MHz Mem:2000MHz Bus:16
Started: Thu May 13 11:24:42 2021
Stopped: Thu May 13 11:25:24 2021It came back with a hit in about 42 seconds: “PleaseSubscribe!21”. Going back to my shell, I su’d to root, and it was done.
maildeliverer@Delivery:/opt/mattermost/config$ su
Password:
root@Delivery:/opt/mattermost/config# cd
root@Delivery:~# ls
mail.sh note.txt py-smtp.py root.txt
root@Delivery:~# cat root.txt
bXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXa
root@Delivery:~# Again, a clever little path to user, and doing something I hadn’t done before with hashcat rules. Thanks, ippsec!
-30-
Off-Kilter Security 