This is a write-up on the Delivery machine challenge from HTB. For more information on challenges like these, check out my post on penetration testing.  Special thanks to HTB user ippsec for creating the challenge.

Getting On The Server

nmap 10.10.10.222

A basic nmap shows the machine is running SSH and hosting a web server. Visit the website, which contains links to http://helpdesk.delivery.htb/ and http://delivery.htb:8065, and add the host names to /etc/hosts.

echo "10.10.10.222	helpdesk.delivery.htb delivery.htb" >> /etc/hosts

The server is running osTicket, a helpdesk support platform, and mattermost, an open source collaboration tool. A careful read of the text on the webpage provides direction for obtaining a foothold.

  1. Open a support ticket, keeping track of the ticket number. Also note the email address that is provided when the ticket is created "If you want to add more information to your ticket, just email [email protected]"
  2. Create an account on the mattermost server, using the email address provided when creating a support ticket (e.g. [email protected]).
  3. Check on the status of the support ticket.  There will now be a message containing an validation link.
  4. Open the validation link and log into mattermost, then join the "Internal" team. Read all the messages, as they provide clues required later for privilege escalation.  
  5. One of the messaged posted includes the username and password to the server.  Use these credentials to SSH to the server and obtain user.txt.

Privilege Escalation

Based on the clues provided, look for hashes that can be used to crack the root password.  The file /opt/mattermost/config/config.json contains credentials for the mattermost database and is a good place to start.  

mysql -u mmuser -p #enter password when prompted
show databases; #determine which database to connect to
use mattermost; #connect to database
show tables; #reconnaissance / find relevant information
select * from Users; #displays information about users, including password hashes
select Password from Users where Username = ‘root’; #narrow the search

The steps above can be used to obtain a password hash for root.  To reverse the hash, the type of hash must be known. This can be obtained with the hashid command.  

hashid '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' #bcrypt/Blowfish

Next, recall the clue on the mattermost server "PleaseSubscribe! may not be in RockYou but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases." The hashcat command can be used to create a list of password variations based on PleaseSubscribe! and which can be used as the wordlist for reversing the hash.  Create a text file called mangleme with one line of text reading "PleaseSubscribe!" (without the quotes).  Ensure the file contains no extraneous whitespace.  

Run hashcat to create the wordlist, then run it again to reverse the hash.

hashcat -r /usr/share/hashcat/rules/best64.rule --stdout mangleme > wordlist.txt
hashcat -m 3200 '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' wordlist.txt

The password for root is revealed and can be used with the su command to elevate to the root account and obtain root.txt.