Delivery is a retired vulnerable machine running Linux. The goal is to obtain the user and root flags on the target machine by using its vulnerabilities.
To fingerprint the target machine, we first perform a network scan with nmap.
Classic Scan
Full port Scan
The port scan shows that 22/tcp (ssh, OpenSSH 7.9p1), 80/tcp (http, nginx 1.14.2) and 8065/tcp are open.
Since the SSH service offers no vulnerability to work with, we continue in the browser and enumerate port 80.
We examined the page source and the browser developer tools and found nothing useful.
We continued the enumeration through the web interface. Clicking the helpdesk section redirects to a domain, which we need to add to the hosts file.
nano /etc/hosts
Here we added the domains. We tried to log in.
Next, let's run a directory and file scan with gobuster.
We went through many of the entries gobuster found, with no results.
We continue the enumeration through the web interface.
Let's create a ticket and then query the status of the ticket.
Here, an e-mail address was created for us. We took this e-mail address and registered at Mattermost with it; the purpose is to receive the verification code that will be sent to it.
This is how we received a verification link after registration.
We were able to get this verification link and log in to Mattermost.
Here we find two different hints. The first is the server credential maildeliverer:Youve_G0t_Mail!
The second is that passwords are variants of the cleartext PleaseSubscribe!, and that we are expected to crack the obtained hashes using hashcat rules.
Let's log in with these credentials via SSH.
We were able to log in successfully and received our user flag.
Now we need to obtain the hash of the root user through local enumeration and crack it with hashcat.
We perform the enumeration.
Let's connect to MySQL.
Here we have obtained the hash value of the root user.
We know that this hash is a variant of PleaseSubscribe!
Let's use hashcat to generate passwords similar to this text.
Save the obtained hash in a file and crack it with john.
The cracked password turns out to be PleaseSubscribe!21. Now we switch to the root user on the target machine.
This way we were able to switch to the root user and get our root flag.
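The root password here was a rule-style variant of a string that was already known, which is exactly what a password-change check can reject. The following is an added example, not part of the original write-up: a check that folds a candidate password to a comparison key and rejects it if it derives from a banned base. The names `BANNED_BASES`, `key`, `derived_from` and `audit`, and the substitution table, are assumptions made for illustration.

```python
import re
from typing import Iterable, Optional

# Assumption: base strings that must not be reused in any form. Here it is the
# cleartext named in the hint; in practice, known-leaked or retired passwords.
BANNED_BASES = ["PleaseSubscribe!"]

# Assumed set of substitutions to undo. "1" and "l" both fold to "i" because
# "1" is used in place of either letter.
UNLEET = str.maketrans("01l3457@$", "oiieastas")
MIN_KEY_LEN = 6  # shorter base keys would match too many unrelated passwords


def key(text: str) -> str:
    """Lowercase, undo common substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(UNLEET))


def derived_from(password: str, bases: Iterable[str] = BANNED_BASES) -> Optional[str]:
    """Return the banned base that `password` is a variant of, or None."""
    cand = key(password)
    for base in bases:
        base_key = key(base)
        if len(base_key) < MIN_KEY_LEN:
            continue
        # Added digits and symbols, case changes and substitutions all collapse
        # to the same key; the reversed comparison covers a reversed base.
        if base_key in cand or base_key in cand[::-1]:
            return base
    return None


def audit(candidates: Iterable[str]) -> dict:
    """Map each rejected candidate to the base it was derived from."""
    hits = {}
    for pw in candidates:
        base = derived_from(pw)
        if base is not None:
            hits[pw] = base
    return hits


if __name__ == "__main__":
    # Constructed sample input for the policy check.
    samples = ["PleaseSubscribe!21", "pl3as3subscr1b3", "!ebircsbuSesaelP", "Correct-Horse-7"]
    for pw in samples:
        print(pw, "->", "rejected" if derived_from(pw) else "accepted")
```

Calling `derived_from` from the password-change path, with the banned list fed from retired and shared credentials, blocks the whole family of variants rather than one exact string.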