HackTheBox Writeup — Delivery

Faisal Husaini
5 min readMay 22, 2021


Hello Guys , I am Faisal Husaini. My username on HTB is “fa1sal” . Also join me on discord.

The IP of this box is

Port Scan

Running NMAP full port scan on it , we get

A nice good looking webpage, also can see a Contact Us button , clicking on it

I see an information given about using the HelpDesk to reach the team, but for that I will need a @delivery.htb email address and after having that I can access their MatterMost Server

Also hovering over the HelpDesk word, it can be seen that its a link redirection to helpdesk.delivery.htb, so adding it to the hosts file and then checking the domain

Now I am going to do the instruction which I got before , for that I will open a new ticket

Now clicking on Create Ticket, I get

After creating a new ticket, I am given with two things

  • Ticket ID: 2668996
  • Email: 2668996@delivery.htb

Now, I will use this email address to register on Mattermost server as it requires an email address with @delivery.htb to access it

Also, from the instructions from Contact Us, hovering over the Mattermost word, I see that it has link redirection to the higher open port I got from the NMAP scan, so moving towards that port first and then will return here back

I try to check the Ticket Status in order to get the email confirmation for Mattermost server

I get an email from the Mattermost server for the confirmation of the account creation with a link, moving back to confirming the account

Port 8065 (Mattermost)

Checking the port with the domain in browser

I got redirected to Mattermost’s Login Page, also I see the Sign Up page, clicking on the link

I filled the details and now will sign up my account

It says that my account is created and it requires email confirmation, since this account was created using the HelpDesk, so I will need to go back there and confirm through it

After getting the confirmation link, I see

I get email verified message and now will login with the email address and password through which I created the Mattermost account

It tells me about the teams I can join, so I select the available option and then move towards the User part

User (maildeliverer)

After selecting the team option which I had

I see the welcome message, skipping the tutorial

I see some messages here and also some of them leaks credentials and also a hint towards what possibly could be the variation for the root password

Now moving onto login with the credentials I got through SSH Login

Now I get the user flag usually the same like other machines

Now time to get on the path to root


Since I saw from the message that the root user was saying that if someone manages to get the password hash for the users, he will be able to crack the password easily through Hashcat with adding some rules as the password for the variation was “PleaseSubscribe!”

Checking for Mattermost’s installation directories locally

I have a config.json file which contains the configurations for the Mattermost Server

On the file, I get the credentials for the mysql database system and also can confirm that mysql being running on this machine locally

Now login to MySQL with the credentials I got

Selecting the mattermost database and then getting the username and passwords

I got the root hash from here and now I will use Hashcat to crack it

hashcat -m 3200 hash.txt pass.txt -r rules\best64.rule

I cracked the root password which is PleaseSubscribe!21 and now will switch to root user

Now will get the root flag



Faisal Husaini

Hacker | Red Teamer | Python Coder | Gamer | Reverse Engineering Lover