Delivery is an easy-rated box created by Ippsec. It takes us from exploiting the ticket trick to gain access to an internal chat server, through using the credentials disclosed in the chat to log in and find MySQL credentials on the machine. We then find the root hash in the MySQL database and crack it using Hashcat rules.
- Port Scanning
- HTTP (Port 80)
- Port 8065 - Unknown Port
- Exploiting Ticket Trick
- Privilege Escalation
```
Nmap scan report for delivery.htb (10.10.10.222)
Host is up (0.58s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp   open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open  unknown
| fingerprint-strings:
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Sun, 31 Jan 2021 11:15:37 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: iq8495rxpfbwxjybo8uqq3u5yh
|     X-Version-Id: 126.96.36.199.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
|     Date: Sun, 31 Jan 2021 13:00:41 GMT
|     <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
|   HTTPOptions:
|     HTTP/1.0 405 Method Not Allowed
|     Date: Sun, 31 Jan 2021 13:00:42 GMT
|_    Content-Length: 0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 31 18:32:25 2021 -- 1 IP address (1 host up) scanned in 114.26 seconds
```
We can see there are 3 ports open:
- Port 22 - SSH (OpenSSH 7.9p1)
- Port 80 - HTTP (nginx 1.14.2)
- Port 8065 - Unknown Port
Accessing the website in a web browser gives us a static page with a couple of links.
The page says the best place to get email-related support for an account is the helpdesk, and clicking on “Helpdesk” redirects us to http://helpdesk.delivery.htb
To access it, we’ll need to add the virtual host name in /etc/hosts file. (if you’re on a Windows machine then add it to
It’s a support ticket system built on OSTicket, a customer support system (https://osticket.com/).
We can create support tickets and check the status of a query.
Let’s create a support ticket…
Just fill in anything and click on Create Ticket.
This is where things get interesting: it says that we can check the status of our ticket using the ticket ID - 9337131.
I’ll get back to this but first let’s check out port 8065.
Our port scan showed that port 8065 is open, but the service couldn’t be enumerated, which is why it is listed as “Unknown Port”.
Let’s access port 8065 in a web browser:
Port 8065 is running Mattermost!
Mattermost is open-source collaboration software built for developers. It’s similar to Slack: a place where people can chat and discuss.
How do we get in?
We can create a Mattermost account, but the server won’t be able to send a verification email to domains that it cannot reach.
We need to create an account with email address ending with
Remember that we created a support ticket? It gave us an email address that can be used to add more information to the ticket.
That email address ended with delivery.htb name!
We can create a Mattermost account with the email address given by OSTicket after creating a support ticket, and then check the ticket status for the verification email!
Fill in the details and click on Create Account.
Mattermost needs us to verify the email address. Since we have the option to check the ticket status, we can read the messages there and extract the verification email.
Just click on Check Ticket Status on helpdesk.delivery.htb and fill in the email address you used to create the ticket and the ticket ID.
We can see that Mattermost sent a verification email to the support ticket address. We can copy the URL and open it in another tab to verify the account.
Now we can log in using the password we set and get access to the internal chat room (Mattermost).
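A detection for the trick described above, as an added example that is not part of the original write-up: it lists chat accounts registered on a mailbox that the helpdesk issued for a ticket. The records, field names, addresses and the +tag alias handling are constructed assumptions, not osTicket or Mattermost schema.

```python
from datetime import datetime

# Constructed records; field names are assumptions, not a real product schema.
TICKETS = [
    {"ticket_id": "1000001", "reply_address": "1000001@corp.example",
     "opened_by": "outsider@mail.example", "created": "2021-01-31T12:58:00"},
    {"ticket_id": "1000002", "reply_address": "1000002@corp.example",
     "opened_by": "customer@shop.example", "created": "2021-01-31T13:10:00"},
]
SIGNUPS = [
    {"username": "alice", "email": "alice@corp.example",
     "created": "2021-01-31T09:00:00", "verified": True},
    {"username": "newuser", "email": "1000001+chat@CORP.example",
     "created": "2021-01-31T13:02:00", "verified": True},
]


def canonical(address):
    """Lower-case an address and drop any +tag (assumed to be a mailbox alias)."""
    local, _, domain = address.strip().lower().rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def signups_on_ticket_addresses(tickets, signups):
    """Return chat accounts whose mailbox is a helpdesk-issued ticket address."""
    issued = {canonical(t["reply_address"]): t for t in tickets}
    findings = []
    for signup in signups:
        ticket = issued.get(canonical(signup["email"]))
        if ticket is None:
            continue  # ordinary mailbox, not one created by the helpdesk
        delay = (datetime.fromisoformat(signup["created"])
                 - datetime.fromisoformat(ticket["created"]))
        findings.append({
            "username": signup["username"],
            "ticket_id": ticket["ticket_id"],
            "opened_by": ticket["opened_by"],  # who can read that mailbox
            "verified": signup["verified"],
            "minutes_after_ticket": int(delay.total_seconds() // 60),
        })
    return findings


if __name__ == "__main__":
    for finding in signups_on_ticket_addresses(TICKETS, SIGNUPS):
        print(finding)
```

A verified account on a ticket address means the person who opened that ticket could read the verification email, so the domain check on sign-up proved nothing about them.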
We get a tutorial on how to use Mattermost, which we can skip.
We’ve got access to the internal chats and we can see there are disclosed credentials.
SSH as maildeliverer - We’re in!
I checked for active network connections via netstat and this is what I got:
We can see that port 3306 is listening. 3306 is the standard port for MySQL.
How do we access MySQL database? We need to find the MySQL login credentials for that.
After enumerating for a while, I found the credentials inside the configuration file of Mattermost. It is located inside
Main Takeaway: Look out for configuration files of known software running on a machine. Many tools and applications store important information such as credentials and tokens in readable configuration files.
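One way to act on this takeaway from the defender's side (an added example, not code from the original write-up): audit a JSON configuration file for permission bits that let every local user read it and for settings that embed credentials. The sample is constructed and modelled on a Mattermost-style config.json whose SqlSettings.DataSource holds a Go MySQL DSN; the key names and values are assumptions.

```python
import json
import re
import stat
import tempfile
from pathlib import Path

# Go MySQL driver DSN: user:password@tcp(host:port)/dbname?params
DSN_RE = re.compile(r"^[^:@/]+:[^@]+@(?:tcp|unix)\(")
SECRET_NAME_RE = re.compile(r"(password|secret|token|salt|key)$", re.I)

# Constructed sample modelled on a Mattermost-style config.json (no real values).
SAMPLE = {
    "SqlSettings": {
        "DataSource": "mmuser:Constructed-Pw-1@tcp(127.0.0.1:3306)/mattermost",
        "AtRestEncryptKey": "constructed-key-material",
    },
}


def find_secrets(node, path=""):
    """Return dotted paths of non-empty string values that hold a credential."""
    if isinstance(node, (dict, list)):
        items = node.items() if isinstance(node, dict) else enumerate(node)
        return [hit for key, value in items
                for hit in find_secrets(value, f"{path}.{key}" if path else str(key))]
    if isinstance(node, str) and node:
        if DSN_RE.match(node):
            return [path + " (password inside DSN)"]
        if SECRET_NAME_RE.search(path.rsplit(".", 1)[-1]):
            return [path]
    return []


def audit_config(file_path):
    """Report who can read the file and which settings embed secrets."""
    path = Path(file_path)
    mode = stat.S_IMODE(path.stat().st_mode)
    secrets = find_secrets(json.loads(path.read_text(encoding="utf-8")))
    return {"mode": oct(mode), "world_readable": bool(mode & stat.S_IROTH),
            "secrets": sorted(secrets)}


def audit_sample(mode):
    """Write SAMPLE to a temporary file with the given mode bits and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp, "config.json")
        target.write_text(json.dumps(SAMPLE), encoding="utf-8")
        target.chmod(mode)
        return audit_config(target)
```

Calling audit_sample(0o644) reports the file as world-readable with two embedded secrets; with 0o600 the secrets are still listed but only the owner can read them.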
Let’s try to log in using these credentials!
I checked databases and changed the current DB to “mattermost”.
Running show tables; we get the following output:
We see a table named “Users”. There are many entries with hashes present in them. We can see an entry with the name “root” and we have a hash with it.
We have a hash now: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO. Going back to the screenshot of internal chats in Mattermost, the user “root” indicates that a hacker can use hashcat rules to crack the hashes. Let’s do the same!
But before that, I’d suggest you read https://hashcat.net/wiki/doku.php?id=rule_based_attack to get an understanding of how hashcat rules work.
In the chats, the user “root” said that PleaseSubscribe! isn’t in rockyou.txt and a hacker can crack the hash using rules. Let’s create a wordlist with the string
I used best64.rule file for generating the wordlist.
We now have a wordlist, so we can proceed with brute-forcing the root password with it.
We successfully cracked the hash!
The password is PleaseSubscribe!21. We can use it to log in as root on the box.
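The chat's point about variants can be enforced when a password is set. The following added example (not from the original write-up) rejects passwords that reduce to a known phrase after undoing case changes, leet substitutions, reversal and added characters. It is a normalise-and-compare check, not a hashcat rule engine, and the leet table and minimum length are assumptions.

```python
import re

# Phrases already known to be in use; this one comes from the chat on this page.
BANNED_BASES = ["PleaseSubscribe!"]
MIN_CORE = 6  # assumption: shorter cores would match too many unrelated passwords

# Assumed leet substitutions; "1" is ambiguous, so both readings are tried.
_LEET = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
LEET_TABLES = [str.maketrans({**_LEET, "1": one}) for one in ("i", "l")]


def letters(text):
    """Keep only a-z, so added digits and symbols disappear."""
    return re.sub(r"[^a-z]", "", text)


def candidate_forms(password):
    """Letter-only views of a password: as typed, de-leeted, and each reversed."""
    low = password.lower()
    forms = {letters(low)} | {letters(low.translate(t)) for t in LEET_TABLES}
    return forms | {form[::-1] for form in forms}


def derived_from(password, bases=BANNED_BASES):
    """Return the banned phrase this password is a variant of, or None."""
    forms = candidate_forms(password)
    for base in bases:
        core = letters(base.lower())
        # Containment also catches duplicated or prefixed/suffixed phrases.
        if len(core) >= MIN_CORE and any(core in form for form in forms):
            return base
    return None


if __name__ == "__main__":
    for pw in ("PleaseSubscribe!21", "Pl3as3Subscr1b3", "correct horse battery staple"):
        print(pw, "->", derived_from(pw))
```

Truncating or deleting characters from the phrase is not covered by this check; it only handles the transformations named in its comments.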
I hope you enjoyed the write-up and learned new stuff! Feel free to message me on my socials for feedback/suggestions.
Thank you for reading!