The Dutch Hacker

Delivery – HackTheBox write up

Hacckthebox delivery write up


Start the scan with nmap -T4 -A -p-
Hackthebox delivery - nmap

We see port 22 and port 80 are open

Going to the website and press on contact we noticed 2 other links and delivery.htb:8065

Hackthebox delivery - finding page

When clicking on the link you will notices they were not working and this is because there is no DNS to delivery.htb. So we need to edit our hosts file by typing the following command

Nano /etc/hosts

And add the following to that host file    delivery.htb

Now we can see the websites bij navigating to delivery.htb:8065 and to

When navigating to delivery.htb:8065 we see a login screen. We do not have an account so let’s create one

Hackthebox delivery - register account

Notice the password requirements

Once we meet the requirement we will get the next screen

Hackthebox delivery - email validation

There is no way for us to validate.

Navigate to

Click on Open a New ticket and create a ticket

Hackthebox delivery

Notice that we can mail to the ticketnumber@delivery.htb to add ticket info. But we need a delivery.htb email address to get into the mattermost server.

We can see the status of the ticket as well

Hackthebox delivery - ticket system

Now go to delivery.htb:8064 and create a new account but this time we will use the mail adress of the ticket. In our case 3754271@delivery.htb

Once we created the account we go back to the status of the helpdesk ticket

Hackthebox delivery - found email

Now we have a link to validate our email adress. Copy and paste it in the browser

Hackthebox delivery - logging in

Now log in  with the password you have set.

Hackthebox delivery - the hint

And we have found our first credentials

Using these credentials to login with ssh on port 22.

Hackthebox delivery - user flag
cat user.txt for the flag


We now have accesd to the account maildeliverer

We first fin dout how many account there are on the system by entering the following command

cat /etc/passwd | grep home
Root enumuration

Mattermost is the system that is running on this system

Now we look for files where the account maildeliverer has got acces to and containing mettermost by entering the following command

Find / -name "mattermost*"  > list.txt

Now let’s take a look at the list by typing cat ist.txt

We notice there is a directory in the opt with mattermost

Root enumuration

Navigate to this directory and see what we can find.

cd /opt/mattermost
ls -la
Root enumuration

Notice a config directory. Let’s explore

Root enumuration
Cat config.json

Notice SQL settings

Found sql credentials

Connect to the sql instance with these credentials

Access maria DB

Connect to the mettermost instance by typing use mattermost;

Now list all the tables by typing

show tables;

Notice user table


If we do


We see all that is in the table. Also we see the passwords are stored here as well

Now let’s only see users and password

Select Username,Password FROM Users;
Found root hash

We see the root password of this root account is in here we just need to crack this hash


We need to Identify what type of hash this is first by going to Hash Type Identifier – Identify unknown hashes and type in that hash in the identifier

Found bcrypt hash

We see it is a bcrypt.

Now we can use hashcat to crack it. But we need a password list to do so.

When we logged in there was a hint

root hint

Se we need to use different variation for this PleaseSubscribe! Password. Hashcat can generate a password list based on existing rules. I already explained it in this Hashcat post

So for now use the command on you kali linux terminal

echo -n "PleaseSubscribe!" | hashcat --force --stdout -r /usr/share/hashcat/rules/best64.rule >> hash.txt

Put the has in a file

echo "$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO" > roothash.txt

Now let’s crack that hash

For hash cat to crack it. It needs to know what mode this hash is in hashcat . We can find that in the help by typing

hashcat -h | grep "bcrypt"

And we see it is number 3200

crack hash

Now for the cracking part type in

 hashcat -m 3200 --force -a 0 roothash.txt hash.txt
Found password

Now that we found the password. Login as maildeliver again if not still open the become root by typing su root and then use the password we cracked

And we are in

And this conclude the box

Conclusion Hackthebox delivery

Now at my first attempt to become root I did not noticed the database of mattermost. I was building a password list and tried with hydra to brute force. But this box does not accept ssh with the root account. Just give it a try. ssh root@ Not matter the password it will not connect. And that was the rabbit hole I was in.

Most Popular Post

Sign Up

Signup today for free and be the first to get notified on new updates.
* indicates required

Follow Me

Most Popular Post

Contact Us