Port Scanning and General Enumeration (Nmap)
Initial Nmap scan
Targeted scan on 8065
Nothing of note in the initial scan aside from the unknown port.
The contact page of the website links us to delivery.htb:8065, which is a Mattermost server. Interesting.
Access (Mattermost, SSH, OSTicket)
The OSTicket helpdesk is what you think it would be. You can create and view tickets.
I got stuck here for a while trying to perform an XSS attack before I took a step back.
First, let’s keep this in mind:
Next, let’s create a ticket:
So, to access the Mattermost server we need an @delivery.htb email address. It looks like the support center gives us an @delivery.htb email address, but we can't directly access the mailbox behind it. Or can we?
If you want to add more information to your ticket, just email
Does that mean the support ticket itself acts as the mailbox? Let's try by signing up for a Mattermost account using our @delivery.htb ticket email and then checking the ticket for the verification mail.
Now we’ve got access to the Mattermost server!
Creds? They don't work on OSTicket or the Agent login... but they do for SSH!
Privesc (linpeas, mysql, hashcat, rsmangler)
Let’s do some enumeration!
Running linpeas, we see:
The mattermost user is running Mattermost from under /opt. Checking out the config file gives us the database credentials, so we can log in with mysql -u mmuser -p and the password from the config:
Let’s roll through
show columns in Users;
select Username, Password from Users;
A post on the Mattermost server mentions PleaseSubscribe!, hashcat and hashcat rules, so we can reasonably assume that this hash, once cracked, will be a variation of PleaseSubscribe!:
PleaseSubscribe! may not be in RockYou, but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases.
I tried cracking it using different rules, but couldn’t manage it. I ended up using rsmangler to mutate PleaseSubscribe!
Mode 3200 is bcrypt, which is the format Mattermost stores in the Users table (the hashes start with $2a$), so cracking is slow and a small, targeted wordlist matters far more than a big one:
hashcat --force -m3200 --status -w3 -o found.txt --remove --potfile-disable hash newlist
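The rule-based mutation that the Mattermost post warns about is worth seeing in code. The block below is an added example, not code from the write-up, rsmangler or hashcat: it implements a small subset of hashcat's rule syntax (case, reverse, append/prepend, substitute, truncate), generates an rsmangler-style candidate list from PleaseSubscribe!, and tests each candidate against a target. The rule subset, the year range and the suffix list are assumptions chosen for the demo, and the target is a constructed SHA-256 digest so it runs offline; the real hash is bcrypt, so in practice you would swap the check for bcrypt.checkpw or write the candidates to a file and hand them to hashcat -m 3200 as above.

```python
"""Mini hashcat-style rule engine and rsmangler-style candidate generator.

Added example for the write-up, not the page's or any tool's own code.
Assumptions: the supported rule subset below, the years/suffixes in
build_rules(), and a SHA-256 stand-in target (the real hash is bcrypt).
"""
import hashlib
import itertools

# Leetspeak substitutions, expressed later as hashcat 'sXY' functions.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def apply_rule(word: str, rule: str) -> str:
    """Apply one hashcat rule string (subset) to word.

    Supported functions: ':' no-op, 'l' lower, 'u' upper, 'c' capitalise,
    'C' invert capitalise, 't' toggle case, 'r' reverse, 'd' duplicate,
    '$X' append X, '^X' prepend X, 'sXY' replace X with Y, ']' delete last,
    '[' delete first. Functions chain, e.g. 'c$2$0$2$1', spaces are ignored.
    """
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in ": ":
            pass
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "C":
            word = word[:1].lower() + word[1:].upper()
        elif op == "t":
            word = word.swapcase()
        elif op == "r":
            word = word[::-1]
        elif op == "d":
            word = word * 2
        elif op == "]":
            word = word[:-1]
        elif op == "[":
            word = word[1:]
        elif op == "$":          # append the next character
            i += 1
            word = word + rule[i]
        elif op == "^":          # prepend the next character
            i += 1
            word = rule[i] + word
        elif op == "s":          # substitute rule[i+1] -> rule[i+2]
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError(f"unsupported rule function {op!r}")
        i += 1
    return word


def build_rules(years=range(2019, 2022)) -> list[str]:
    """Assumed rsmangler-style rule set: case variants x optional leetspeak
    x common digit/symbol/year suffixes. Small on purpose: bcrypt is slow."""
    case_ops = [":", "l", "u", "t", "c"]
    suffixes = ["", "1", "!", "123", "!1"]
    suffixes += [str(y) for y in years] + [str(y)[-2:] for y in years]
    leet = "".join(f"s{k}{v}" for k, v in LEET.items())
    rules = []
    for case_op, suf in itertools.product(case_ops, suffixes):
        append = "".join(f"${c}" for c in suf)
        rules.append(case_op + append)
        rules.append(case_op + leet + append)
    return rules


def mangle(base: str, rules) -> list[str]:
    """Apply every rule to base, keeping unique candidates in rule order."""
    seen, out = set(), []
    for rule in rules:
        cand = apply_rule(base, rule)
        if cand not in seen:
            seen.add(cand)
            out.append(cand)
    return out


def wordlist_text(base: str, rules) -> str:
    """Candidates one per line, ready to save as the 'newlist' file for hashcat."""
    return "\n".join(mangle(base, rules)) + "\n"


def demo_target(secret: str) -> str:
    """Constructed stand-in target: SHA-256 instead of the real bcrypt hash."""
    return hashlib.sha256(secret.encode()).hexdigest()


def sha256_check(candidate: str, target: str) -> bool:
    return hashlib.sha256(candidate.encode()).hexdigest() == target


def crack(target: str, base: str, rules, check=sha256_check):
    """Return the first candidate that check() accepts, else None.
    Pass check=lambda c, t: bcrypt.checkpw(c.encode(), t) for real bcrypt."""
    for cand in mangle(base, rules):
        if check(cand, target):
            return cand
    return None


if __name__ == "__main__":
    rules = build_rules()
    base = "PleaseSubscribe!"
    print(f"{len(mangle(base, rules))} candidates from {len(rules)} rules")
    target = demo_target("PleaseSubscribe!21")   # constructed for the demo
    print("cracked:", crack(target, base, rules))
```

The design point is that the candidate list is derived from intelligence (the post naming the base phrase), not from a generic dictionary: a few hundred targeted guesses against bcrypt finish in seconds, where rockyou with a large rule set would take days.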