In this post, I would like to share a walkthrough of the Delivery machine.
This room is rated as an EASY machine.
Once we have started the VPN connection, we can start information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN
Let’s open the browser and go straight to the website interface.
The page looks like the screenshot above, and there’s not much information that we can use here. However, there are links to Contact Us and Helpdesk.
First, we go to Contact Us, which opens a page that tells us how to open a ticket with the Helpdesk. Besides that, we are also given the Mattermost link, which requires login credentials.
We are required to create new credentials in order to log in to Mattermost.
We will come back here when we have an email address that we can use to register.
On the Helpdesk link, we are directed to a website where we can open new tickets and view the ticket activity.
Once we have opened a ticket, we are provided with an email address that we can use to register in Mattermost.
We will see the account verification email sent to us in the ticket’s support center. To activate the account, we need to go to the link that we obtained from the response.
We successfully log in to the Mattermost chat room after keying in the username and password set during the registration process just now.
From the message above, we notice that a username and password are provided. So, let’s try logging in with those credentials via the SSH service.
We got access to the machine via SSH. Now, let’s find the user flag by going to the /home/maildeliverer directory, where we can read it using cat user.txt
Let’s see if there is any malicious file that we can find in the /opt/ directory, and we did find a mattermost directory there. While looking inside the mattermost directory, we found a config.json file stored there.
Inside config.json, something caught my attention: the MySQL credentials.
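For defenders, the finding above (database credentials in a config file that an ordinary shell user can read) can be checked for automatically. The following is an added example, not part of the original walkthrough and not Mattermost code: it walks any JSON config for connection strings with an embedded user:password@ and flags world-readable file modes. The sample config, its key names and its values are constructed placeholders.

```python
import json
import os
import re
import stat
import tempfile

# Matches user:password@ at the start of a connection string (DSN or URL form).
DSN_CRED = re.compile(r"^(?:\w+://)?([^:@/\s]+):([^@\s]+)@")


def embedded_credentials(node, path=""):
    """Yield (json_path, username) for every string value that embeds user:password@."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from embedded_credentials(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from embedded_credentials(value, f"{path}[{i}]")
    elif isinstance(node, str):
        match = DSN_CRED.match(node)
        if match:
            yield path, match.group(1)


def audit_config(file_path):
    """Return a list of findings for one JSON config file."""
    findings = []
    mode = stat.S_IMODE(os.stat(file_path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"world-readable ({oct(mode)})")
    with open(file_path, encoding="utf-8") as handle:
        config = json.load(handle)
    for json_path, user in embedded_credentials(config):
        findings.append(f"plaintext password for '{user}' at {json_path}")
    return findings


def demo():
    # Constructed sample: key names and values are placeholders, not the box's config.
    sample = {"SqlSettings": {"DataSource": "appuser:EXAMPLE-ONLY@tcp(127.0.0.1:3306)/appdb"},
              "ServiceSettings": {"SiteURL": "http://example.invalid"}}
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
        json.dump(sample, tmp)
    os.chmod(tmp.name, 0o644)   # weak: readable by every local user
    before = audit_config(tmp.name)
    os.chmod(tmp.name, 0o600)   # tightened: owner only
    after = audit_config(tmp.name)
    os.unlink(tmp.name)
    return before, after
```

Tightening the file mode removes the first finding only; the password is still stored in plaintext, so the database account should also be limited to what the application needs.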
There’s an error while trying to log in to MySQL.
After doing some research on the internet, we got the right command to log in to MySQL.
Let’s see which databases exist in MySQL; we find that mattermost is one of the database names.
We can select the database by using the mysql command use mattermost
When I run the mysql command show tables, I find that there’s a Users table, which normally stores the usernames and passwords.
The screenshot above looks a little bit messy. So, let’s make it look nicer by getting only the username and password from the table.
We can see that root is one of the usernames stored in the database, but the password is stored as a hash.
Now, let’s crack the password so that we can gain root privileges.
What we should use here are hash.txt and a password file, as can be seen below:
- In hash.txt, we need to paste the hash that we found during our investigation in MySQL (root’s hash).
- On the other hand, the password file will use the keyword PleaseSubsribe! that we found in the Mattermost chat room.
After a while, we got the password for root access, as shown below.
Let’s try to log in as root by running the command “su” with the password that we found above.
As usual, we read the root flag by going to the /root/ directory, where the root flag is located.
Happy Learning Guys!