Delivery was an easy-difficulty machine on Hack The Box.

TL;DR: I’ll identify a helpdesk virtual subdomain that allows me to create a ticket with a temporary email address. Using that address I’ll create an account on the Mattermost instance on port 8065, where I’ll find credentials to SSH in. With this access I’ll read password hashes from the SQL database. Based on a hint from Mattermost I’ll create a very short wordlist for hash cracking and recover the admin password.

An Nmap scan reveals 3 open ports:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http    nginx 1.14.2
8065/tcp open  unknown

Delivery.htb landing page:

Delivery landing page

The Contact Us link leads to a helpdesk page that explains how to use it to receive a registration email:

Contact us page

On helpdesk.delivery.htb virtual subdomain there’s an osTicket instance. I can create a ticket as a guest:

Create helpdesk ticket

After submitting the ticket a temporary email is created:

Ticket’s temporary e-mail

On port 8065 there’s a Mattermost instance:

Mattermost login page

I can create an account using the temporary email address from the helpdesk:

Mattermost create account

After submitting the signup form, the registration email can be received in the helpdesk:

Activation email received in helpdesk

Using the received activation link, I can finish the registration process and log in to Mattermost. After logging in, I find credentials for the server in the Internal channel. There’s also a hint about another password:

Passwords in internal channel

Using the above credentials I can log in over SSH and grab the user flag:

User flag

Root

In the Mattermost settings there are MySQL credentials:

Mattermost config

The password explicitly tells me what to do next: I need to crack the Mattermost admin password. First I’ll extract its hash from the SQL database:

Password hashes in MySQL

Remember the hint from the Mattermost Internal channel? The password should be a variation of PleaseSubscribe!, so it’s the only word I’ll put in the hashcat wordlist. I’ll also use hashcat’s rules to test variations of this password (bcrypt hashes are mode 3200, and a wordlist with rules is straight attack mode 0):

λ hashcat.exe -m 3200 -a 0 hashes.txt custom.txt -r rules\best64.rule
-- snip --
$2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO:PleaseSubscribe!21
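To show what the one-word wordlist plus a rule file actually does, here is an added example (not from the original writeup, and not hashcat’s own code) that implements a small subset of hashcat’s rule syntax, derives candidates from a single base word and checks them against a stored hash. The target hash is constructed with SHA-256 rather than bcrypt, because bcrypt is not in Python’s standard library; the candidate generation is identical whatever the hash function, and the rule subset is an assumption, not a copy of best64.rule.

```python
"""Tiny hashcat-style rule engine applied to a one-word wordlist.

Added example, not from the original writeup. It reproduces the idea
behind `hashcat -a 0 custom.txt -r best64.rule`: take one base word,
derive candidates with rules, and compare each against a stored hash.
The target is hashed with SHA-256 instead of bcrypt (hashcat mode 3200)
because bcrypt is not in the standard library; only the comparison
function would change for a real bcrypt hash.
"""
import hashlib

# A constructed subset of hashcat rule functions. Each rule is a string of
# whitespace-separated functions applied left to right (hashcat rule files
# use the same layout). Functions with a literal space argument are not
# supported by this toy parser.
#   :   no-op              l   lowercase        u   uppercase
#   c   capitalise         r   reverse          d   duplicate
#   $X  append char X      ^X  prepend char X
RULES = [
    ":", "l", "u", "c", "r", "d",
    "$1", "$2", "$3", "$!", "$1 $2", "$2 $1", "$1 $2 $3",
    "^1", "$2 $0",
]


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule (a sequence of single-character functions) to word."""
    for func in rule.split():
        op, arg = func[0], func[1:]
        if op == ":":
            continue
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "r":
            word = word[::-1]
        elif op == "d":
            word = word + word
        elif op == "$":
            word = word + arg
        elif op == "^":
            word = arg + word
        else:
            raise ValueError(f"unsupported rule function: {func!r}")
    return word


def candidates(wordlist, rules=RULES):
    """Yield (candidate, base_word, rule) for every word/rule pair."""
    for base in wordlist:
        for rule in rules:
            yield apply_rule(base, rule), base, rule


def sha256_hex(password: str) -> str:
    """Stand-in for the real hash function (bcrypt in the writeup)."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target_hash: str, wordlist, rules=RULES):
    """Return (plaintext, rule) of the first matching candidate, else None."""
    for cand, _base, rule in candidates(wordlist, rules):
        if sha256_hex(cand) == target_hash:
            return cand, rule
    return None


if __name__ == "__main__":
    # Constructed target: the hash an admin would have stored after picking
    # a two-digit suffix variation of the word hinted at in the chat.
    target = sha256_hex("PleaseSubscribe!21")
    wordlist = ["PleaseSubscribe!"]  # the whole custom.txt
    hit = crack(target, wordlist)
    print(f"tested {len(wordlist) * len(RULES)} candidates -> {hit}")
```

Fifteen rules on one word means fifteen hashes to compute, which is why a hinted base word makes even a slow hash like bcrypt trivial to audit; the same engine, run by a defender over a list of company-specific words, is a cheap way to catch passwords that are only a rule away from something already shared in chat.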

With the password PleaseSubscribe!21 I can log in as root and grab the flag:

Root flag