Delivery HackTheBox WalkThrough

Delivery Hackthebox Walkthrough

This is Delivery HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted to Delivery HTB machine. Before starting let us know something about this machine. It is a Linux OS box with IP address 10.10.10.222 and difficulty easy assigned by its maker. First of all, connect your PC with HackTheBox VPN and make sure your connectivity with Delivery machine by pinging its IP 10.10.10.222. If all goes correct then start hacking.

As usual, I started by scanning the machine. Used Nmap (port scanner) for this task and the result is below-

Scanning

$ nmap -sV -p- -T4 -oA nmap/delivery-all 10.10.10.222

$ cat nmap/delivery-all.nmap

Performing Nmap scan on delivery machine during its Walkthrough

Nmap found ports 22, 80 & 8065 as open. OpenSSH on port 22, nginx web server on port 80 are running. Port 8065 has some unknown service running which nmap could not enumerate. Since web server is running on port 80 so we should have some website running over this server which can be accessed at URL http://10.10.10.222. But before accessing this URL, let us add delivery.htb to our hosts file. Now URL http://10.10.10.222 became http://delivery.htb after host file modification.

Ongoing to http://delivery.htb found a new subdomain help.delivery.htb so added it too to our hosts file. The hosts file is present in /etc/ folder.

Hosts File After Modification

$ cat /etc/hosts

Host file modification during Delivery Hackthebox Walkthrough
Delivery Hackthebox Homepage captured during Walkthrough

After some initial enumeration on http://delivery.htb found MatterMost Server running at port 8065 which can be accessed at URL http://delivery.htb:8065/ and nothing interesting is present on this page. So moved forward for enumeration on http://helpdesk.delivery.htb.

After going to this URL found SUPPORT CENTER (Support Ticket System). There is a Sign In page, then tried to login with some default credentials like admin: admin, admin: password, delivery: password, etc. but all failed.

Helpdesk home page in Delivery Hackthebox Walkthrough

Opening New Ticket

Then I created a new ticket by clicking on ‘Open a New Ticket‘ with the following details.

Under Contact Information fill the following info or something other which you want.

Email Address: [email protected],

Full Name: test1,

Phone Number: 1234567890,

Help Topic: Contact Us,

Issue Summary: Issue1,

Issue Description: This is issue1,

Fill the Captcha and then Click on Create Ticket button to create a new ticket. After creating a ticket you will get a message which looks something like below as in screenshot. This message has a ticket id and assigned email address using which you can contact them. Note down them because they will be needed further.

Support ticket created image during hackthebox walkthrough

Ticket ID: 4076334

Assigned Email Address: [email protected]

Then click on Check Ticket Status in menu bar and sign in using the following credentials or the one using which you have created ticket.

Email Address: [email protected]

Ticket Number: 4076334, and click on View Ticket to view the ticket. You will get a page like this

Helpdesk Page after login into the dashboard

Leave this page as it is and go to URL http://delivery.htb:8065/ in new tab and click on Create one now to create a new account.

Mattermost login page captured during Delivery Hackthebox Walkthrough

Fill following info in Signup page

What’s your email address? :  [email protected] (replace it with your Ticket Email Address)

Choose your username: test1

Choose your password: [email protected], and click on create account button to create a new account. Then it will ask for email verification.

Email verification needed during delivery htb walkthrough

Leave this page as it is and go to the previous tab containing URL http://helpdesk.delivery.htb/tickets.php and reload it. You will get a link to activate your account. Just copy the URL and paste in new tab to activate your Account which you have just created. In my case the Activation URL is

http://delivery.htb:8065/do_verify_email?token=8jqbufpqmf9cntiykxn1aqzb8ngz9y8sjq5zy6w19mgmjjymz3psy8ej6k55j515&email=4076334%40delivery.htb

Email Confirmation token to confirm email captured from the Issue panel

After activating the account enter password [email protected] to login into dashboard. After login go to URL http://delivery.htb:8065/internal/channels/town-square. There is credentials maildeliverer: Youve_G0t_Mail!. According to this message it should be SSH credential. When I tried to login into SSH account of user maildeliverer I could easily logged in. So let us get user shell and capture user flag.

SSH password captured after logging into the Panel during Delivery Hackthebox Walkthrough

Getting User Shell

$ ssh [email protected]

~Youve_G0t_Mail!

[email protected]:~$ whoami && id

Getting user shell using SSH in delivery hackthebox walkthrough

We have successfully logged in into delivery machine. Let us capture user flag from user.txt file.

Capturing User Flag

$ cat user.txt

Capturing User flag during Delivery Hackthebox Walkthrough

Privilege Escalation

Finding PrivEsc Vector

At initial enumeration I found .mysql_history file inside the home directory of maildeliverer. So immediately I searched using $ss –lnpt command for all the listening port.

Content of maildeliverer home page

$ ss -lnpt revealed that port 3306 is listening and MySQL server is running locally.

Checking the listening port locally

So my next step is to login into this server and grab some credential from it if they are present. When I tried to login with the command $mysql with blank password (default configuration of MySQL requires no password) it asked me password. So it needs password to get login. After some enumeration I found MySQL credential inside file config.json present at directory /opt/mattermost/config/.

$ grep -A12 -i 'SqlSettings' /opt/mattermost/config/config.json

Content of config.json file present in mattermost directory

From above we got MySQL creds mmuser: Crack_The_MM_Admin_PW. This password also hints that we should crack admin (root) hash to get its credential. Let us login into MySQL using this creds and see what is present for us in the database.

Logging into MySQL

$ mysql -h 127.0.0.1 -u'mmuser' -p

Enter password: Crack_The_MM_Admin_PW

MariaDB [(none)]> show databases;

MariaDB [(none)]> use mattermost;

MariaDB [mattermost]> SELECT Username,Password FROM Users;

MariaDB [mattermost]> exit

login into MySQL server to access the database and its content

We got root hash from the table Users.

root: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO

Identifying Hash Online

Let us identify the hash so that we can crack it using hashcat.

Identifying the type of Hash online during Delivery hackthebox Walkthrough

https://hashes.com/en/tools/hash_identifier found that format of given hash is bcrypt. When I tried to crack this hash using $hashcat and wordlist rockyou.txt it could not crack. Then I tried to check for some hint and found it on the same page where we got our SSH credential. i.e., at http://delivery.htb:8065/internal/channels/town-square. This hint clearly says that PleaseSubscribe! may not be present in RockYou.txt file and also hints to use hashcat rule to generate PleaseSubscribe! like password.

Root password cracking hints from the town-square page

Let us use hashcat rule to create PleaseSubscribe! like password and crack our root hash. But there is a problem because there are many number of hashcat rules and which rule will give us our password we don’t know. So I have used rule best64.rule which is most widely used. Even ippsec has explained this rule in his video. The video link is this. After creating password using this rule when I crack the hash it found the password PleaseSubscribe!21. So let us create our custom wordlist and crack the root hash.

Creating Wordlist and Cracking Bcrypt Hash

$ echo 'PleaseSubscribe!' > pass.lst

$ cat pass.lst

$ hashcat --stdout pass.lst -r /usr/share/hashcat/rules/best64.rule > custom.lst

$ hashcat -m 3200 -a 3 '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' custom.lst

$ hashcat -m 3200 -a 3 '$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO' custom.lst --show

Creating custom wordlist using hashcat rule and cracking root password hash

The credential is root: PleaseSubscribe!21. Let us switch the user to root using this cred and capture root flag.

Getting Root Shell

$ su root

~PleaseSubscribe!21

# whoami && id

Switching user to root

We are root now. Let us capture root flag.

Capture Root Flag

# cat ~/root.txt

Root flag captured during Delivery Hackthebox Walkthrough

This was how I rooted to Delivery HackTheBox machine. Hope you have learnt something new from this machine walkthrough. Feel free to ask your doubt in the comment section if you face any. Thanks for reading this article. For any query and suggestion related to walkthrough feel free to write us at [email protected].

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am a Computer Science student. I like to share my knowledge of hacking with others. I used to write walkthrough on different challenges of HackTheBox & DVWA . In part time I do bug bounty hunting and penetration testing on websites.