Delivery


Port Scanning and General Enumeration (Nmap)

Initial Nmap scan


All ports


Targeted scan on 8065


Not much for initial scanning aside from the unknown port 8065

The contact page of the website links us to helpdesk.delivery.htb and delivery.htb:8065 which is a Mattermost server. Interesting.



Access (Mattermost, SSH, OSTicket)

The OSTicket helpdesk is what you think it would be. You can create and view tickets.


I got stuck here for a while trying to perform an XSS attack before I took a step back.

First, let’s keep this in mind:


Next, let’s create a ticket:


So, to access the Mattermost server we need an @delivery.htb email address. It looks like the support center gives us an @delivery.htb email address, but we can’t directly access it. Or can we?

If you want to add more information to your ticket, just email

Does that mean we can use the support ticket as the email itself? Let’s try by signing up for a Mattermost account using our @delivery.htb email and checking the ticket.


Now we’ve got access to the Mattermost server!


Creds? They don’t work on OSTicket or the Agent login.. but..


They do for ssh!


Privesc (linpeas, mysql, hashcat, rsmangler)

Let’s do some enumeration!

Running linpeas we see:


The mattermost user is running mattermost located in the opt directory. Checking out the config file:


mysql creds?

mysql -u mmuser -p with the password Crack_The_MM_Admin_PW

Let’s roll through mysql

  1. show databases;


  1. use mattermost;
  2. show tables;


  1. show columns in Users;
  2. select Username, Password from Users;


Hashes!

The entry on the Mattermost server mentions PleaseSubscribe!, hashcat and hashcat rules, so we can safely assume that this hash, once cracked, will be a variation of PleaseSubscribe!

PleaseSubscribe! may not be in RockYou but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases.
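From the defender's side, the same observation can be turned into a check at password-set time. The sketch below is an added example, not part of the original write-up: it flags any password that is a mutation of a denylisted base phrase. The denylist contents and the function names `canon` and `matched_base` are assumptions made for illustration.

```python
import re
from typing import Optional

# Constructed denylist. "PleaseSubscribe!" is the phrase named on this page;
# the other two entries are illustrative site-specific words.
BASE_PHRASES = ["PleaseSubscribe!", "delivery", "mattermost"]

# Collapse look-alike characters into one representative so that
# "Pl34s3" and "Please" end up with the same canonical form.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "i", "l": "i", "3": "e", "4": "a",
    "@": "a", "5": "s", "$": "s", "7": "t",
})


def canon(text: str) -> str:
    """Lower-case, fold look-alikes, then drop everything that is not a-z."""
    folded = text.lower().translate(CONFUSABLES)
    return re.sub(r"[^a-z]", "", folded)


def matched_base(password: str, bases=BASE_PHRASES, min_len: int = 4) -> Optional[str]:
    """Return the denylisted phrase this password is derived from, or None."""
    cand = canon(password)
    for base in bases:
        key = canon(base)
        if len(key) < min_len:
            continue  # too short to match reliably; it would flag everything
        # Substring match covers appended or prepended digits and symbols;
        # the reversed check covers a simple reversal of the phrase.
        if key in cand or key in cand[::-1]:
            return base
    return None


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the target system.
    samples = ["PleaseSubscribe!2020", "Pl34s3Subscr1b3!", "!ebircsbuSesaelP",
               "D3l1very2021", "correct horse battery staple"]
    for pw in samples:
        hit = matched_base(pw)
        print(f"{pw!r}: {'REJECT (variant of ' + hit + ')' if hit else 'ok'}")
```

A slow hash such as bcrypt (hashcat mode 3200, used below) limits guesses per second, but it does not help when the candidate list is only a few thousand mutations of one known phrase.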

I tried cracking it using different rules, but couldn’t manage it. I ended up using rsmangler to mutate PleaseSubscribe!

hashcat --force -m3200 --status -w3 -o found.txt --remove --potfile-disable hash newlist
