Enumeration
First, we use:
nmap -sCV 10.10.10.222
to find the open ports on the machine.
When accessing the page, we see two links:
http://helpdesk.delivery.htb
http://delivery.htb:8065
Then, thinking about virtual hosting, I edit the file /etc/hosts:
10.10.10.222 delivery.htb helpdesk.delivery.htb
Go to these two sites.
http://delivery.htb:8065/login
Foothold
Try to open a new ticket.
We have an email address here which we will use to create an account in Mattermost.
A verification email has been sent; we check our ticket status.
Then we receive an email with an activation link, and we access this link.
Now we can login to Mattermost.
After login, we can see a message from the @root user containing a credential.
This is used to connect to the server; port 22 is open, so we try to connect.
ssh maildeliverer@10.10.10.222
And we get user.txt.
Privilege Escalation
We will find a credential in /opt/mattermost/config/config.json.
This is used to connect to the MySQL database; connect to the db with:
mysql -u mmuser -D mattermost -p
Enumerate the db:
select table_name from information_schema.tables where table_schema=database();
select column_name from information_schema.columns where table_name='Users';
select Username, Password, Roles from Users;
Then we have root's password, but it is stored as a bcrypt hash (a Blowfish-based scheme).
Try to crack the password with hashcat. In hashcat, bcrypt (listed as "bcrypt $2*$, Blowfish (Unix)") is hash mode 3200.
In Internal Team, beside a credential of maildeliverer, @root provides us another hint.
“Also please create a program to help us stop re-using the same passwords everywhere… Especially those that are a variant of ‘PleaseSubscribe!’”
So, we will use a wordlist containing “PleaseSubscribe!”.
sudo ./hashcat.bin -a 0 -m 3200 hash.txt wordlist.txt
After getting the password, we switch to root's shell and get the flag.
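The hint from @root asks for a program that stops people reusing variants of "PleaseSubscribe!". The following is an added example of such a check (not code from the box or the writeup): it normalizes a candidate password and rejects it if it still contains a banned base phrase. The banned list and the sample accounts are constructed.

```python
import re

# Added example: a small password-policy check in the spirit of the hint
# ("stop re-using ... variants of PleaseSubscribe!"). Not the machine's own
# code; BANNED_BASES and the sample accounts below are constructed.

BANNED_BASES = ["PleaseSubscribe!"]

# Undo common keyboard substitutions so "Pl3ase$ubscr1be" compares equal to
# "PleaseSubscribe". '1' is mapped to 'i' (the reading this phrase needs).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Lowercase, undo leet substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def is_banned_variant(password: str, bases=BANNED_BASES) -> bool:
    """True if the normalized password contains any normalized banned base."""
    core = normalize(password)
    for base in bases:
        stem = normalize(base)
        if stem and stem in core:
            return True
    return False


def audit(accounts: dict) -> list:
    """Return the usernames whose password is a variant of a banned base."""
    return sorted(u for u, pw in accounts.items() if is_banned_variant(pw))


if __name__ == "__main__":
    # Constructed sample accounts, not data from the box.
    sample = {
        "alice": "PleaseSubscribe!21",
        "bob": "pl3ase$ubscr1be",
        "carol": "correct horse battery staple",
    }
    for user in audit(sample):
        print(f"{user}: password is a variant of a banned phrase")
```

Appending a year or swapping letters for digits does not get past the check, which is exactly the kind of reuse the hint complains about.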