maildeliverer:Youve_G0t_Mail!. The comment on hashcat is the hint for privesc.
maildeliverer user through SSH:
/opt/mattermost/config/config.json, we find a SQL credential
Users table from the mattermost database contains usernames and passwords:
bcrypt hashes correspond to
PleaseSubscribe! as the wordlist and conduct the hashcat rule-based attack. The hashcat documentation says:
The rule-based attack is one of the most complicated of all the attack modes. The reason for this is very simple. The rule-based attack is like a programming language designed for password candidate generation. It has functions to modify, cut or extend words and has conditional operators to skip some, etc. That makes it the most flexible, accurate and efficient attack.
/usr/share/hashcat/rules. For this box, we use
-a 0: set attack mode to "dictionary attack"
-m 3200: set hash type to
-r /usr/share/hashcat/rules/best64.rule: use best64.rule to conduct rule-based attack
-o password.txt: save the output to
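
The documentation passage quoted above describes rules as a small language for mangling words. The same idea works as a password-change check that rejects any new password reachable from a deny-listed base phrase. This is an added example, not code from the original writeup or from hashcat: it implements only a subset of hashcat's rule functions, and the rule list, the function names and the sample passwords are constructed for illustration.

```python
import string

# Subset of hashcat rule functions (semantics per the hashcat rule documentation).
SIMPLE = {
    ":": lambda w: w,          # no-op
    "l": str.lower,            # lowercase all
    "u": str.upper,            # uppercase all
    "c": str.capitalize,       # first letter upper, rest lower
    "t": str.swapcase,         # toggle case of every character
    "r": lambda w: w[::-1],    # reverse
    "d": lambda w: w + w,      # duplicate word
    "[": lambda w: w[1:],      # delete first character
    "]": lambda w: w[:-1],     # delete last character
}

def apply_rule(rule, word):
    """Apply one rule line (functions run left to right) to word."""
    i = 0
    while i < len(rule):
        fn = rule[i]
        if fn in "$^":                         # $X append X, ^X prepend X
            if i + 1 >= len(rule):
                raise ValueError(f"{fn} needs a character argument")
            word = word + rule[i + 1] if fn == "$" else rule[i + 1] + word
            i += 2
        elif fn == " ":                        # separator between functions
            i += 1
        elif fn in SIMPLE:
            word = SIMPLE[fn](word)
            i += 1
        else:
            raise ValueError(f"unsupported rule function {fn!r}")
    return word

# Constructed rule list in hashcat syntax (NOT the contents of best64.rule).
RULES = [":", "l", "u", "c", "t", "r", "d", "]", "$!", "$1", "^1"]
RULES += [f"${a} ${b}" for a in string.digits for b in string.digits]

# Base phrase taken from the page; a real deny-list would hold many entries.
BANNED_BASES = ["PleaseSubscribe!"]

def derived_from(candidate, bases=BANNED_BASES, rules=RULES):
    """Return (base, rule) if candidate is a rule-mangled base, else None."""
    for base in bases:
        for rule in rules:
            if apply_rule(rule, base) == candidate:
                return base, rule
    return None

if __name__ == "__main__":
    for pw in ["PleaseSubscribe!99", "pleasesubscribe!", "tidal-Orbit-42-lamp"]:
        print(pw, "->", derived_from(pw))   # constructed sample passwords
```

A password that `derived_from` matches offers little more protection than the base phrase itself, because a short rule file regenerates it from that phrase.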