Mattermost
Self-hosted team-chat (Slack alternative) on 8065. Channels and the config leak credentials; config.json holds the DB DSN and secrets, and slash-command/integration features can be abused for SSRF or RCE.
Ports
| Port | Proto | Notes |
|---|---|---|
8065 | tcp | Mattermost web/API |
Fingerprint
- 'Mattermost' login, /api/v4/system/ping returns status
Key files
| Path | Holds | Sensitive |
|---|---|---|
config/config.json | SqlSettings DataSource (DB creds), secrets, SMTP | sensitive |
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2021-1611 | Various auth / access-control issues across versions — check the exact build |
Exploitation primitives
- Read channels/DMs and pinned posts for credentials once you have any account
- config.json leaks the Postgres/MySQL DSN — pivot to the DB for password hashes
- Custom slash commands / outgoing webhooks point at attacker URLs → SSRF and command abuse
Overview
Mattermost is a self-hosted Slack clone on 8065. Like any chat server it’s a credential goldmine — users paste secrets in channels — and its config and integrations extend the attack surface.
Loot the config
cat config/config.json | grep -iE "DataSource|Secret|Password"The SqlSettings.DataSource line gives you the database, where the Users table holds bcrypt hashes.
Read the chat
With any login, search channels for credentials:
in:town-square passwordHardening
Patch to the current ESR, enforce SSO/2FA, restrict who can create integrations, and protect config.json.