HTB Delivery

Writeup for Delivery box on

Initial Enumeration

nmap -sC -sV -vv -oA tcp && nmap -sC -sV -vv -p- -oA allports

Found a subdomain

Creating a ticket shows the following content:


You may check the status of your ticket, by navigating to the Check Status page using ticket id: 6256421.

If you want to add more information to your ticket, just email [email protected]


Support Team

Create a ticket and grab the email from the ticket, the signup for an account with mattermost using the email from the ticket

This will trigger an email to be sent to the ticketing system and add the info to the ticket

After this we get an validated email address

After logging in we are presented with a chat system and a few older chats



User Enumeration

Enumerating the system further we find mysql credentials



mysql -h -u mmuser -p

Privilege escalation

.\hashcat.exe -m 3200 -a 0 I:\data\htb\delivery\loot\hashes I:\data\htb\delivery\loot\pass_base -r I:\apps\hashcat\rules\best64.rule



This gives us access to the system console of mattermost and also to root via su