User
To start let’s see what ports has open:
[jusepe@nix:~/Documents/HackTheBox/Delivery]$ sudo scan delivery.htb
[*] OS based on TTL
Unknown OS
[*] TCP Scan
Open ports: 22,80,8065
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
| 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_ 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open unknown
| fingerprint-strings:
| GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Cache-Control: no-cache, max-age=31556926, public
| Content-Length: 3108
| Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
| Content-Type: text/html; charset=utf-8
| Last-Modified: Tue, 19 Jan 2021 10:45:29 GMT
| X-Frame-Options: SAMEORIGIN
| X-Request-Id: u4g3kd98h7ds8c635a6bgkzqfc
| X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
| Date: Tue, 19 Jan 2021 11:01:06 GMT
| <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Date: Tue, 19 Jan 2021 11:01:07 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8065-TCP:V=7.91%I=7%D=1/19%Time=6006B9D5%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,DF3,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ranges:\
SF:x20bytes\r\nCache-Control:\x20no-cache,\x20max-age=31556926,\x20public\
SF:r\nContent-Length:\x203108\r\nContent-Security-Policy:\x20frame-ancesto
SF:rs\x20'self';\x20script-src\x20'self'\x20cdn\.rudderlabs\.com\r\nConten
SF:t-Type:\x20text/html;\x20charset=utf-8\r\nLast-Modified:\x20Tue,\x2019\
SF:x20Jan\x202021\x2010:45:29\x20GMT\r\nX-Frame-Options:\x20SAMEORIGIN\r\n
SF:X-Request-Id:\x20u4g3kd98h7ds8c635a6bgkzqfc\r\nX-Version-Id:\x205\.30\.
SF:0\.5\.30\.1\.57fb31b889bf81d99d8af8176d4bbaaa\.false\r\nDate:\x20Tue,\x
SF:2019\x20Jan\x202021\x2011:01:06\x20GMT\r\n\r\n<!doctype\x20html><html\x
SF:20lang=\"en\"><head><meta\x20charset=\"utf-8\"><meta\x20name=\"viewport
SF:\"\x20content=\"width=device-width,initial-scale=1,maximum-scale=1,user
SF:-scalable=0\"><meta\x20name=\"robots\"\x20content=\"noindex,\x20nofollo
SF:w\"><meta\x20name=\"referrer\"\x20content=\"no-referrer\"><title>Matter
SF:most</title><meta\x20name=\"mobile-web-app-capable\"\x20content=\"yes\"
SF:><meta\x20name=\"application-name\"\x20content=\"Mattermost\"><meta\x20
SF:name=\"format-detection\"\x20content=\"telephone=no\"><link\x20re")%r(H
SF:TTPOptions,5B,"HTTP/1\.0\x20405\x20Method\x20Not\x20Allowed\r\nDate:\x2
SF:0Tue,\x2019\x20Jan\x202021\x2011:01:07\x20GMT\r\nContent-Length:\x200\r
SF:\n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConten
SF:t-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n
SF:400\x20Bad\x20Request")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r
SF:\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close
SF:\r\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x2
SF:0Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nCon
SF:nection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie
SF:,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;
SF:\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request"
SF:);
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Execution time:
TTL: 0
Furious: 13
Nmap: 92
Total: 105
On the landing page we are presented a VHOST called helpdesk.delivery.htb:
Additionaly there is a contact us page in which seems to throw a hint on how to exploit the box:
When we navigate on the vhost it we see that is hosting osTicket.
Firstly thought of exploiting some of the vulns it has:
[jusepe@nix:~/Documents/HackTheBox/Delivery]$ searchsploit osticket
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------- ---------------------------------
osTicket - 'l.php?url' Arbitrary Site Redirect | php/webapps/38161.txt
osTicket - 'tickets.php?status' Cross-Site Scripting | php/webapps/38162.txt
osTicket 1.10 - SQL Injection (PoC) | php/webapps/42660.txt
osTicket 1.10.1 - Arbitrary File Upload | windows/webapps/45169.txt
osTicket 1.11 - Cross-Site Scripting / Local File Inclusion | php/webapps/46753.txt
osTicket 1.12 - Formula Injection | php/webapps/47225.txt
osTicket 1.12 - Persistent Cross-Site Scripting | php/webapps/47226.txt
osTicket 1.12 - Persistent Cross-Site Scripting via File Upload | php/webapps/47224.txt
osTicket 1.14.1 - 'Saved Search' Persistent Cross-Site Scripting | php/webapps/48525.txt
osTicket 1.14.1 - 'Ticket Queue' Persistent Cross-Site Scripting | php/webapps/48524.txt
osTicket 1.14.1 - Persistent Authenticated Cross-Site Scripting | php/webapps/48413.txt
osTicket 1.2/1.3 - 'view.php?inc' Arbitrary Local File Inclusion | php/webapps/25926.txt
osTicket 1.2/1.3 - Multiple Input Validation / Remote Code Injection Vulnerabilities | php/webapps/25590.txt
osTicket 1.2/1.3 Support Cards - 'view.php' Cross-Site Scripting | php/webapps/29298.txt
osTicket 1.6 RC4 - Admin Login Blind SQL Injection | php/webapps/9032.txt
osTicket 1.6 RC5 - Multiple Vulnerabilities | php/webapps/11380.txt
osTicket 1.9.14 - 'X-Forwarded-For' Cross-Site Scripting | php/webapps/40826.py
osTicket 1.x - 'Open_form.php' Remote File Inclusion | php/webapps/27928.txt
osTicket STS 1.2 - Attachment Remote Command Execution | php/webapps/24225.php
---------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
But all the recent ones require an admin account, didn’t manage to find any credentials it seemed like a rabbit hole.
After that followed the instructions of the main page, so created a ticket:
After creating the ticket we are given a ticket code and an email, used that email to register in Mattermost which is available on port 8065:
Then checked the status of the ticket and found the link to confirm the mail on Mattermost:
With the account we can login to the webpage, and the first thing we see is this chat:
There are credentials so we just use them to login through ssh to get the user.
Root
Additionaly to the user credentials there is a hint that suggest that we may need to crack the root hash using hashcat Rule-based attack so searched for credentials, and found the database ones within mattermost config file:
(remote) maildeliverer@Delivery:/opt/mattermost/config$ cat config.json | grep Sql -A 2
"SqlSettings": {
"DriverName": "mysql",
"DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
Then just took the needed ones
MariaDB [mattermost]> select Id, Username, Password from Users WHERE Username="root";
+----------------------------+----------+--------------------------------------------------------------+
| Id | Username | Password |
+----------------------------+----------+--------------------------------------------------------------+
| dijg7mcf4tf3xrgxi5ntqdefma | root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
+----------------------------+----------+--------------------------------------------------------------+
1 row in set (0.000 sec)
So finally searched for already existing hashcat rules sets and found this one which ended up working.
root@osboxes:/tmp# hashcat -m 3200 -r d3adhob0.rule hash.txt PleaseSubscribe! --show
$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21
