Hack The Box — Delivery Writeup

MisterK
Jul 10, 2021

Delivery is an Easy box listed on Hack The Box. It was released on January 9th, 2021. Delivery focuses largely on real-world human weaknesses: shared accounts, and a support ticket system that accepts unvalidated user input. Getting deeper into Delivery also required a password cracking tool, run on very limited hardware.

Part One: Enumeration

A SYN scan with service version detection revealed three open ports: an HTTP server, an SSH server that is probably used for maintenance, and port 8065. I guess that 8065 is a second web service, since it looks like a typical alternate HTTP port. Knowing that I am dealing with a web server, I start scanning for directories and take a look at the front-facing website.

Part Two: Finding a Pivot Point

After looking around the website (including its source code) and scanning for directories, it looks like this site is built to respond to user input. After adding its hostname to my hosts file, I am able to reach the Support Center site.

Seeing this, I tried SQLMap against it but found nothing useful. I am, however, able to create an account, and the ticket I open gives me a way to verify a phony email address that I do not actually control.

After opening a test ticket, it becomes apparent that ticket updates are delivered through the mail server. As suspected, this lets me use the account registered through my ticket to pivot into private system resources.

Part Three: Social Engineering

Once I had a valid account, I was able to read internal correspondence. In practice, poor security habits are common in places that are assumed to be inaccessible. That is usually a physical security issue; here it is a data security issue. What follows is a conversation between system administrators in which a pivot point is all but handed to the intruder. Immediately after reading it, I make an unsuccessful attempt at guessing the variation. Having been told outright that the key to deeper system resources is PleaseSubscribe! with some improvised variation appended (a password suffix, not a cryptographic salt), I am still certain that I have found my pivot point.

After getting a working password for SSH, the User flag was immediately accessible.

Part Four: Finding The Root Flag

While I have SSH access, I do not have root. I am fairly sure the root password is some variation of PleaseSubscribe!, but after a few guesses I start Googling for where the application stores its database. Eventually I find a table of stored password hashes, which should help me pivot deeper into Delivery.

The account I just made is listed there, and the rest of the data supports the idea that this is what I am looking for. Googling the common prefix of these passwords, $2a$10$, shows that they are bcrypt hashes: 2a is the bcrypt version and 10 is the cost factor, so every guess costs 2^10 rounds of Blowfish key setup. Bcrypt is a one-way hash, not encryption, so these passwords cannot be decrypted; they have to be cracked by guessing candidates and hashing each one. Kali ships several tools for this, Hashcat among them. Because bcrypt is deliberately slow, a small targeted wordlist of PleaseSubscribe! variations is a far better bet than a huge generic one, especially on weak hardware. The cracking succeeds, and the Root flag is accessible with the recovered superuser credentials. Here is how this is done in Hashcat.

Hashcat mode 3200 (-m 3200) selects bcrypt
The limited processing power of the Raspberry Pi 4 is on full display
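To make the two steps above concrete, here is an added example (my own code, not the author's) that triages a dump of password hashes and builds a targeted wordlist for Hashcat mode 3200. It recognises the $2a$10$ bcrypt format, reports the cost factor that makes each guess so expensive, and generates case, leet, prefix and suffix variations of a known base password. The dump and both hashes in it are constructed for the example; they have bcrypt's shape and alphabet but are not hashes of any real password on the box. The base word PleaseSubscribe! comes from the writeup; the rule set is my own assumption of what is worth trying.

```python
"""Triage bcrypt hashes from a database dump and build a small,
targeted wordlist for hashcat mode 3200.

Added example for this writeup, not the author's code. SAMPLE_DUMP and
the two hashes in it are CONSTRUCTED: right shape and alphabet, but not
real hashes of any password.
"""
import re

# Modular-crypt bcrypt: $<2a|2b|2y>$<cost>$<22-char salt><31-char digest>,
# salt and digest in bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"\$(?P<version>2[aby])\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})"
)
HASHCAT_MODE_BCRYPT = 3200  # hashcat -m 3200 = "bcrypt $2*$, Blowfish (Unix)"

# Constructed sample of a password-table dump (not data from the box).
# The third row is an unsalted MD5 to show that non-bcrypt rows are skipped.
SAMPLE_DUMP = """\
 id | username   | password
----+------------+--------------------------------------------------------------
  1 | admin      | $2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
  2 | ticketuser | $2a$10$0123456789abcdefghijklMNOPQRSTUVWXYZ./abcdefghijklmno
  3 | legacy     | 5f4dcc3b5aa765d61d8327deb882cf99
"""


def parse_bcrypt(hash_str):
    """Describe one bcrypt string, or return None if it is not bcrypt."""
    m = BCRYPT_RE.fullmatch(hash_str)
    if not m:
        return None
    cost = int(m.group("cost"))
    return {
        "version": m.group("version"),
        "cost": cost,
        # 2**cost key-setup iterations per guess: cost 10 means 1024 Blowfish
        # expansions for every candidate, which is why a Pi 4 crawls here.
        "rounds": 2 ** cost,
        "salt": m.group("salt"),
        "digest": m.group("digest"),
        "hashcat_mode": HASHCAT_MODE_BCRYPT,
    }


def extract_bcrypt_hashes(dump_text):
    """Pull every bcrypt string out of a dump; other hash formats are ignored."""
    return [m.group(0) for m in BCRYPT_RE.finditer(dump_text)]


def triage(dump_text):
    """Parse every bcrypt hash found in the dump into a list of dicts."""
    return [parse_bcrypt(h) for h in extract_bcrypt_hashes(dump_text)]


# Small rule set (my assumption), applied in this order, mirroring what a
# hashcat rule file does: append digits/years/symbols, optionally prepend '!'.
SUFFIXES = ["", "!", "!!", "1", "123", "21", "2021", "#", "@", "$"]
PREFIXES = ["", "!"]


def mangle(base):
    """Generate variations of a known base password (case, leet, affixes).

    The list is kept small on purpose: at cost 10 every extra guess is paid
    for with 1024 bcrypt rounds, so a targeted list beats a generic one.
    """
    leet = base.translate(str.maketrans("aeosAEOS", "@30$@30$"))
    forms = sorted({base, base.lower(), base.upper(), base.capitalize(),
                    base.swapcase(), leet})
    seen, out = set(), []
    for word in forms:
        for suf in SUFFIXES:
            for pre in PREFIXES:
                cand = pre + word + suf
                if cand not in seen:
                    seen.add(cand)
                    out.append(cand)
    return out


if __name__ == "__main__":
    for info in triage(SAMPLE_DUMP):
        print(f"{info['version']} cost={info['cost']} ({info['rounds']} rounds)"
              f" -> hashcat -m {info['hashcat_mode']}")
    with open("hashes.txt", "w") as fh:
        fh.write("\n".join(extract_bcrypt_hashes(SAMPLE_DUMP)) + "\n")
    words = mangle("PleaseSubscribe!")
    with open("wordlist.txt", "w") as fh:
        fh.write("\n".join(words) + "\n")
    print(f"wrote {len(words)} candidates to wordlist.txt")
```

Run it once to get hashes.txt and wordlist.txt, then feed both to Hashcat in straight (dictionary) mode: `hashcat -m 3200 -a 0 hashes.txt wordlist.txt`. Keep the hashes in a file rather than pasting them on the command line, because the shell will try to expand the `$` characters in a bcrypt string. If the small list misses, widening it with a rule file (`-r`) is the next step, but on a Raspberry Pi every added rule multiplies an already slow job.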
