Hack the Box – Delivery

Delivery was an easy-rated Linux box by ippsec. Despite being an easy box, it had a clever path to user that relies on hacking business processes, rather than software to get to user, and tries to teach something about hashcat to escalate to root.

Initial Enumeration

An initial nmap showed ports 22, 80 and 8065 open

root@kali-e:/home/jmpalk/htb/delivery# nmap -v -n -Pn -p1-65535
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-12 15:25 EDT
Initiating SYN Stealth Scan at 15:25
Scanning [65535 ports]
Discovered open port 80/tcp on
Discovered open port 22/tcp on
Discovered open port 8065/tcp on
Completed SYN Stealth Scan at 15:25, 13.52s elapsed (65535 total ports)
Nmap scan report for
Host is up (0.023s latency).
Not shown: 65532 closed ports
22/tcp   open  ssh
80/tcp   open  http
8065/tcp open  unknown

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.65 seconds
           Raw packets sent: 65591 (2.886MB) | Rcvd: 65535 (2.621MB)

Port 80 is the splash page for the delivery service. There’s not a lot there beyond the contact us blurb, which points toward the Help Desk, located at helpdesk.delivery.htb and the Mattermost server, which is the service running on port 8065.

The "contact us" block on delivery.htb, reading "For unregistered users, please use our HelpDesk to get in touch with our team. Once you have an @delivery.htb email address, you'll be able to have access to our MatterMost server.
THis is critical information

Going to the helpdesk page, you can submit tickets via the osticket ticketing system, even without having an account.

The osticket-based help desk system
You an submit a ticket via osticket

The MatterMost server requires you to have a @delivery.htb address in order to be able to register

The Mattermost chat system signin page
Access to MatterMost requires an @delivery.htb email address

Initial foothold

The Contact Us dialog on the landing page gives the key to getting into the box. I need a ‘@delivery.htb’ address to access MatterMost. But how to get that email address? The Help Desk will give me one.

I started by creating a ticket. The content of the ticket doesn’t matter.

Image of a ticket being submitted to the delivery.htb osticket instance
What I put in the ticket isn’t as important as what osticket puts in the ticket.

The key bit is what happens once I submit the ticket.

A ticket creation confirmation, including a note "if you want to add more information to your ticket, just email to 5213117@delivery.htb"
Thank you, osticket, for creating an @delivery.htb email address

Osticket creates an email address – 5213117@delivery.htb – that I can send updates to. Taking that address over to Mattermost, I can use it to create an account.

Creating a Mattermost account with the osticket-supplied email address.
Creating a Mattermost account with the osticket email address

Once I create the account, Mattermost informs me I need to visit an account validation link it sent to my email address. Osticket helpfully receives the email and displays it to me when I check the status on my ticket.

The Mattermost account validation email as an update to my helpdesk ticket
Thanks for taking messages for me, osticket!

I copy the link into my browser, hit enter, and my Mattermost account is validated and ready to go.

Mattermost showing that my account emaill address has been verified.
Ready to log into my new Mattermost account

Logging into Mattermost and joining the System team immediately provides some interesting information.

A Mattermost conversation showing themaildeliverer account password as "Youve_G0t_Mail!", and a warning not to use passwords with a variant of "PleaseSubscribe" as they're vulnerable to bruteforce attacks with hashcat rules.
Credentials for the box, and additional password guidance

The credentials for the box get me right in, and user.txt is right there.

jmpalk@kali-e:~/htb/delivery$ ssh maildeliverer@delivery.htb
The authenticity of host 'delivery.htb (' can't be established.
ECDSA key fingerprint is SHA256:LKngIDlEjP2k8M7IAUkAoFgY/MbVVbMqvrFA6CUrHoM.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'delivery.htb,' (ECDSA) to the list of known hosts.
Enter passphrase for key '/home/jmpalk/.ssh/id_rsa': 
maildeliverer@delivery.htb's password: 
Linux Delivery 4.19.0-13-amd64 #1 SMP Debian 4.19.160-2 (2020-11-28) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jan  5 06:09:50 2021 from


From the Mattermost comment, I have a good idea of what the password is going to look like, and that I’m going to need a hash to crack. This cuts my enumeration down substantially. I’m looking for notes, scripts and config files that might have passwords. Looking around the filesystem, I find the Mattermost config file at /opt/mattermost/config/config.json. It’s got a pretty big hint right in it.

"SqlSettings": {
        "DriverName": "mysql",
        "DataSource": "mmuser:Crack_The_MM_Admin_PW@tcp(,utf8\u0026readTimeout=30s\u0026writeTimeout=30s",
        "DataSourceReplicas": [],
        "DataSourceSearchReplicas": [],
        "MaxIdleConns": 20,
        "ConnMaxLifetimeMilliseconds": 3600000,
        "MaxOpenConns": 300,
        "Trace": false,
        "AtRestEncryptKey": "n5uax3d4f919obtsp1pw1k5xetq1enez",
        "QueryTimeout": 30,
        "DisableDatabaseSearch": false

Using the provided username and password to log into MySQL, I query the user table.

Results of 'SELECT Username, Password FROM mattermost.Users'; Including a root user and hash.
Hey – look! A root user with password hash!

There’s a root hash in there. Feeding it into HashID, it comes back as blowfish, which is type 3200 in hashcat. The Mattermost note was warning people against using passwords vulnerable to hashcat rules. Hashcat rules allow one to programatically modify passwords being guessed, doing things like giving all the ‘leetspeak variations of words in a dictionary. You can come up with your own rules, but in this case, I used ‘best64’, one of the pre-written rules hashcat ships with.

PS C:\Program Files (x86)\hashcat-6.0.0> .\hashcat.exe -m 3200 .\delivery_hash.txt .\delivery-wl.txt -r .\rules\best64.rule
hashcat (v6.0.0) starting...

OpenCL API (OpenCL 2.1 AMD-APP (3075.13)) - Platform #1 [Advanced Micro Devices, Inc.]
* Device #1: Ellesmere, 8128/8192 MB (6745 MB allocatable), 36MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 77

Applicable optimizers:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Temperature abort trigger set to 90c


Session..........: hashcat
Status...........: Cracked
Hash.Name........: bcrypt $2*$, Blowfish (Unix)
Hash.Target......: $2a$10$VM6EeymRxJ29r8Wjkr8Dtev0O.1STWb4.4ScG.anuu7v...JwgjjO
Time.Started.....: Thu May 13 11:24:48 2021 (35 secs)
Time.Estimated...: Thu May 13 11:25:23 2021 (0 secs)
Guess.Base.......: File (.\delivery-wl.txt)
Guess.Mod........: Rules (.\rules\best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:        1 H/s (6.41ms) @ Accel:1 Loops:4 Thr:8 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 21/77 (27.27%)
Rejected.........: 0/21 (0.00%)
Restore.Point....: 0/1 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:20-21 Iteration:1020-1024
Candidates.#1....: PleaseSubscribe!21 -> PleaseSubscribe!21
Hardware.Mon.#1..: Util:  5% Core:1347MHz Mem:2000MHz Bus:16

Started: Thu May 13 11:24:42 2021
Stopped: Thu May 13 11:25:24 2021

It came back with a hit in about 42 seconds: “PleaseSubscribe!21”. Going back to my shell, I su’d to root, and it was done.

maildeliverer@Delivery:/opt/mattermost/config$ su
root@Delivery:/opt/mattermost/config# cd
root@Delivery:~# ls
mail.sh  note.txt  py-smtp.py  root.txt
root@Delivery:~# cat root.txt

Again, a clever little path to user, and doing something I hadn’t done before with hashcat rules. Thanks, ippsec!


Kerberoasting and Silver Tickets

Kerberoasting is an attack allowing an attacker to crack Active Directory (AD) service account passwords offline, and with no fear of detection. 

Developed by Tim Medin, Kerberoasting relies on the fact that when an AD user requests access to a service, they receive back a Kerberos ticket signed with the NTLM hash of the account running the service, which an attacker can steal — even if they are a regular domain user — and crack elsewhere.

With that service account password in hand, one can then forge a “silver ticket” for that service, creating opportunities for privilege escalation.

Continue reading “Kerberoasting and Silver Tickets”

HackTheBox Walkthrough: Writeup

Writeup was a box listed as “easy” on Hackthebox.eu. While it was technically easy, its use of fail2ban had the potential to slow down one’s progress toward user, and getting the root flag required careful enumeration under particular circumstances.

Continue reading “HackTheBox Walkthrough: Writeup”

Hack the Box: Querier Walkthrough

Querier was an ‘medium’-rated machine on Hack the Box that required attackers to harvest files from unsecured SMB shells, and capture database credentials off the wire to get a toehold on the system, and then carefully enumerate the box to find admin credentials to finally pwn the system.

Continue reading “Hack the Box: Querier Walkthrough”

Kalipot – Part 3: Monitoring The Data

So, we’ve set up a kali-lookalike Cowrie honeypot, and added some iptables rules to detect nmap scans. It would be nice, though, if we had some way to see what was going on other than opening a couple of shells and running tail -f /var/log/syslog | grep “<IPT>”.

So, let’s get our data somewhere useful.


I’m using Splunk in my home lab because it’s pretty powerful, and a single-host instance is relatively easy to set up compared to something like Graylog or an ELK stack.

Continue reading “Kalipot – Part 3: Monitoring The Data”

Kalipot – Part 2: Detecting Nmap Scans With IPTables

In part 1 of this series, I showed you how to set up and customize a Cowrie honeypot on a Raspberry Pi. In this part, I’ll show how to use iptables to detect nmap scans and attempts to connect to ports other than the honeypot running on port 22.

IPTables Basics

IPTables is a common Linux firewall tool installed by default on ubuntu and other Debian-based distributions, including Raspbian. It’s available for both ipv4 and ipv6 and is easy to manage via the command line.

Continue reading “Kalipot – Part 2: Detecting Nmap Scans With IPTables”

Kalipot – Part 1: Hardening SSH and Setting Up Cowrie

For the past year, I’ve been setting up honeypots and network sensors on the wifi network at local security conferences, watching to see what other people are doing on the network. For the most part, the answer has been ‘not much’. But I wanted to write this up to capture the howto knowledge.


The Cowrie honeypot  is a python application that simulates a ssh or telnet server, and will serve up a fake shell environment which can be tailored to resemble any kind of Linux distribution you like, with a fake directory tree and hosted files an attacker could examine or pillage. It supports logging in several formats, including syslog-like logs, JSON, Cuckoo, ELK and several different SQL databases.

Continue reading “Kalipot – Part 1: Hardening SSH and Setting Up Cowrie”


Recently I got interested in HTTP2. It’s a new protocol that’s going to change a lot in the way people work with web app pentesting. Among other changes, it’s binary, it allows servers to push data to clients, and it’s multiplexing (non-blocking). It’s supposed to be faster and more efficient than good old HTTP1.1. Apache and Nginx both support it, as does curl (the HTTP2 maintainers keep a list of known implementations here).

There  also aren’t a lot of tools available for doing security testing of it.

Burp Suite doesn’t support it yet and hasn’t said when it will , although ZAP is working on it.

Yahoo’s pentesting group developed a very nice semi-intelligent fuzzer for HTTP2, described here, but they stopped development on it and let it without its replay mode.

I just released a new version which supports replay mode, when running as a client, on github. The original version is available here.

Aside – Paul’s Security Weekly did an episode on HTTP2 back in January (video | show notes).