HTB Delivery

Initial Enumeration

nmap -sC -sV -vv -oA tcp 10.129.79.50 && nmap -sC -sV -vv -p- -oA allports 10.129.79.50

Found a subdomain helpdesk.delivery.htb

Creating a ticket shows the following content:

test, 

You may check the status of your ticket, by navigating to the Check Status page using ticket id: 6256421.

If you want to add more information to your ticket, just email [email protected].

Thanks,

Support Team

Create a ticket and grab the email from the ticket, the signup for an account with mattermost http://10.129.79.50:8065 using the email from the ticket

This will trigger an email to be sent to the ticketing system and add the info to the ticket

After this we get an validated email address

After logging in we are presented with a chat system and a few older chats

Credentials

maildeliverer:Youve_G0t_Mail!

User Enumeration

Enumerating the system further we find mysql credentials

Credentials

mmuser:Crack_The_MM_Admin_PW

mysql -h 127.0.0.1 -u mmuser -p

Privilege escalation

.\hashcat.exe -m 3200 -a 0 I:\data\htb\delivery\loot\hashes I:\data\htb\delivery\loot\pass_base -r I:\apps\hashcat\rules\best64.rule

Credentials

root:PleaseSubscribe!21

This gives us access to the system console of mattermost and also to root via su