This is a practical walkthrough of the “Delivery” machine from HackTheBox. Although this machine is marked as easy, for me it was kind of intermediate level. Credit goes to ippsec for making this machine available to us; the base points for this machine are 20.
This walkthrough will be explanatory, because I learned a lot of new things from this machine. So, don’t mind my blabbering.
Passwords, hashes and flags will be redacted to encourage you to solve those challenges on your own.
We will kick off this machine with nmap enumeration.
We got two open ports, HTTP and SSH. Let’s visit the site.
Check the page source.
From the source and the homepage we got the hostname and a virtual hostname (let’s add them to our /etc/hosts file), as well as another HTTP server running on port 8065. There’s also a message: “to get in touch with our team. Once you have an @delivery.htb email address, you’ll be able to have access to our server”.
My understanding is that we will be able to access the HTTP server running on port 8065 if we have an email address on the @delivery.htb domain.
Let’s access the helpdesk of the server.
We have to open a new ticket to get a delivery.htb email address. Fill in all the details and submit the ticket.
After submission, it gives you a ticket number and an email address containing the same ticket number. Now we can use this email address to create a new user on the server on port 8065.
Create a new user and fill in all the details.
It sends a verification email to the address you gave. Go back to the helpdesk tab and check the ticket status with the details you got from it.
Visit the link, provide the credentials, and log in.
Once you log in, click on Internal.
We got the credentials of a user, which we can use to SSH in. There’s also a message saying they need to stop using variants of the said password: such a variant might not be in “rockyou.txt”, but if its hash is retrieved it can be cracked using custom hashcat rules.
Let’s log in first using SSH.
We got our user flag. Now on to the root flag.
After trying all the Linux PrivEsc tools, I stumbled upon a config file; inside this file there are credentials for a DB user.
Let’s access MySQL using these credentials.
Let’s list the DB names and access one to find juicy information.
We are inside the mattermost DB now, let’s find some creds.
We got the hash of the root user; let’s crack it with hashcat. As the Internal message indicated, we need a custom rule for the said password.
I created a wordlist with only one password (as mentioned in their internal message) and used the best64 rule to crack it.
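Seen from the defender's side, the Internal message and the crack above make the same point: a password that is only a mangled form of a known base word is as weak as the base word. The following is an added example, not part of the original walkthrough: a password-change check that undoes the kind of mangling rule sets such as best64 apply (case changes, added digits and symbols, leetspeak, reversal, duplication) and rejects candidates built on a banned base. The function names and the sample base word are hypothetical.

```python
import re

# Undo common leetspeak substitutions: 0->o 1->l 3->e 4->a 5->s 7->t @->a $->s
LEET = str.maketrans("013457@$", "oleastas")


def _letters(s):
    """Keep lowercase letters only."""
    return re.sub(r"[^a-z]", "", s)


def skeletons(password):
    """Letter-only forms of a password with typical mangling undone."""
    low = password.lower()
    # Drop digit/symbol prefixes and suffixes (e.g. a year or "!" appended).
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    forms = {
        _letters(core),                  # plain word, affixes removed
        _letters(core.translate(LEET)),  # affixes removed, then de-leeted
        _letters(low.translate(LEET)),   # de-leeted first (leet at the edges)
    }
    forms |= {f[::-1] for f in forms}    # reversed variants
    return {f for f in forms if len(f) >= 4}  # ignore tiny fragments


def is_variant(candidate, banned_bases):
    """True if the candidate contains a mangled form of any banned base."""
    cand = skeletons(candidate)
    for base in banned_bases:
        for b in skeletons(base):
            # Substring match also catches duplication and extra affix letters.
            if any(b in c for c in cand):
                return True
    return False


def audit(candidates, banned_bases):
    """Return the candidates that should be rejected."""
    return [c for c in candidates if is_variant(c, banned_bases)]


if __name__ == "__main__":
    # Constructed sample data; "ExampleBase!" is a placeholder, not the
    # redacted password from this machine.
    banned = ["ExampleBase!"]
    tried = ["ExampleBase!2021", "3x4mpl3B4s3", "esaBelpmaxE99",
             "CorrectHorseBattery7"]
    print(audit(tried, banned))
```

A check like this belongs in the password-change path next to a breached-password lookup, with the banned list fed by any base words known to be shared or leaked internally.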
We got all the flags required to complete this machine.
Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.