HackTheBox-Delivery
NMAP
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
| 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_ 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open unknown
| fingerprint-strings:
| GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Cache-Control: no-cache, max-age=31556926, public
| Content-Length: 3108
| Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
| Content-Type: text/html; charset=utf-8
| Last-Modified: Tue, 02 Mar 2021 21:12:13 GMT
| X-Frame-Options: SAMEORIGIN
| X-Request-Id: dd9rh44dg3bsjmikyoawb6qabe
| X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
| Date: Tue, 02 Mar 2021 21:49:09 GMT
| <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,u
ser-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mob
ile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Date: Tue, 02 Mar 2021 21:49:09 GMT
|_ Content-Length: 0
PORT 80 (HTTP)
It looks like we need to add delivery.htb to /etc/hosts
We can also see that Helpdesk would lead us to a subdomain, help.delivery.htb, so we should add this to /etc/hosts
PORT 8065 (HTTP)
On adding the domain in /etc/hosts
help.delivery.htb
On selecting Open a new ticket
After creating a ticket we will get a token number and a mail which we will use to register on Mattermost, which is on delivery.htb
On logging in with the registered email
delivery.htb
Visit this domain and register with the token_number@delivery.htb address, which will then send you the email verification link
We will get these credentials maildeliverer:Youve_G0t_Mail!
Also this message
Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"
PleaseSubscribe! may not be in RockYou but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases.
Log in here with the credentials
But there was nothing on osTicket, so I tried these credentials by logging in with ssh
Going into the /opt directory I found a folder named mattermost.
Again we see an interesting folder named config
And we can see credentials for the mysql database
MySQL is running on port 3306, which is the default one, so let's try logging in with the credentials we found
At the end we see a table named Users
We will get the information for the root user, including the password hash
Visiting the Name That Hash website we can see that this is a bcrypt hash
Save the hash in a text file
Now remember the message that we saw from the Mattermost chat: we need to use hashcat rules for the variations of PleaseSubscribe!
For creating hashcat rules I visited this page
https://hackingvision.com/2020/03/27/hashcat-rule-based-attack/
Here it talks about Hob0Rules
So let's run hashcat with the bcrypt hash against the password and the rule
It took a lot of time to crack the hash as I don't have a good GPU
The hash has been cracked, so let's try logging in as the root user and see if this is the password for the root user on the box
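The Mattermost message quoted earlier asks for a program that stops people from reusing variants of a known phrase. One way to implement that check at password-set time, as an added example that is not part of the original write-up: a candidate is reduced to a canonical skeleton (case folded, common character substitutions undone, digits and symbols dropped) and rejected if a banned base phrase appears in it forwards or reversed. The function names, the substitution table, the length threshold and the sample passwords are assumptions constructed for illustration.

```python
import re
from typing import Optional

# Constructed denylist of base phrases known to be reused (from the message above).
BANNED_BASES = ["PleaseSubscribe!"]

# Assumed table of common look-alike substitutions; 'l' and '1' both fold to 'i'
# so that either spelling of the same glyph compares equal.
FOLD = str.maketrans({"0": "o", "1": "i", "l": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_BASE_LEN = 6  # skip bases too short to match without false positives


def skeleton(text: str) -> str:
    """Canonical form: lower-case, substitutions undone, letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(FOLD))


def banned_variant(candidate: str) -> Optional[str]:
    """Return the banned base that `candidate` is derived from, or None."""
    cand = skeleton(candidate)
    for base in BANNED_BASES:
        core = skeleton(base)
        if len(core) < MIN_BASE_LEN:
            continue
        # Containment covers appended/prepended characters and duplication;
        # the reversed comparison covers a reversed phrase.
        if core in cand or core in cand[::-1]:
            return base
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the box.
    samples = ["PleaseSubscribe!21", "Pl3as3Subscr1be2020",
               "!ebircsbuSesaelP", "correct horse battery staple"]
    for pw in samples:
        verdict = "reject" if banned_variant(pw) else "accept"
        print(f"{verdict:6}  {pw}")
```

The check runs on the plaintext at the moment a password is set or changed, before it is hashed, since stored bcrypt hashes cannot be compared this way.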