OSCP PREPARATIONS – HTB Delivery

Delivery is a retired vulnerable machine running Linux. The goal is to obtain the user and root flags on the target machine by using its vulnerabilities.
To get to know the target machine, we first perform a network scan with nmap.

Classic Scan

Full port Scan

The port scan shows that 22/tcp (ssh, OpenSSH 7.9p1), 80/tcp (http, nginx 1.14.2) and 8065/tcp are open.
Since the ssh port offers no vulnerability, we continue in the browser and enumerate port 80.

We examined the page source and looked at the developer tools, but found nothing.
We continued the enumeration from the interface. Clicking on the helpdesk section redirects to a domain, so we need to add this domain to the hosts file.

nano /etc/hosts

We added the domains here and then tried to log in.

Next, let’s run a directory and file scan with gobuster.

We looked through many of the directories gobuster found, with no results.
We continue the enumeration from the interface.
Let’s create a ticket and then query the status of the ticket.

Here an e-mail address was created for us. We took this address and registered at Mattermost with it; the purpose is to receive the verification code that will be sent to it.

This is how we received a verification link after registration.

With this verification link we were able to log in to Mattermost.

Here we have two different hints. The first is that the server has the credentials maildeliverer:Youve_G0t_Mail!
The second is that passwords are variants of the cleartext PleaseSubscribe!, and that the hashes obtained are expected to be cracked with hashcat rules.
Let’s log in with the credentials via ssh.

We logged in successfully and got our user flag.

What we need to do now is obtain the hash of the root user through local enumeration and crack it with hashcat.
We perform the enumeration.

Let’s connect to mysql.

Here we obtained the hash value of the root user.
We know that this hash is a variant of PleaseSubscribe!
Let’s use hashcat to create passwords similar to this text.

Save the resulting hash in a file and crack it with john.

The cracked hash turned out to be PleaseSubscribe!21. Now we switch to the root user on the target machine.

This way we were able to switch to the root user and get our root flag.
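
The root password fell because it was a known base string with two digits appended. As an added example (not part of the original write-up), here is a password-change check that rejects such variants; the function names, the substitution tables and the ban list are assumptions made for illustration.

```python
import re
import string

# Constructed ban list: the base string is the one named in the hint on this page.
BANNED_BASES = ["PleaseSubscribe!"]

# Assumed substitution tables (not exhaustive); "1" is tried as both "i" and "l".
_COMMON = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
LEET_TABLES = [str.maketrans({**_COMMON, "1": "i"}), str.maketrans({**_COMMON, "1": "l"})]
EDGE_CHARS = string.digits + string.punctuation


def letters_only(text):
    """Lowercase the text and drop everything that is not a-z."""
    return re.sub(r"[^a-z]", "", text.lower())


def folded_forms(candidate):
    """Return the candidate reduced to letters under each simple mangling rule."""
    lowered = candidate.lower()
    forms = set()
    for text in (lowered, lowered[::-1]):        # forward and reversed
        core = text.strip(EDGE_CHARS)            # drop prepended/appended digits and symbols
        for table in LEET_TABLES:
            forms.add(letters_only(core.translate(table)))
            forms.add(letters_only(text.translate(table)))
    return forms


def banned_base_for(candidate, bases=BANNED_BASES):
    """Return the banned base the candidate is derived from, or None."""
    forms = folded_forms(candidate)
    for base in bases:
        needle = letters_only(base)
        if needle and any(needle in form for form in forms):
            return base
    return None


if __name__ == "__main__":
    # Constructed sample candidates.
    for pw in ["PleaseSubscribe!21", "Pl3as3Subscr1be!2020", "correct horse battery staple"]:
        print(pw, "->", "rejected" if banned_base_for(pw) else "accepted")
```

A check like this belongs in the password-change path, next to a breached-password list, so that appending digits to a shared base string no longer passes policy.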
