Hack The Box - Delivery

Information Gathering

nmap -T4 -A 10.10.10.222

The target machine has ports 22, 80, etc. open.

Browse to port 80 and click CONTACT US:

Two domain names appear on this page: helpdesk.delivery.htb and delivery.htb.

Add both domain names to the hosts file and continue testing.

Exploitation

Create a new ticket at http://helpdesk.delivery.htb/index.php:

This returns an email address and a ticket ID.

Using this email address, register an account at http://delivery.htb:8065/signup_email:

After creating an account, I found that email verification is required, but at present I cannot obtain the link to complete registration and verification.

helpdesk.delivery.htb has a link for viewing past tickets; open the ticket's details under Check Ticket Status:

I found that the verification link was sent here. Click the link, confirm the account, and log in to the back end:

In the back end, find the server's username and password, maildeliver:Youve_G0t_Mail!, and the password rule left by the administrator: PleaseSubscribe!

SSH Login:

Get the user's flag.

Find the application's config file under /opt/mattermost/config/:

Find the MySQL username and password in the file:

Log in to MySQL and find sensitive information:

The database holds the password hash of the root user in the web application. Suspecting password reuse, and using the password-structure clue left earlier in the ticket system, crack the hash with hashcat. The plaintext password is: PleaseSubscribe!21

Switch user with su:

Get the root user's flag.
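
The root password above was a known phrase with a short suffix appended. As an added example (not part of the original post), here is a check that could run when a password is set or changed and reject anything derived from a denylisted base phrase. The function names, substitution map, similarity threshold and all sample passwords other than PleaseSubscribe!21 are assumptions constructed for illustration:

```python
import re
from difflib import SequenceMatcher

# Assumed map that undoes common character substitutions before comparing.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Base phrase taken from the page; a real denylist would also hold
# company names, product names and previously leaked passwords.
DENYLIST = ["PleaseSubscribe!"]


def skeleton(password: str) -> str:
    """Lowercase, undo substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def matched_base(candidate: str, denylist, threshold: float = 0.9):
    """Return the denylisted phrase the candidate derives from, or None."""
    cand = skeleton(candidate)
    for base in denylist:
        b = skeleton(base)
        if len(b) < 4:
            continue  # too short to match without false positives
        # Containment catches added prefixes/suffixes (years, counters);
        # the similarity ratio catches a swapped or dropped letter.
        if b in cand or SequenceMatcher(None, b, cand).ratio() >= threshold:
            return base
    return None


def audit(candidates, denylist=DENYLIST):
    """Map each candidate password to the base it matches (None = accepted)."""
    return {pw: matched_base(pw, denylist) for pw in candidates}


if __name__ == "__main__":
    samples = [
        "PleaseSubscribe!21",    # password recovered on the page
        "pl3as3subscrib3_2021",  # constructed: substitutions plus a year
        "PleazeSubscribe!",      # constructed: one letter changed
        "Tr0ub4dor&3",           # constructed: unrelated password
    ]
    for pw, base in audit(samples).items():
        print(f"{pw!r}: {'REJECT, variant of ' + base if base else 'ok'}")
```

The check needs the plaintext, so it belongs in the password-change path, before hashing.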
