Delivery

Delivery has ports 22 and 80 open, so let's check the web page.

[screenshot: delivery-contact-us]

That tells us that there are at least two different apps running on the server: this HelpDesk thing and a Mattermost server. It also tells us that we need a @delivery.htb email address before we can access Mattermost, so let's check out the HelpDesk.

[screenshot: HelpDesk-form]

After filling out the form we get a confirmation that our ticket has been created and that we can email a just-generated email address to ask more questions.

[screenshot: form-submitted]

Interesting. Now let's go check out that Mattermost server and try to create an account.

[screenshot: mattermost-create-account]

Now let's go check how our support ticket is doing.

[screenshot: registration-succesful]

What kind of black magic is this? It's quite simple really, and from what I've read it's also a not-so-uncommon misconfiguration on this kind of system: the osTicket system created a @delivery.htb email address for the ticket, and after creating a new account on Mattermost with that email address the message landed in our ticket. Anyway, the next step is to check out what's in the Mattermost app.

[screenshot: mattermost-chat]

Ippsec again being not so subtle with his YouTube advertising… but there are also credentials to the server! After getting in, let's check what users exist on that Mattermost instance. The database credentials can be found in /opt/mattermost/config/config.json:

  "SqlSettings": {
    "DriverName": "mysql",
    "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
    "DataSourceReplicas": [],
    "DataSourceSearchReplicas": [],
    "MaxIdleConns": 20,
    "ConnMaxLifetimeMilliseconds": 3600000,
    "MaxOpenConns": 300,
    "Trace": false,
    "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
    "QueryTimeout": 30,
    "DisableDatabaseSearch": false
  },
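The finding here is that the database password (and the at-rest encryption key) sit in plaintext in a file on disk, so whoever can read config.json owns the Mattermost database. The following Python script is an added example, not something from the box or from the Mattermost project: it parses the Go-style MySQL DSN in SqlSettings.DataSource, reports embedded secrets, and checks the file's permissions. The sample config and its password/key values are constructed placeholders.

```python
import json
import os
import re
import stat
from typing import Dict, List

# Constructed sample shaped like the SqlSettings block of a Mattermost
# config.json. The password and key are placeholders, not real values.
SAMPLE_CONFIG = r'''
{
  "SqlSettings": {
    "DriverName": "mysql",
    "DataSource": "mmuser:EXAMPLE_DB_PASSWORD@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s",
    "AtRestEncryptKey": "EXAMPLE_AT_REST_KEY_PLACEHOLDER",
    "Trace": false
  }
}
'''

# Go MySQL driver DSN layout: [user[:password]@][protocol[(address)]]/dbname[?params]
DSN_RE = re.compile(
    r"^(?:(?P<user>[^:@]*)(?::(?P<password>[^@]*))?@)?"
    r"(?:(?P<protocol>[a-z]+)(?:\((?P<address>[^)]*)\))?)?"
    r"/(?P<database>[^?]*)(?:\?(?P<params>.*))?$"
)


def load_config(text: str) -> dict:
    """Parse config.json text; json.loads also decodes escapes such as \\u0026 to '&'."""
    return json.loads(text)


def parse_mysql_dsn(dsn: str) -> Dict[str, str]:
    """Split a Go-style MySQL DSN into its parts (empty string for absent parts)."""
    match = DSN_RE.match(dsn)
    if not match:
        raise ValueError("not a Go-style MySQL DSN")
    return {key: (value or "") for key, value in match.groupdict().items()}


def audit_sql_settings(config: dict) -> List[str]:
    """Return human-readable findings about secrets held in SqlSettings."""
    findings: List[str] = []
    sql = config.get("SqlSettings", {})
    dsn = sql.get("DataSource", "")
    if dsn:
        parts = parse_mysql_dsn(dsn)
        if parts["password"]:
            findings.append(
                f"plaintext password for database user '{parts['user']}' is embedded in SqlSettings.DataSource"
            )
        if parts["user"] == "root":
            findings.append("Mattermost connects to MySQL as root; use a dedicated least-privilege account")
    if sql.get("AtRestEncryptKey"):
        findings.append("AtRestEncryptKey is stored in config.json; anyone who can read the file can use it")
    if sql.get("Trace"):
        findings.append("SqlSettings.Trace is enabled, so SQL statements are written to the log")
    return findings


def audit_config_file(path: str) -> List[str]:
    """Audit a config.json on disk: its contents plus who can read it."""
    with open(path, encoding="utf-8") as handle:
        findings = audit_sql_settings(load_config(handle.read()))
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(
            f"{path} is readable by group/other ({stat.filemode(mode)}); restrict it to the service account"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_sql_settings(load_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Run it against a real deployment with audit_config_file("/opt/mattermost/config/config.json") as the service user. The file-mode check is the part that matters most on a box like this: the credentials have to live somewhere, but they should only be readable by the account that runs Mattermost, not by every local user who lands a shell.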

There we can find the hash for the user "root". We already have the hash and a pretty big hint for the password (remember that earlier chat discussion), so let's save the hash to a file named hash and create a wordlist by applying some rules to "PleaseSubscribe!".

echo "PleaseSubscribe!" | hashcat -r /usr/share/hashcat/rules/d3ad0ne.rule --stdout > wordlist.txt
hashcat -m 3200 hash wordlist.txt 

Even on a virtual machine the password cracks pretty quickly and we get root's password. All that is left is to switch to root and grab the flag!

Note: It is also possible to brute force the password online with the wordlist without grabbing the hash, but it's way faster to crack offline with hashcat than to try the wordlist against the ssh/Mattermost login page, and there could also be some kind of fail2ban setting in place.
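The rule-based crack above works because the root password is a light mangling of a phrase that was already known (it was posted in chat). A defensive counterpart is a password check that normalises candidates and compares them against a banned list, so "PleaseSubscribe!21" is rejected for the same reason a rule set would find it. The following Python is an added example, not code from the box or from any product: it undoes the mangling classes a typical rule file applies (case, appended digits and symbols, simple leetspeak, reversal) rather than expanding the banned phrase into every variant, so it generalises to any banned list.

```python
import re
from typing import Iterable, List

# Common keyboard substitutions undone during normalisation. '1' is mapped to
# 'i' here; it could equally stand for 'l', which this small table ignores.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce a password to its alphabetic core so that simple mangling
    (case changes, appended digits/symbols, leetspeak) cannot hide a banned phrase."""
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)  # drop leading/trailing digits and symbols
    core = core.translate(LEET)                     # undo substitutions inside the word
    return re.sub(r"[^a-z]", "", core)              # drop any remaining separators


def is_derived_from(password: str, banned_phrases: Iterable[str]) -> bool:
    """True when the password's core contains a banned phrase, forwards or reversed."""
    core = normalize(password)
    if not core:
        return False
    for phrase in banned_phrases:
        banned = normalize(phrase)
        if banned and (banned in core or banned in core[::-1]):
            return True
    return False


def check_password(password: str, banned_phrases: Iterable[str], min_length: int = 12) -> List[str]:
    """Return the reasons a password is rejected; an empty list means it passes."""
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_derived_from(password, banned_phrases):
        reasons.append("derived from a phrase on the banned list")
    return reasons


if __name__ == "__main__":
    # Constructed banned list: the phrase from the chat plus the host name.
    banned = ["PleaseSubscribe!", "delivery"]
    for candidate in ["PleaseSubscribe!21", "Pl3ase$ubscr1be!", "D3livery2021", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate, banned) or "ok")
```

The banned list would normally hold the organisation's name, product names and any phrase known to circulate internally; the point of normalising rather than enumerating variants is that the check stays cheap no matter how many mangling rules an attacker's rule file contains.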