HackTheBox: (“Delivery”) — Walkthrough

Mohamed Elmasry
May 22, 2021

Hi People :D

Today we are going to solve the “Delivery” machine from HackTheBox, let’s go :D

Info

TL;DR
 — — —

  1. Ports 80 and 22 are open
  2. Open the website in any browser; there’s a basic page that shows some information about the website, plus a contact us button
  3. The contact us section references two different domains (helpdesk.delivery.htb & delivery.htb); put them in the /etc/hosts file
  4. Navigate to helpdesk.delivery.htb; it’s a support center with a Tickets function, so I opened a new ticket, filled in some information, and it gave me an email and the ticket id
  5. Navigate to delivery.htb:8065; it’s running Mattermost and has register and login functions, so I registered a new account using the email that I got from my ticket (xxxxxxx@delivery.htb)
  6. After creating the account, it requests an email verification, so I moved back to helpdesk.delivery.htb, checked my ticket using my email and my ticket id, and found that the verification URL had been sent to this ticket
  7. Using the verification URL, I was able to log in to the support account in Mattermost
  8. In the Mattermost chat, there are maildeliverer creds; using these creds you can SSH in as maildeliverer and you’ll find the user flag in the user directory
  9. After some enumeration, I found MySQL creds in the /opt/mattermost/config/config.json file; using these creds I found the root hash in the mattermost database
  10. With the hint from the Mattermost chat, I made a custom wordlist using hashcat rules and used it to crack the root hash, then I SSHed in as root with the cracked password and found the root flag in /root/root.txt

Enumeration

— — — — — —

Start with Nmap

nmap -A 10.10.10.222

We have two open ports (22/80) so let’s navigate to the website on port 80

Web Enumeration

— — — — — — — —

On port 80, we have a basic page with a contact us button

Click on this contact us button; it shows two words (HelpDesk & MatterMost) that refer to other domains (helpdesk.delivery.htb) and (delivery.htb:8065)

Add these domains to the /etc/hosts file

Cool!.. navigate to helpdesk.delivery.htb first; we have a Tickets system where we can create tickets and check them

Let’s try to create a new ticket, it requires an email, name and phone number.. fill this information with any dummy data but remember the email ( we will use it later )

Click on Create Ticket after filling the fields, it will give you a ticket id and email

Move to delivery.htb:8065, it’s running Mattermost and it requires creds to login

We can create an account, so what if we use the support email that we got from the ticket ?!... Let’s try it

After creating an account, it will ask you to verify your account

Go back to helpdesk.delivery.htb and click on Check Ticket Status, put in your email and your ticket id, then click on View Ticket.

The verification URL was sent to our ticket!!

User Flag

— — — — —

Using this verification URL, we successfully verify the account and now we are able to login with it

You will find maildeliverer creds in the internal chat after logging into the support account (maildeliverer:Youve_G0t_Mail!)

We can SSH into maildeliverer user using these creds with:

ssh maildeliverer@10.10.10.222

You will find the user flag inside the home directory :D

Root Flag

— — — — —

After some files enumeration, I found MySQL creds in /opt/mattermost/config/config.json file (mmuser:Crack_The_MM_Admin_PW)

I used these creds with MySQL command and fortunately, it worked :D

mysql -h localhost -u mmuser -pCrack_The_MM_Admin_PW

First, execute show databases; to list the databases, then use mattermost; to select this database, then show tables; to list all tables inside the mattermost database

We want to get the root hash so we must look at the Users table

To list the Users table fields, execute desc Users;

And now select the username and the password from the Users table:

select Username,Password from Users where username='root';

This command will only display the root hash

We have the root hash now but before you start cracking it, go back to Mattermost internal chat… there’s a nice hint from the root

As the hint says, we can use hashcat rules to make a custom wordlist using the “PleaseSubscribe!” word

Hashcat has some rules that come with it by default located at /usr/share/hashcat/rules directory, I used the best64 rule to make a wordlist

We can use the echo command and pipe it to hashcat to make a wordlist (single quotes keep the shell from treating the ! as history expansion)

echo 'PleaseSubscribe!' | hashcat -r /usr/share/hashcat/rules/best64.rule --stdout > wordlist.txt

( Note: if you are using a virtual Kali Linux 2021.x machine with hashcat v6, this command may not work and may give you a hardware error… try this command on Windows or dual-boot Kali )

It’s cracking time XD

Put the root hash in a file (any name works; here it is called hash), then execute this command to start the cracking process with our custom wordlist:

hashcat -m 3200 -a 0 hash wordlist.txt
  • -m 3200 => specifies the hash type, 3200 stands for bcrypt hash
  • -a 0 => specifies an attack mode, 0 stands for Straight mode … this will make hashcat read our wordlist line by line and try to use every word as a password

We successfully cracked the hash :D … the root password is: PleaseSubscribe!21
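Why this falls so quickly, seen from the defender's side: the password passes a typical length and character-class rule, yet it is only a known phrase with a short suffix. The following is an added example, not part of the original write-up: a password-policy check that rejects simple variants of denylisted phrases. The function names, the character-swap table and the denylist are assumptions constructed for illustration.

```python
import re

# Character swaps commonly used to disguise a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
# Leading or trailing run of digits and symbols (the usual "word + 21" pattern).
AFFIX = re.compile(r"^[^A-Za-z]+|[^A-Za-z]+$")


def meets_complexity(password, min_length=12):
    """Typical length + character-class rule."""
    return (len(password) >= min_length
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def skeleton(text):
    """Lowercase, undo character swaps, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def derived_from(password, denylist):
    """Return the denylisted phrase `password` is a simple variant of, else None."""
    candidates = {skeleton(password), skeleton(AFFIX.sub("", password))}
    for phrase in denylist:
        base = skeleton(AFFIX.sub("", phrase))
        if base and candidates & {base, base[::-1], base * 2}:
            return phrase
    return None


# Constructed denylist: phrases known to be reused inside the organisation.
DENYLIST = ["PleaseSubscribe!"]

if __name__ == "__main__":
    for pw in ("PleaseSubscribe!21", "Pl3as3Subscr1be2021",
               "!ebircsbuSesaelP", "correct-horse-battery-staple"):
        print(pw, meets_complexity(pw), derived_from(pw, DENYLIST))
```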

Use this password to SSH into root with:

ssh root@10.10.10.222

Or execute su root command from maildeliverer user and write the password, you will find the root flag in /root/root.txt file

Thanks for reading and I hope you love this writeup ❤.

You can give me a Respect on my HackTheBox Account (if you want :D).
