# HackTheBox-Delivery

## NMAP

```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp   open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open  unknown
| fingerprint-strings:
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Tue, 02 Mar 2021 21:12:13 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: dd9rh44dg3bsjmikyoawb6qabe
|     X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
|     Date: Tue, 02 Mar 2021 21:49:09 GMT
|     Mattermost
```

It looks like we need to add `delivery.htb` to `/etc/hosts`.

We can also see that `Helpdesk` would lead us to a subdomain, `help.delivery.htb`, so we should add this to `/etc/hosts` as well.

## PORT 8065 (HTTP)

On adding the domain to `/etc/hosts`

### help.delivery.htb

On selecting `Open a new ticket`

After creating a ticket we get a token number and a mail address, which we will use to register on `Mattermost`, which is on `delivery.htb`.

On logging in with the registered email

### delivery.htb

Visit this domain and register with `token_number@delivery.htb`, which will then send you the email verification link.

We will get these credentials: `maildeliverer:Youve_G0t_Mail!`

Also this message:

```
Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"
PleaseSubscribe! may not be in RockYou but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases.
```

Log in here with the credentials.

But there was nothing on `ostickets`, so I tried these credentials by logging in with SSH.

Going into the `/opt` directory, I found a folder named `mattermost`.

Again we see an interesting folder named `config`.

And we can see credentials for the MySQL database.

MySQL is running on port 3306, which is the default one, so let's try logging in with the credentials we found.

At the end we see a table named `Users`.

We will get the information for the `root` user, including the password hash.

Visiting the `Name That Hash` website, we can see that this is a `bcrypt` hash.

Save the hash in a text file.

Now remember the message that we saw in the Mattermost chat, that we need to use hashcat rules for the variations of `PleaseSubscribe!`.

For creating hashcat rules I visited this page:

https://hackingvision.com/2020/03/27/hashcat-rule-based-attack/

Here it talks about `Hob0Rules`.

So let's run hashcat with the bcrypt hash against the password and the rule.

It took a lot of time to crack the hash as I don't have a good GPU.

The hash has been cracked, so let's try logging in as the `root` user and see if this is the password for the root user on the box.
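
The Mattermost message quoted earlier asks for a program that stops people re-using variants of one base password. One way such a check could look at password-change time, as an added example that is not part of the original write-up or of anything on the box; the function names, the banned list and the substitution table are assumptions:

```python
import re
from typing import Optional

# Base phrases users must not build passwords from. "PleaseSubscribe!" is the
# one named in the chat message; the list itself is an assumption of this example.
BANNED_BASES = ["PleaseSubscribe!"]

# Fold look-alike characters into one letter so leetspeak swaps collapse
# (constructed table, not exhaustive). 'l' folds to 'i' because '1', '!' and '|'
# are used for both letters.
FOLD = str.maketrans({"0": "o", "1": "i", "!": "i", "|": "i", "l": "i",
                      "3": "e", "4": "a", "@": "a", "5": "s", "$": "s",
                      "7": "t", "+": "t"})


def skeleton(text: str) -> str:
    """Lowercase, undo look-alike substitutions, drop everything but a-z."""
    return re.sub(r"[^a-z]", "", text.lower().translate(FOLD))


def base_skeleton(base: str) -> str:
    """Skeleton of a banned phrase without its leading/trailing decoration."""
    return skeleton(re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", base))


def find_banned_base(password: str, bases=BANNED_BASES) -> Optional[str]:
    """Return the banned phrase this password is derived from, else None.

    Catches case toggling, leetspeak, prepended/appended digits and symbols,
    duplication and reversal of the base phrase.
    """
    cand = skeleton(password)
    for base in bases:
        core = base_skeleton(base)
        if len(core) < 6:          # too short to match safely, skip it
            continue
        if core in cand or core in cand[::-1]:
            return base
    return None


if __name__ == "__main__":
    # Constructed sample passwords for a quick run.
    for pw in ["PleaseSubscribe!21", "p13@s3SuBsCr1b3!", "!ebircsbuSesaelP",
               "correct-horse-battery-staple"]:
        print(f"{pw!r:32} -> {find_banned_base(pw)}")
```

Because the comparison is done on a folded skeleton rather than on the literal string, the same transformations that mangling rules apply to a wordlist entry all map back to the banned phrase and are rejected before the password is ever hashed.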