Welcome to another of my technical HackTheBox walkthroughs. This time we are taking on the Delivery challenge, let's jump right in!
Initial nmap session:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-16 20:54 GMT
Nmap scan report for 10.10.10.222
Host is up (0.041s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
| 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_ 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.23 seconds
Navigating to http://10.10.10.222/ I can find the contact section, where two new links lead to two different subdomains: http://helpdesk.delivery.htb/ and http://delivery.htb:8065/
I change the /etc/hosts file and go to investigate them.
It's a ticketing management platform based on the osTicket system (but it could be an old version). Searching on Exploit-DB I found a lot of exploits.
Starting to build confidence with the portal, I try to register a new account and I understand that I need to confirm the registration, but the email could never be sent out of the internal network of HTB, so I need to intercept the email by becoming an email provider myself. But let's go ahead and check the second portal.
The second portal is based on the < ..