Hack the Box - Delivery

hack the box May 23, 2021

Welcome back! Today we are going to walk through the Hack the Box machine - Delivery. This box is listed as an Easy Linux machine, let's jump in!

As always, we kick it off with an nmap scan: nmap -sC -sV -p- -oA allscan

Here are the results:

Host is up (0.048s latency).
Not shown: 65532 closed ports
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp   open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open  unknown
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Wed, 05 May 2021 14:40:04 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: tbkykq9no7yqzmw46oepnhfy8c
|     X-Version-Id:
|     Date: Wed, 05 May 2021 20:46:01 GMT
|     <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Date: Wed, 05 May 2021 20:46:01 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.71 seconds

There are some interesting items here: ports 80 and 8065 are open. We'll browse both to see what they host.

Landing page for port 80

We see a generic page for some kind of IT support service. The first thing we notice is that the link points to helpdesk.delivery.htb. Viewing the source also shows us http://delivery.htb:8065. We'll add both to our hosts file. After that, we click the link that takes us to helpdesk.delivery.htb.

We are now greeted with a support center ticketing system. This system runs on osTicket. It looks like we can create a ticket without an account, and we can also go back and view the ticket without an account. When we try to register for an account, it emails us a link to activate it.

Now we'll head over to the service hosted on 8065 to see whether the two depend on each other.

Here it looks like we can create an account for delivery.htb, or at least for some service associated with it. We create an account and it tells us to check our inbox for the verification link.

How do we get this registration link? After toying around, it turns out we can create a Mattermost account using the email address osTicket assigned to our ticket. When Mattermost sends the verification email to that address, osTicket appends it to the currently open ticket, which we can read without an account.

We can then copy the verification link out of the ticket, and verify our account.

Now we can login with the credentials we made.

Once logged in, we click the internal channel and view some internal systems. There we find credentials posted in the clear: maildeliverer:Youve_G0t_Mail!. We try them over ssh and we are in!

Snag the user.txt flag and start enumerating! We download linpeas.sh to the target and run it. Nothing really sticks out, so we'll have to dig around manually. One item of interest is /opt/mattermost.

At least we have a starting point. Sifting through the config files, we find some credentials: elastic:changeme and mmuser:Crack_The_MM_Admin_PW. Now we can try to connect to the MySQL instance with the mmuser credentials.
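Two of the weaknesses this box chains together live in one file: the Mattermost config keeps the database password inline in the DSN (and ships with the elastic:changeme default), and its signup policy trusts any address on the company mail domain, which the helpdesk hands out to anonymous ticket submitters. The following is an added example, not code from the write-up or from Mattermost, that audits a config.json for exactly those conditions. The sample config is constructed to mirror the Mattermost config.json layout (the file path /opt/mattermost/config/config.json and the MM_SQLSETTINGS_DATASOURCE environment override are standard Mattermost conventions; the credential values are the ones the write-up found).

```python
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the Mattermost config.json layout.  The
# credential values are the ones the write-up recovered from the box; the
# rest of the keys are the standard Mattermost names.
SAMPLE_CONFIG = json.loads(r'''
{
  "TeamSettings": {
    "EnableUserCreation": true,
    "RestrictCreationToDomains": "delivery.htb"
  },
  "EmailSettings": {
    "RequireEmailVerification": true
  },
  "SqlSettings": {
    "DriverName": "mysql",
    "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8&readTimeout=30s"
  },
  "ElasticsearchSettings": {
    "ConnectionUrl": "http://localhost:9200",
    "Username": "elastic",
    "Password": "changeme"
  }
}
''')

# Go-style MySQL DSN: [user[:password]@][protocol[(address)]]/dbname[?params]
# A password containing '@' is ambiguous in this grammar; we stop at the first one.
_DSN_RE = re.compile(r"^(?P<user>[^:@/]+)(?::(?P<password>[^@]*))?@")

# Vendor defaults that should never survive into production.
KNOWN_DEFAULT_CREDS = {("elastic", "changeme")}


def parse_mysql_dsn(dsn: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (user, password) embedded in a Go MySQL DSN, or (None, None)."""
    m = _DSN_RE.match(dsn)
    if not m:
        return None, None
    return m.group("user"), m.group("password")


def audit_mattermost_config(cfg: Dict) -> List[str]:
    """Return a list of findings; an empty list means nothing flagged."""
    findings: List[str] = []

    sql = cfg.get("SqlSettings", {})
    user, password = parse_mysql_dsn(sql.get("DataSource", ""))
    if password:
        findings.append(
            f"SqlSettings.DataSource embeds a plaintext password for '{user}': "
            "supply the DSN via the MM_SQLSETTINGS_DATASOURCE environment variable "
            "instead and make sure config.json is not readable by the shell user")

    es = cfg.get("ElasticsearchSettings", {})
    if (es.get("Username"), es.get("Password")) in KNOWN_DEFAULT_CREDS:
        findings.append(
            "ElasticsearchSettings still uses the vendor default "
            f"{es['Username']}:{es['Password']}; rotate it")

    team = cfg.get("TeamSettings", {})
    if team.get("EnableUserCreation") and team.get("RestrictCreationToDomains"):
        findings.append(
            "TeamSettings.RestrictCreationToDomains treats a mailbox on "
            f"'{team['RestrictCreationToDomains']}' as proof of employment; that only "
            "holds if no other system (a helpdesk auto-creating ticket addresses, for "
            "instance) lets outsiders read mail on that domain")
    return findings


if __name__ == "__main__":
    # On a real host: json.load(open("/opt/mattermost/config/config.json"))
    for finding in audit_mattermost_config(SAMPLE_CONFIG):
        print("-", finding)
```

The domain-restriction finding is the one that matters most on this box: the setting itself is sane, but its trust assumption was broken by a neighbouring system, so an audit has to look at who can obtain an address on the trusted domain, not just at the Mattermost flag.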

mysql -u mmuser -p'Crack_The_MM_Admin_PW'

Awesome, a database connection. Now we can enumerate within it.


show databases;
use mattermost;
show tables;
describe Users;
select * from Users\G

Now we have the root SQL user's name and password hash. From the internal channel we already know this password is not on the RockYou password list; however, the same post says that if we are clever enough, hashcat rules will easily crack variations of it. Here are two good resources for hashcat rules: one and two.

Using a rule within hashcat is pretty simple: we just supply the -r flag. Since we want a wordlist rather than a cracking run, we also pass the --stdout option and redirect the output to a text file. In all, this is what we have:

cat password.txt | ./hashcat -r OneRuleToRuleThemAll.rule --force --backend-ignore-cuda --stdout > root_combo.lst

There are some extra flags in there since running hashcat in a VM on new Ryzen silicon was a pain.

Now, with our new wordlist, we simply supply it to John and let it do its work.

john -w=root_combo.lst hash.out
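The lesson for whoever sets the password policy is that "not in RockYou" is not a useful bar: a seed word plus a year, a trailing "!" or a couple of leet substitutions is exactly what rule-based cracking enumerates first. The following added example (my code, not from the write-up, hashcat or John) implements a small subset of hashcat's rule language and uses it on the defensive side, to reject a proposed password when it is reachable from a known seed word (the company name, a previous leaked password) by one of a constructed set of common mangling rules. The seed words, rules and candidate passwords are all constructed for the demonstration.

```python
from typing import Iterable, Optional, Set


def apply_rule(word: str, rule: str) -> str:
    """Apply one hashcat-style rule line (functions separated by spaces) to word.

    Only a subset of the hashcat rule language is implemented:
    ':' no-op, 'l' lowercase, 'u' uppercase, 'c' capitalize, 'C' invert
    capitalize, 't' toggle case, 'r' reverse, 'd' duplicate, '[' drop first,
    ']' drop last, '$X' append X, '^X' prepend X, 'sXY' replace X with Y.
    """
    w = word
    i = 0
    while i < len(rule):
        f = rule[i]
        if f in (" ", ":"):
            pass
        elif f == "l":
            w = w.lower()
        elif f == "u":
            w = w.upper()
        elif f == "c":
            w = w[:1].upper() + w[1:].lower()
        elif f == "C":
            w = w[:1].lower() + w[1:].upper()
        elif f == "t":
            w = w.swapcase()
        elif f == "r":
            w = w[::-1]
        elif f == "d":
            w = w + w
        elif f == "[":
            w = w[1:]
        elif f == "]":
            w = w[:-1]
        elif f in ("$", "^"):
            if i + 1 >= len(rule):
                raise ValueError(f"{f!r} needs an argument in rule {rule!r}")
            i += 1
            w = w + rule[i] if f == "$" else rule[i] + w
        elif f == "s":
            if i + 2 >= len(rule):
                raise ValueError(f"'s' needs two arguments in rule {rule!r}")
            w = w.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule function {f!r} in rule {rule!r}")
        i += 1
    return w


# Constructed policy rule set: the mangling a rule-based attack tries first.
POLICY_RULES = [
    ":", "l", "u", "c", "t", "r", "d",
    "$1", "$!", "$1 $2 $3", "c $1", "c $!", "c $1 $!",
    "sa@", "se3", "so0", "si1", "c sa@ se3 so0 si1",
]
# Recent years appended to the capitalised seed, with and without a trailing "!".
for _year in range(2019, 2023):
    _digits = " ".join("$" + ch for ch in str(_year))
    POLICY_RULES.append(f"c {_digits}")
    POLICY_RULES.append(f"c {_digits} $!")


def expand(seeds: Iterable[str], rules: Iterable[str]) -> Set[str]:
    """Every variant of every seed under every rule, lower-cased so that a
    case-only change never counts as a new password."""
    return {apply_rule(seed, rule).lower() for seed in seeds for rule in rules}


def check_password(candidate: str, seeds: Iterable[str],
                   rules: Iterable[str] = POLICY_RULES) -> Optional[str]:
    """Return a rejection reason, or None if the candidate is acceptable."""
    if candidate.lower() in expand(seeds, rules):
        return "derivable from a known seed word by a common mangling rule"
    return None


if __name__ == "__main__":
    seeds = ["delivery", "mattermost"]          # constructed seed words
    for pw in ["Delivery2021!", "D3l1v3ry", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw, seeds) or 'ok'}")
```

Real hashcat rule files run to tens of thousands of lines and include functions this subset does not cover, so in production the seed set would be expanded with the full rule file offline and the resulting variants stored as hashes; the check itself stays the same membership test.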

Now we have a password for the root SQL user. What are the chances of some password reuse?

su root

There we have it, the root flag! I hope everyone found this box fun, be sure to send Ippsec some love for all his contributions to the community!

Also, if you found this write-up useful, send me some respect over on HTB:

