The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

The scan has revealed port 22 (SSH) and port 80 (HTTP) as open.

Performing a second scan with the -p- flag to scan all ports:

Port 8065 has been revealed as well, through this new scan.

The next step will be to start enumerating HTTP. The following page is displayed when visiting the web server through a browser:

When clicking on the “Contact Us” button, it says an email address is required to have access to MatterMost:

When inspecting the source code of the contact us popup, it appears the HelpDesk hyperlink points at :

Whereas the MatterMost hyperlink points at on port 8065:

Updating the /etc/hosts file, adding these two new entries:

Accessing the help desk system at :

It allows unauthenticated users to log tickets, so the next step is to log one to see what that does:

Upon logging the ticket, the following message is displayed, indicating that to add comments to the ticket an email can be sent to :

This shows that when a new ticket is created, the web application sets up an email address based on the ticket id.

Mattermost is an open-source online chat service designed as an internal chat for organizations and companies, and mostly markets itself as an open-source alternative to Slack and Microsoft Teams.

Accessing MatterMost and clicking on the “Create new one” link:

This email address could not be used to sign up on MatterMost.

Using the email address generated by osTicket to subscribe and an arbitrary username and password:

MatterMost requires that users follow a confirmation link sent to their email address for the account to be activated:

Since new emails sent to the ticket's email address will add comments to the ticket, the link should be accessible from there. Going back to osTicket and clicking on “Check Ticket Status”, entering the email address

It appears the email sent by MatterMost was added as a comment, including the confirmation link:

Following the link in a browser activates the account:

Joined the “Internal” team and skipped the tutorial:

This leads to a chat with a few messages from the “root” user, one of which contains credentials for the “maildeliverer” user:

Another message from the root user also mentions how variants of “PleaseSubscribe!” are being used as passwords, and how Hashcat rules can be used to generate those variations in an automated fashion. This is probably a hint for the next step.

Using SSH to authenticate as the maildeliverer user with the credentials found above:

Privilege Escalation

After a bit of research, it appears MatterMost stores database credentials in the config.json file, in the “DataSource” variable:

Using find to identify the config.json file and grep to find the database credentials:

Listing the existing databases, selecting the “mattermost” database and listing tables within it:

The “Users” table seems to be interesting, so listing its contents:

There are quite a few columns, so to make things simpler, changing the query to only display usernames and password hashes:

select Username,Password from Users

This appears to contain a few hashes, one of which is for the “root” user. Pasting it into Hash Analyzer reveals it is Bcrypt: