Delivery
Enumeration
Ports and Services
Software Installed:
Nmap Scan Results:
Gobuster Results:
http://delivery.htb/:
http://helpdesk.delivery.htb/
Webpage (added to hosts file):
http://delivery.htb/
http://delivery.htb/#contact-us
http://helpdesk.delivery.htb/
Mattermost:8065
Port 8065 is a Mattermost server.
Initial Foothold
The Mattermost server requires a @delivery.htb email address. There is no way
to receive a confirmation email from either the Helpdesk or the Mattermost
server; however, during a test ticket creation I noticed a @delivery.htb email
address:
Created a new ticket, as the email address I was using seemed to cause a loop
when I tried creating an account. It wouldn’t let me see the ticket.
Using the @delivery.htb email address to register an account on the Mattermost
server. The account confirmation email should go to the ticket.
Copy/pasted the confirmation link and verified:
Interesting note:
SSH as maildeliverer with password Youve_G0t_Mail!
User.txt Proof Screenshot
User.txt Contents
Privilege Escalation
SQL Server settings in plaintext in /opt/mattermost/config/config.json:
Username: mmuser
Pass: Crack_The_MM_Admin_PW
Database: mattermost
Host: 127.0.0.1
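A defender-side check for the exposure noted above, as an added example that is not part of the original write-up or of Mattermost's own tooling: it flags a config.json that is readable beyond its owner and carries a database password inside SqlSettings.DataSource. The MySQL-style DSN layout, port 3306, the helper names and the placeholder password are assumptions.

```python
import json
import os
import re
import stat
import tempfile

# Assumed Go MySQL driver DSN shape: user:password@tcp(host:port)/dbname?params
# Simplified: a password containing "@" is not handled.
MYSQL_DSN = re.compile(
    r"^(?P<user>[^:@/]+)(?::(?P<password>[^@]*))?@\w*\((?P<host>[^)]*)\)/(?P<db>[^?]*)"
)

def audit_config(path):
    """Return findings about DB credential exposure in a Mattermost config.json."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Any local account that can read the file can read the DSN.
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"readable beyond owner (mode {mode:03o})")
    with open(path, encoding="utf-8") as fh:
        sql = json.load(fh).get("SqlSettings", {})
    match = MYSQL_DSN.match(sql.get("DataSource", ""))
    if match and match.group("password"):
        # Report where the credential applies, never the password itself.
        findings.append(
            f"plaintext password for DB user {match.group('user')!r} "
            f"at {match.group('host')}/{match.group('db')}"
        )
    return findings

def write_sample(dsn, mode):
    """Write a constructed config.json with the given DSN and mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump({"SqlSettings": {"DriverName": "mysql", "DataSource": dsn}}, fh)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    # Constructed sample; EXAMPLE_PASSWORD is a placeholder, not a value from the page.
    sample = write_sample(
        "mmuser:EXAMPLE_PASSWORD@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4", 0o644
    )
    for finding in audit_config(sample):
        print("FINDING:", finding)
    os.remove(sample)
```

Restricting the file to mode 0600 under the Mattermost service account, or supplying the DSN through the MM_SQLSETTINGS_DATASOURCE environment variable, clears both findings.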
List of users in Mattermost Database:
HashID:
Cracked with hashcat:
Root Screenshot Here: