- OS: Linux
- Difficulty: Easy
- Points: 10
The nmap scan shows an open SSH and HTTP port. On the corresponding website we can find a Helpdesk Application and a Mattermost. To actually access the helpdesk.delivery.htb server, the IP and servername has to be added to /etc/host on the local machine. Mattermost can be accessed over the URL http://:8065. Go to the support center and “Open a new Ticket”, upon submit you get an E-Mail Address associated with your ticket 7493836@delivery.htb
which can be used to create a valid Mattermost account. The Mattermost activation E-Mails can be retrieved from the delivery support ticket system.
After a bit of searching we can find numerous messages from root that mention the user maildeliverer
with the password Youve_G0t_Mail!
.
We can use the acquired account to log into the server via SSH and retrieve the user flag. By enumerating the server further the file /opt/mattermost/config/config.json
can be found. It includes the DB user mmuser
and the password Crack_The_MM_Admin
that can be used to retrieve hashed root user credentials. After logging into MariaDB with mysql -u mmuser -D mattermost -p
the data can be retrieved by executing SELECT username, password FROM Users WHERE username = 'root';
.
The Hash is a bcrypt and can be cracked with hashcat. To make things easier we used Hob0Rules hashcat -a 0 -m 3200 hash.hash Hob0Rules/wordlists/wordlist.txt -r Hob0Rules/d3adhob0.rule -o cracked.txt -w 3 -O