The nmap scan shows an open SSH and HTTP port. On the corresponding website we can find a Helpdesk Application and a Mattermost. To actually access the helpdesk.delivery.htb server, the IP and servername has to be added to /etc/host on the local machine. Mattermost can be accessed over the URL http://7493836@delivery.htb
which can be used to create a valid Mattermost account. The Mattermost activation E-Mails can be retrieved from the delivery support ticket system.
After a bit of searching we can find numerous messages from root that mention the user maildeliverer
with the password Youve_G0t_Mail!
.
We can use the acquired account to log into the server via SSH and retrieve the user flag. By enumerating the server further the file /opt/mattermost/config/config.json
can be found. It includes the DB user mmuser
and the password Crack_The_MM_Admin
that can be used to retrieve hashed root user credentials. After logging into MariaDB with mysql -u mmuser -D mattermost -p
the data can be retrieved by executing SELECT username, password FROM Users WHERE username = 'root';
The Hash is a bcrypt and can be cracked with hashcat. To make things easier we used Hob0Rules
hashcat -a 0 -m 3200 hash.hash Hob0Rules/wordlists/wordlist.txt -r Hob0Rules/d3adhob0.rule -o cracked.txt -w 3 -O