maildeliverer:Youve_G0t_Mail!. The comment on hashcat is the hint for privesc.
maildeliverer user through SSH:
/opt/mattermost/config/config.json, we learn a SQL credential
Users table from the mattermost database contains usernames and passwords:
bcrypt hashes correspond to
PleaseSubscribe! as the wordlist and conduct the hashcat rule-based attack. The hashcat documentation says:
/usr/share/hashcat/rules. For this box, we use
-a 0: set attack mode to "dictionary attack"
-m 3200: set hash type to
-r /usr/share/hashcat/rules/best64.rule: use best64.rule to conduct rule-based attack
-o password.txt: save the output to