
Hack The Box – Delivery Walkthrough

Introduction

This was an intermediate Linux machine. The foothold involved abusing osTicket's reply-by-email ticket functionality to obtain a valid @delivery.htb mailbox, which was then used to register on a Mattermost instance where SSH credentials were posted. Privilege escalation involved reading the database credentials from the Mattermost configuration, dumping the root user's bcrypt hash from MySQL and cracking it with Hashcat rules.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The scan reveals port 22 (SSH) and port 80 (HTTP) as open. Performing a second scan with the -p- flag to scan all 65535 TCP ports:

This second scan also reveals port 8065. The next step is to enumerate HTTP.

Enumerating HTTP on Port 80

The following page is displayed when visiting the web server through a browser:

Clicking the “Contact Us” button opens a popup stating that a “@delivery.htb” email address is required to access Mattermost:

Inspecting the source code of the contact us popup, the HelpDesk hyperlink points at http://helpdesk.delivery.htb:

The Mattermost hyperlink points at http://delivery.htb on port 8065:

Updating the /etc/hosts file, adding these two new entries:

Accessing the help desk system at helpdesk.delivery.htb:

It appears to be running osTicket, which allows unauthenticated users to open tickets. The next step is to open one and see what happens:

Upon opening the ticket, the following message is displayed, indicating that comments can be added to the ticket by sending an email to 7342906@delivery.htb:

This shows that when a new ticket is created, the web application sets up an email address in the delivery.htb domain based on the ticket ID, and that anything sent to that address ends up readable in the ticket. This email address can therefore be used to sign up on Mattermost.

Enumerating HTTP on Port 8065

Mattermost is an open-source online chat service designed as an internal chat for organizations and companies, and mostly markets itself as an open-source alternative to Slack and Microsoft Teams.

Accessing MatterMost and clicking on the “Create new one” link:

Using the email address generated by osTicket to subscribe and an arbitrary username and password:

MatterMost requires that users follow a confirmation link sent to their email address for the account to be activated:

Since new emails to the 7342906@delivery.htb address are added as comments to the ticket, the confirmation link should be readable there. Going back to osTicket, clicking on “Check Ticket Status” and entering the email address and the ticket number:

It appears the email sent by MatterMost was added as a comment, including the confirmation link:

Following the link in a browser activates the account:

Joined the “Internal” team and skipped the tutorial:

This leads to a channel with a few messages from the “root” user, one of which contains credentials for the “maildeliverer” user:

Another message from the root user also mentions how variants of “PleaseSubscribe!” are being used as passwords, and how Hashcat rules can be used to generate those variations in an automated fashion. This is probably a hint for the next step.

Using SSH to authenticate as the maildeliverer user with the credentials found above:

Privilege Escalation

After a bit of research, it appears Mattermost stores its database credentials in the config.json file, in the “DataSource” key of the “SqlSettings” section, as a MySQL connection string of the form user:password@tcp(host:port)/database:

Using find to identify the config.json file and grep to find the database credentials:

Logging into MySQL as the “mmuser” user:
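The steps above (locating config.json, extracting DataSource and turning it into a MySQL login) as an added example in Python; this is not code from the walkthrough or from Mattermost. The directory tree and the config.json it contains are constructed here with made-up credentials so the script runs offline, and the DSN layout (user:password@tcp(host:port)/db?params) is that of the Go MySQL driver Mattermost uses.

```python
# Added example (not from the original walkthrough): find a Mattermost config.json
# under a directory tree and parse SqlSettings.DataSource into its parts.
import json
import os
import re
import tempfile
from typing import Dict, List, Optional

# Go MySQL driver DSN: user:password@tcp(host:port)/dbname?param=value&...
# The password may itself contain ':' or '@', so match greedily up to the last '@tcp('.
DSN_RE = re.compile(
    r"^(?P<user>[^:]*):(?P<password>.*)@tcp\((?P<host>[^:)]*):(?P<port>\d+)\)/(?P<db>[^?]*)"
)


def find_configs(root: str, name: str = "config.json") -> List[str]:
    """Walk root and return every file called config.json (what `find <root> -name config.json` does)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def read_datasource(path: str) -> Optional[str]:
    """Return SqlSettings.DataSource from a Mattermost config.json, or None if it is absent."""
    with open(path) as fh:
        cfg = json.load(fh)
    return cfg.get("SqlSettings", {}).get("DataSource")


def parse_dsn(dsn: str) -> Dict[str, str]:
    """Split a tcp() MySQL DSN into user, password, host, port and db."""
    m = DSN_RE.match(dsn)
    if not m:
        raise ValueError("not a tcp() MySQL DSN: %r" % dsn)
    return m.groupdict()


def mysql_command(parts: Dict[str, str]) -> List[str]:
    """argv for the equivalent interactive mysql login.
    Note: a password given via -p on the command line is visible to other users in `ps`;
    on a real host prefer the MYSQL_PWD environment variable or letting mysql prompt."""
    return ["mysql", "-h", parts["host"], "-P", parts["port"], "-u", parts["user"],
            "-p" + parts["password"], parts["db"]]


# Constructed sample config; the credentials are invented, not the box's.
SAMPLE_CONFIG = {
    "ServiceSettings": {"SiteURL": "http://delivery.htb:8065"},
    "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Example_Passw0rd@tcp(127.0.0.1:3306)/mattermost"
                      "?charset=utf8mb4,utf8&readTimeout=30s&writeTimeout=30s",
    },
}


def write_sample_tree() -> str:
    """Create a temp directory shaped like <root>/mattermost/config/config.json holding SAMPLE_CONFIG."""
    root = tempfile.mkdtemp()
    cfgdir = os.path.join(root, "mattermost", "config")
    os.makedirs(cfgdir)
    with open(os.path.join(cfgdir, "config.json"), "w") as fh:
        json.dump(SAMPLE_CONFIG, fh, indent=2)
    return root


if __name__ == "__main__":
    root = write_sample_tree()
    for path in find_configs(root):
        dsn = read_datasource(path)
        if dsn:
            parts = parse_dsn(dsn)
            print(path, parts)
            print(" ".join(mysql_command(parts)))
```

On the box itself the search root would be / (or /opt, where Mattermost is commonly installed), and the same DSN parsing applies to the output of a plain grep for "DataSource".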

Listing the existing databases, selecting the “mattermost” database and listing tables within it:

The “Users” table seems to be interesting, so listing its contents:

There are quite a few columns, so to make things simpler changing the query to only display usernames and password hashes:

select Username,Password from Users;

This appears to contain a few hashes, one of which is for the “root” user. Pasting it into Hash Analyzer reveals it is Bcrypt:

This article explains Hashcat rules in detail; in short, they are a way for Hashcat to transform each password in the dictionary file before hashing it, for example by capitalising it or appending digits, similar to John the Ripper’s word mangling rules. A single rule line can chain several such functions, and a rule file applies every line to every word.

The article also has a link to a custom rule available on GitHub:

Cloning the rule from the GitHub repository:

Saving the hash to a text file for later use:

Running hashcat with the following flags to crack the hash:

  • -a to specify the attack mode, in this case, 0 for dictionary
  • -m to specify the hash type, in this case, 3200 for bcrypt
  • the file containing the hash, followed by the wordlist
  • -r to specify the rule file to use
  • -O to enable optimized kernels (faster, at the cost of a maximum candidate length)
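To make concrete what the -r option does, here is an added example (not from the walkthrough, and not Hashcat's own code) implementing a small subset of Hashcat's rule language and applying it to the hinted base word. The rule file, the base word list and the target hash are constructed for this example. The real attack runs against bcrypt (-m 3200); to keep this runnable offline without the bcrypt package, the checker accepts any verify function and the demo uses SHA-256 as a stand-in, with a comment showing where bcrypt.checkpw would go.

```python
# Added example (not from the original walkthrough): a minimal interpreter for a
# subset of Hashcat's rule functions, showing how one base word is mangled into
# many candidates before each is hashed and compared.
import hashlib
from typing import Callable, Iterable, Iterator, List, Optional


def apply_rule(rule: str, word: str) -> str:
    """Apply one Hashcat rule line (e.g. 'c $1 $!') to a word.
    Functions supported: : l u c C t r d [ ] { } $X ^X sXY. Anything else raises,
    so an unsupported rule never silently yields wrong candidates."""
    w = word
    i = 0
    while i < len(rule):
        f = rule[i]
        i += 1
        if f == " ":
            continue                                   # functions may be space separated
        if f == ":":
            pass                                       # no-op: keep the word as is
        elif f == "l": w = w.lower()
        elif f == "u": w = w.upper()
        elif f == "c": w = w[:1].upper() + w[1:].lower()   # capitalize
        elif f == "C": w = w[:1].lower() + w[1:].upper()   # invert capitalize
        elif f == "t": w = w.swapcase()                    # toggle case
        elif f == "r": w = w[::-1]                         # reverse
        elif f == "d": w = w + w                           # duplicate
        elif f == "[": w = w[1:]                           # delete first char
        elif f == "]": w = w[:-1]                          # delete last char
        elif f == "{": w = w[1:] + w[:1]                   # rotate left
        elif f == "}": w = w[-1:] + w[:-1]                 # rotate right
        elif f in "$^":                                    # append / prepend one char
            if i >= len(rule):
                raise ValueError("rule %r: %s needs an argument" % (rule, f))
            ch = rule[i]
            i += 1
            w = w + ch if f == "$" else ch + w
        elif f == "s":                                     # sXY: replace all X with Y
            if i + 1 >= len(rule):
                raise ValueError("rule %r: s needs two arguments" % rule)
            x, y = rule[i], rule[i + 1]
            i += 2
            w = w.replace(x, y)
        else:
            raise ValueError("unsupported rule function %r in %r" % (f, rule))
    return w


def load_rules(text: str) -> List[str]:
    """Parse a .rule file body: one rule per line, blank lines and '#' comments skipped."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.strip().startswith("#")]


def generate(words: Iterable[str], rules: Iterable[str]) -> Iterator[str]:
    """Yield each unique candidate from every (word, rule) pair, like hashcat -a 0 -r."""
    seen = set()
    rules = list(rules)
    for word in words:
        for rule in rules:
            cand = apply_rule(rule, word)
            if cand not in seen:
                seen.add(cand)
                yield cand


def sha256_hex(s: str) -> str:
    """Stand-in hash for the demo; Mattermost's hashes are bcrypt, not SHA-256."""
    return hashlib.sha256(s.encode()).hexdigest()


def check_candidates(target: str, candidates: Iterable[str],
                     verify: Callable[[str, str], bool]) -> Optional[str]:
    """Return the first candidate accepted by verify(candidate, target), or None.
    For a real bcrypt hash, verify would be:
        lambda c, h: bcrypt.checkpw(c.encode(), h.encode())"""
    for cand in candidates:
        if verify(cand, target):
            return cand
    return None


# Constructed rule file in the spirit of the hint: case tweaks and digits appended.
SAMPLE_RULES = """
# lines starting with '#' are comments
:
c
u
$1
$0 $1
$4 $2
c $0 $7
s!1
r
"""

if __name__ == "__main__":
    target = sha256_hex("PleaseSubscribe!42")      # constructed target, not the box's hash
    hit = check_candidates(target, generate(["PleaseSubscribe!"], load_rules(SAMPLE_RULES)),
                           lambda cand, h: sha256_hex(cand) == h)
    print(hit)
```

The reason rules matter here is cost: bcrypt is deliberately slow, so a huge generic wordlist is impractical, whereas one base word times a few thousand mangling rules is a small, targeted candidate set.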

The password was successfully cracked by Hashcat:

Changing to the root user with the password cracked above:

This has provided a root-level shell.

Conclusion

This box was truly awesome and I particularly enjoyed it because it was very real-life oriented, using attacks and misconfigurations that are quite likely to be found in real engagements. The Hashcat rules vector was definitely the cherry on top, as it is a functionality that is often overlooked.