mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-21 19:43:03 +00:00
Add files via upload
This commit is contained in:
parent
639392090b
commit
ddcf41800d
1 changed files with 165 additions and 0 deletions
165
HackTheBox/Deilvery.md
Normal file
165
HackTheBox/Deilvery.md
Normal file
|
@ -0,0 +1,165 @@
|
|||
# HackTheBox-Delivery
|
||||
|
||||
## NMAP
|
||||
|
||||
```
|
||||
PORT STATE SERVICE VERSION
|
||||
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
|
||||
| ssh-hostkey:
|
||||
| 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|
||||
| 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|
||||
|_ 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
|
||||
80/tcp open http nginx 1.14.2
|
||||
|_http-server-header: nginx/1.14.2
|
||||
|_http-title: Welcome
|
||||
8065/tcp open unknown
|
||||
| fingerprint-strings:
|
||||
| GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
|
||||
| HTTP/1.1 400 Bad Request
|
||||
| Content-Type: text/plain; charset=utf-8
|
||||
| Connection: close
|
||||
| Request
|
||||
| GetRequest:
|
||||
| HTTP/1.0 200 OK
|
||||
| Accept-Ranges: bytes
|
||||
| Cache-Control: no-cache, max-age=31556926, public
|
||||
| Content-Length: 3108
|
||||
| Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|
||||
| Content-Type: text/html; charset=utf-8
|
||||
| Last-Modified: Tue, 02 Mar 2021 21:12:13 GMT
|
||||
| X-Frame-Options: SAMEORIGIN
|
||||
| X-Request-Id: dd9rh44dg3bsjmikyoawb6qabe
|
||||
| X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
|
||||
| Date: Tue, 02 Mar 2021 21:49:09 GMT
|
||||
| <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,u
|
||||
ser-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mob
|
||||
ile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
|
||||
| HTTPOptions:
|
||||
| HTTP/1.0 405 Method Not Allowed
|
||||
| Date: Tue, 02 Mar 2021 21:49:09 GMT
|
||||
|_ Content-Length: 0
|
||||
```
|
||||
|
||||
## PORT 80 (HTTP)
|
||||
|
||||
<img src="https://imgur.com/fHTpeNT.png"/>
|
||||
|
||||
<img src="https://imgur.com/wQ0daUS.png"/>
|
||||
|
||||
It looks like we need to add `delivery.htb` to `/etc/hosts`
|
||||
|
||||
We can also see that `Helpdesk` would lead us to a sub domain `help.delivery.htb` so we should add this to `/etc/hosts`
|
||||
|
||||
<img src="https://imgur.com/mCUpmVk.png"/>
|
||||
|
||||
## PORT 8065 (HTTP)
|
||||
On adding the domain in /etc/hosts
|
||||
|
||||
### help.delievery.htb
|
||||
<img src="https://imgur.com/iTvtqAk.png"/>
|
||||
|
||||
On selecting `Open a new ticket`
|
||||
|
||||
<img src="https://imgur.com/c9kJKxQ.png"/>
|
||||
|
||||
<img src="https://imgur.com/cW2yG76.png"/>
|
||||
|
||||
<img src="https://imgur.com/9iyKF9S.png"/>
|
||||
|
||||
After creating a ticket we will get a token number and a mail which we will use to register on `Mattermost` which is on `delivery.htb`
|
||||
|
||||
On logging in with the registered email
|
||||
|
||||
<img src="https://imgur.com/xHcF2Xl.png"/>
|
||||
|
||||
### delievery.htb
|
||||
|
||||
Visit this domain and register with the `token_number@delivery.htb` which will then send you the email verification link
|
||||
|
||||
<img src="https://imgur.com/9batnYw.png"/>
|
||||
|
||||
<img src="https://imgur.com/8BVe05D.png"/>
|
||||
|
||||
<img src="https://imgur.com/sHvZQcj.png"/>
|
||||
|
||||
We will get these credentials `maildeliverer:Youve_G0t_Mail!`
|
||||
|
||||
Also this message
|
||||
|
||||
```
|
||||
Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"
|
||||
|
||||
PleaseSubscribe! may not be in RockYou but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases.
|
||||
```
|
||||
|
||||
Login here with the credentials
|
||||
|
||||
<img src="https://imgur.com/x12MwEK.png"/>
|
||||
|
||||
<img src="https://imgur.com/Ey24ZgQ.png"/>
|
||||
|
||||
But there was not nothing on `ostickets` so I tried these credentials by logging in with ssh
|
||||
|
||||
<img src="https://imgur.com/VZPRUvb.png"/>
|
||||
|
||||
Going into `/opt` directory I found a folder named `mattermost`.
|
||||
|
||||
<img src="https://imgur.com/CwnWK5p.png"/>
|
||||
|
||||
Again we see an interesting folder named `config`
|
||||
|
||||
<img src="https://imgur.com/xIDt2OI.png"/>
|
||||
|
||||
<img src="https://imgur.com/lZYmO10.png"/>
|
||||
|
||||
And we can see credentials for the mysql database
|
||||
|
||||
<img src="https://imgur.com/XcxUGpg.png"/>
|
||||
|
||||
Mysql is running on port 3306 which is the defualt one so let's try logging in with the credentials we found
|
||||
|
||||
<img src="https://imgur.com/KQz76Xl.png"/>
|
||||
|
||||
<img src="https://imgur.com/iGP1GUu.png"/>
|
||||
|
||||
<img src="https://imgur.com/pKb75u5.png"/>
|
||||
|
||||
At the end we see a table named `Users`
|
||||
|
||||
<img src="https://imgur.com/6QFgFW2.png"/>
|
||||
|
||||
<img src="https://imgur.com/arpmz8y.png"/>
|
||||
|
||||
We will get the information for `root` user including the password hash
|
||||
|
||||
<img src="https://imgur.com/ZUy2suD.png"/>
|
||||
|
||||
Visiting `Name That Hash` website we can see that this is `bcrypt` hash
|
||||
|
||||
<img src="https://imgur.com/TcmEI51.png"/>
|
||||
|
||||
Save the hash in a text file
|
||||
|
||||
<img src="https://imgur.com/ZatfO74.png"/>
|
||||
|
||||
Now remeber the message that we saw from Mattermost chat that we need to use hashcat rules for the variation of `PleaseSubscribe!`
|
||||
|
||||
For creating hashcat rules I visited this page
|
||||
|
||||
https://hackingvision.com/2020/03/27/hashcat-rule-based-attack/
|
||||
|
||||
Here it talks about `Hob0Rules`
|
||||
|
||||
<img src="https://imgur.com/ZQSePJb.png"/>
|
||||
|
||||
<img src="https://imgur.com/tnZlvuz.png"/>
|
||||
|
||||
So let's run hashcat with the bcrypt hash against the password and the rule
|
||||
|
||||
<img src="https://imgur.com/rjkeFVV.png"/>
|
||||
|
||||
It took a lot of time to crack the hash as I don't have a good GPU
|
||||
|
||||
<img src="https://imgur.com/GcDFMWG.png"/>
|
||||
|
||||
<img src="https://imgur.com/iBerWLf.png"/>
|
Loading…
Reference in a new issue