Enumeration

┌─[puck@parrot-lt]─[~/htb/delivery]
└──╼ $nmap 10.10.10.222 -oN allports.nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-15 09:26 CEST
Nmap scan report for delivery.htb (10.10.10.222)
Host is up (0.094s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 4.88 seconds
┌─[puck@parrot-lt]─[~/htb/delivery]

Virtual hosts discovery

Let's check the web service first.

It is a simple website. If we click the CONTACT US section, we will see that there are two virtual hostnames:

  • http://delivery.htb:8065/
  • http://helpdesk.delivery.htb/

Register an account

The first one looks like a communication service, such as Microsoft Teams or similar. It has an option to create an account; however, it asks for email verification, and the machine has no external access.

Because of that, let's look at the second virtual host. This website allows us to create a ticket as an anonymous user.

If we look carefully, there is an interesting feature which informs us that we can add additional information to the ticket by sending an email to 5243362@delivery.htb.

Remember that we could not create an account on the other virtual host because we can't verify it. However, if we sign up there with this ticket email address, the verification message will show up in the created ticket.

Now the verification information should be visible in the ticket system virtual host.

Just activate the account and log in to the Mattermost service.

After logging in you will see a chat where some useful information is found.

Finding credentials

As you can see there are some credentials, and information about the password policy.

@developers Please update theme to the OSTicket before we go live.  Credentials to the server are maildeliverer:Youve_G0t_Mail! 

Also please create a program to help us stop re-using the same passwords everywhere.... Especially those that are a variant of "PleaseSubscribe!"

If we try the maildeliverer:Youve_G0t_Mail! credentials against the SSH service, we get a shell and have owned the user.
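
The chat message above asks for a program that stops people from reusing variants of a known phrase. A minimal sketch of such a password-policy check follows, added here as an example and not part of the original write-up or the box; the function names, the look-alike fold table and the 0.85 similarity threshold are assumptions.

```python
from difflib import SequenceMatcher

# Constructed ban list: the base phrase named in the chat message.
BANNED_BASES = ["PleaseSubscribe!"]

# Look-alike characters folded to a single letter. "l" is folded together
# with "1" and "|" because "1" is used in place of both "i" and "l".
FOLD = str.maketrans({"0": "o", "1": "i", "|": "i", "l": "i", "3": "e",
                      "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})


def skeleton(password: str) -> str:
    """Lowercase, fold look-alikes, then drop everything that is not a-z."""
    folded = password.lower().translate(FOLD)
    return "".join(ch for ch in folded if "a" <= ch <= "z")


def is_variant(password: str, banned=BANNED_BASES, threshold: float = 0.85) -> bool:
    """True if the password is a decorated or lightly edited banned phrase."""
    cand = skeleton(password)
    for base in banned:
        core = skeleton(base)
        if not core:
            continue  # a ban entry with no letters cannot be compared
        # Prefix/suffix decoration ("2021", "!!") leaves the core intact.
        if core in cand:
            return True
        # Small edits (one swapped or dropped letter) still score high.
        if SequenceMatcher(None, core, cand).ratio() >= threshold:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample candidates for a password-change hook.
    for pw in ["PleaseSubscribe!", "Pl3as3Subscr1b3!2021",
               "pleazesubscribe", "correct-horse-battery-staple"]:
        print(f"{pw!r}: {'rejected' if is_variant(pw) else 'accepted'}")
```

Comparing skeletons rather than raw strings is what catches case changes, character substitutions and appended digits with a single ban-list entry.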