EnuBox Mattermost Walkthrough Vulnhub CTF

Today we are solving enubox: mattermost walkthrough Vulnhub CTF is created by Avraham Cohen

Description: The Mattermost chatting system may or may not hold sensitive information. Can you find your way in? EnuBox Mattermost Walkthrough

EnuBox: Mattermost Download

First, step is finding our target IP address using Netdiscover Toll

EnuBox Mattermost Walkthrough
NMAP

( A network mapping tool that allows you to scan for open ports, services, and operating systems to list a few features. )

Now scanning our target Machine IP address with Nmap network mapping tool and using the parameter -A ( aggressive scan )

EnuBox Mattermost Walkthrough

After scanning our target IP address we see many ports are open but port 21 FTP is allowing login with the default username and password

connecting FTP anonymous username password

  • ftp
  • ftp
EnuBox Mattermost Walkthrough

Enumerating port 80 HTTP service running I opening the IP address our firefox browser and this web site is showing 404 Access forbidden and information Details or Servername “mattermost”

EnuBox Mattermost Walkthrough

Sometime later I am trying to FTP login with username ftpuser and password ftppassword and me successful login FTP connection

  • ftpuser
  • ftppassword
EnuBox Mattermost Walkthrough

Enumerating Directory FTP

After enumerating many directories we got a message txt file mattermost directory I download the file our local system and opening the txt file.

EnuBox Mattermost Walkthrough

I am trying the message text for password login ssh connection and we already see the browser server name

I am trying to the login ssh connection

  • username: mattermost
  • password: Welcome!!!

logging Succesful ssh connection trying to enumerate the system directory and files

EnuBox Mattermost Walkthrough
EnuBox Mattermost Walkthrough

we see a secret file mattermost Desktop directory now run the file and we see a secret file key error

Downloading the secret file our local system I am starting local PHP server port 4545 ( php -S targetvmip: any port number

download the secret file with wget command our local system

wget http://192.168.0.105:4545/secret

After Download the secret file decompiling the c++ file using tool ghidra after analysis the code we found an if-else condition with a hax value 0xf447

converting the hax value to a decimal using an online website

again run the script and type key our Decimal number value 62535 and we see our user is changed to root user

we found a text file named local.txt. Upon opening the file, we see the our last flag

Os-Hacknos-3 Walkthrough see here