- OS: Linux
- Difficulty: Easy
- Points: 10
The nmap scan shows an open SSH and HTTP port. On the corresponding website we can find a Helpdesk Application and a Mattermost. To actually access the helpdesk.delivery.htb server, the IP and servername has to be added to /etc/host on the local machine. Mattermost can be accessed over the URL http://:8065. Go to the support center and “Open a new Ticket”, upon submit you get an E-Mail Address associated with your ticket
firstname.lastname@example.org which can be used to create a valid Mattermost account. The Mattermost activation E-Mails can be retrieved from the delivery support ticket system.
After a bit of searching we can find numerous messages from root that mention the user
maildeliverer with the password
We can use the acquired account to log into the server via SSH and retrieve the user flag. By enumerating the server further the file
/opt/mattermost/config/config.json can be found. It includes the DB user
mmuser and the password
Crack_The_MM_Admin that can be used to retrieve hashed root user credentials. After logging into MariaDB with
mysql -u mmuser -D mattermost -p the data can be retrieved by executing
SELECT username, password FROM Users WHERE username = 'root';.
The Hash is a bcrypt and can be cracked with hashcat. To make things easier we used Hob0Rules
hashcat -a 0 -m 3200 hash.hash Hob0Rules/wordlists/wordlist.txt -r Hob0Rules/d3adhob0.rule -o cracked.txt -w 3 -O