HackTheBox Writeup — Delivery

Faisal Husaini
May 22, 2021


Hello guys, I am Faisal Husaini. My username on HTB is “fa1sal”. Also, join me on Discord.

The IP of this box is 10.10.10.222

Port Scan

Running a full Nmap port scan on it, we get

A nice, good-looking webpage. I can also see a Contact Us button; clicking on it

I see information about using the HelpDesk to reach the team, but for that I will need a @delivery.htb email address, and once I have that I can access their Mattermost server

Also, hovering over the word HelpDesk, it can be seen that it's a link redirecting to helpdesk.delivery.htb, so I add it to the hosts file and then check the domain

Now I am going to follow the instructions I got before; for that, I will open a new ticket

Now clicking on Create Ticket, I get

After creating a new ticket, I am given two things

  • Ticket ID: 2668996
  • Email: 2668996@delivery.htb

Now, I will use this email address to register on the Mattermost server, as it requires an email address with @delivery.htb to access it

Also, from the Contact Us instructions, hovering over the word Mattermost, I see that it links to the higher open port I got from the Nmap scan, so I move to that port first and will then return here

I try to check the Ticket Status in order to get the email confirmation for the Mattermost server

I get an email from the Mattermost server confirming the account creation with a link, so I move back to confirming the account

Port 8065 (Mattermost)

Checking the port with the domain in the browser

I got redirected to Mattermost’s login page. I also see the Sign Up page, so I click on the link

I filled in the details and now will sign up my account

It says that my account is created and requires email confirmation. Since this account was created using the HelpDesk, I will need to go back there and confirm through it

After getting the confirmation link, I see

I get an email verified message and now will log in with the email address and password with which I created the Mattermost account

It tells me about the teams I can join, so I select the available option and then move on to the User part

User (maildeliverer)

After selecting the team option I had

I see the welcome message and skip the tutorial

I see some messages here; some of them leak credentials and also give a hint towards what could possibly be the variation for the root password

Now I move on to logging in over SSH with the credentials I got

Now I get the user flag, the same as usual on other machines

Now time to get on the path to root

Root

From the message, I saw the root user saying that if someone manages to get the password hashes for the users, they will be able to crack the passwords easily with Hashcat by adding some rules, as the password used for the variations was “PleaseSubscribe!”

Checking for Mattermost’s installation directories locally

I have a config.json file which contains the configurations for the Mattermost Server

In the file, I get the credentials for the MySQL database and can also confirm that MySQL is running locally on this machine

Now I log in to MySQL with the credentials I got

Selecting the mattermost database and then getting the usernames and passwords

I got the root hash from here and now I will use Hashcat to crack it

hashcat -m 3200 hash.txt pass.txt -r rules\best64.rule

I cracked the root password, which is PleaseSubscribe!21, and now I will switch to the root user

Now I will get the root flag
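
The defensive counterpart to the cracking step above, as an added example that is not part of the original writeup: a password-change check that rejects any candidate derived from a known base word by simple mangling (affixed digits or symbols, case changes, look-alike substitutions, reversal, a dropped character). The deny-list, function names and similarity threshold are assumptions made for illustration.

```python
import re
import string
from difflib import SequenceMatcher
from typing import Optional

# Constructed deny-list; the only entry is the base word quoted in the writeup.
BANNED_BASES = ["PleaseSubscribe!"]

# Fold look-alike characters into one class so leetspeak swaps compare equal.
FOLD = str.maketrans("0134578@$!l", "oieastbasii")
EDGE = string.digits + string.punctuation


def normalise(word: str) -> str:
    """Drop digit/symbol prefixes and suffixes, lowercase, fold look-alikes."""
    core = word.strip(EDGE).lower().translate(FOLD)
    return re.sub(r"[^a-z]", "", core)


def derived_from(candidate: str, bases=BANNED_BASES, fuzz: float = 0.85) -> Optional[str]:
    """Return the banned base the candidate is a variation of, else None."""
    cand = normalise(candidate)
    for base in bases:
        root = normalise(base)
        if len(root) < 4:          # too short to match on safely
            continue
        if root in cand or root in cand[::-1]:
            return base            # affixed, embedded or reversed base word
        if SequenceMatcher(None, root, cand).ratio() >= fuzz:
            return base            # one or two characters dropped or changed
    return None


if __name__ == "__main__":
    # Constructed sample candidates.
    for pw in ["PleaseSubscribe!21", "P13a5eSubscr1be!!",
               "12!ebircsbuSesaelP", "correct horse battery staple"]:
        print(f"{pw!r:32} -> {'REJECT' if derived_from(pw) else 'ok'}")
```

A check like this belongs in the password-change path, where the plaintext candidate is still available; it cannot be run against stored bcrypt hashes.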
