Delivery Write Up – Hack The Box

Enumeration:

To start the enumeration, as always, I use nmap to see which ports are open and what services are available on those ports.

nmap -T4 -p- -A 10.10.10.222

As you can see from the screenshot, there are two ports open: port 80 and port 22. I usually start with port 80, so let's see what we have there. Oh look, it is a website, what a surprise. Let's look at the source and see if we can find something.

Oh, that's good: we found a URL, http://helpdesk.delivery.htb
That is nice. After some more enumeration I found one more URL: delivery.htb:8065

This can also be seen elsewhere if you follow the links on the “Contact” page.

What I did next was to put both into /etc/hosts. If you don’t know how to do that, I would advise you to google it. First I tried registering an account on the second URL, but was not successful. So I went to the helpdesk one.

When you are here you can “Check Ticket Status” and “Open a New Ticket”. We are going to open a new ticket, so click on that button and let's see what happens. I will put a screenshot of what I did, but your text, mail, etc. can be different.

You can see the user, the ID and the e-mail. Now we need to take the value after the hash. In my case the whole thing looks like 8084180@delivery.htb. This is going to be used to create an account on the other URL mentioned above. Time to register a user.

Pay attention to what the password needs to contain. The username should be the part that you took after the hash symbol. So now we have created an account and need to verify the e-mail before we can log in and see what's going on. To verify the account, go to the previous tab (the one where you submitted the ticket) and click on “Check Ticket Status”. There is a link you need to visit to verify the e-mail. Check the screenshot below.

Now you can log in.

After logging in it is time to read carefully. There is information that you need. I will not post the credentials so you can get it yourself. I can say that they are obvious. On that page there is a bit more information that can be used later on to get more stuff. So take a screen shot or notes.

USER:

With the credentials found above you can ssh to the machine and the user flag will be there.

If you get stuck join our Discord. Even if you are not stuck join and chat with like minded people.

ROOT:

OK, now you are on the machine as the user maildeliverer. Now it is time to enumerate more. I will give you the correct thing here, but try enumerating yourself, because you will need to know how to do that if you do more boxes in the future or pen-testing in general.

Here you go. Now move into this directory and see what's inside.

I browsed the subdirectories and of course the most attractive one is config. In that directory there is a .json file that you can check. Read the file carefully and you will find the credentials that you need. I will not post them here, because I think that you need to learn to read this type of file and find what you need.

Now it is time to do some database stuff. Use the command below with the credentials you found in the .json file.

mysql -h localhost -u USER -pPASSWORD

Let's see what is available: show databases;
Let's use one of the databases: use mattermost
Let's see what tables we have in that DB: show tables;
We care about user names and passwords, so of course we will check the table named Users: select Username,Password from Users;

So now we see a bunch of hashed passwords. We care about cracking the root hash so we can get the root flag. Copy that root hash into a file named hash. Remember that I said there is another clue on that page after login? We need to generate a password file with hashcat and that clue. Put the “clue text” in a .txt file and use the command below.

hashcat -r /usr/share/hashcat/rules/best64.rule --stdout clue > password.txt

Time to crack the hash with hashcat. I will provide the command, and if you wonder what is what, please click here to see how to check what type of hash it is, and here to see how I came to that hashcat command.

hashcat -m 3200 hash password.txt

Now we have the password for root, so do su root, give the password and you are root. Find the flag.
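
The last two hashcat steps work because the root password is a simple rule-based variation of a phrase that anyone on the chat page could read. As an added example (not part of the original writeup), this Python check is one way a defender could reject such passwords when they are set; the base word SpringParcel, the sample passwords and all function names are constructed for this example.

```python
import re

# Look-alike folding applied to BOTH sides, so "1", "l", "!" and "i" compare equal.
FOLD = str.maketrans("01l!34@5$7", "oiiieaasst")

def canon(s):
    """Lowercase and fold common leet substitutions."""
    return s.lower().translate(FOLD)

def core(s):
    """Canonical form with leading/trailing digits and punctuation removed."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", s.lower()).translate(FOLD)

def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    # Skip one char: a substitution if lengths match, otherwise an insertion into b.
    return a[i + (len(a) == len(b)):] == b[i + 1:]

def derived_from(password, base_words, min_len=5):
    """Return (base, reason) if password is a simple mangling of a base word, else None."""
    whole, stem = canon(password), core(password)
    for base in base_words:
        b = canon(base)
        if len(b) < min_len:
            continue  # short words cause too many accidental matches
        if b in whole or b in whole[::-1]:
            return base, "contains base word (case/leet/affix/reverse/duplicate)"
        if len(stem) == len(b) and stem in b + b:
            return base, "rotation of base word"
        if within_one_edit(stem, b):
            return base, "one character added, dropped or changed"
    return None

# Constructed data: phrases visible to staff (product names, chat hints, old defaults).
BASES = ["SpringParcel"]

if __name__ == "__main__":
    for pw in ["Spr1ngP@rcel2021!", "lecraPgnirpS7", "SpringParce99",
               "ParcelSpring", "k7#Vq2!mZx9pLd"]:
        print(f"{pw:20} -> {derived_from(pw, BASES)}")
```

Feed it every phrase that has ever been shared in chat, tickets or documentation as a base word; a slow hash such as bcrypt does not help when the candidate list is this short.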

If there are any questions, please leave a comment below and hit me up on Twitter.