Delivery — HackTheBox


This is a practical walkthrough of the “Delivery” machine from HackTheBox. Although this machine is marked as easy level, for me it was kinda intermediate level. Credit goes to ippsec for making this machine available to us, and base points are 20 for this machine.

This walkthrough will be explanatory, because I learned a lot of new things from this machine. So, don’t mind my blabbering.

Enumeration

We will kick off this machine with nmap enumeration.


We got two open ports, HTTP and SSH. Let’s visit the site.

[Image: homepage]

Check the page source.

[Image: virtual host]
[Image: HTTP server port]

From the source and the homepage we got the hostname and the virtual hostname (let’s add them to our /etc/hosts file), as well as another HTTP server running on port 8065. There’s also a message: “to get in touch with our team. Once you have an @delivery.htb email address, you’ll be able to have access to our server”.

[Image: HTTP server on 8065]

My understanding is that we will be able to access the HTTP server running on port 8065 if we have an email address with the domain @delivery.htb.

Let’s access the helpdesk of the server.

[Image: Helpdesk]

We have to open a new ticket to get the delivery.htb email. Fill in all the details and submit the ticket.

[Image: ticket]

After submission, it gives you a ticket number and an email address with the same ticket number. Now we can use this email address to create a new user on the server on port 8065.

[Image: ticket number]

Create a new user and fill in all the details.

[Image: Mattermost]

It sends a verification email to the given email address. Go back to the helpdesk tab and check the ticket status with the details you got from it.

[Image: check status]
[Image: verification link]

Visit the link, provide the credentials and log in.

[Image: login]

Once you log in, click on Internal.

[Image: internal]
[Image: creds]

We got the credentials of a user, so we can SSH in with them. There’s also a message saying that they need to stop using variants of a stated password; this password might not be in “rockyou.txt”, but if a hash is retrieved it is possible to crack it using custom hashcat rules.

Let’s log in first using SSH.

[Image: user flag]

We got our user flag. Now moving on to the root flag.

[Image: config]

After trying all the Linux PrivEsc tools, I stumbled upon a config file; inside this file there are credentials for a DB user.

[Image: DB creds]

Let’s access MySQL using these credentials.

[Image: Login DB]

Let’s find the DB names and access them to find juicy information.

[Image: access DB]

We are inside the mattermost DB now, let’s find some creds.

[Image: root hash]

We got the hash of the root user; let’s crack it with hashcat. As we understood from the Internal message, we need a custom rule for the stated password.

[Image: hashcat command]

I have created a wordlist with only one password (as they mentioned in their internal message) and am using the best64 rule to crack it.

[Image: hash cracked]
[Image: root flag]

We got all the flags required to complete this machine.
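
The internal message's concern, seen from the defender's side: a password that is only a mangled form of a known base word falls to rule-based cracking even when it is absent from rockyou.txt. The following Python check is an added example, not part of the original walkthrough; the base word `Harvest2020!`, the substitution map and the function names are constructed for illustration.

```python
import re

# Undo common character substitutions (constructed map, extend as needed).
LEET = str.maketrans("013457@$", "oleastas")


def letters_only(s: str) -> str:
    """Lowercase, undo substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", s.lower().translate(LEET))


def base_skeleton(base: str) -> str:
    """Reduce a banned base word to its core: digits and symbols at
    either end are treated as decoration and dropped first."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", base)
    skel = letters_only(core)
    if len(skel) < 4:
        # Very short cores would match unrelated passwords.
        raise ValueError("base word too short to match safely")
    return skel


def is_variant(candidate: str, banned_bases) -> bool:
    """True if the candidate is a banned base word after case changes,
    substitutions, added digits/symbols, duplication or reversal."""
    cand = letters_only(candidate)
    for base in banned_bases:
        skel = base_skeleton(base)
        if skel in cand or skel in cand[::-1]:
            return True
    return False


def audit(candidates, banned_bases):
    """Return the candidates a password-change policy should reject."""
    return [c for c in candidates if is_variant(c, banned_bases)]


if __name__ == "__main__":
    banned = ["Harvest2020!"]  # constructed base word
    proposed = ["Harvest2021", "h@rv3st!!", "tsevraH1",
                "HarvestHarvest", "correct-horse-battery"]
    for pw in audit(proposed, banned):
        print("reject:", pw)
```

Truncated forms of the base word are not covered by this check and would need a separate prefix comparison.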
