EnuBox Mattermost Walkthrough Vulnhub CTF

Today we are solving EnuBox: Mattermost, a Vulnhub CTF created by Avraham Cohen.

Description: The Mattermost chatting system may or may not hold sensitive information. Can you find your way in?

EnuBox: Mattermost Download

The first step is finding our target's IP address using the Netdiscover tool.

Next, we scan the target machine's IP address with Nmap (a network mapping tool that allows you to scan for open ports, services, and operating systems, to list a few features), using the -A parameter (aggressive scan).

After scanning the target IP address we see that many ports are open, and port 21 (FTP) allows login with the default username and password.

Connecting to FTP with the anonymous username and password:

  • ftp
  • ftp

Enumerating the HTTP service running on port 80, I open the IP address in the Firefox browser. The website shows 404 Access forbidden, and the details give the server name "mattermost".

Some time later I try an FTP login with the username ftpuser and the password ftppassword, and the login succeeds.

  • ftpuser
  • ftppassword

Enumerating the FTP directories

After enumerating many directories we find a message text file in the mattermost directory. I download the file to our local system and open it.

I try the text of the message as the password for an SSH login, and we have already seen the server name in the browser.

I try to log in over SSH:

  • username: mattermost
  • password: Welcome!!!

The SSH login is successful, and we start enumerating the system's directories and files.

We see a secret file in mattermost's Desktop directory. Running the file gives a key error.

To download the secret file to our local system, I start a local PHP server on port 4545 ( php -S targetvmip:port, with any port number ).

We download the secret file to our local system with the wget command.


After downloading the secret file, we decompile the C++ file using Ghidra. After analysing the code we find an if-else condition with the hex value 0xf447.

We convert the hex value to decimal using an online website.

We run the script again and type our decimal value 62535 as the key, and our user changes to the root user.
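The check found in Ghidra can be pictured with the following added example, which is not the binary's actual source or code from the original walkthrough. It assumes the program reads the key as a base-10 integer (consistent with 62535 being accepted); the function name key_matches and the sample inputs are hypothetical. It shows why the hex literal itself is rejected while its decimal form passes, and why a constant compiled into a readable binary cannot serve as a secret.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Constant as it appears in the decompiled if-else condition on this page. */
#define SECRET_KEY 0xf447

/* Hypothetical reconstruction of the key check.
 * Assumption: the typed key is parsed as a decimal integer.
 * Returns 1 when the key equals the embedded constant, 0 otherwise. */
int key_matches(const char *typed)
{
    char *end = NULL;
    long value;

    errno = 0;
    value = strtol(typed, &end, 10);           /* base 10 only, no 0x prefix */

    if (end == typed) return 0;                /* no digits at all, e.g. "f447" */
    if (errno == ERANGE) return 0;             /* does not fit in a long */
    if (value < INT_MIN || value > INT_MAX) return 0;
    if (*end != '\0' && *end != '\n') return 0; /* trailing junk, e.g. "0xf447" */

    return (int)value == SECRET_KEY;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "62535", "0xf447", "f447", "62536" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s -> %s\n", samples[i],
               key_matches(samples[i]) ? "key accepted" : "key error");
    return 0;
}
```

The comparison operand survives compilation unchanged, so any user who can read the file recovers it with a decompiler; privilege decisions should rest on OS-level authorization rather than a value embedded in the program.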

We find a text file named local.txt. Upon opening the file, we see our last flag.