Skip to main content

HTB - Delivery

alt

Basic Nmap scan

Nmap Command: nmap -Pn -n -sC -sV -oA scan_boxs/delivery/nmap/10.10.10.222-d-scan 10.10.10.222
Nmap scan report for 10.10.10.222
Host is up (0.15s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c40fa859b01acac0ebc0c19518aee27 (RSA)
| 256 5a0cc03b9b76552e6ec4f4b95d761709 (ECDSA)
|_ 256 b79df7489da2f27630fd42d3353a808c (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
7002/tcp filtered afs3-prserver
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Open ports : 22,80,7002

PORTSERVICEPRODUCTVERSIONEXTRAINFO
22sshOpenSSH7.9p1 Debian 10+deb10u2protocol 2.0
80httpnginx1.14.2
7002afs3-prserver

port 80

alt

Found host name: delivery.htb and there is a link to subdomain helpdesk.delivery.htb. Updating /etc/hosts file.
Clicking on Contact Us button also has pointed to another port.

alt

Enum OSTicket

alt

helpdesk is running a ticketing system and is powered by OSTicket.

Open New ticket link

alt

Check ticket status

alt

Enum Mattermost

Attempting admin/admin but looks like it needs valid email or user and password

alt

Creating account in Mattermost will send email verification. So we will use temp-mail.org to create disposable email and try to send verification email to it. But looks like it not successful.

Disposable email.
alt

alt

alt

So we need an email which is accessible and validate the email. Lets check Support Ticket System before moving forward.

create ticket on Support Ticket System

alt

alt

The process has created a ticket 4273255 and also an email [email protected]. And lets check the status.

Checking the status of the ticket.

alt

We can see the status and message.

alt

Attempting to create account with [email protected] in Mattermost maybe the ticket might reflect the email verification.

alt

This sends verification email to the [email protected] email account. Lets check the ticket.

alt

Verify the email

Successfully verified email.

alt

Successfully able to login into Mattermost.
alt

Internal Mattermost channel

alt

alt

found creds maildeliverer

maildeliverer
Youve_G0t_Mail!

alt

Attempting to connect to server on ssh.

alt

User flag

alt

Exploit

Found credentials for database on the machine.
alt

Connecting to the database on the machine.

alt

list the databases.

alt

List the tables.

alt

Users table looks interesting. List he columns of the table Users

alt

Data from the users table.
alt

Cracking with hashcat

As we observed earlier the password for root user was of the different version of PleaseSubscribe! and from this we generate a custom word list with hashcat and attempt to crack the hash.

alt

hashcat --user -a 0 -m 3200 root-hash final_list.txt

alt

root flag

alt