Again, we start with sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.10.222
Sidenote: Newer versions of Kali that do not use root by default require sudo whenever checking UDP ports.
So, SSH (TCP 22) and HTTP (TCP 80) are the major ports that we need to look at right now. If we navigate to http://10.10.10.222, we get a landing page that has a link to a Helpdesk portal, but the url is:
We need to add 10.10.10.222 delivery.htb helpdesk.delivery.htb to our /etc/hosts file before we navigate to it.
There's also a Contact Us link on the main landing page that also has a link to:
but it really only works if we have an @delivery.htb email address. Let's try opening a ticket and see what happens. Entering dummy information and submitting the ticket presents us with a success page and (surprise) a delivery.htb email address! Now let's check the ticket status in one tab, register on the MatterMost page on port 8065, and see if the registration confirmation comes to us. Once we click on that registration link and sign in, we can join the internal team and see the Internal chat channel with the following goodies!
@developers Please update theme to the OSTicket before we go live. Credentials to the server are maildeliverer:Youve_G0t_Mail!
Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"
Let's see if we can SSH using the maildeliverer credentials.
This is the ticket status before we register in MatterMost using the firstname.lastname@example.org address. The below is after.
Copy the http://delivery.htb:8065/do_verify_email?token=naay75cky4ahmax8zrotpfwuh4omtpp7uy7wwcednpztngoy518u99r756ajdqbd&email=9916822%40delivery.htb link and paste it into a new tab. Log in with the email@example.com and password you created and you are officially in MatterMost!
Now that we have SSH credentials, we can grab the user.txt flag and start enumerating our escalation path.
maildeliverer@Delivery:~$ cat user.txt
After researching MatterMost (https://docs.mattermost.com/configure/configuration-settings.html), we found that the config.json file may have environment variables (like a DB password, for instance) stored in it. Let's take a look and see if we're right.
Sure enough, it does. Now we run:
mysql -u mmuser -p
select * from Users;
and poke around the DB for any information.
The only entry that matters is:
| 0 | root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO | NULL | | firstname.lastname@example.org
If you recall from the Internal Chat Channel, it mentions not using variants of PleaseSubscribe!. All we need to do is generate candidate passwords based on that string using:
echo PleaseSubscribe! | hashcat -r /usr/share/hashcat/rules/best64.rule --stdout
This will create a nice wordlist for us to pass through John the Ripper to crack that hash.
It cracks to: PleaseSubscribe!21
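The chat message above asked for a program to stop re-use of "PleaseSubscribe!" variants. As an added example (not part of the original write-up), here is one way to reject such variants when a password is set. The deny-list, the function names and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed deny-list (assumption): base strings the organisation has banned.
BANNED_BASES = ["PleaseSubscribe!"]

# Undo common character substitutions before comparing.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def skeleton(password: str) -> str:
    """Lowercased letters-only core with affixed digits/symbols and leet removed."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return re.sub(r"[^a-z]", "", core.lower().translate(LEET))

def is_banned_variant(password: str, threshold: float = 0.85) -> bool:
    """True if the password is a mangled form of any banned base string."""
    cand = skeleton(password)
    for base in BANNED_BASES:
        ref = skeleton(base)
        for form in (cand, cand[::-1]):            # also catch reversed passwords
            if ref in form:                        # appended, prefixed, duplicated
                return True
            if SequenceMatcher(None, ref, form).ratio() >= threshold:
                return True                        # truncated or lightly edited
    return False

if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["PleaseSubscribe!21", "correct horse battery staple"]:
        print(pw, "->", "reject" if is_banned_variant(pw) else "accept")
```

The check has to run on the plaintext at password-change time, since stored bcrypt hashes cannot be compared against a deny-list without guessing each variant.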
Just su root with that password and grab your well deserved flag!
root@Delivery:/home/maildeliverer# cat /root/root.txt
root@bountyhunter:/home/development# cat /root/root.txt
Did I mention how much I love Python.... Another box down! Enjoy!