In this post, i would like to share a walkthrough of the Delivery Machine.
This room has been considered difficulty rated as an EASY machine
Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN
Information Gathering on Delivery machine
Let’s open the browser and straight into the website interface.
The page will look like the screenshot above and there’s not much information that we can use over here. However, there’s a link on Contact US and Helpdesk
Firstly, we can go to Contact US which will open a website that gives us a piece of information on to open a ticket to the Helpdesk. Asides from that, we have also been given the information of the Mattermost link that required the login credentials.
Enumerate the MatterMost application on Delivery Machine
We are required to create new credentials to login to Mattermost.
We will be coming back here when we have an email that we can use to register.
On the Helpdesk link, we are directed to a website where we can open new tickets and view the ticket activity.
Once we have fully opened a ticket, we will be provided with the email that we can use to register in the mattermost.
We will see the email of account verification been sending out to us on the ticket’s support center. For the account to be active, we need to go to the link that we required from the response.
We successfully have login to the mattermost chat room after you. key-in the username and password that were done during the registration process just now.
From the message above, we have noticed that they provided a username and password. So, let’s try login with those credentials via ssh service
SSH access to the machine via credential on the Delivery Machine
We got access to the machine via ssh. Now, let’s find the user flag by going to /home/maildeliverer directory and we can get the user flag by using cat user.txt
Let’s see any malicious file that we can find in /opt/ directory and we did find there’s mattermost directory. While looking inside mattermost directory, we found a config.json file stored there.
Inside config.json, there’s something that caught my attention, especially MySQL credentials
There’s an error while trying to login to MySQL
Enumerate the MySQL database
After doing some research on the internet, we got the right command to login into MySQL.
Let’s see if any database names have been included in MySQL, we found out that mattermost is one of the database names
We can see the database by using the MySQL command such as using mattermost
When i run the MySQL command to show tables, i found out that there were User’s Tables that normally stored the username and password.
The screenshot above looks a little bit messy. So, let’s make it look nicer by getting username and password only from the tables
The hashes that we sighted in the screenshot above can be cracked with hashcat
Now, let’s crack the password so that we can access the root privileges access.
What we should use here are hash.txt and password files can be seen below:
- On the hash.txt, we need to paste the hash that we found during my investigation in MySQL (root’s hash)
- On the other hand, the password file will be using the keywords PleaseSubsribe! that we found in the Mattermost chatting room.
After a while, we got the password for the root access as shown below
Let’s try to login to root just by running the command “su” with the password that we found above,
As usual, we need to read the root flag by going to /root/ directory where it’s the location of the root flag.
Happy Learning Guys!