HackTheBox: Delivery

01/13/2024

This is another one of the re-released easy retired machines. This is Linux. Judging by the user ratings it looks like this is probably more of a 'medium', but we'll see.

I'm going to finish this tonight unless I pass out, because I'm going to use the official writeup if I get stuck for more than ~30 minutes.

Damn! This box was actually created by Ippsec! That's awesome...

Enumeration

Three ports open: 1) SSH on 22, 2) HTTP on 80, 3) unknown on 8065.

Script scan shows that the machine seems to be running Debian. The HTTP server is nginx. The unknown service appears to be HTTP or HTTPS based on the fingerprint I'm seeing.

Okay, so the service on 8065 IS http, and it's a different site than the one that appears on port 80.

The sites on port 80 and 8065 are related; the one on 80 is the stylish customer-facing home page for what seems to be a tech support service. It prompts you to visit the "helpdesk" to register an email, and states that after creating an email account you will have access to the "mattermost" server (which is the one on 8065). So evidently port 80 is the general public page and 8065 is the members-only side.

Note that down on the bottom of the page on the port 80 site is a link to the HTML template provider, "HTML5 UP". I can't really see that being relevant since I don't think you could really exploit HTML.

I have to admit, the "mattermost" site is so detailed and well-polished that I'm not sure if it's actually part of the box or not... I think it must be, I'm just blown away by how professional it looks. Ippsec doesn't fuck around.

Ah, okay. So Mattermost IS a real company, and what I'm seeing is a real website. They also have software you can self-host though, which is what the login would be for. ==When I get to that point, I can see if it has any vulnerabilities like SQL injection for auth bypass.==

So let's start from the start, and try to register an email at the help desk on port 80.

Clicking the link redirects me to http://helpdesk.delivery.htb and Firefox shows a page-not-found error; guess I have to add "delivery.htb" and the subdomain "helpdesk.delivery.htb" to /etc/hosts, then refresh.

That did the trick; the "Support Center" page loads, with a few different buttons on the page. You have a "Sign in" option, then "Open a New Ticket" and "Check Ticket Status". Now, I'll admit, I've seen Ippsec himself exploit support ticket systems so many times that I probably won't need to come up with anything all that original here. Chances are I'll be able to either upload a reverse shell file or use SSTI or something, without too much fuckery.

Let's load Burp and start playing with it.

Now, this I found almost by accident; I checked Wappalyzer on the ticket page not really expecting to see much, but found that it identified the support ticket system used on the page as "osTicket". I did a quick Google search and found that ==some versions of osTicket have an SSRF vulnerability==. This one may or may not be affected.

And also, while I'm digging around here, I'm going to run gobuster in the background. If this really does have an SSRF vulnerability, I may be able to access any restricted areas that may be on the site.

Testing osTicket for SSRF vulnerability

The basic exploitation method is to select the "HTML" format when creating a new ticket, then add an image tag with the source set to the target site. Then, after submitting the ticket, attempt to print it to PDF; this should trigger the system to make a request to the site you specified. I entered:

<format><img src="http://10.10.14.231"></format>

and after submitting, got this response:
and after submitting, got this response:

test,

You may check the status of your ticket, by navigating to the Check Status page using ticket id: 1119603.

If you want to add more information to your ticket, just email 1119603@delivery.htb.

Thanks,

Support Team
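From the defender's side, the weak point in the method described above is a PDF renderer that fetches whatever image URL a ticket body contains. As an added example (my own code, not osTicket's, and not from the original post), the snippet below pulls every img src out of a ticket body and applies an assumed policy before rendering: inline data: URIs pass, http(s) only to an allow-listed host, and any literal IP or other scheme is blocked. The sample ticket bodies and the cdn.example.test allow-list are constructed for the example.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample ticket bodies; the first mirrors the payload from the writeup.
SAMPLE_TICKETS = [
    '<format><img src="http://10.10.14.231"></format>',
    '<p>Printer jammed again <img src="data:image/png;base64,AAAA"></p>',
    '<img src="https://cdn.example.test/logo.png">',
]

# Hosts the renderer is allowed to fetch images from (assumed policy for this example).
ALLOWED_IMAGE_HOSTS = ("cdn.example.test",)


class ImgSrcCollector(HTMLParser):
    """Collect every <img src=...> value in a ticket body."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def classify_src(src, allowed_hosts=ALLOWED_IMAGE_HOSTS):
    """Return 'inline', 'allowed' or 'blocked' for one image source."""
    if src.startswith("data:"):
        return "inline"          # embedded image, no network fetch involved
    u = urlparse(src)
    if u.scheme not in ("http", "https") or not u.hostname:
        return "blocked"         # file:, gopher:, scheme-less, etc.
    try:
        ipaddress.ip_address(u.hostname)
        return "blocked"         # literal IPs never pass, internal or external
    except ValueError:
        pass
    # Host-name allow-list; a resolver-level check would still be needed
    # against DNS rebinding, which this example does not cover.
    return "allowed" if u.hostname.lower() in allowed_hosts else "blocked"


def audit_ticket(body):
    """Map each image source in a ticket body to its policy verdict."""
    collector = ImgSrcCollector()
    collector.feed(body)
    return {src: classify_src(src) for src in collector.sources}
```

Run `audit_ticket` over a ticket before handing it to the PDF step and refuse to render (or log) anything that comes back "blocked"; the writeup's payload is exactly the case it catches.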