HTB Delivery
Writeup for Delivery box on HackTheBox.eu
Initial Enumeration
nmap -sC -sV -vv -oA tcp 10.129.79.50 && nmap -sC -sV -vv -p- -oA allports 10.129.79.50
Found a subdomain helpdesk.delivery.htb
Creating a ticket shows the following content:
test,
You may check the status of your ticket, by navigating to the Check Status page using ticket id: 6256421.
If you want to add more information to your ticket, just email [email protected].
Thanks,
Support Team
Create a ticket and grab the email from the ticket, the signup for an account with mattermost http://10.129.79.50:8065 using the email from the ticket
This will trigger an email to be sent to the ticketing system and add the info to the ticket
After this we get an validated email address
After logging in we are presented with a chat system and a few older chats
Credentials
maildeliverer:Youve_G0t_Mail!
User Enumeration
Enumerating the system further we find mysql credentials
Credentials
mmuser:Crack_The_MM_Admin_PW
mysql -h 127.0.0.1 -u mmuser -p
Privilege escalation
.\hashcat.exe -m 3200 -a 0 I:\data\htb\delivery\loot\hashes I:\data\htb\delivery\loot\pass_base -r I:\apps\hashcat\rules\best64.rule
Credentials
root:PleaseSubscribe!21
This gives us access to the system console of mattermost and also to root via su