Mailroom English


Mailroom is a Linux machine in HackTheBox's Open Beta Season.

Enumeration

Zenmap:

Viewing the website, it shows "Made with ♥ for mailroom.htb", so I add mailroom.htb to the hosts file.
Brute-force subdomains with gobuster:
Add git.mailroom.htb to the hosts file. git.mailroom.htb is a Gitea instance; browsing it reveals the source code of staffroom.
Reading the file auth.php:
I see that another subdomain exists, staff-review-panel.mailroom.htb, and add it to the hosts file. Trying to open the website gives an error, so I guess it's an internal-only site.
Then the site shows me a popup:
Exploit
I create a payload file, pwned.js, whose code redirects to the subdomain staff-review-panel.mailroom.htb. As a result, I get the base64-encoded content of the index.php file.
Instead of sending it through the Contact form, I use Burp Suite to send the payload.
In file auth.php:
$user = $collection->findOne(['email' => $_POST['email'], 'password' => $_POST['password']]);
The service connects to MongoDB, and since the POST values go straight into the query, I guess a NoSQL injection is possible.
The results show that the NoSQL injection is successful.
Using regex-based NoSQL injection, I write a payload that brute-forces the email.
I see that the process scans up to "an" and then stops; the reason may be that the process runs too long and times out.
I change cal(chars, ""); to cal(chars, "an"); and try again.
I continue with the steps above until no further response is received.
This gives me the username; I do the same for the password.
You can use the two files passpwned.js and userpwned.js from my pwned source code instead of pwnedpass.js and pwneduser.js.
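As an added illustration (my own example code, not the box's auth.php and not the author's pwned.js), the JavaScript below reproduces the weakness in miniature and shows the fix. The root cause is that PHP turns a form field named email[$regex] into an array, which the MongoDB driver serialises as an operator document, so findOne receives {$regex: "^a"} where it expected a plain string. No database is needed: a tiny in-memory matcher that honours only $regex and $ne stands in for MongoDB's query engine. The user records and credentials are constructed placeholders, not values from the machine.

```javascript
// Added example, not from the original write-up.
// Constructed sample collection with placeholder credentials.
const USERS = [
  { email: "alice@example.test", password: "hunter2-placeholder" },
  { email: "bob@example.test",   password: "correct-horse-battery" },
];

// Stand-in for the subset of MongoDB matching semantics relevant here:
// a plain value is compared with ===, an object is treated as an operator
// document ($regex / $ne), exactly as the real driver would send it.
function fieldMatches(value, cond) {
  if (cond !== null && typeof cond === "object") {
    if ("$regex" in cond) return new RegExp(cond.$regex).test(String(value));
    if ("$ne" in cond) return value !== cond.$ne;
    return false; // unsupported operator in this toy matcher
  }
  return value === cond;
}

function findOne(query) {
  const hit = USERS.find(doc =>
    Object.keys(query).every(k => fieldMatches(doc[k], query[k])));
  return hit || null;
}

// Vulnerable pattern (mirrors the findOne call quoted from auth.php):
// request values are placed in the query unchanged, so an attacker who can
// submit arrays/objects instead of strings controls the query operators.
function loginVulnerable(body) {
  return findOne({ email: body.email, password: body.password });
}

// Hardened variant: only plain strings ever reach the query. Anything else
// (array, object, undefined) is rejected before the database is consulted.
function asPlainString(v) {
  if (typeof v !== "string") throw new TypeError("expected a plain string");
  return v;
}
function loginHardened(body) {
  return findOne({
    email: asPlainString(body.email),
    password: asPlainString(body.password),
  });
}

// Detection helper for a WAF rule or request log review: true when any key
// anywhere in the decoded body starts with "$", i.e. carries a query operator.
function hasOperatorKeys(value) {
  if (value === null || typeof value !== "object") return false;
  return Object.keys(value).some(k => k.startsWith("$") || hasOperatorKeys(value[k]));
}
```

The same check belongs in the PHP side: casting each POST value with (string) or rejecting is_array() values before building the findOne filter closes the injection, and logging bodies for which hasOperatorKeys would be true gives a cheap signal that someone is probing the login.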
Now I have the email ****tan@mailroom.htb and the password 69t*********. I use them to log in over SSH.
I now have a shell as Tristan.
My English is not good, so if you want to share anything please comment below; I have enabled comments for all users.


Dryu8

Dryu8 is just a newbie in pentesting and loves to drink beer. I will be happy if you can donate me with a beer.
