Hey again, this machine is a little bit special. It doesn't focus on technical vulnerabilities but on logic vulnerabilities. Also, this machine was made by IppSec, so I highly recommend watching his video.
The first time I tried to solve this, it took me a couple of hours without getting any initial access. Then I came back to it, watched the IppSec video up to the point where I had stopped, and saw how I had been overthinking an easy machine.
Port Scanning
Nmap was taking over 20 minutes, which hadn't been the case for any machine I had solved before.
I tried the timing templates with -T5 and it was still slow. So I used rustscan to find the open ports, then gave those ports to nmap for version detection and ran the default scripts against them.
rustscan -a 10.10.10.222
Open 10.10.10.222:22
Open 10.10.10.222:80
Open 10.10.10.222:8065
-sCV: combines -sC and -sV
-sC: runs the default NSE (Nmap Scripting Engine) scripts for service detection
-sV: version detection
-O: OS detection
-oA DeliveryScan: writes the report in all three formats (.nmap, .gnmap, .xml) with the base name DeliveryScan
-p 22,80,8065: scans only those ports; use -p- to scan all ports
-vvv: very verbose output
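The rustscan-to-nmap hand-off described above, as an added example that is not part of the original write-up: it parses rustscan's "Open host:port" lines and builds the follow-up nmap command per host from the flags listed above (the flag order is my assumption, since the write-up does not show the exact command line; the sample output is constructed).

```python
"""Added example: glue rustscan's output to a targeted nmap scan (not from the write-up)."""
import re

# rustscan prints one "Open <host>:<port>" line per open port, between banner/warning lines.
OPEN_LINE = re.compile(r"^Open\s+(\S+):(\d+)\s*$")


def parse_rustscan(output):
    """Map host -> sorted list of open ports, ignoring banner and warning lines."""
    ports = {}
    for line in output.splitlines():
        m = OPEN_LINE.match(line.strip())
        if m:
            ports.setdefault(m.group(1), set()).add(int(m.group(2)))
    return {host: sorted(p) for host, p in ports.items()}


def nmap_commands(ports_by_host, prefix="DeliveryScan"):
    """Build one nmap command per host with the write-up's flags (-oA name gets the host
    appended only when several hosts were scanned, so reports do not overwrite each other)."""
    cmds = []
    for host, ps in ports_by_host.items():
        out = f"{prefix}_{host}" if len(ports_by_host) > 1 else prefix
        cmds.append(f"nmap -sCV -O -vvv -oA {out} -p {','.join(map(str, ps))} {host}")
    return cmds


# Constructed sample of rustscan output, including a warning line that must be skipped.
SAMPLE_OUTPUT = """\
[!] File limit is lower than default batch size. Consider upping with --ulimit.
Open 10.10.10.222:8065
Open 10.10.10.222:22
Open 10.10.10.222:80
"""

if __name__ == "__main__":
    for cmd in nmap_commands(parse_rustscan(SAMPLE_OUTPUT)):
        print(cmd)
```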
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http syn-ack ttl 63 nginx 1.14.2
|_http-title: Welcome
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
8065/tcp open unknown syn-ack ttl 63
| fingerprint-strings:
| GenericLines, Help, RTSPRequest, SSLSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Accept-Ranges: bytes
| Cache-Control: no-cache, max-age=31556926, public
| Content-Length: 3108
| Content-Security-Policy: frame-ancestors 'self'; script-src 'self' cdn.rudderlabs.com
| Content-Type: text/html; charset=utf-8
| Last-Modified: Tue, 03 Jun 2025 04:34:00 GMT
| X-Frame-Options: SAMEORIGIN
| X-Request-Id: 5kobg865pf835krbsksttuz9dy
| X-Version-Id: 5.30.0.5.30.1.57fb31b889bf81d99d8af8176d4bbaaa.false
| Date: Tue, 03 Jun 2025 04:50:59 GMT
| <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0"><meta name="robots" content="noindex, nofollow"><meta name="referrer" content="no-referrer"><title>Mattermost</title><meta name="mobile-web-app-capable" content="yes"><meta name="application-name" content="Mattermost"><meta name="format-detection" content="telephone=no"><link re
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Date: Tue, 03 Jun 2025 04:51:00 GMT
|_ Content-Length: 0
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Linux 4.15 - 5.8 (95%), Linux 5.0 (95%), Linux 5.0 - 5.4 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), HP P2000 G3 NAS device (93%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 104.17 seconds
Delivery's web applications
It looks like any company web page, but it tells us a few things: there is a helpdesk we can talk to, and if we have an email address on @delivery.htb we can access the Mattermost server.
I added delivery.htb, and helpdesk.delivery.htb to /etc/hosts
sudo sh -c 'echo "10.10.10.222 delivery.htb helpdesk.delivery.htb" >> /etc/hosts'
osTicket
I started using the web app to see how it works. Creating a ticket gave me an email address on the company domain.
Now we can use 'Check Ticket Status' since we have a ticket number.
We can chat with IT like any customer support service.
The art of the rabbit hole
Here is where I stopped before because I didn't read what was on the home page.
There are many things you can think about here:
* Default credentials
* Look for any public exploits for this web app (osTicket)
* Stored XSS to steal admin or helpdesk technician cookies.
There are many public exploits for it, but we need to know its version. Going through the page source gave nothing. Then I tried a trick (I don't remember where I saw it, but it's really smart): download the logo or any other image and check its date.
So we are looking for exploits affecting v1.14.6 and below, and all of those look like good candidates.
I tried the SSRF exploit, but it didn't work. The XSS would need interaction from one of the support staff.
Create an account with the ticket email:
We need confirmation.
Mattermost
Since we hit a dead end there, I tried to see what's going on in this web app.
As we knew from the Mattermost GitHub page, this is like a group chat for developers.
We can create an account, but we still need confirmation.
Here is the idea behind this machine's initial access: there is a script running that delivers confirmation messages to the support system.
In the internal team channel, root gave us credentials for the server and also told us that someone on the team uses PleaseSubscribe! as a password, with a different variation at every password change. They also hinted that this password is not in the RockYou wordlist, and that we can generate a new wordlist with hashcat.
Shell as maildeliverer
I tried these credentials on Mattermost and osTicket, but they didn't work. So the obvious move is to try them on SSH, and now we have a shell.
ssh maildeliverer@10.10.10.222
maildeliverer@10.10.10.222's password:
maildeliverer@Delivery:~$ ls -la
total 28
drwxr-xr-x 3 maildeliverer maildeliverer 4096 Jan 3 2021 .
drwxr-xr-x 3 root root 4096 Dec 26 2020 ..
lrwxrwxrwx 1 root root 9 Dec 28 2020 .bash_history -> /dev/null
-rw-r--r-- 1 maildeliverer maildeliverer 220 Dec 26 2020 .bash_logout
-rw-r--r-- 1 maildeliverer maildeliverer 3526 Dec 26 2020 .bashrc
drwx------ 3 maildeliverer maildeliverer 4096 Dec 28 2020 .gnupg
-rw-r--r-- 1 maildeliverer maildeliverer 807 Dec 26 2020 .profile
-r-------- 1 maildeliverer maildeliverer 33 Jun 3 00:34 user.txt
maildeliverer@Delivery:~$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for maildeliverer:
Sorry, user maildeliverer may not run sudo on Delivery.
Since our user can't run anything as root, let's start some enumeration.
For fast and automated enumeration, I used linPEAS. I set up a Python web server to transfer the script.
Then we remember that the password could be a variation of PleaseSubscribe!
So we need to know how to generate a wordlist. We also need to know what type of hash this is.
# the file gen contains a single line: PleaseSubscribe!
hashcat gen -r /usr/share/hashcat/rules/best64.rule --stdout > wordlist
wc wordlist
77 77 1177 wordlist
To visualize what it has done
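To show what hashcat's rules actually do to the base word, here is an added example (my own code, not hashcat's and not the write-up's): a tiny rule engine that implements a subset of the rule functions found in best64.rule and applies a constructed sample of such rules to PleaseSubscribe!. The real best64.rule has 77 lines, which is why wc reported 77 candidates above.

```python
"""Added example (not hashcat's code): a tiny engine for a subset of hashcat rule functions."""

# Rule functions that take no argument, keyed by their hashcat letter.
SIMPLE = {
    ":": lambda w: w,                               # no-op, keeps the base word
    "l": str.lower, "u": str.upper, "t": str.swapcase,
    "c": lambda w: w[:1].upper() + w[1:].lower(),   # capitalise first char, lowercase rest
    "r": lambda w: w[::-1],                         # reverse
    "d": lambda w: w * 2,                           # duplicate
    "f": lambda w: w + w[::-1],                     # reflect
    "{": lambda w: w[1:] + w[:1],                   # rotate left
    "}": lambda w: w[-1:] + w[:-1],                 # rotate right
    "[": lambda w: w[1:],                           # delete first char
    "]": lambda w: w[:-1],                          # delete last char
}


def apply_rule(word, rule):
    """Apply one rule line (space-separated functions in hashcat syntax) to word."""
    w = word
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op in SIMPLE:
            w = SIMPLE[op](w)
        elif op == "$":                              # append char
            w = w + arg
        elif op == "^":                              # prepend char
            w = arg + w
        elif op == "s":                              # replace every X with Y
            w = w.replace(arg[0], arg[1])
        elif op in ("T", "D"):                       # position N: 0-9, then A-Z = 10-35
            n = int(arg, 36)
            if n < len(w):                           # out-of-range positions are ignored
                w = w[:n] + (w[n].swapcase() if op == "T" else "") + w[n + 1:]
        else:
            raise ValueError(f"unsupported rule function: {fn}")
    return w


# Constructed sample of best64-style rules (not the real file, which has 77 lines).
SAMPLE_RULES = [":", "l", "u", "c", "t", "r", "d", "f", "{", "}", "[", "]",
                "$1", "$1 $2 $3", "^1", "$!", "c $1", "u $1", "s!1", "sa@", "T0"]


def generate_candidates(base, rules=SAMPLE_RULES):
    """Mangled variants of base in rule order, deduplicated (hashcat --stdout keeps duplicates)."""
    return list(dict.fromkeys(apply_rule(base, r) for r in rules))


if __name__ == "__main__":
    print("\n".join(generate_candidates("PleaseSubscribe!")))
```

The point for defenders is visible in the output: every "variation" a user invents by hand (append a digit, swap a character, capitalise differently) is a one-line rule away from the base word, so a leaked old password effectively leaks the current one.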
Shell as Root
Now we have a password to spray with.
maildeliverer@Delivery:/opt/mattermost/config$ su mattermost
Password:
su: Authentication failure
maildeliverer@Delivery:/opt/mattermost/config$ su root
Password:
root@Delivery:/opt/mattermost/config# id
uid=0(root) gid=0(root) groups=0(root)
Really good box, I recommend watching this video.
osTicket is a widely-used open source support ticket system. It seamlessly integrates inquiries created via email, phone and web-based forms into a simple easy-to-use multi-user web interface. Manage, organize and archive all your support requests and responses in one place while providing your customers with accountability and responsiveness they deserve.
For unregistered users, please use our to get in touch with our team. Once you have an @delivery.htb email address, you'll be able to have access to our .
For default credentials:
I went through their documentation, but found nothing about default credentials. Then I found the installation page, but access was denied.
Mattermost is an open source platform for secure collaboration across the entire software development lifecycle.
We have a couple of ports:
80: the osTicket web app
22: SSH
631: Internet Printing Protocol (I think)
1025: TCP 1025 is used by many web hosting providers as an alternate SMTP port for their customers to reach their SMTP servers.
3306: MySQL
8065: Mattermost