HackTheBox - Delivery

IppSec · Beginner ·📰 AI News & Updates ·5y ago

Key Takeaways

The video demonstrates a walkthrough of the HackTheBox - Delivery machine, showcasing various tools and techniques such as nmap, osTicket, Mattermost, GitHub, Exploit-DB, netcat, hashcat, and sucrack, to exploit vulnerabilities and gain access to the system.

Full Transcript

What's going on, YouTube? This is IppSec doing Delivery from HackTheBox, which is an easy machine I created. So, obviously, I'm going to be biased here and say it's amazing. The box starts off with a logic flaw that involves two applications: Mattermost, which is just like Slack, an instant messaging application, and then a help desk. The organization set up their Mattermost server to allow anyone with a company email address access to their chat, because they assume only employees have emails. The downside to this is the help desk actually gives anyone who creates a ticket a company email address, because the help desk supports emailing the help desk to update your ticket. So you can combine these two things to register for an account on Mattermost and gain access to some sensitive conversations, and then for privesc there's a cracking challenge, which we'll get into. So let's jump in. As always, we're going to start off with nmap. So sudo nmap -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory (first that directory has to exist), then name it delivery, the IP address of 10.10.10.222, and I'm going to add the -v flag so it shows me open ports as it finds them. Next I'm going to do a sleep 300 to sleep for 5 minutes, and then we do a full nmap scan: so sudo nmap -p- for all ports, -oA nmap/delivery-allports 10.10.10.222 too. And it looks like the first nmap already finished, so we don't have to queue up the second nmap. And I'll do the -v flag here as well. So let's take a look at the results: less nmap/delivery.nmap. The reason why I just do the script scan first is because it generally shows me everything I want. I queue up the full port scan because if there's a hidden TCP port I still want to see it, but it can take more time to run, so that's why I always wait until after this is done. The reason why I don't do two nmaps at once is just because you can send a lot of data and miss things.

So the results of this show me it's a Debian box, probably Debian 10 based upon this SSH banner. Then we also have HTTP on port 80 running nginx, and the title page just says Welcome. So let's go take a look over at the web page. So 10.10.10.222, and we get just the welcome page that says Delivery, the best place to get all your email-related support. For an account, check out our help desk, and then there's also a Contact Us. So going to the help desk, we see its hostname is helpdesk.delivery.htb. So I'm going to go in my hosts file, sudo vi /etc/hosts, and we're going to add that: 10.10.10.222 delivery.htb. So now when we click this link, it actually goes somewhere. Um, I forgot helpdesk.delivery.htb. Now when we click the link, it actually goes somewhere. There also is a Contact Us page, so let's take a look at this. "For unregistered users, please use the help desk to get in touch with our team. Once you have a delivery.htb email address, you'll have access to our Mattermost server." And the Mattermost server is delivery.htb:8065. So we click there and we don't go anywhere, because we don't have that delivery.htb, since I got rid of that. So let's add delivery.htb and then refresh the page, and we can see a Mattermost server once it loads. This is just like Slack; it's an online chat application. It has its own client and whatnot. So it's telling us we should have a delivery.htb email. So I'm going to put this on the back burner and we're going to check out this help desk system. It is running osTicket, and we see the copyright is 2021. Its footer also tells us the hostname of Delivery. I don't see a way to enumerate the version, so I'm going to Google "osTicket GitHub" and see if there are any quick wins on enumerating what version of osTicket this is, to see if maybe there's some type of exploit. So I'm just going to grab this README and we'll see if README.md exists on this box. And that was not what I wanted. Is it lowercase readme, capital MD? File not found. So, let's see.

I'm just going to try file.php to make sure we're in the right location. So if I go to file.php: unknown or invalid file. So it looks like we're good; it just doesn't have the MD files. There is a web.config, so we can try this. The main reason I'm trying it is because it doesn't have the PHP suffix, so the web server won't try to execute code. So let's go out of here, let's go downloads/web.config, and see if it gives any information about the version. I don't see it, so this may be a dead end. So let's go take a look at it, and if we run into more issues, we can always enumerate the version better. But we can also run searchsploit against it to see if even knowing the version would help. So we do have a lot of exploits for this. I'm just going to go to Exploit-DB because I think this may tell me the dates. Searchsploit isn't showing the dates. I wonder if there's an option: searchsploit -h. Do we have date? -t, title? Uh, let's see: show results in JSON format. Oh, -v for verbose. If I add -v, -v here, I do not know what verbose is about this. I wonder if JSON output will show anything. Okay, we have date. Let's pipe it to jq '.'. There we go, now we have the date. I'm going to search for 2020 and 2021. So we do have some 2021 exploits, so knowing the version would definitely potentially help. Server-side request forgery, authenticated XSS, ticket queue cross-site scripting, saved search. So this again is authenticated. So a bunch of stuff there. Knowing the version may help to know if it is vulnerable to that. But we can also maybe just open a new ticket and just use this application. For the email, we don't really care what we put, so we'll do pleasesubscribe@doesnotexist.com, just a fake email. Username, we can do ipsec; phone number, 5558675309. Let's just do a help topic:

Contact Us, "test ticket", and we could try putting a link here. So a href http://10.10.10... actually, we have a link button here, Insert Link. Let's just use the website's functionality for us. So http://10.10.14.2/test, "click me". So there we go, we have a link here. And I always like just putting links to see if people click them. Sometimes they do, sometimes they don't. So I'm going to do sudo nc -lvnp 80. So now if someone clicks this link, my netcat will tell me. And we just do the CAPTCHA, A9D04, Create Ticket. And we see the ticket has been created; the ID is 8945126. And if we want to add more information to the ticket, just email this. And this is what's key: a lot of help desk systems actually have this functionality where you can reply to the ticket via email to update it, and you've got to pay attention to what type of domain that gives you, because if it gives you the same domain as the corporation, now you can potentially bypass any verification that just requires you to have a corporate email, because now we have a corporate email. So if I go to Check Ticket Status, it's going to... oh, what did I put for the email address? pleasesubscribe@doesnotexist.com. I think... I hope I forgot about that piece. We can put the ticket number, View Ticket. So now we have this. So if we emailed the ticket ID @delivery.htb, information should go here. So I'm going to copy this email and we're going to go to the Mattermost server and create an account. So what is my email address? It is this. My name, IppSec; my password would be Password1, uh, Password1!. Create Account. So it says please verify your email address, so it's accepted. We can refresh the ticket and we see an email: registration successful, please activate your email by going to this URL. So we can copy this and then paste, and now we have just validated we have a delivery.htb email address, which allows us to log into Mattermost.

And I've seen this vulnerability quite often in organizations, especially once COVID hit and a lot of people were working from home trying to find remote work scenarios. Creating accounts for everyone was a tedious process, so a lot just depended on whether they had an email; if so, it was good. So we can get access to this Mattermost and we see a message from root: "@developers please update the theme to osTicket before we go live. So the help desk is not live. Credentials to the server are maildeliverer and You've got mail. Also please create a program to help us stop reusing the same password everywhere, especially those that are variants of PleaseSubscribe!. It may not be in rockyou.txt, which is a common wordlist, but if any hacker manages to get our hashes, they can use hashcat rules to create a variation of all common words and passwords." So this is a pretty good hint at what we'll do in a bit. But we can go to this box. So we can try to log in, and we see no one clicked the link, so I'll just Ctrl-C this. We can ssh maildeliverer@10.10.10.222, and then we copy "You've got mail". I think I copied a space there; I'm going to hit backspace. There we go. So yeah, I had a space; that's why you heard two keys hit. So we're on this box. Now, if we go to user.txt, we can get the flag. But the hint says PleaseSubscribe may not be in rockyou; if a hacker manages to get this, they can easily crack all passwords and phrases. So the very first thing I do is look at /etc/passwd to see what users are on this box. I'm going to do grep -v and we can say we don't want anything with false; I don't need that bracket. Backslash pipe is how you do an OR in grep. So nologin we also don't want. And we see just four accounts: we have mattermost, maildeliverer, sync and root. We're this maildeliverer account, so we may want to go into mattermost, and we could use hashcat to build a variation of this wordlist. So there are two ways to root the box.

You could skip going into the database to get a hash by doing this. So we're going to go here and we'll use hashcat to make a wordlist. So let's do vi pw, put PleaseSubscribe! there. So hashcat --stdout, I believe, pw -r for rule file, then /usr/share/hashcat/rules/best64.rule, and that's going to make 64 entries of this password. So we can just output this to a file now. So we'll call this pwlist, maybe; I don't know what else to name it. And if you're curious how this rule file works, it's somewhat cool, so we can go over it really quick. So less this rule file. And if you want to know more about hashcat, definitely recommend the HackTheBox Academy. I've helped create that course; I think Ben did it with me, but it's a really good course. So let's look at what it created: pwlist. So if we look at hashcat rules, colon means do nothing, so it just did nothing here. r is a magical one to reverse the password, so you can see it took that and reversed it. u is going to uppercase the whole password. T0 means toggle zero, so it's going to change the casing on the zeroth letter, which is the very first one. If that was T1, it would leave this a capital and then capitalize the l. Then we can see it's doing a simple number append. So dollar means do something to the end, so we go to the end of the line and add 0 1 2 3 4 5 6 7 8 9. And then it's doing it again with two digits. So you can see how that works. So hashcat rules are super simple. This is going to append e to the end, append s to the end, because maybe your password is password and you want the password of passwords, I don't know. This is going to overwrite. So this is delete one character, this little bracket. I bet if I Google, we can pull up a how-to on this real quick. So again, delete one, append a: so it deleted the exclamation point, appended a. Delete two, append s. So it's just doing common things like that.

If we do "hashcat rule file syntax", maybe, let's see, rule-based attack: is it going to explain everything? Yeah. So this is all the functions and how to do it. So definitely recommend reading this, or again, if you don't want to just read the man pages, go to HackTheBox Academy, which gives you more interactive learning. But now that we have this pwlist, the question is how we use it. We could just use hydra and brute-force SSH, but sometimes SSH doesn't allow root to log in. Actually, in most cases root doesn't log in via passwords. So if we look at /etc/ssh/sshd_config, PermitRootLogin is no, so we can't log into this box with SSH. And I want to brute-force both accounts of mattermost, sync and root. Well, sync I don't really care about, because that's not an interactive shell, but I want to brute-force mattermost and root. So we got this password list. The next thing is to use a program called sucrack. So "sucrack GitHub" to download it, and what this is going to do is just brute-force with the program su. So let's go to /opt, git clone. Let's see, I already have it, so let's rm -rf sucrack, git clone, cd sucrack, ./configure, and it will allow us to... you may have to do, I think, autoreconf, I believe, if that configure doesn't work. But if configure doesn't work, I'd recommend that autoreconf command, and if that doesn't, Google whatever error you get. But now we can just do make, and it's going to make sucrack. If we go into src, we have sucrack here. So I'm going to go back, mkdir www, and we're going to copy pwlist to www and then copy /opt/sucrack/src/sucrack to www. Now we can host both of these: python -m http.server, port 8000. And then let's just mkdir .work. Actually, let's try doing this from /dev/shm for opsec reasons. The reason why I like this directory so much is it's non-persistent; this is a RAM disk. So if the server reboots, the files you drop here are gone.

So you don't have to worry about cleaning up your tracks as much. If you just created this .work directory in the home and you just forgot to delete it, the file would exist until someone deletes it, and that's just not good. So wget 10.10.14.2:8000/sucrack, and then we want to do pwlist, and then let's chmod +x sucrack, ./sucrack, and we can see we can execute it. Every now and then, /dev/shm, mainly on, I think, Red Hat and CentOS boxes, will be mounted noexec. Here, if we grep noexec, is anything mounted here? Let's clear that out. So these directories have noexec, which means I can't drop a binary and run it: /sys, /proc, /dev/pts. These aren't really even directories I can drop files to, so they don't really matter to me. So let's do sucrack -h, and we can see it wants, let's see, sucrack, some options, user root, password list. So I'm going to try that real quick: sucrack root pwlist. Let's see what happens with nothing. Uh, no such file or directory. Let's do -rl. Okay, let's read all these options and the example. So let's look at what -a is. Let's see, -a options, -l is rules, -u is user, wordlist should go at the end. I wonder if I do /dev/shm/pwlist: fopen, no such file or directory. sucrack -a -w 20 -s 10 -u root -rl, so this is rules afl, pwlist. Okay, so -rl works. I wonder, L is what? L is rules. If I just do -r? Okay. There we go. So this works, and we can see the password for root is PleaseSubscribe!21. I should probably look up the syntax for sucrack, but I don't know every tool. I just know... well, I don't know how to use every tool; I certainly don't know every tool out there. But yeah, so that is one way to do this box. The other way is using hashcat. So if we look at Mattermost, I guess Mattermost is probably installed in /opt because that's where most applications are. So we go /opt/mattermost, look for the config, probably in a directory called config, and we can look at config.json.

So I'm going to do cat config.json | jq '.'. Uh, I don't have jq here, so I'm just going to do less. And we go through this. We have an API secret, so this could be good. This is a Giphy API secret, so probably talking to a server that has embedded GIFs; not too interesting. If we wanted to upset people, we could just erase that key and then maybe Giphy won't work. But we have this SqlSettings. So we have a user called mmuser and a password of "crack the Mattermost admin pw", and it's going to port 3306. Of course, the driver says mysql, so we know this is a MySQL box. So I'm going to copy this password and then I'm just going to try su mattermost to see what is here. Put the password in, and it does not work. So we can also do mysql -u mattermost -p: put the password in; access denied for user mattermost at localhost. I'm going to try putting the database of mattermost, and I think we need the -D flag, maybe. See, crack the admin pw. I wonder if there was an exclamation point. Let's see, shift, exclamation point. So let's go back into config.json, crack. So there is, oh, the user is mmuser. I would say it's mattermost. So if I was taking notes I probably would not have made that mistake; so always the benefit of taking notes. But we can do this, paste, and we get in. So show databases, uh, show datab, show databases. It helps if I can type. And we can use mattermost and then show tables, and maybe the Users table is good. But if I just SELECT * FROM Users, it gives me all the information, but that may be a bit too much. So I always like doing DESCRIBE first to show me all the tables within it, and then I can select what I want. So I probably want the ID, the username and password from Users. And I may want the MFA secret if they are doing two-factor, because if I steal all these secrets then I can just bypass 2FA. But we have this, and let's see, ID. Okay. Username root, and here's the password. It is a bcrypt password.

However, the hint says to crack this password, and our wordlist isn't too big, right? If we look at it, wc -l pwlist, it's only 77 characters. Uh, 77. Wait, why is it 77? Weird. I assumed it would be 64 because we ran best64 on it, which should be 64 rules, but okay, whatever. So let's vi hash. And to prove the hashing doesn't take too long, I'm going to do it on my VM. So I'm going to look at example hashes, search for bcrypt. And we're going to paste this hash: mode 3200. So hashcat -m 3200, the hash, and then we could do pwlist, but we also could just do pw and then -r for rules, /usr/share/hashcat/rules/best64.rule. So generally with hashcat I don't just output a bunch of wordlists, because the benefit of rules is when you get into large files. Let's say this wordlist was 1 gig; if I wanted to use this best64 rule, which made this 76 lines, now that 1 gig file turns into like 76 gigs. Not fun. So that's the benefit of rules. And oh, I already had this in. Let's move hashcat... yeah, let's just delete that whole directory, or we can do hashcat.potfile. There we go. It was telling me it had already cracked it. So when I was making the box, I guess I just left that in. I don't use hashcat from my VM much, but you can see it cracked it so quick, because again the rule file is just small. I like this piece of the box. I know it got a lot of hate, but my thought process with adding this is I run hashcat probably 100 times any time I do a password audit, because I will constantly run hashcat and then go into that rule file I just deleted.

So I'll cat hashcat.potfile | awk -F: '{print $2}' and then put that into newcrack, and then run hashcat yet again against this, and every time I get a new crack it goes into the pot file, and I run it again, run it again, run it again. And you'd be surprised how many more hits you'd get if you just do a best64 crack against an Active Directory database, and then take what cracked, submit it against best64 again, and then again. You'd be surprised how long of a chain you go until it stops giving you new cracks. So that was what this whole piece of the box was supposed to teach you: using hashcat rule files. So yeah, hope you enjoyed the box. Before we go, I can go into kind of how the box works. Let's do su - and PleaseSubscribe. Whoops, PleaseSubscribe!21. I probably typoed that. So I'm just going to cat newcrack and we'll copy and paste, su -. So what we can do is look at this pysmtp and mail.sh. There's also note.txt, which talks about it and gives you a blog post of what this whole attack was based upon, how I learned about it. So if you just go to this Medium link or Google "how I hacked 100 companies through the help desk", it talks about exactly what we did in this box. So let's look at mail.sh to see what this is. All this is doing is starting the pysmtp server. So I'm guessing if I look at my crontab, let's see, cat /etc/crontab. Yeah, it's constantly making sure this mail.sh is running. And if I look at mail.sh, it says if I don't exist, run it. So, a really bad way to just make sure this service is running. I probably should have created a systemd service or something, but I'm too lazy, so I just did it this way because it was a quick win. Now, this SMTP server, if you noticed in one of the boxes, I forget which one, we used a Python SMTP server to retrieve mail. And that's exactly what I'm doing here; I learned about that Python library from that box.

And I'm just getting mail and then going into the database and mainly doing that update. Mail doesn't actually work on this box because it's a closed environment; this was just a good way to get that working and get the ticket information in there. So if you want to look at a fun script I wrote, there's this one. But yeah, that'll be it. Hope you guys enjoyed the video. Take care and I will see you all next week.

Original Description

00:00 - Intro
00:46 - Starting with nmap
02:15 - Enumerating the website to see links to the HelpDesk and Mattermost
03:40 - Attempting to enumerate the version of osTicket
05:45 - Searchsploit json output shows the date
06:30 - No exploits found, lets open a new ticket and see it gives us a way to update the ticket via email
08:40 - Creating an account on Mattermost with the email of the helpdesk to get the activation link
09:30 - Viewing the internal chat and seeing a password, then SSHing to the server
11:50 - Using hashcat to create a wordlist with its internal rule system
12:20 - Going over how Hashcat Rule files work
15:20 - Root #1: Running sucrack to bruteforce the root users password
19:50 - Root #2: Cracking the Mattermost Password
23:20 - Using hashcat to crack the Mattermost Password
26:45 - Going over how i set up the email server on this box


The video teaches how to exploit vulnerabilities in the HackTheBox - Delivery machine using various tools and techniques, and how to gain access to the system through password cracking and privilege escalation. The key takeaways are how to use nmap to scan for open ports, how to use hashcat to crack passwords, and how to exploit vulnerabilities in Mattermost.

Key Takeaways
  1. Run nmap to scan for open ports
  2. Use GitHub to find the version of osTicket
  3. Use Exploit-DB to find exploits for osTicket
  4. Create a ticket on the help desk system
  5. Use hashcat to crack passwords
  6. Use sucrack to brute force SSH and su login
💡 The key insight is that the HackTheBox - Delivery machine has a logic flaw in the Mattermost server that allows anyone with a company email address to access the chat, and that the help desk gives anyone who creates a ticket a company email address.
