Delivery HTB Writeup

Viren Saroha
Jun 22, 2021

Hi everyone, this is my writeup for the “Delivery” box on Hack The Box.

IP address of the Machine : 10.10.10.222

Part 1 : Recon

Starting off with an Nmap scan to get information about the open ports.

nmap -sC -sV -Pn 10.10.10.222

We get the following results from the nmap scan

We have 2 Ports open :

Port 22 : Running OpenSSH 7.9p1

Port 80 : Running nginx/1.14.2

Before enumerating further I ran a Gobuster scan but didn’t get any interesting results.

Part 2 : Enumeration

Let’s start by enumerating the Web Application.

The WebPage on port 80 looked like this

There was not much on this webpage, but the Contact Us section provided us with links to 2 more webpages (Contact Us, Helpdesk).

To access the helpdesk page we have to add it to the /etc/hosts file:

10.10.10.222 delivery.htb helpdesk.delivery.htb

Enumerating Helpdesk

It is a ticketing system powered by osTicket.

To test the functionality we have to create a user.

After creating a user we can open a new ticket. As soon as we open a new ticket, we are given an email address in a message like this:

Test,

You may check the status of your ticket, by navigating to the Check Status page using ticket id: 1387016.

If you want to add more information to your ticket, just email 1387016@delivery.htb.

Thanks,

Support Team

Now that we have a @delivery.htb email address, we can try enumerating Mattermost.

Remember the message from Contact Us that said if we have a @delivery.htb email address we will be able to access the Mattermost server.

Enumerating Mattermost

First of all, create a user with the email address we got earlier.

The link for email verification will be delivered to the helpdesk page of the ticket we opened.

As soon as we log in, we get credentials and some interesting stuff.

@developers Please update theme to the OSTicket before we go live. Credentials to the server are mail***er:You***!

Also please create a program to help us stop re-using the same passwords everywhere…. Especially those that are a variant of “PleaseSubscribe!” root 9:28 PM

PleaseSubscribe! may not be in RockYou but if any hacker manages to get our hashes, they can use hashcat rules to easily crack all variations of common words or phrases.

Part 3 : Getting User Flag

We use the credentials we got from the Mattermost server to log in over SSH.

And BOOM!!! We are logged in as maildeliverer and we have access to the user flag.

Part 4 : Getting Root Flag

So now let’s try privilege escalation.

I ran linpeas.sh but it gave no useful result.

So I started looking for interesting files in the machine.

After a while, I found MySQL credentials stored in plain text in /opt/mattermost/config/config.json.

We can test the credentials with the following command to log in to the MySQL database:

mysql -u mmuser -p'Crack_The_MM_Admin_PW' mattermost

After enumerating the MySQL database I found that the Users table contains password hashes for different users.

We can get the password hash of the root user with the following command:

SELECT username, password FROM Users WHERE username = 'root';

| root | $2a$10$<redacted>.1STWb4.4ScG.anuu7v0EFJwgjjO|

Now the only task remaining was to crack the hash and get the root flag.

Remember the comment by root on the Mattermost page about cracking passwords using hashcat rules.

I didn’t know about hashcat rules, so I googled it and came up with the following command to create a wordlist for cracking the hash. Store the hash in a file hash.txt and PleaseSubscribe! in a file clue.txt.

hashcat -r /usr/share/hashcat/rules/best64.rule --stdout clue.txt > mixedWordlist.txt

The above command creates a wordlist, mixedWordlist.txt, that we can use to crack the hash.

Now crack the hash using the wordlist we just created.

hashcat -a 0 -m 3200 hash.txt mixedWordlist.txt -o crackedPasswd.txt

Now we have the password for the root user “PleaseSubsc*******”.

Use su root to change the user to root and get the root flag.
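The Mattermost message quoted earlier asks for a program that stops people re-using variants of the same password. A sketch of such a check, meant to run when a password is set, is added here as an example and is not code from the box or from Mattermost; the function names, the normalisation rules and the sample passwords are assumptions constructed for illustration:

```python
import re

# Phrase named in the Mattermost message quoted above; extend per organisation.
BANNED_BASES = ["PleaseSubscribe!"]

# Character substitutions that rule-based mangling applies and a checker must undo.
LEET = str.maketrans("013457@$", "oieastas")

def skeleton(word):
    """Lowercase, undo leet substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", word.lower().translate(LEET))

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_variant(candidate, bases=BANNED_BASES, max_edits=2):
    """True if candidate is a banned base phrase after common mangling."""
    cand = skeleton(candidate)
    for base in bases:
        core = skeleton(base)
        if not core:
            continue
        if core in cand or core in cand[::-1]:
            return True   # appended, prepended, duplicated or reversed
        if edit_distance(cand, core) <= max_edits:
            return True   # dropped, swapped or replaced characters
    return False

if __name__ == "__main__":
    # Constructed sample passwords, not taken from the box.
    samples = ["Pl3as3Subscr1be!", "pleasesubscribe2024#", "!ebircsbuSesaelP",
               "PleaseSubscrib", "correct-horse-battery-staple"]
    for pw in samples:
        print(f"{pw!r}: {'REJECT' if is_variant(pw) else 'ok'}")
```

A check like this belongs next to a slow hash such as the bcrypt already in use here, since it only blocks the known base phrases it is given.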

Things I also tried on the way but got no results:

Tested the Create a new ticket functionality to get a reverse shell.

There was also a sign in page for agent at http://helpdesk.delivery.htb/scp/login.php.

I tested it for SQL injection.

Guys, this was my first writeup, so any type of feedback or suggestions is appreciated.

You can reach out to me on :

Twitter : https://twitter.com/Viren2737

LinkedIn : https://www.linkedin.com/in/viren-saroha-3391371a3/
