Name: | Delivery |
---|---|
Release Date: | 12 May 2021 |
Retire Date: | 09 Jul 2021 |
OS: | Linux |
Base Points: | Easy - Retired [0] |
InfoSecJack 00 days, 00 hours, 42 mins, 52 seconds | |
Coaran 00 days, 00 hours, 44 mins, 25 seconds | |
Creator: | Ippsec |
Pentest Workstation PDF: | Delivery.pdf |
Again, we start with:
sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.10.222
Sidenote: Newer versions of Kali that do not use root by default require sudo whenever checking UDP ports.
So SSH (TCP 22) and HTTP (TCP 80) are the major ports we need to look at right now. If we navigate to http://10.10.10.222, we get a landing page that has a link to a Helpdesk portal, but the URL is:
http://helpdesk.delivery.htb
We need to add 10.10.10.222 delivery.htb helpdesk.delivery.htb to our /etc/hosts file before we navigate to it.
There's also a Contact Us link on the main landing page, which in turn links to:
http://delivery.htb:8065/login
but it really only works if we have an @delivery.htb email address. Let's try opening a ticket and see what happens. Entering dummy information and submitting the ticket presents us with a success page and (surprise) a delivery.htb email address! Now let's check the ticket status in one tab, register on the Mattermost page on port 8065, and see if the registration confirmation comes to us. Once we click on that registration link and sign in, we can join the internal team and see the Internal chat channel with the following goodies!
@developers Please update theme to the OSTicket before we go live. Credentials to the server are maildeliverer:Youve_G0t_Mail!
Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"
Let's see if we can SSH using the maildeliverer credentials.
This is the ticket status before we register in Mattermost using the 9916822@delivery.htb address. The below is after.
Copy the http://delivery.htb:8065/do_verify_email?token=naay75cky4ahmax8zrotpfwuh4omtpp7uy7wwcednpztngoy518u99r756ajdqbd&email=9916822%40delivery.htb link and paste it into a new tab. Log in with the 9916822@delivery.htb address and the password you created, and you are officially in Mattermost!
Now that we have SSH credentials, we can grab the user.txt flag and start enumerating our escalation path.
maildeliverer@Delivery:~$ cat user.txt
221a30fc0945b545cdae244f3bcd5c39
After researching Mattermost, we found that the config.json file may have environment variables (like a DB password, for instance) stored in it: https://docs.mattermost.com/configure/configuration-settings.html Let's take a look and see if we're right.
Sure enough, it does. Now we run:
mysql -u mmuser -p
Password: Crack_The_MM_Admin_PW
use mattermost
select * from Users;
and poke around the DB for any information.
The only entry that matters is:
| 0 | root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO | NULL | | root@delivery.htb
If you recall, the Internal chat channel mentions not using variants of PleaseSubscribe!. All we need to do is generate candidate passwords based on that string using:
echo PleaseSubscribe! | hashcat -r /usr/share/hashcat/rules/best64.rule --stdout
This will create a nice wordlist for us to pass through John the Ripper to crack that hash.
It cracks to: PleaseSubscribe!21
Just su root with that password and grab your well-deserved flag!
root@Delivery:/home/maildeliverer# cat /root/root.txt
7a45d541ae205e66534b0b5821645888
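The chat message asks for a program that stops reuse of password variants, and the cracked password shows why an exact-match blocklist would not have caught it. Below is one way such a check could look, added here as an example (it is not part of the original write-up or the box); the function names, the substitution table and the 0.85 similarity threshold are assumptions.

```python
import re
import string
from difflib import SequenceMatcher

# Assumed confusable classes: look-alike characters collapse to one letter,
# so "Subscr1be", "Subscr!be" and "Subscribe" all normalize identically.
_CONFUSABLE = str.maketrans({
    "0": "o", "1": "i", "l": "i", "!": "i", "|": "i",
    "3": "e", "4": "a", "@": "a", "5": "s", "$": "s", "7": "t",
})
_AFFIXES = string.digits + string.punctuation + string.whitespace


def normalize(password: str) -> str:
    """Reduce a password to a canonical root for comparison."""
    s = password.lower().strip(_AFFIXES)   # drop prefixes/suffixes such as "!21"
    s = s.translate(_CONFUSABLE)           # undo character substitutions
    return re.sub(r"[^a-z]", "", s)        # drop separators left inside


def is_variant(candidate: str, banned: list[str], threshold: float = 0.85) -> bool:
    """True if candidate is a banned root, contains one, or is a near match."""
    c = normalize(candidate)
    if not c:
        return False
    for root in map(normalize, banned):
        if not root:
            continue
        for form in (c, c[::-1]):          # also catch reversed strings
            if root in form:
                return True
            if SequenceMatcher(None, form, root).ratio() >= threshold:
                return True
    return False


if __name__ == "__main__":
    banned = ["PleaseSubscribe!"]          # the root named in the chat message
    # Constructed sample inputs, except the first, which is the cracked password.
    for pw in ["PleaseSubscribe!21", "Pl3as3Subscr1be!", "!ebircsbuSesaelP",
               "PleaseSubscrib", "correct horse battery staple"]:
        print(f"{pw!r:35} rejected={is_variant(pw, banned)}")
```

A check like this belongs in the password-change path, next to a breached-password lookup, so that appending digits or swapping characters on a known root is rejected before the new password is stored.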
root@bountyhunter:/home/development# cat /root/root.txt
0bc2e02e92bfff4ee4aed1e7a35071cf
Did I mention how much I love Python.... Another box down! Enjoy!