Hello Internet, it’s your resident script kitty here to talk about how I got my first own on an HTB machine. Now that Delivery is retired I can share with you the details of exactly how I got user and the interesting process that it involved.
Interestingly, the largest challenge for me to overcome was that I did not initially realize that I would have to manually add the server to my hosts file because of the architecture of the lab environment. For those who are confused like I was, allow me to explain: because the HTB boxes are not connected to the internet, in order to resolve subdomains you must add the IP and subdomain manually to your hosts file. On Linux it’s as simple as just doing
sudo nano /etc/hosts
and making the changes. Without this you may repeat my mistake of getting stuck because the subdomain won’t load and going down a rabbit hole looking for the solution.
Now with that out of the way, let’s begin our examination. When first scanning with Nmap we see that there are only a few ports open: 22, 80, and 8065. With an open port 80 our first move is pretty obvious: we connect to the server with our web browser and sure enough it’s a website (pictures not included, sadly, as I forgot to take them at the time and I don’t have the premium subscription so I can’t get back into retired machines). A cursory examination of the landing page reveals that they have a help desk page; this is where adding the subdomain to your hosts file is important. But perhaps more interesting is that they have a Mattermost server that only requires a @Delivery.htb email address, but how would we get one?
Now this next step took me a while because, as previously mentioned, I was unaware of the need to add the subdomain to the hosts file. Once you check out the help desk site you notice 2 things right away: the first is that it generates you an email address based on your ticket number that you can email to update the ticket, and the second is that you don’t need any authentication to submit a ticket.
From here the solution is pretty obvious; however, I did get stuck for a second because when viewing the ticket you have to use the exact same email address you used to submit it, otherwise it wants you to create an account and verify your email address, which is impossible because the server is isolated from the internet. I don’t know if this is a quirk of Firefox or if I just didn’t see a space or something, but when it auto-filled for me the site would reject the email; I had to manually copy and paste the email in.
Now that we have a ticket we can open a new tab and direct our browser to 10.10.10.222:8065 and see the Mattermost page. When creating a new account it sends an email with a link that validates your account; however, how can we view the email? Simply have it send the email to the ticket-updating email address we got in the last step. Once sent, you can see it updates the ticket and you are able to click the link and log in.
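The weakness behind this step is that the chat server treats control of any mailbox in the domain as proof of membership, while the help desk hands out readable mailboxes in that same domain to unauthenticated users. As an added example (not part of the original write-up or of either product’s code), here is a domain-only signup check next to a stricter one; the numeric ticket address format, the mailbox list and all function names are assumptions.

```python
import re

# Assumptions (not from the original post): signup is restricted to one email
# domain, and the help desk issues reply addresses of the form
# <ticket-number>@<same domain>. All names below are hypothetical.
ALLOWED_DOMAIN = "delivery.htb"
TICKET_LOCAL_PART = re.compile(r"^\d+$")   # assumed ticket address format
EMPLOYEE_MAILBOXES = {"alice", "bob"}      # constructed directory sample


def split_address(address):
    """Return (local, domain) lower-cased, or None if malformed."""
    address = address.strip()
    if address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or not domain:
        return None
    return local.lower(), domain.lower()


def domain_only_check(address):
    """Weak check: any mailbox in the domain counts as an employee."""
    parts = split_address(address)
    return parts is not None and parts[1] == ALLOWED_DOMAIN


def hardened_check(address):
    """Reject system-generated ticket mailboxes and require a known mailbox."""
    parts = split_address(address)
    if parts is None or parts[1] != ALLOWED_DOMAIN:
        return False
    local, _ = parts
    if TICKET_LOCAL_PART.match(local):
        return False  # help desk reply address, readable by the ticket opener
    return local in EMPLOYEE_MAILBOXES


if __name__ == "__main__":
    for sample in ("4120849@delivery.htb", "Alice@Delivery.htb"):  # constructed
        print(sample, domain_only_check(sample), hardened_check(sample))
```

Putting ticket reply addresses on a separate subdomain from staff mail removes the overlap entirely, so the allowlist in the stricter check becomes a second layer and not the only one.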
Now that we are in the Mattermost server we can see that the admin has left a few messages that give us exactly what we need: the login for a user with standard privileges and instructions for what we need to do if we want to get root on the box.
The next step is as simple as logging into the server via SSH on port 22 and doing
cat user.txt
and submitting the hash. Now I won’t be covering root here today as I don’t currently have access to the retired machines, but if you’re interested the official walkthrough has been posted now that the machine is retired.
That’s all I have for you in this one, but if you liked this write-up please consider subscribing so you can get even more Infosec content like this, and if you have any thoughts or questions you can leave them in the comments below. Until next time, this is your resident script kitty signing off.