I am embarking on my journey to attain my Offensive Security Certified Professional (OSCP) certification soon. Therefore, I will be grinding on Hack The Box. Do keep a look out for more writeups from me! Let’s get started 😀

Prerequisites

I added the machine’s IP to make my /etc/hosts file for easier access to the target machine:

echo "10.10.10.222 delivery.htb" >> /etc/hosts

Reconnaissance

My first step would usually be to run an Nmap scan on the machine.

nmap -Pn -sC -sV -A -p- -oN initial delivery.htb

From the results of the scan, I identified that port 80 – HTTP and port 22 – SSH are open. There was also a Mattermost server running on port 8065. I was able to visit and browse both sites.

Scanning & Enumeration

I found a helpdesk which users could reach out to while scanning the delivery.htb website. It redirected me to this page:

Then, I tried to create an account on the MatterMost. However, I had no luck as I needed to use a valid email for the email verification process in place.

Exploitation

I decided to go ahead and open a new ticket. The support center then provided me with an email address of the person who will be handling my ticket. Using the information I obtained in the scanning and enumeration phase, I decided to use the email provided to me to sign up for an account on MatterMost.

Aha! This provided me with the registration link. From this, I was able to verify my account for MatterMost and gain access to it.

Upon logging in, I was greeted with a group chat. Amongst all the chatter, these 2 texts stood out the most.

Gaining Access

I remembered finding SSH while performing reconnaissance. Therefore, I attempted to SSH with the credentials that were given and viola – I gained access!

I was hunting for hints on the server and finally struck some luck. There were credentials in plain text in one of the config files of the MySQL database.

Using the credentials, I gained access to the MySQL database and started hunting for even more clues: looking for the databases & tables available. There was a MatterMost database that seemed pretty interesting. I decided to dump out the users and passwords from the database:

Woohoo! Remembering what one of the texts said earlier about having passwords with different iterations of ‘PleaseSubscribe!’, I decided to use Hashcat to crack the hash.

# hashcat -a 0 -m 3200 hash dict -r /usr/share/hashcat/rules/best64.rule

Finally!! Using this, I managed to root the box.

It was an thrilling experience. Can’t wait to get my hands dirty on more boxes.