Delivery — HackTheBox Writeup


This is a practical walkthrough of the “Delivery” machine from HackTheBox. Although this machine is marked as easy, for me it was kind of intermediate level. Credit goes to ippsec for making this machine available to us; the base points for this machine are 20.

This walkthrough will be explanatory, because I learned a lot of new things from this machine. So, don’t mind my blabbering.

Passwords, hashes and flags will be redacted to encourage you to solve those challenges on your own.

Enumeration

We will kick off this machine with nmap enumeration.

We got two open ports, HTTP and SSH. Let’s visit the site.

homepage

Check page source.

virtual host
HTTP server port

From the source and homepage we got the hostname and a virtual hostname (let’s add them to our /etc/hosts file), as well as another HTTP server running on port 8065. There’s also a message: “to get in touch with our team. Once you have an @delivery.htb email address, you’ll be able to have access to our server”.

HTTP server on 8065

My understanding is that we can access the HTTP server running on port 8065 if we have an email address with the domain @delivery.htb.

Let’s access the helpdesk of the server.

Helpdesk

We have to open a new ticket to get the delivery.htb email. Fill in all the details and submit the ticket.

ticket

After submission, it gives you a ticket number and an email address with the same ticket number. Now we can use this email address to create a new user on the 8065 server.

ticket number

Create a new user and fill in all the details.

Mattermost

It sends a verification email to the given email address. Go back to the helpdesk tab and check the ticket status with the details you got from it.

check status
verification link

Visit the link, provide the credentials and log in.

login

Once you log in, click on Internal.

internal
creds

We got the credentials of a user, so we can SSH in. There’s also a message saying they need to stop using variants of a certain password; this password might not be in “rockyou.txt”, but if a hash is retrieved, it is possible to crack it using custom hashcat rules.

Let’s log in first using SSH.

user flag

We got our user flag. Now on to the root flag.

config

After trying all the Linux PrivEsc tools, I stumbled upon a config file; inside this file there are credentials for a DB user.

DB creds

Let’s access MySQL using these credentials.

Login DB

Let’s find the DB names and access one to look for juicy information.

access DB

We are inside the mattermost DB now; let’s find some creds.

root hash

We got the hash of the root user; let’s crack it with hashcat. As the Internal message suggested, we need a custom rule for the said password.

hashcat command

I created a wordlist with only one password (the one mentioned in their internal message) and used the best64 rule to crack it.

hash cracked
root flag
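The internal message's point, seen from the defender's side: a password derived from a known base word stays guessable whatever is appended, substituted or reversed. The check below is an added example, not part of the original writeup; it rejects new passwords that are variants of a banned word. The banned word, the substitution table and the 0.8 threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from math import ceil

# Character substitutions undone before comparing (constructed, non-exhaustive).
LEET = str.maketrans("013457@$", "oieastas")

# Constructed placeholder; in practice this holds the organisation's known base words.
BANNED_WORDS = ["CorpHelpdesk!"]


def normalise(text):
    """Lowercase the text and undo common character substitutions."""
    return text.lower().translate(LEET)


def longest_shared_run(a, b):
    """Length of the longest substring that appears in both a and b."""
    matcher = SequenceMatcher(None, a, b, autojunk=False)
    return matcher.find_longest_match(0, len(a), 0, len(b)).size


def variant_of(password, banned_words=BANNED_WORDS, threshold=0.8):
    """Return the banned word this password is derived from, or None.

    A password counts as a variant when it, or its reverse, shares a run
    covering at least `threshold` of the normalised banned word. That covers
    appended or prepended characters, case changes, substitutions, reversal,
    rotation and small truncations.
    """
    candidate = normalise(password)
    for word in banned_words:
        base = normalise(word)
        needed = max(1, ceil(len(base) * threshold))
        for form in (candidate, candidate[::-1]):
            if longest_shared_run(form, base) >= needed:
                return word
    return None


if __name__ == "__main__":
    for pw in ["CorpHelpdesk!2021", "c0rph3lpd35k!", "correct-horse-battery-staple"]:
        hit = variant_of(pw)
        print(f"{pw!r}: {'reject, variant of ' + repr(hit) if hit else 'accept'}")
```

Run it at password-change time, before hashing, since the comparison needs the plaintext candidate.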

We got all the flags required to complete this machine.

Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.
