This post documents the complete walkthrough of Delivery, a retired vulnerable VM created by ippsec and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.

Background

Delivery is a retired vulnerable VM from Hack The Box.

Information Gathering

Let’s start with a masscan probe to establish the open ports on the host.

masscan -e tun0 -p1-65535,U:1-65535 10.10.10.222 --rate=500

Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2021-01-14 02:30:21 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 8065/tcp on 10.10.10.222
Discovered open port 22/tcp on 10.10.10.222
Discovered open port 80/tcp on 10.10.10.222

Port 8065/tcp looks interesting. Let’s follow up with nmap against the discovered ports to identify their services.

nmap -n -v -Pn -p22,80,8065 -A --reason 10.10.10.222 -oN nmap.txt
...
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp   open  http    syn-ack ttl 63 nginx 1.14.2
| http-methods:
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open  unknown syn-ack ttl 63
| fingerprint-strings:
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Thu, 14 Jan 2021 01:34:32 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: 6uf81wc6w78cdg4ejewm1n6dih
|     X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
|     Date: Thu, 14 Jan 2021 02:41:55 GMT
|     <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
|   HTTPOptions:
|     HTTP/1.0 405 Method Not Allowed
|     Date: Thu, 14 Jan 2021 02:41:55 GMT
|_    Content-Length: 0

So 8065/tcp is hosting Mattermost, and the X-Version-Id header gives the version away as 5.30.0. Meanwhile, the contact page on port 80 spells out what to do next.

I’d better add helpdesk.delivery.htb and delivery.htb to /etc/hosts.

Creating @delivery.htb email address

Let’s create a new ticket.

There you go.

Looks like we got ourselves a free @delivery.htb email address. Anything mailed to it should show up in the View Ticket Thread.

Mattermost Sign Up

Now, let’s proceed to http://delivery.htb:8065 to sign up for Mattermost.

Let’s refresh the ticket.

Bam! Copy the activation URL from the thread, activate the account, and we can log in to Mattermost and read the internal channel like so.

Foothold

Could the credential (maildeliverer:Youve_G0t_Mail!) be the one for SSH? There’s only one way to find out.

Indeed. The file user.txt is at maildeliverer’s home directory.

Privilege Escalation

During enumeration of maildeliverer’s account, I notice that MySQL/MariaDB is running locally.

Maybe Mattermost is using MySQL/MariaDB? Look what I found in /opt/mattermost/config/config.json: the DataSource string under SqlSettings carries the database credentials in clear text.

The channel message said to crack the Mattermost admin password. :wink: Look what’s in the mattermost database.

I wonder if this has anything to do with the root password above.

Custom John the Ripper Rule

If I had to guess, I would say that I need to either append or prepend some combination of letters and/or digits to PleaseSubscribe!, but first let’s see if we can get anything with one to four digits. To that end, I wrote the following rule set for John the Ripper: the Az"…" lines append the quoted digits to each word, the A0"…" lines insert them at position 0 (prepend), and the preprocessor expands each [0-9] class into one rule per digit.

[List.Rules:Delivery]
Az"[0-9]"
Az"[0-9][0-9]"
Az"[0-9][0-9][0-9]"
Az"[0-9][0-9][0-9][0-9]"
A0"[0-9]"
A0"[0-9][0-9]"
A0"[0-9][0-9][0-9]"
A0"[0-9][0-9][0-9][0-9]"

Let’s give it a shot.

Heck, that was fast but is that the root password?
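As an added illustration (not part of the original writeup), the following Python script generates the same candidate list that john produces from the Delivery rule set above and tries each candidate against a stored hash. The demo hash and the SHA-256 comparison are constructed stand-ins so the script runs offline; Mattermost stores bcrypt hashes, so against the real Password column you would pass a verifier built on bcrypt.checkpw from the third-party bcrypt package (assumed installed). The suffix 1337 in the demo is made up and is not the box’s password.

```python
import hashlib
import itertools
from typing import Callable, Iterable, Iterator, List, Optional, Tuple

DIGITS = "0123456789"


def delivery_rules(max_digits: int = 4) -> List[Tuple[str, str]]:
    """Expand the [List.Rules:Delivery] set the way john's preprocessor does:
    every Az"[0-9]..." line becomes one append rule per digit string and every
    A0"[0-9]..." line one prepend rule per digit string, in file order."""
    rules: List[Tuple[str, str]] = []
    for n in range(1, max_digits + 1):
        for digits in itertools.product(DIGITS, repeat=n):
            rules.append(("append", "".join(digits)))
    for n in range(1, max_digits + 1):
        for digits in itertools.product(DIGITS, repeat=n):
            rules.append(("prepend", "".join(digits)))
    return rules


def candidates(words: Iterable[str], max_digits: int = 4) -> Iterator[str]:
    """Yield candidates in john's wordlist-mode order: each expanded rule is
    applied to every base word before the next rule is tried."""
    base = list(words)
    for mode, digits in delivery_rules(max_digits):
        for word in base:
            yield word + digits if mode == "append" else digits + word


def sha256_verify(candidate: str, stored: str) -> bool:
    """Stand-in verifier so this demo runs offline. Mattermost stores bcrypt,
    so for a real Users.Password value use a verifier such as
        lambda c, h: bcrypt.checkpw(c.encode(), h.encode())
    (third-party 'bcrypt' package, assumed installed)."""
    return hashlib.sha256(candidate.encode()).hexdigest() == stored


def crack(stored: str, words: Iterable[str],
          verify: Callable[[str, str], bool] = sha256_verify,
          max_digits: int = 4) -> Optional[str]:
    """Return the first candidate that verifies against the stored hash, or None."""
    for cand in candidates(words, max_digits):
        if verify(cand, stored):
            return cand
    return None


# Constructed demo target: a digit-suffixed variant of the channel hint, hashed
# with the stand-in verifier. This is NOT the box's real password or hash.
DEMO_HASH = hashlib.sha256(b"PleaseSubscribe!1337").hexdigest()

if __name__ == "__main__":
    hit = crack(DEMO_HASH, ["PleaseSubscribe!"])
    print(f"tried up to {len(delivery_rules())} rules, found: {hit}")
```

The rule set expands to 22,220 candidates per base word, which is a small enough keyspace that even bcrypt gets through it quickly. With john itself, the same list comes out of `john --wordlist=words.txt --rules=Delivery --stdout` once the section is in john.conf (or a file passed with `--config`), and `--format=bcrypt` runs it against the Mattermost hash.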

The end is here.

:dancer: