HackTheBox — Delivery Writeup

Fahmi J
6 min readMay 22, 2021

--

GoHTB

Delivery from HackTheBox is all about exploiting a logic flaw called TicketTrick which was discovered by Inti De Ceukelaire.

The original article is linked below:

On this machine, there is a helpdesk ticketing system that gives an unauthenticated user a temporary email with a legitimate company domain. Using that email, I’m able to register at Mattermost and gain access to the company private communication channel. The conversation in the channel leaks a set of SSH credentials and a password in which its variant is being used in the system. There is a set of database credentials in the Mattermost configuration file, which can be used to dump the password hash of the root account. After generating a variant of the exposed password with hashcat, I’m able to crack the password and obtain root access

Reconnaissance

Nmap

Running all port scan with nmap discovers 3 open ports: an SSH service on port 22, HTTP server on port 80, and an unknown service on port 8065.

nmap -p- --min-rate 1000 -sV --reason -oA nmap/10-tcp-allport-delivery 10.10.10.222

Running default script scan against the discovered ports doesn’t show anything interesting.

Poking port 8065 with curl shows it’s a web application

Enumeration

TCP 80 — Website

This page is a static website.

The text “HELPDESK” points to http://helpdesk.delivery.htb/.

Clicking on the “CONTACT US” flips the homepage to this views:

The text “MatterMost server” points to http://delivery.htb:8065.

I can use curl and grep command to grab all the links/URL from this page.

curl -s 10.10.10.222 | grep -Eo 'href="[^\"]+"' | grep -v '#'

I’ll add the newly discovered hostnames to my /etc/hosts:

echo '10.10.10.222 delivery.htb helpdesk.delivery.htb' > /etc/hosts

Before moving on, we can poke those hostnames and compare their page size to check if this site has different content when we visit it with a hostname.

Only one that has different size, so let’s move on to the next port.

TCP 80 — helpdesk.delivery.htb

There is a helpdesk ticketing system here. At the bottom of the page it shows it is powered by osTicket.

In this site, I’m allowed to create a new ticket.

Once the ticket request is submitted, it notifies that the ticket has been created.

Besides the ticket id, it also gives us a temporary email with domain of delivery.htb, and I’ll note that:

  • Ticket id: 4709941
  • Email:4709941@delivery.htb.

The created ticket is accessible on “Check Ticket Status” menu.

For now, there’s not enough information to determine the app version and search for public exploits, so let’s move to the next one.

TCP 8065 — Mattermost

There is an instance of Mattermost here and it requires an account.

Sign up is allowed, but the page clearly shows that valid email is required.

And here is why a valid email is required, there is a verification process.

Foothold

Access to Mattermost using TicketTrick

The idea of TicketTrick here is to use the temporary email address previously given by the support ticket system to register on Mattermost.

For me, the previous email is: 4709941@delivery.htb.

I’ll use that to register on Mattermost.

Back on helpdesk, I can see the verification link to activate the previously created Mattermost account.

Visiting http://delivery.htb:8065/do_verify_email?token=eoy11mus8h6m4hctpmwt9qw31cdsfcxzbg7noyc5gzpc6htp9e8mqe55wwewaju9&email=4709941%40delivery.htb redirects back to MatterMost which confirms the email has been verified.

Upon logging in, I’m able to join the Internal channel (like server on Discord) where it has one public channel called internal.

The chats from root contain a set of credentials and a few hints which indicates that they use a variant password of “PleaseSubscribe!”.

SSH — maildeliverer

The credentials of maildeliverer works on SSH.

Privilege Escalation

Internal Enumeration

Enumerating on /opt finds the Mattermost installation folder. The Mattermost config file contains the database credentials.

maildeliverer@Delivery:/opt/mattermost/config$ cat config.json | grep SqlSetting -A10

The credentials is mmuser:Crack_The_MM_Admin_PW.

MySQL

With database credentials, I can connect to the MySQL service.

maildeliverer@Delivery:/opt/mattermost/config$ mysql mattermost -u mmuser -p'Crack_The_MM_Admin_PW'

There is a users table which usually contains something juicy. I can get the columns of the table user by querying describe Users;.

I’ll dump the username and password columns from the table Users.

MariaDB [mattermost]> select Username,Password from Users;

Looks like cracking is needed, and I’ll prioritize the root hash.

Password Cracking

Based on the conversations on Mattermost, there is someone in the system that uses a variant of “PleaseSubscribe!” and they were talking about hashcat rules.

I remember exactly that Ippsec (the box author) has shown several techniques on how to generate a variant of seasonal passwords on Forest .

Now the idea is instead of generating seasonal passwords, I can try to generate a few variant of “PleaseSubscribe!” and use them for cracking.

So, I’ll start by calculating the length of “PleaseSubscribe!”.

→ root@kali «delivery» «10.10.14.70»
$ echo -n 'PleaseSubsribe!' | wc -c
15

It has length of 15. I’ll save the “PleaseSubscribe!” string to a file.

→ root@kali «delivery» «10.10.14.70»
$ echo 'PleaseSubscribe!' > IppsecSubscriber

Then I’ll feed that file to hashcat to generate some new variant of it using base64 rule, and I’ll take out only the string which has a length greater than 15 and pipe the output to a file called custom_wordlist.

hashcat IppsecSubscriber -r /usr/share/hashcat/rules/best64.rule --stdout | awk 'length($0) > 15' > custom_wordlist

It produces 46 words.

→ root@kali «delivery» «10.10.14.70»
$ wc -w custom_wordlist
46 custom_wordlist

With that wordlist the hash gets cracked instantly!

hashcat -m 3200 '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' custom_wordlist --force

The recovered password is PleaseSubscribe!21

SU — root

The password works on root user.

maildeliverer@Delivery:~$ su root
Password:
root@Delivery:/home/maildeliverer# id
uid=0(root) gid=0(root) groups=0(root)

Now I can just grab the root flag.

root@Delivery:~# cat root.txt
a7d68baadc3b3c072c6...<SNIP>...

There is also a message from the box’s author:

root@Delivery:~# cat note.txt
I hope you enjoyed this box, the attack may seem silly but it demonstrates a pretty high risk vulnerability I've seen several times. The inspiration for the box is here:
- https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4cKeep on hacking! And please don't forget to subscribe to all the security streamers out there.

That’s all, thank you.

--

--

Fahmi J
Fahmi J

Written by Fahmi J

Just curious to learn how things work, especially in digital world.

No responses yet