Delivery is a easy-rated box that I found very beginner friendly. It didn’t require anything technically complex, but rather a bit of creative thinking. The box presents a helpdesk and an instance of Mattermost. By creating a ticket at the helpdesk, I get an email that I can use to update the ticket. I’ll use that email to register a Mattermost account, where I find internal conversations that include creds for SSH. With access to the box, I’ll check out the database and dump the root password hash. Using hashcat rules mentioned in the Mattermost chat, I’ll crack that password, which is the root password on the box.

Box Stats

Name: Delivery Delivery
Release Date: 09 Jan 2021
Retire Date: 22 May 2021
OS: Linux Linux
Base Points: Easy [20]
Rated Difficulty: Rated difficulty for Delivery
Radar Graph: Radar chart for Delivery
First Blood User InfoSecJack InfoSecJack 00 days, 00 hours, 42 mins, 52 seconds
First Blood Root Coaran Coaran 00 days, 00 hours, 44 mins, 25 seconds
Creator: ippsec ippsec



nmap found three open TCP ports, SSH (22), HTTP (80), and what looks like a second HTTP server on 8065:

oxdf@parrot$ nmap -p- --min-rate 10000 -oA scans/nmap-alltcp
Starting Nmap 7.91 ( ) at 2021-05-18 13:26 EDT
Nmap scan report for delivery.htb (
Host is up (0.020s latency).
Not shown: 65532 closed ports
22/tcp   open  ssh
80/tcp   open  http
8065/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 11.38 seconds

oxdf@parrot$ nmap -p 22,80,8065 -sC -sV -oA scans/nmap-tcpscans
Starting Nmap 7.91 ( ) at 2021-05-18 13:31 EDT           
Nmap scan report for delivery.htb (                          
Host is up (0.019s latency).

22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)     
| ssh-hostkey:
|   2048 9c:40:fa:85:9b:01:ac:ac:0e:bc:0c:19:51:8a:ee:27 (RSA)            
|   256 5a:0c:c0:3b:9b:76:55:2e:6e:c4:f4:b9:5d:76:17:09 (ECDSA)           
|_  256 b7:9d:f7:48:9d:a2:f2:76:30:fd:42:d3:35:3a:80:8c (ED25519)         
80/tcp   open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Welcome
8065/tcp open  unknown
| fingerprint-strings:
|   GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Accept-Ranges: bytes
|     Cache-Control: no-cache, max-age=31556926, public
|     Content-Length: 3108
|     Content-Security-Policy: frame-ancestors 'self'; script-src 'self'
|     Content-Type: text/html; charset=utf-8
|     Last-Modified: Tue, 18 May 2021 17:27:40 GMT
|     X-Frame-Options: SAMEORIGIN
|     X-Request-Id: qmk1xu7ctbgdtdfomo36e7sixo
|     X-Version-Id:
|     Date: Tue, 18 May 2021 17:34:53 GMT
|     <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" conten
t="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost
"><meta name="format-detection" content="telephone=no"><link re
|   HTTPOptions: 
|     HTTP/1.0 405 Method Not Allowed
|     Date: Tue, 18 May 2021 17:34:53 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 91.38 seconds

Based on the OpenSSH version, the host is likely running Debian Buster (10). The HTTP scripts for TCP 8065 show the string “Mattermost”, so it could be an instance of that open source Slack alternative.

Website - TCP 80

The site is not really for anything, but does mention checking out the helpdesk for email related support:


The link goes to I’ll add both that subdomain and the base domain (delivery.htb) to my local /etc/hosts file.

Clicking on the “Contact Us” link displays another window:


The HelpDesk link is the as the one above. The MatterMost server link is to helpdesk.htb:8065, which explains the other port. There’s also some hint here as to the path. I need to get a @delivery.htb email to get access to the MatterMost server. - TCP 80

This is an instance of osTicket:


As a guest user, I can create a ticket:


And it will give me a page saying it’s been accepted:


The email to add to the ticket is interesting. I’ll note that.

The Sign In link has a form, as well as a registration link:


On clicking “Create an account” and filling out the form, it gives me a page that says a link has been sent to the email to activate it. On HTB, that’s basically a deadend. If I try to log in, it returns this error:


If I click the Check Ticket Status link, it asks for an email or ticket number. Because no validation was done of my email when submitting a ticket as a Guest User, I can enter that email and ticket number:


This page gives the current ticket, with the option to update it:


delivery.htb - TCP 8065

The main page here is a login form:


The create account link leads to another form:


Submitting also leads to an email confirmation step:


Without an email address, not much I can do here.

Shell as maildeliverer

Access to MatterMost

The note above suggested that I needed a @delivery.htb email address to get an account. It looks like it will work without one, but practically, I can’t receive emails at an outside account because HTB labs are not connected to the internet.

I did note that when I created a ticket, it offered the ability to update the ticket over email. I can use that to get the verification email.

I’ll create a ticket and get the email address for it. Then sign up for a MatterMost account:


Back at HelpDesk, giving it the same email I originally gave ( and the ticket number provides access to the ticket, which has the MatterMost confirmation email in it:


Visiting the link in the ticket verifies the account:


One logging in, there’s a chance to join a team:


On joining that team, there’s a single channel, with some chat from root:


I’ll note creds for the account maildeliverer, as well as a hint that a lot of the passwords on the box are variants of “PleaseSubscribe!”, and a note about how Hashcat rules will find the variants.


Those creds do work to SSH to the box:

oxdf@parrot$ sshpass -p 'Youve_G0t_Mail!' ssh maildeliverer@
Warning: Permanently added '' (ECDSA) to the list of known hosts.
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan  5 06:09:50 2021 from

And grab user.txt:

maildeliverer@Delivery:~$ cat user.txt

Shell as root


MM Config

Mattermost stores it’s configuration in /opt/mattermost/config/config.json. The database connection information is in here:

maildeliverer@Delivery:/opt/mattermost/config$ cat config.json 
    "SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000, 
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false

The database password is there, along with a hint as to where to go next.


I’ll connect to the DB with the creds in the config above:

maildeliverer@Delivery:/opt/mattermost/config$ mysql -u mmuser -pCrack_The_MM_Admin_PW mattermost
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 98
Server version: 10.3.27-MariaDB-0+deb10u1 Debian 10
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [mattermost]>

There’s only the default DB and mattermost:

MariaDB [mattermost]> show databases;
| Database           |
| information_schema |
| mattermost         |
2 rows in set (0.000 sec)

I can see from the prompt that I’m already using the mattermost db, but if I needed to switch, use mattermost would do that. The mattermost database has a lot of tables:

MariaDB [mattermost]> show tables;
| Tables_in_mattermost   |
| Audits                 |
| Bots                   |
| UploadSessions         |
| UserAccessTokens       |
| UserGroups             |
| UserTermsOfService     |
| Users                  |
46 rows in set (0.001 sec)

I’ll start with the users table:

MariaDB [mattermost]> select Username,Password from Users;
| Username                         | Password                                                     |
| qqqq                             | $2a$10$5B3h2oM/j0qeugNf9/MwV.nYW1uBCNBnQrJr8kS0iDBuINB4mu1HC |
| surveybot                        |                                                              |
| c3ecacacc7b94f909d04dbfd308a9b93 | $2a$10$u5815SIBe2Fq1FZlv9S8I.VjU3zeSPBrIEg9wvpiLaS7ImuiItEiK |
| 5b785171bfb34762a933e127630c4860 | $2a$10$3m0quqyvCE8Z/R1gFcCOWO6tEj6FtqtBn8fRAXQXmaKmg.HDGpS/G |
| root                             | $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v0EFJwgjjO |
| oxdfa                            | $2a$10$W.i4QH1wBaxqKAUipiFkbOlVUAXWjwyuzIQuPi8T.tFqxeg28kUj2 |
| ff0a21fc6fc2488195e16ea854c963ee | $2a$10$RnJsISTLc9W3iUcUggl1KOG9vqADED24CQcQ8zvUm1Ir9pxS.Pduq |
| channelexport                    |                                                              |
| 9ecfb4be145d47fda0724f697f35ffaf | $2a$10$s.cLPSjAVgawGOJwB7vrqenPg2lrDtOECRtjwWahOzHfq1CoFyFqm |
| oxdf                             | $2a$10$EA7sQu.R9OSOvLUUb/kWvetfiqKJfcn1Pzvj3xvYFZgK5Q1YJ8WyK |

A lot of those look like other users or me. I’ll focus on the root user.

Crack Password

I’ll drop the hash into a file:

root@kali# cat hash 

Based on the comments from Mattermost, I’ll create a file with the password:

oxdf@parrot$ cat password 

Now I can run with a rule file to get different variations on the passwords in the file (just one in this case). There are many in /usr/share/hashcat/rules, but why not start with the one called “best”:

root@kali# hashcat -m 3200 hash password --user -r /usr/share/hashcat/rules/best64.rule 

It cracks pretty quickly.


That password works for the root account on Delivery:

maildeliverer@Delivery:/$ su -

I can grab root.txt:

root@Delivery:~# cat root.txt